apocalyptech / bl3hotfixmodding

Borderlands 3 / Wonderlands Hotfix Modding
GNU General Public License v3.0

TlsException('Cannot load trusted certificates (/etc/ssl/certs/ca-certificates.crt, None).') #6

Open Banacizo opened 2 years ago

Banacizo commented 2 years ago

Hi. So I've been trying to set up manual hotfix interception on my Ubuntu machine because simply doing a basic B3HM install prevents my game from starting and fiddling with wine settings seems a lot more boring than learning intercepting live traffic. However I've never done this kind of thing before so it's a steep learning process. I've managed to successfully set up the MITM and run traffic through it - I've installed MITM's CA in my browser and in system (I'll be sure to disable those once I'm done) and set 127.0.0.0:8080 as my network proxy in system settings and the results are varied: Anything in browser runs through the proxy and I can see it just fine, Steam doesn't trust the SSL and doesn't display the store and such, but launches in a semi-online state and I do get a message in proxy every time it doesn't trust the SSL and Borderlands itself launches online as if nothing ever happened but I don't see its traffic in the proxy at all - not even any errors. Furthermore - I've tried disabling the proxy which cuts internet connection for anything running through it, but Borderlands still connects, gets SHIFT rewards list, enables crossplay and supposedly receives hotfixes. All in all I've never even seen the discovery.services.gearboxsoftware.com host. Am I doing something wrong here? Can you at the very least please point me in a direction of a guide for a similar process? Thanks. I'm running Ubuntu, legit Bl3 on Steam, GE-proton-7-14 and mitmproxy.

Banacizo commented 2 years ago

NVM, turns out running a system-wide proxy is stupid and traffic to Gearbox can be rerouted using etc/hosts. But now I'm running into a TlsException (cannot load trusted certificates) on launch, have no idea how to fix this.

apocalyptech commented 2 years ago

Hello!

So yeah, for this script/mitmproxy in particular, all you'd need to do (as you already realized) is using /etc/hosts to send discovery.services.gearboxsoftware.com to whatever IP's running mitmproxy. Is it mitmproxy itself that's throwing that TlsException (cannot load trusted certificates) error? Or was it the game itself? I'd be a little surprised either way -- I wonder why mitmproxy is having issues with it. What's the full commandline that you're running? What I'm using is:

mitmdump --certs mitmcert.pem -v --showhost -m reverse:https://discovery.services.gearboxsoftware.com/ --listen-host x.x.x.x -p 443 -s hfinject.py

... replacing x.x.x.x with the IP that I'm sending the traffic to.

If you're running BL3 via Wine/Proton, the game doesn't actually seem to care how "real" your mitmcert.pem is. I've got an internal CA that I use to sign various internal services that I run, and I'd set up my cert to use that (which is already trusted on all my boxes on the home network), and I'd thought that I'd gotten lucky and that was enough. But it turns out that the game doesn't even care if it's a fully self-signed cert! Pretty weird, really. Possibly a security problem with Wine/Proton itself? That or I've got some weird setting somewhere that I've forgotten about.

Anyway, hope you can get it going!

Banacizo commented 2 years ago

Hi! As per your recommendation I'm running exactly this setup. Since I'm running the proxy locally my etc/hosts rule is exactly this simple line:

127.0.0.1 discovery.services.gearboxsoftware.com

Then I'm running the mitmdump command. Since my proxy is on the same PC, I do

mitmdump --certs mitmcert.pem -v --showhost -m reverse:https://discovery.services.gearboxsoftware.com/ --listen-host 127.0.0.1 -p 443 -s hfinject.py

which I have to sudo, otherwise it doesn't allow me to use 443. Mitmcert in this case is a CA I've downloaded off of mitm.it. I've also installed it in my system certificates. (Yes I'm aware of the security risk)

[image]

Then when I run the game I get this:

[image]

This behavior is consistent - a bunch of 'clientconnect's then the error in the title, then 'wrong version number' and then a multitude of seemingly identical 'alert handshake failure'. Interestingly, if using http instead of https it straight up tells you that it doesn't trust the CA

[image]

I've also tried checking the ca-certificates file it's angry at for permission issues, but it seems fine:

[image: certscorrect]

And lastly, running it without certificates at all gives a more similar to default result than I'd expect:

[image]

As you could probably tell, I'm not very proficient in this matter, so unless you have something to try - I'm stuck.

apocalyptech commented 2 years ago

Oh oh! Okay, I think I know what's going on, actually. I'd kind of forgotten that this would be a problem for folks running everything on one box. Basically, you've got /etc/hosts sending discovery.services.gearboxsoftware.com to 127.0.0.1, so that's getting the game's traffic over to mitmproxy. However, then mitmproxy is set up to proxy to discovery.services.gearboxsoftware.com, but it's probably seeing the exact same 127.0.0.1 entry and so it's not being forwarded on properly.

On my setup at home, I've actually got mitmproxy running on a separate server in my basement, but in your case it might make sense to just spin up a little VM or something to run mitmproxy -- that way the VM can resolve discovery.services.gearboxsoftware.com properly, but the game can use /etc/hosts to get over to the mitmproxy. (You'd need to start using the VM's IP instead of 127.0.0.1, of course.)

Let me know if that does the trick!
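
The resolution loop described in the comment above can be checked on the machine that runs mitmproxy. This is an added example, not code from the thread or from the bl3hotfixmodding project; the hosts-file text is constructed, and `parse_hosts` and `upstream_hits_own_listener` are hypothetical helper names.

```python
import ipaddress

# Constructed sample: /etc/hosts on a box that runs both the game and mitmproxy.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# redirect the game's hotfix lookup to the local proxy
127.0.0.1   discovery.services.gearboxsoftware.com   # added for hfinject
"""


def parse_hosts(text):
    """Return {hostname: [ip, ...]} from hosts-file text, skipping comments."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not a valid address
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), []).append(ip)
    return table


def upstream_hits_own_listener(hosts_text, upstream_host, listen_host):
    """True if the proxy host's own hosts file sends the reverse-proxy
    upstream name back to the address the proxy is listening on."""
    listen = ipaddress.ip_address(listen_host)
    key = upstream_host.lower().rstrip(".")
    for ip in parse_hosts(hosts_text).get(key, []):
        if ip.version != listen.version:
            continue
        if ip == listen:
            return True  # override points straight at the listener
        if ip.is_loopback and (listen.is_loopback or listen.is_unspecified):
            return True  # loopback override reaches a local listener
    return False


if __name__ == "__main__":
    host = "discovery.services.gearboxsoftware.com"
    print(upstream_hits_own_listener(SAMPLE_HOSTS, host, "127.0.0.1"))
```

Run it against the hosts file of the machine where mitmdump runs, with the value passed to `--listen-host`; a `True` result means the proxy would forward requests to itself instead of the real server.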

Banacizo commented 2 years ago

Good try but nope, still the same pattern: I use etc/hosts to reroute to VM and mitmdump on VM with --listen-host itself. Could it be that since a VM is still on the same PC it ends up under etc/hosts rule all the same? By the way this load of clientconnect/clientdisconnect lines in the console is not me launching the game multiple times - it dumps like a couple of hundred of them on a single launch. Is it supposed to look like that?

[image]