Windows上的Fiddler 4证书错误 [英] Fiddler 4 Certificate error on Windows

问题描述

我正在使用Fiddler监控私有项目的HTTPS流量。升级到Windows 10并安装Fiddler后，我无法创建根证书。我尝试使用CertEnroll和MakeCert两者并且都返回他们无法创建根证书：

I am using Fiddler to monitor HTTPS traffic for our private project. After upgrading to Windows 10 and installing Fiddler, I am unable to create a root certificate. I tried using Both CertEnroll and MakeCert and both returned that they cannot create a root certificate:

09：53：54：2275 Fiddler.CertMaker > [C：\Program Files（x86）\Fiddler2 \ MakeCert.exe -r -ss my -nCN = DO_NOT_TRUST_FiddlerRoot，O = DO_NOT_TRUST，OU =由 http://www.fiddler2.com -sky signature -eku 1.3.6.1.5.5.7.3.1 -h 1 -cy authority -a sha256 -m 132 -b 01/07/2015]返回错误：拦截证书的创建失败。

09:53:54:2275 Fiddler.CertMaker> [C:\Program Files (x86)\Fiddler2\MakeCert.exe -r -ss my -n "CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky signature -eku 1.3.6.1.5.5.7.3.1 -h 1 -cy authority -a sha256 -m 132 -b 01/07/2015 ] Returned Error: Creation of the interception certificate failed.

makecert.exe返回-1。

makecert.exe returned -1.

结果来自C：\Program Files（x86）\Fiddler2 \ MakeCert.exe -r -ss my -nCN = DO_NOT_TRUST_FiddlerRoot，O = DO_NOT_TRUST，OU =由 http://www.fiddler2.com -sky signature -eku 1.3.6.1.5.5.7.3.1 -h 1 -cy authority - a sha256 -m 132 -b 01/07/2015

Results from C:\Program Files (x86)\Fiddler2\MakeCert.exe -r -ss my -n "CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky signature -eku 1.3.6.1.5.5.7.3.1 -h 1 -cy authority -a sha256 -m 132 -b 01/07/2015

错误：无法创建主题的关键字（' JoeSoft'）
失败

Error: Can't create the key of the subject ('JoeSoft') Failed

AND

09：43：37：0332 /Fiddler.CertMaker>为主题调用CertEnroll：CN = DO_NOT_TRUST_FiddlerRoot，O = DO_NOT_TRUST，OU =由 http://www.fiddler2.com ; Thread的ApartmentState：MTA
09：43：39：0853！错误：无法使用CertEnroll生成证书。 System.Reflection.TargetInvocationException调用的目标抛出了异常。 < CertEnroll :: CX509PrivateKey :: Create：无法完成请求的操作。必须信任计算机以进行委派，并且必须将当前用户帐户配置为允许委派。 0x80090345（-2146892987 SEC_E_DELEGATION_REQUIRED）

09:43:37:0332 /Fiddler.CertMaker> Invoking CertEnroll for Subject: CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com; Thread's ApartmentState: MTA 09:43:39:0853 !ERROR: Failed to generate Certificate using CertEnroll. System.Reflection.TargetInvocationException Exception has been thrown by the target of an invocation. < CertEnroll::CX509PrivateKey::Create: The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. 0x80090345 (-2146892987 SEC_E_DELEGATION_REQUIRED)

每次更改服务时，我都会重置所有证书和/或删除的拦截证书。此外， AppData / Roaming / Microsoft / Crypt / RSA / {LONG_ID} 中的密钥无处可寻（文件夹始终为空）。
浏览论坛后，我按照一些说明下载了Bouncy Castle证书制作工具（建议用于Android），并创建了2个根证书并将其添加到Windows中，以便他们受到信任。执行此操作后，我的所有HTTPS流量都显示为带有隧道的HTTP。在查看该问题时，我发现在文本视图中它说

Every time when changing the service I Reset All Certificates and/or Removed Interception Certificates. Also the key in AppData/Roaming/Microsoft/Crypt/RSA/{LONG_ID} is nowhere to be found (the folder is always empty). After browsing through forums, I followed some instructions and downloaded the Bouncy Castle Certificate Maker (the one suggested for Android) and that one created 2 root certificates and added them to Windows so they will be trusted. After doing so, all my HTTPS traffic looked like HTTP with tunneling. When looking into that issue, I found that in Text view it said

这是一个CONNECT隧道，加密的HTTPS流量通过该隧道流动。
Fiddler的HTTPS解密功能已启用，但此特定隧道已配置为不解密。可在工具>提琴选项> HTTPS中找到设置。

"This is a CONNECT tunnel, through which encrypted HTTPS traffic flows. Fiddler's HTTPS Decryption feature is enabled, but this specific tunnel was configured not to be decrypted. Settings can be found inside Tools > Fiddler Options > HTTPS."

并且记录器返回以下几项：

AND the logger returned a few of the following:

10：02：38：5419！证书缓存没有找到[server.com]的证书。返回null到线程＃30。___ 10：02：38：5419 fiddler.https>由于证书制作者在被要求提交时返回null，因此无法获得server.com的证书server.com的证书

"10:02:38:5419 !Certificate cache didn't find certificate for [server.com]. Returning null to thread #30. ___ 10:02:38:5419 fiddler.https> Failed to obtain certificate for server.com due to Certificate Maker returned null when asked for a certificate for server.com"

无法为server.com创建证书：无法完成请求的操作。必须信任计算机以进行委派和当前用户帐户必须配置为允许委派。

"Failed to create certificate for server.com: The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation."

在隧道连接的属性中，我找到了

In the properties of a tunneling connection, I found

X-HTTPS-DECRYPTION-ERROR：可能找不到或生成拦截证书。

"X-HTTPS-DECRYPTION-ERROR: Could not find or generate interception certificate."

你有什么解决方案吗？我真的很感激。谢谢！ ：）

Do you have any solutions for me? I'd really appreciate it. Thank you! :)

推荐答案

好吧，看起来最终它是一个Windows问题。
我的PC是公司Domain的一部分，即使我的用户是这台PC的管理员，也不是一切都功能齐全（例如我可以作为管理员运行任何没有问题的应用程序，但无法创建Root证书）。
我的同事在 Windows凭据管理器中找到了该问题，并使用以下注册条目（ .reg ）修复了该问题：

Well, it seems that in the end it was a Windows Issue. My PC is part of the company Domain and even though my user was an Administrator of this PC, not everything was fully functional (for example I could run as Administrator any app with no problem, but couldn't create a Root Certificate). The issue was found by my colleague in the Windows Credentials Manager and he fixed it with the following Registration Entry (.reg):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb]
"ProtectionPolicy"=dword:00000001

我希望这有助于有人避免在互联网上搜索数小时修复。

I hope this helps someone avoid hours of searching on the internet for a fix.

这篇关于Windows上的Fiddler 4证书错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！