
@AlainODea
Last active June 15, 2020 18:15
Allowing Microsoft Update through a transparent Squid TLS proxy

Using Squid and getting TAG_NONE on sls.update.microsoft.com and several other domains?

Root Cause

The problem is certificate related. These domains present certificates that chain to Microsoft Root Certificate Authority 2011, a root that is trusted by Windows but is not included in the public CA bundles that Linux systems, and therefore Squid, rely on.

Remedy

Install Microsoft Root Certificate Authority 2011 into the system trust store. Caveat: that root is then trusted system-wide, for any certificate it issues to any domain, not only for the Microsoft Update domains you are trying to fix.

The included script, squid_allow_windows_updates.sh, downloads the CA certificate from Microsoft and adds it to your trust store on Amazon Linux 2 / CentOS 6+ / RHEL 6+.

Complete solution?

A complete Amazon Linux 2 build, a Squid web proxy together with a SASL-authenticated Postfix relay (Implicit TLS for SMTP Submission) to Amazon SES, built with Packer and Terraform, is documented as Squid and Postfix SES Relay.

squid_allow_windows_updates.sh:

#!/bin/bash
# Allow Windows Updates through the proxy by trusting Microsoft Root Certificate
# Authority 2011, which Windows trusts but public CA bundles do not.
set -euo pipefail
tmp_cert=$(mktemp)
# -f makes curl fail on an HTTP error instead of saving an error page as the "certificate"
curl -fsSL 'http://go.microsoft.com/fwlink/?linkid=747875&clcid=0x409' -o "$tmp_cert"
# The download is DER-encoded. Refuse to install anything that is not an X.509 certificate,
# and show the subject and SHA-256 fingerprint so they can be compared with Microsoft's published values
openssl x509 -inform DER -in "$tmp_cert" -noout -subject -fingerprint -sha256
sudo mv "$tmp_cert" '/etc/pki/ca-trust/source/anchors/Microsoft_Root_Certificate_Authority_2011.cer'
sudo update-ca-trust enable
sudo update-ca-trust extract