On Thursday 18 October 2018 14:50,
Chris Woods <[email protected]> put forth the proposition:
> On Thu, 18 Oct 2018 08:35:05 +0100
> Az <[email protected]> wrote:
>
> > On Tuesday 9 October 2018 16:16,
> > Nick Lord <[email protected]> put forth the proposition:
> > > After a lengthy pause I've now installed get_iplayer 3.17 on my
> > > openSUSE Leap 42.3 system. Previously I was using 3.14. Now when
> > > attempting to download a programme I repeatedly get the message:
> > >
> > > ERROR: Response: 500 Can't connect to www.bbc.co.uk:443 (certificate
> > > verify failed)
> > >
> > > and the download fails. Trying to refresh the pvr cache brings a
> > > similar message:
> > >
> > > ERROR: Connection error: SSL connect attempt failed error:14090086:SSL
> > > routines:ssl3_get_server_certificate:certificate verify failed
> > >
> > > Can anyone tell me what I'm missing?
> >
> > I just got a bunch of these.
> >
> > ERROR: Response: 500 Can't connect to
> > vod-dash-uk-live.bbcfmt.hs.llnwd.net:443 (certificate verify failed)
> >
> > --
> > Az
> >
> > _______________________________________________
> > get_iplayer mailing list
> > [email protected]
> > http://lists.infradead.org/mailman/listinfo/get_iplayer
>
> Try
>
> openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect bbc.co.uk:443
>
> and
>
> openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect vod-dash-uk-live.bbcfmt.hs.llnwd.net:443
>
> You should ultimately see "Verify return code: 0 (ok)".

Both those return 0 (ok)

> export PERL_LWP_SSL_VERIFY_HOSTNAME=0
>
> However, this is widely regarded as a bad move - any subsequent connection
> will never actually be verified as safe until that env variable is reset.

The files did actually download after those warnings, so I'm not too upset. I
may temporarily set that if it gets too noisy, then unset it after.

> I use CentOS. Using the curl.haxx.se PEM CA bundle (in combination with the
> Fedora/RHEL/CentOS update-ca-trust tool) I verified TLS connections to both
> that VOD endpoint and the main bbc.co.uk site OK.
>
> I don't use GiP on Linux though so can't check atm - and OpenSUSE's method
> for updating certs (and where they're stored in the filesystem) will differ
> from CentOS.
>
> If you haven't already got it installed, try installing
> ca-certificates-mozilla:
> # zypper install ca-certificates-mozilla
>
>
> If that doesn't work, you'll need to set about manually updating the CA
> bundle.
> I usually recommend the curl.haxx.se bundle -
> https://curl.haxx.se/docs/sslcerts.html
>
> I don't use OpenSUSE Leap, but there's plenty of discussions about CA bundle
> location, update method etc...
>
> https://forums.opensuse.org/showthread.php/530383-Looking-for-ca-certificates-crt-file-where-is-it
> https://blog.hqcodeshop.fi/archives/157-Installing-own-CA-root-certificate-into-openSUSE.html
> https://www.reddit.com/r/openSUSE/comments/498efy/updating_root_certificates/
> https://github.com/openSUSE/ca-certificates (README in /usr/share/doc/packages/ca-certificates/)
> https://forums.suse.com/showthread.php?9465-How-to-install-a-SSL-certificate&p=38033#post38033
>
> CA bundles are a pain but important to get right. Easy to get yourself tied
> up in knots, so if you make any changes back up the entire /etc/pki/tls
> folder tree (/etc/ssl/certs is a symlink). Don't overwrite or delete CA files
> before you do this.
>
> Be mindful of symlinks and recreate them where necessary (ls -a to see them.)
> Usually they're there for legacy purposes, certain files may be referenced by
> specific apps/libraries, and certs are sometimes not 'picked up' unless they
> go in certain anchor folders, etc.
>
>
> If you use update-ca-certificates (recommended I think!) try starting by
> grabbing the latest CA bundle, putting it into the right folder and let the
> system do its thing.

I haven't done this manually for some years. I do have a daily cron job for
expiration checks, which came with the package. I'll run the update command
before I download anything else.

> glhf,
> Chris

Thanks

--
Az
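An added example, not part of the thread or of get_iplayer: a small POSIX shell wrapper around the `openssl s_client` check quoted above that reports the verify return code per host and per CA bundle, so the bundle that fails can be identified rather than switching verification off. The function names and the bundle paths passed as arguments are assumptions; `openssl` must be on the PATH for live probes.

```shell
#!/bin/sh
# Added example. Usage (hypothetical script name):
#   sh tlsprobe.sh HOST BUNDLE [BUNDLE...]

# Read s_client output on stdin and print the numeric verify return code.
# Prints "none" when no such line exists (e.g. the connection itself failed).
verify_code() {
    awk '/Verify return code:/ { code = $4 }
         END { print (code == "" ? "none" : code) }'
}

# Short meaning for the codes that usually indicate a trust-store problem.
explain_code() {
    case "$1" in
        0)    echo "ok" ;;
        10)   echo "certificate expired" ;;
        18)   echo "self-signed certificate" ;;
        19)   echo "self-signed certificate in chain" ;;
        20)   echo "issuer not in this bundle" ;;
        21)   echo "cannot verify leaf certificate" ;;
        none) echo "no TLS handshake result" ;;
        *)    echo "see the openssl verify man page" ;;
    esac
}

# Probe host ($1) against every bundle file named in the remaining arguments.
probe() {
    host=$1; shift
    for bundle in "$@"; do
        if [ ! -r "$bundle" ]; then
            echo "$host $bundle: bundle not readable"
            continue
        fi
        # -servername sends SNI so CDN endpoints return the right certificate.
        code=$(openssl s_client -CAfile "$bundle" -servername "$host" \
                   -connect "$host:443" </dev/null 2>/dev/null | verify_code)
        echo "$host $bundle: $code ($(explain_code "$code"))"
    done
}

# Only touch the network when a host and at least one bundle are given.
if [ "$#" -ge 2 ]; then
    probe "$@"
fi
```

A bundle that returns 0 here can be handed to LWP for a single run through the `PERL_LWP_SSL_CA_FILE` environment variable, which leaves hostname verification on.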

