v18 SSL Certificates Issues
#1
Hi there,

Since early April there seems to have been a change with regard to SSL certificates which has prevented my self-signed certificates from working when using the Emby addon and when connecting to my local music library over an FTPS server as a traditional source through Kodi. I paid for a certificate which allowed the Emby addon to start working, however I don't use it for my music since I've never successfully managed to get it to scan in my music library without crashing, so I use a Filezilla server I run locally for my music, so that I can use Kodi on the go outside of my local network.

I cannot however get even the legit certificate from a CA to work with Kodi, none of the media will play on the FTPS source and I cannot even add/browse the source in the file manager. I noticed in the log this entry which I was able to resolve with the emby content, however not the FTPS source:

17:44:24.596 T:6040   ERROR: CCurlFile::FillBuffer - Failed: Peer certificate cannot be authenticated with given CA certificates(60)

I have had to resort to using an old nightly where this still works. I'm assuming there have been some security changes with the certificates in the last month; I noticed something in relation to add-on repos but hadn't found anyone complaining about this specifically.

The build I am currently using that still supports my use case is 18.0-Alpha2 Git:20180330-d1aaa5ecce, I cannot recall the exact build where this stopped working though.

Any help on getting around this issue would be appreciated, I've attached a link to my log file.

Kodi Log Paste Bin

Cheers,
Reply
#2
you have to add your server cert to kodi's cert store: [install_dir]\system\certs\cacert.pem
Alternatively, you can provide your own Cert file, by setting the env var SSL_CERT_FILE
Reply
#3
awesome, I never had to do this previously.

Thanks for your help!
Reply
#4
there was no certificate verification previously, but from a security POV, SSL without cert verification is pretty much useless.
Reply
#5
(2018-05-15, 11:26)wsnipex Wrote: you have to add your server cert to kodi's cert store: [install_dir]\system\certs\cacert.pem
Alternatively, you can provide your own Cert file, by setting the env var SSL_CERT_FILE
I don't have that directory, should I create it? Where is the env var SSL_CERT_FILE set? Also, my cert file is a .crt, does that matter?
Reply
#6
(2018-05-15, 11:26)wsnipex Wrote: Alternatively, you can provide your own Cert file, by setting the env var SSL_CERT_FILE
What do you mean by that? Can you explain it for dummies? Because with CE/LE you cannot edit the cacert.pem ...

For the last 2 years my Kodi was delightfully connected with my NAS via webdavs; with current CoreELEC this problem "Peer certificate cannot be authenticated with given CA certificates(60)" appeared. The only thing I have is a boxcert.cer file from my fritzbox.

In my opinion the easiest way could be giving the user the feature to ignore "unsecure" connections for their own sources, like web browsers such as Chrome or FF do -> https://i.ytimg.com/vi/rK_nVJbO6o8/maxresdefault.jpg

Otherwise after the next update people without a certificate cannot connect to their NASs, ownClouds, Nextclouds... via webdavS or (s)ftp(s) anymore and cannot solve the problem or even don't know what's wrong at all.
Reply
#7
btw should be OS independent / Other
Reply
#8
It would be nice if a little primer on SSL/certificates and how they work in Kodi could be posted for all platforms on the wiki.

scott s.
.
maintainer of skin  Aeon MQ5 mods for post-Gotham Kodi releases:
Matrix see: Aeon MQ5 Mod Matrix release thread
Nexus see: Aeon MQ5 Mod Nexus release thread
Aeon MQ 5 skin and addon repo 11.1.0
Reply
#9
(2018-05-16, 00:54)scott967 Wrote: It would be nice if a little primer on SSL/certificates and how they work in Kodi could be posted for all platforms on the wiki.
I don't think many of us wiki editors have an understanding of this topic. I certainly don't, so the primer won't be coming from me. If you do, you may want to consider writing the primer.
My Signature
Links to : Official:Forum rules (wiki) | Official:Forum rules/Banned add-ons (wiki) | Debug Log (wiki)
Links to : HOW-TO:Create Music Library (wiki) | HOW-TO:Create_Video_Library (wiki)  ||  Artwork (wiki) | Basic controls (wiki) | Import-export library (wiki) | Movie sets (wiki) | Movie universe (wiki) | NFO files (wiki) | Quick start guide (wiki)
Reply
#10
(2018-05-15, 22:11)JohnPlayerSpecial Wrote: In my opinion the easiest way could be giving the user the feature to ignore "unsecure" connections for own sources like webbrowers like Chrome or FF do -> https://i.ytimg.com/vi/rK_nVJbO6o8/maxresdefault.jpg

The main point is that people without certificates should be able to continue using Kodi with their ftps/webdavs sources like before. So why not make it easy like above? An additional wiki/alternative way would be fine, but would also make things more complicated.
Reply
#11
if you use SSL, you also have a certificate. It doesn't work without one. In the age of Let's Encrypt it's trivial for everyone to get a free official cert.
If you still prefer self-signed, you have to do the extra step to configure your clients to trust your cert.
Reply
#12
Ok, I downloaded this boxcert.cer file from my fritzbox, I suppose this is my certificate. But what do you mean by extra steps? Can you give an explanation?
Reply
#13
I cannot give you detailed steps, since I don't know how coreelec handles it. You should ask them.

General steps: Add your Certificate to the SSL trust store. The trust store usually is either a single file containing all trusted Certificates or a directory containing a single file for each trusted cert.
On a normal linux distro it's usually the /etc/ssl/certs/ directory.
Reply
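The steps from posts #2 and #13 (add the server's cert to a cacert.pem-style bundle, or to a bundle of your own pointed at by SSL_CERT_FILE), worked through as an added example that is not from the thread or from Kodi. It also covers the .crt/.cer question from posts #5 and #6 by converting a DER export to PEM before adding it. It assumes only the openssl CLI; every path and the hostname in the CN are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: build a private cacert.pem-style trust store
# and show a self-signed server cert failing verification until it is added.
# Assumes only the openssl CLI; every path and the CN are constructed placeholders.
set -eu

# Stand-in for the NAS/FTPS server: a self-signed cert (the kind CURL rejects
# with "Peer certificate cannot be authenticated" until the client trusts it).
make_server_cert() {   # $1 = output dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=nas.example.lan" \
    -keyout "$1/server.key" -out "$1/server.crt" >/dev/null 2>&1
}

# Routers and NAS boxes often export DER (.cer); bundles want PEM. The .crt/.cer
# extension itself is irrelevant, the encoding is what matters.
der_to_pem() {         # $1 = DER input, $2 = PEM output
  openssl x509 -inform DER -in "$1" -out "$2"
}

# Append a PEM cert to a bundle, skipping it if its SHA-256 fingerprint is
# already recorded. OpenSSL ignores non-PEM lines, so the fingerprint comment
# line is harmless (curl's cacert.pem carries similar comment lines).
add_to_bundle() {      # $1 = PEM cert, $2 = bundle file
  fp="$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)"
  if [ -f "$2" ] && grep -qF "$fp" "$2"; then
    return 0
  fi
  { printf '# %s\n' "$fp"; openssl x509 -in "$1" -outform PEM; } >> "$2"
}

# What a client does on connect: chain the server cert to something in the store.
verify_against() {     # $1 = server cert, $2 = bundle; exit 0 only if trusted
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# End-to-end run; returns 0 only if every step behaves as described.
demo() {
  WORK="$(mktemp -d)"
  BUNDLE="$WORK/cacert.pem"
  : > "$BUNDLE"                                   # empty trust store to start
  make_server_cert "$WORK"
  # emulate the router export: the same cert, but as DER boxcert.cer
  openssl x509 -in "$WORK/server.crt" -outform DER -out "$WORK/boxcert.cer"

  # untrusted: this is the state behind the error(60) in the first post
  verify_against "$WORK/server.crt" "$BUNDLE" && return 1

  der_to_pem "$WORK/boxcert.cer" "$WORK/boxcert.pem"
  add_to_bundle "$WORK/boxcert.pem" "$BUNDLE"
  add_to_bundle "$WORK/boxcert.pem" "$BUNDLE"     # repeat is a no-op
  verify_against "$WORK/server.crt" "$BUNDLE" || return 1
  [ "$(grep -c 'BEGIN CERTIFICATE' "$BUNDLE")" -eq 1 ] || return 1

  # point a curl-based client at the bundle instead of editing the built-in
  # one (the SSL_CERT_FILE route from post #2)
  echo "export SSL_CERT_FILE=$BUNDLE"
}

demo
```

On a distro with a directory-style store (post #13's /etc/ssl/certs/) the same PEM file is dropped into that directory instead of appended to a bundle; on a read-only system like CE/LE the env-var route is the one that avoids editing the built-in cacert.pem.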
#14
Is there a way without a trusted cert? If not: Can you initiate the option to use unsecured connections for own sources? Please keep in mind that Kodi is not usable anymore for people like me:

- You cannot edit files on /etc/ssl within CE/LE. So atm I don't know how to connect with my NAS on current kodi builds.
- My NAS does not offer to automatically pick up a Let's Encrypt cert, so I would have manual work each time.
- Why force users to do those laborious things since it's not necessary in this case?
Reply
#15
(2018-05-17, 20:34)JohnPlayerSpecial Wrote: - Why force users to do those laborious things since it's not necessary in this case?
Nobody is forcing you to use SSL, there are plenty of (better) alternatives (NFS, SMB, DAV/HTTP) for use on a LAN. If you don't trust your own LAN enough for unencrypted media sharing, you shouldn't use unverified SSL either.
Reply