Upstream proxy and CA configuration


I am trying to configure mitmproxy to work with an upstream proxy in another domain.

To be more explicit, I have a platform with its own domain (e.g. mydomain.com), and to access the internet I need to go through my company proxy, which has its own domain too (e.g. company.com).

I generated a certificate for mitmproxy and I have the CA and the key used to generate the certificate. I renamed them to mitmproxy-ca.pem (key + CA) and mitmproxy-ca-cert.pem (certificate) and put them into the .mitmproxy folder. It seems to work fine, even though I didn't manage to test it completely.

But for the upstream proxy SSL configuration, I put the company CA into the .mitmproxy folder and named it mycompany-ca.pem. I configured the config.yaml file with: ssl_verify_upstream_trusted_ca: "/home/mitmproxy/.mitmproxy/mycompany-ca.pem".

But when I try to use mitmproxy to curl https://www.google.com, I get this error:

W.X.Y.Z:57370: client connect
W.X.Y.Z:57370: server connect proxy.mycompany.com (A.B.C.D:8080)
W.X.Y.Z:57370: Server TLS handshake failed. Certificate verify failed: unable to get local issuer certificate
W.X.Y.Z:57370: GET https://www.google.com/ HTTP/2.0
 << Certificate verify failed: unable to get local issuer certificate
W.X.Y.Z:57370: server disconnect proxy.mycompany.com (A.B.C.D:8080)
W.X.Y.Z:57370: client disconnect

When I use my company proxy in my browser, I can see that the certificate subject is Google but the issuer is my company proxy information.

Moreover, the company proxy CA is only a certificate without any key (which seems normal), and I use mitmproxy from Docker. And of course, when I use the --ssl_insecure option it works, but I don't want to (I'm not allowed to) bypass the upstream proxy certificate verification.

Do you have an idea how to configure upstream SSL certificate control, please?
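
The "unable to get local issuer certificate" text in the log above is OpenSSL's verification error for a certificate whose issuer cannot be found in the trusted set. The script below is an added example, not part of the original question: it builds a throwaway root -> issuing CA -> leaf chain with the openssl CLI and shows which CA-file contents make verification pass or fail. The function names, subject names and paths are all constructed for the demo.

```bash
# Added example. Every subject name and path here is constructed for the demo.

# chain_ok CAFILE LEAF [INTERMEDIATES]
# Prints openssl's verdict; returns 0 only if LEAF chains to a certificate in
# CAFILE. INTERMEDIATES (what a server sends in its handshake) stay untrusted.
chain_ok() {
    if [ -n "${3:-}" ]; then
        out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    fi
    printf '%s\n' "$out"
    printf '%s\n' "$out" | grep -q ': OK$'
}

# make_demo_pki DIR: writes root -> issuing CA -> leaf, plus an unrelated CA.
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root issuing leaf other; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    for n in root other; do   # two self-signed CAs
        openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 2 \
            -extfile "$d/ca.ext" -out "$d/$n.pem" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/issuing.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -CAcreateserial -days 2 \
        -extfile "$d/ca.ext" -out "$d/issuing.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/issuing.pem" \
        -CAkey "$d/issuing.key" -CAcreateserial -days 2 \
        -out "$d/leaf.pem" 2>/dev/null || return 1
    cat "$d/root.pem" "$d/issuing.pem" > "$d/bundle.pem"
}

demo() {
    tmp=$(mktemp -d) && make_demo_pki "$tmp" || return 1
    chain_ok "$tmp/root.pem" "$tmp/leaf.pem" \
        || echo "-> root only, issuing CA not supplied: rejected"
    chain_ok "$tmp/root.pem" "$tmp/leaf.pem" "$tmp/issuing.pem" \
        && echo "-> root trusted, issuing CA sent by server: accepted"
    chain_ok "$tmp/bundle.pem" "$tmp/leaf.pem" \
        && echo "-> root + issuing CA both in the CA file: accepted"
    chain_ok "$tmp/other.pem" "$tmp/leaf.pem" "$tmp/issuing.pem" \
        || echo "-> unrelated CA in the CA file: rejected"
    rm -rf "$tmp"
}
demo
```

To run the same check against a real setup, pass the configured CA file as the first argument and the certificates saved from the upstream's handshake (for example from `openssl s_client -showcerts` output) as the second and third.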
