SOLVED: kodi.tv https certificate expired
#1
I'm sure someone already knows, and maybe it's not the highest agenda item to worry about - but, just in case it's gone unnoticed... the kodi.tv certificate expired a few weeks ago, so https connections are complaining:

Code:
Issued To

Common Name (CN)    www.kodi.tv
Organisation (O)    <Not Part Of Certificate>
Organisational Unit (OU)    Domain Control Validated
Serial Number    11:21:A8:1D:8A:07:26:A3:8B:80:97:86:CA:28:4A:D3:82:67

Issued By

Common Name (CN)    GlobalSign Domain Validation CA - SHA256 - G2
Organisation (O)    GlobalSign nv-sa
Organisational Unit (OU)    <Not Part Of Certificate>

Validity Period

Issued On    Monday, 16 February 2015 at 13:02:41
Expires On    Wednesday, 17 February 2016 at 13:02:41

I thought I heard somewhere that kodi.tv was moving to a self-signed or self-generated cert (letsencrypt.org?), but couldn't find a thread about it so thought I'd post. All I could really find is this thread, so I'm presuming that the free cert that Kib mentioned there has expired and renewing is just easier said than done. Unless the dead rat server is still in use, and everyone is relaxing without the overhead, of course :)

Cheers...
Reply
#2
we've switched to using a cloudflare certificate last month.

not sure why you're stuck with an old certificate.
Do not PM or e-mail Team-Kodi members directly asking for support.
Always read the Forum rules, Kodi online-manual, FAQ, Help and Search the forum before posting.
Reply
#3
Hmmm - let me clear and see what happens, as a different system confirms that the Comodo cert is valid. I will take it personally, of course, the Internet was meant for that :0)

At least there's a record if someone else is getting the same. Thanks for the response.
Reply
#4
Interesting - I can't get it to load the new cert on Chrome (Ubuntu 14.04), which is my preferred browser - but nor do I get the new cert if I try Firefox on the same platform, which I've never used to access kodi.tv before (to my knowledge). That suggests that either the certificate is cached at an OS level, or your web server is still dishing out the old one under certain circumstances - could it be cached in the CDN or similar?

IE on Win7 and Chrome on Win10 work fine and get the new certificate. More digging required...
Reply
#5
So, it's nothing to do with the browsers...

Code:
prompt:~$ openssl s_client -showcerts -connect kodi.tv:443
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=US/OU=Domain Control Validated/CN=www.kodi.tv
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
<cut>
    Start Time: 1458130782
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---


... which is the old certificate still ...

Interestingly, if I change the certificate path to use the system-wide credentials vs the user-specific ones, it still gets the old cert, although now recognises that it's expired versus simply complaining that it's self-signed:

Code:
prompt:~$ openssl s_client -connect kodi.tv:443 -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Domain Validation CA - SHA256 - G2
verify return:1
depth=0 C = US, OU = Domain Control Validated, CN = www.kodi.tv
verify error:num=10:certificate has expired
notAfter=Feb 17 13:02:41 2016 GMT
verify return:1
depth=0 C = US, OU = Domain Control Validated, CN = www.kodi.tv
notAfter=Feb 17 13:02:41 2016 GMT
verify return:1
---
Certificate chain
0 s:/C=US/OU=Domain Control Validated/CN=www.kodi.tv
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
2 s:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
<cut>
    Start Time: 1458131064
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)

... but I've already exceeded my web server/SSL knowledge here ...!
Reply
#6
Final thought before I find a different system to try...

Code:
prompt:~$ echo | openssl s_client -connect kodi.tv:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates
issuer= /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
subject= /C=US/OU=Domain Control Validated/CN=www.kodi.tv
notBefore=Feb 16 13:02:41 2015 GMT
notAfter=Feb 17 13:02:41 2016 GMT

So it's resolutely being cached somewhere...
Reply
#7
... but a 'buntu VM on a different box gives me this:

Code:
prompt$ echo | openssl s_client -connect kodi.tv:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2
subject= /OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=ssl379254.cloudflaressl.com
notBefore=Feb 17 00:00:00 2016 GMT
notAfter=Aug 21 23:59:59 2016 GMT

... which is correct. So that suggests it's my main Linux PC that's at fault in some way. Very odd.
Reply
#8
I can't wholly explain this, but...

I was using Google's DNS servers, and I switched (unrelated reasons) to OpenDNS. Problem solved.

I suspect that either Google is returning an old IP address for kodi.tv - which may still be live, but for which the certificate isn't valid - or else I had a local cached address that was surviving reboots and restarts. The latter seems unlikely, but is more unlikely than Google having the wrong addresses...

Anyway, that was the result for me. I leave this here in case it ever helps anyone else, as this isn't the first time I've had odd behaviour from Google DNS.
Reply
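
An added example, not part of any post in this thread: one way to run the check the thread converges on, asking each DNS resolver for the host's addresses and then fetching the certificate served at each address. The function names are made up for this sketch, and it assumes `dig`, `openssl` and GNU `date` are installed.

```shell
#!/bin/sh
# Added example: show which certificate each resolver's answer leads to.
# Assumes dig, openssl and GNU date are installed; function names are illustrative.

# Print issuer, subject and validity dates of the certificate served at IP for HOST.
# -servername sends SNI explicitly; s_client before OpenSSL 1.1.1 sends none by
# default, and a shared front end may then answer with a different certificate.
cert_at() {  # usage: cert_at IP HOST
    echo | openssl s_client -connect "$1:443" -servername "$2" 2>/dev/null |
        openssl x509 -noout -issuer -subject -dates 2>/dev/null
}

# Read `openssl x509 -noout -dates` output on stdin and print "expired" or "valid"
# as of NOW (epoch seconds, default: the current time); "no-cert" if none was read.
cert_status() {  # usage: cert_status [NOW] < x509-output
    cs_now=${1:-$(date +%s)}
    cs_end=$(sed -n 's/^notAfter=//p' | head -n 1)
    if [ -z "$cs_end" ]; then echo no-cert; return 1; fi
    if [ "$(date -u -d "$cs_end" +%s)" -lt "$cs_now" ]; then
        echo expired
    else
        echo valid
    fi
}

# For every A record each resolver returns, report the certificate found there.
compare_resolvers() {  # usage: compare_resolvers HOST RESOLVER...
    cr_host=$1; shift
    for cr_resolver in "$@"; do
        for cr_ip in $(dig +short A "$cr_host" "@$cr_resolver" | grep -E '^[0-9.]+$'); do
            cr_info=$(cert_at "$cr_ip" "$cr_host") || true
            printf '%s -> %s: %s\n%s\n\n' "$cr_resolver" "$cr_ip" \
                "$(printf '%s\n' "$cr_info" | cert_status)" "$cr_info"
        done
    done
}

# Runs only when arguments are given, for example Google Public DNS and OpenDNS:
#   sh certcheck.sh kodi.tv 8.8.8.8 208.67.222.222
if [ "$#" -gt 0 ]; then compare_resolvers "$@"; fi
```

If two resolvers return different addresses and only one of them serves the expired certificate, the stale DNS answer is the cause rather than the browser or the local trust store.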
