Fixing WSL Certificates

When working for a client, I am typically supplied with either a VM or a laptop for work. Windows is the operating system I get to use on these. With Posit Workbench IDE being available, I haven't bothered to set up or personalize the development environment on Windows itself. However, yesterday, I decided to give it a go and install WSL on one such VM.

The Issues

I have my dotfiles based on Homebrew. Knowing Homebrew can be installed on Linux, I hoped for a quick win in terms of the setup.

The hope quickly faded... as the install command failed. curl complained about a self-signed certificate.

I have a vague idea of how certificates are handled in corporations. My suspicion was that WSL doesn't see a corporation's root certificate that's most likely installed on its host Windows.

I asked around and a couple of people confirmed that this might be the case. And so the quest to find the certificate began.

The Quest

Arek suggested using a Windows GUI tool to export the certificate. I tried. I failed. I got defeated. By the GUI. I didn't know which certificate to export—there were so many of them! On top of that, the export wizard didn't provide an option to export the keys with a .pem extension (and presumably the right format).

Luckily, someone has written a PowerShell script to dump every certificate installed on Windows into a directory. It worked like a charm!

The Fix

  1. Run the script in PowerShell. This will create an all-certificates directory
  2. Open WSL
  3. Back up current certificates: sudo mv /etc/ssl/certs /etc/ssl/certs_bak
  4. Add a symlink from all-certificates to /etc/ssl/certs [1]
  5. Run update-ca-certificates

This should fix the issue! You can test if curl works—hopefully it does! 🤞
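
The dump from step 1 contains every certificate in the Windows stores, so it helps to see what is in it before pointing /etc/ssl/certs at it. This added example (not part of the original post or of the PowerShell script) lists each exported file as root or issued, valid or expired; it assumes the openssl CLI is installed in WSL, and the function names are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example: inventory a directory of exported certificates before
# trusting it. Assumes the openssl CLI is available and that the dump
# holds PEM files; function names here are hypothetical.

# Print one tab-separated line per file: KIND, STATUS, subject, file name.
#   KIND    root       = subject equals issuer (self-issued, as a root CA is)
#           issued     = signed by some other CA (intermediate or leaf)
#           unreadable = openssl could not parse it as a PEM certificate
#   STATUS  valid / expired, from `openssl x509 -checkend 0`
list_exported_certs() {
    local dir="$1" f subject issuer kind status
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if ! subject=$(openssl x509 -in "$f" -noout -subject 2>/dev/null); then
            printf 'unreadable\t-\t-\t%s\n' "${f##*/}"
            continue
        fi
        issuer=$(openssl x509 -in "$f" -noout -issuer 2>/dev/null)
        subject=${subject#subject=}
        issuer=${issuer#issuer=}
        if [ "$subject" = "$issuer" ]; then kind=root; else kind=issued; fi
        # -checkend 0 exits non-zero when the certificate has already expired.
        if openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            status=valid
        else
            status=expired
        fi
        printf '%s\t%s\t%s\t%s\n' "$kind" "$status" "${subject# }" "${f##*/}"
    done
}

# Count the entries of one KIND, e.g. how many roots the dump would add.
count_kind() {
    list_exported_certs "$1" |
        awk -F'\t' -v k="$2" '$1 == k { n++ } END { print n + 0 }'
}

# Usage in WSL (path taken from the footnote; adjust to your user):
#   list_exported_certs /mnt/c/Users/Tymek/all-certificates | sort
```

Lines marked root and valid are the candidates for the corporate root certificate; expired and unreadable entries add nothing to curl's trust decisions.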

Footnotes

  1. Windows files should be available under /mnt. In my case the symlink command was: sudo ln -s /mnt/c/Users/Tymek/all-certificates /etc/ssl/certs