5

I have an application which is making calls to Twitter and I need to inspect the traffic so that I can learn more about OAuth.

When I double-click the SSL traffic I get a yellow box which prompts me to go and change the options (by the way I am running my app through a proxy).

enter image description here

After having read about using a certificate on my machine which Fiddler creates, I have clicked the link to let Fiddler install certificates on my machine by following these instructions...

http://docs.telerik.com/fiddler/configure-fiddler/tasks/configurefiddlerforwin8

However instead of this happening...

enter image description here

I get this error message...

"unable to configure windows to trust Fiddler Root certificate" here is a screen shot....

enter image description here

When I checked the logs as suggested (although it is confusing as I thought the log was to do with each individual request), anyway I saw this...

enter image description here

I have even tried installing the certificate manually to no avail. Hope someone can help me get Fiddler/SSL decryption working with Windows 8! :-)

UPDATE: In response to the questions Eric asked in the answer below...

Hi Eric thanks for replying.

1) A box popped up saying 'Certificate Trust' this is the box I have taken a screen shot of above. It was the box that told me to check the log.

2) I have an account and when I check my users it says I am an Administrator underneath my username.

3) I have tried to run Fiddler as an Administrator to no avail.

I also tried to drag and drop the certificate manually into the certmgr.msc tool and it comes up with a little round cursor with a line through it. Sounds like permissions but I just can't see why as I have full everything....

1
  • Sounds like you might be running into the same issue as this guy, if you are running on a corporate Windows account. There is a policy setting that is blocking things. You may need to use the Bouncy Castle Cert Maker plugin as well. stackoverflow.com/questions/34672374/…
    – kingargyle
    Commented Apr 7, 2017 at 13:04

5 Answers 5

5

I finally found a way to work around cases where group policy tries to limit who you can trust.

Method 1

  1. Go into the Fiddler HTTPS options and export the root cert to your desktop.
  2. Open up mmc.exe and add in the certificate widgets for Local Computer.
  3. Import the Fiddler certificate into the Third-Party Root Certificate Store.
  4. Go ahead and use Fiddler and see it generate new certs and watch your system trust them.

importing cert into Local Computer Third-Party Root store

Method 2

Run afoul and bypass an intentional security control.

  1. reg delete HKLM\Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots /f
  2. Go back into Fiddler HTTP options, and toggle Decrypt HTTPS traffic off and on again. Press OK to install the cert in the usual way.
  3. Maybe run gpupdate /force to get your settings back to the way your admins intended.

For insight, the problem group policy settings may look something like this:

anti-cert import group policy

If you have any Flags value in your registry under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots, this lock-down is probably in effect.

@EricLaw - Are you up for maybe changing Fiddler to try to import into the third-party store by default? It seems like the "third-party store" may be less subject to lockdown.

This is the best write-up of the third-party store I've seen: http://kreelbits.blogspot.com/2014/02/whats-purpose-of-users-third-party-root.html

2
  • Not sure what you meant in the 4th step of method 1. Do I regenerate a cert in Fiddler and then import it into browsers/Windows again?
    – MasterJoe
    Commented Jan 27, 2017 at 21:43
  • 4th step was meant to be "now use Fiddler normally." Not another import action.
    – Gabe
    Commented Mar 31, 2017 at 17:23
4

I managed to solve a similar problem I was having (in windows 7) by following the instructions here: http://casualtechs.blogspot.com.au/2010/06/problem-when-trying-to-import.html (with the only difference being that we want to add the Fiddler certificate to "Trusted Root Certification Authorities -> Local Computer" instead of the "Trusted Publishers" that is mentioned on that site). My modified steps were:

  1. Obtain the Fiddler root certificate from the "fiddler options" -> "Https" -> "Export root certificate to desktop" menu
  2. Open the certificate (double click on it)
  3. Click on the Install certificate button
  4. Click the "Next" button
  5. Select "Place all certificates in the following store"
  6. Click the "Browse" button
  7. Tick the "Show physical stores" checkbox
  8. Expand the "Trusted Root Certification Authorities" folder
  9. Click "Local Computer"
  10. Click the "OK" button.
  11. Click the "Next" button, then click the "Finish" button

Basically the bit I was missing when trying to import the Fiddler Root certificate was to drill down into the "Local Computer" folder underneath the "Trusted Root Certification Authorities" folder. You will have to make sure that the "Show physical stores" checkbox is ticked as shown below:

Tick "Show physical stores"

2
  • Where is the "local computer" option you speak of? I don't see it in Windows certmgr.
    – MasterJoe
    Commented Jan 27, 2017 at 21:50
  • Choosing local computer is a separate step in the certmgr but I was selecting this option from the Install certificate wizard and not from certmgr. I have clarified my answer and added a screenshot.
    – cosjav
    Commented Jan 29, 2017 at 0:39
2

The error message in question indicates that your Per-User certificate store does not allow you to put certificates into it. Sometimes this happens if your Corporate Group Policy prevents end-users from trusting certificates. Sometimes it happens if your software configuration has been changed by 3rd party software (e.g. VPN or security clients). Sometimes it happens when there's a corrupt ACL somewhere.

Questions

  1. What dialog box immediately preceded the error message on the Log tab?
  2. Are you an admin on the box?
  3. If so, if you run Fiddler as Admin and try again does it succeed or fail?

Workarounds

If #3 doesn't work, click the Export root certificate to desktop button. Then launch certmgr.msc using Start > Run. Attempt to drag the certificate from your Desktop into the Trusted Root Certification Authorities folder. What, if any, error messages are shown?

5
  • Hi Eric, just to let you know I just uninstalled Windows 8 as it seemed to be the problem. Windows 7 now works with the decryption (I can see the data with sites that use http:). However now my .NET app throws this error... "The remote certificate is invalid according to the validation procedure." Any ideas?
    – Exitos
    Commented Feb 16, 2014 at 17:27
  • Typically, this means you haven't configured Windows to trust Fiddler's root certificate. You should implement the certificate validation callback and look at what errors the certificate supposedly contains.
    – EricLaw
    Commented Feb 17, 2014 at 23:03
  • I have also tried all of the suggestions above and have had no luck (on windows 7). The error message I get when attempting to manually import the certificate using certmgr is "The import failed because the store was read-only, the store was full or the store did not open correctly". Not sure why this is the case because I am an admin of the machine and there shouldn't be any restrictions. Any ideas?
    – cosjav
    Commented Jun 12, 2014 at 5:43
  • Managed to figure it out - I was trying to add the certificate to the "Trusted Root Certification Authorities" folder instead of the "Local Computer" folder within the "Trusted Root Certification Authorities" folder...
    – cosjav
    Commented Jun 12, 2014 at 7:34
  • I tried this. The fiddler cert does not appear in the trusted root ca list and there is no error message anywhere.
    – MasterJoe
    Commented Jan 27, 2017 at 21:47
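An added example, not code from any of the posts above: a read-only PowerShell audit covering the ProtectedRoots `Flags` policy value from the first answer, the stores the answers import into, and the chain errors a .NET client would report (the point of EricLaw's comment about the validation callback). The subject pattern `*DO_NOT_TRUST_FiddlerRoot*` and the exported file name `FiddlerRoot.cer` on the Desktop are assumptions; adjust them to your certificate.

```powershell
# Added example: read-only audit, changes nothing on the machine.
# Assumptions: the subject pattern and the exported file name/location below.
param(
    [string]$SubjectLike  = '*DO_NOT_TRUST_FiddlerRoot*',
    [string]$ExportedCert = "$env:USERPROFILE\Desktop\FiddlerRoot.cer"
)

# 1. Group Policy lock-down: bit names are CERT_PROT_ROOT_* from wincrypt.h.
$flagNames = @{
    0x01 = 'DISABLE_CURRENT_USER_FLAG'
    0x02 = 'INHIBIT_ADD_AT_INIT_FLAG'
    0x04 = 'INHIBIT_PURGE_LM_FLAG'
    0x08 = 'DISABLE_LM_AUTH_FLAG'
    0x10 = 'DISABLE_NT_AUTH_REQUIRED_FLAG'
}
$policyKey = 'HKLM:\Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots'
$flags = (Get-ItemProperty -Path $policyKey -Name Flags -ErrorAction SilentlyContinue).Flags
if ($null -eq $flags) {
    'ProtectedRoots policy: no Flags value present'
} else {
    'ProtectedRoots policy: Flags = 0x{0:X}' -f $flags
    $flagNames.Keys | Sort-Object | Where-Object { $flags -band $_ } |
        ForEach-Object { '  set: CERT_PROT_ROOT_{0}' -f $flagNames[$_] }
}

# 2. Which stores hold the proxy root. CurrentUser\Root is a merged view that
#    also shows machine-wide roots; AuthRoot is the "Third-Party" root store.
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot') {
    $hits = @(Get-ChildItem -Path $store | Where-Object { $_.Subject -like $SubjectLike })
    '{0}: {1} match(es)' -f $store, $hits.Count
    $hits | ForEach-Object { '  {0}  expires {1:yyyy-MM-dd}' -f $_.Thumbprint, $_.NotAfter }
}

# 3. What a .NET client will conclude: build a chain for the exported root.
if (Test-Path $ExportedCert) {
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ExportedCert
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # a private root has no CRL/OCSP
    'Chain builds as trusted: {0}' -f $chain.Build($cert)
    $chain.ChainStatus | ForEach-Object { '  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
} else {
    "No exported certificate at $ExportedCert; skipping chain check"
}
```

Any thumbprint listed in step 2 is a root the machine still trusts for TLS interception, so the same listing tells you what to remove once the debugging session is over.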
0

When configuring Telerik's Fiddler to handle HTTPS, I could not get the root certificate installed. The error was "Failed to find the root certificate in User Root List". I solved the problem by temporarily turning off WebRoot, my antivirus program, then reattempting to enable HTTPS handling which installs Fiddler's root certificate. You may have to click the Action button on the HTTPS tab to remove/reset previous certificates before being able to create a new certificate.

-1

I reset my certificates by Tool > Options > HTTPS > Action > Reset all certificates but it doesn't work.

This is how I fixed my problem

  • Restart service CryptSvc.
  • Right click HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
  • Permission > Current Windows Users > Full Access
  • Delete Full Key HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root
  • Restart Windows and that's it

Ref: https://www.addictivetips.com/windows-tips/fix-chrome-not-working-windows-10/
