SSL inspection bypass

Hello,
I have an issue with winget: it detects that the certificate is intercepted by the IPFire proxy. I have found the solution on a winget forum, “Adding a SSL inspection bypass for the msstore endpoint URL resolved this issue in my environment.”, but I don’t know how to do that with IPFire.
Can someone help me?

If you have not added anything, the proxy in IPFire doesn’t support SSL interception at all, and we don’t support this.


I have not added anything, but I have forced a redirection to the proxy in the firewall. Could it be that?

Hi @nappert

Welcome to the IPFire community.

If something is trying to intercept SSL traffic, it is not IPFire. It will pass all https traffic straight on, and that also applies to the proxy.

I think you need to show us the actual error message you got. I presume this message was shown in your browser.

Is the forced redirection to the web proxy done by firewall rules or by some other means?

Hi @bonnietwin and thank you :grinning:
The message came from the app winget, so not from a browser: The server certificate did not match any of the expected values

The redirection is done by firewall rules: wiki.ipfire.org - Force clients to use IPFire DNS Server

When you say server certificate, do you mean the IPFire web browser certificate or a certificate that comes from winget?

I did some searching on winget because I had no idea what it was.

I found this error message mentioned in an issue report on the winget-cli GitHub repository.

Failed when searching source: msstore
An unexpected error occurred while executing the command:
0x8a15005e : The server certificate did not match any of the expected values.

Is this the error you had? If yes, then this appears to be related to an issue with the Microsoft certificate not being accepted by Microsoft after something changed with the certificate.

The GitHub issue link is

https://github.com/microsoft/winget-cli/issues/3109

The issue was raised 6 days ago and is still open at the moment. The issue has been classified as a bug in winget on the GitHub site.

If that is the same error as you are experiencing, then bypassing the IPFire proxy won’t help, as the certificate details for the https traffic from your winget application will be the same whether the traffic goes directly or via the IPFire proxy.

Thank you for your research. I have this problem, but when I use my phone winget works fine. On the same forum someone has found a solution by adding an SSL bypass: "0x8a15005e : The server certificate did not match any of the expected values." when trying to search on msstore with winget 1.4 · Issue #2879 · microsoft/winget-cli · GitHub

I am presuming you mean this comment

https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1405431275

That cannot apply here. That poster's problem is that their Palo Alto firewall has been set up to decrypt and re-encrypt all HTTPS traffic, therefore acting as a MITM (Man In The Middle). This is what @arne_f mentioned does not happen in IPFire. Therefore there is no SSL interception to be bypassed.

If you disable your forced redirection and turn off the web proxy and then try using the winget command, does that work successfully?

When you say that winget works with your phone, is that via the same forced redirection, and if yes, are you sure that the phone has actually used that redirection?

When I use my phone I do not use IPFire anymore, so I disable all proxy settings. OK, I will try without the forced redirection and proxy. It’s not possible for the moment, but I will do it tomorrow morning.

I have finally found a solution by using another way to connect to the internet: I upgraded winget, and after going back to the network with IPFire, winget works fine now. Maybe an issue with the certificate.

Thank you for your help :slight_smile:
