On 18 October 2018 15:27:43 Az <[email protected]> wrote:
On Thursday 18 October 2018 14:50,
Chris Woods <[email protected]> put forth the proposition:
On Thu, 18 Oct 2018 08:35:05 +0100
Az <[email protected]> wrote:
> On Tuesday 9 October 2018 16:16,
> Nick Lord <[email protected]> put forth the proposition:
> > After a lengthy pause I've now installed get_iplayer 3.17 on my
> > openSUSE Leap 42.3 system. Previously I was using 3.14. Now when
> > attempting to download a programme I repeatedly get the message:
> >
> > ERROR: Response: 500 Can't connect to www.bbc.co.uk:443 (certificate
> > verify failed)
> >
> > and the download fails. Trying to refresh the pvr cache brings a
> > similar message:
> >
> > ERROR: Connection error: SSL connect attempt failed error:14090086:SSL
> > routines:ssl3_get_server_certificate:certificate verify failed
> >
> > Can anyone tell me what I'm missing?
>
> I just got a bunch of these.
>
> ERROR: Response: 500 Can't connect to
> vod-dash-uk-live.bbcfmt.hs.llnwd.net:443 (certificate verify failed)
>
> --
> Az
>
> _______________________________________________
> get_iplayer mailing list
> [email protected]
> http://lists.infradead.org/mailman/listinfo/get_iplayer
Try
openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect bbc.co.uk:443
and
openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect vod-dash-uk-live.bbcfmt.hs.llnwd.net:443
You should ultimately see "Verify return code: 0 (ok)".
Both those return 0 (ok)
export PERL_LWP_SSL_VERIFY_HOSTNAME=0
However, this is widely regarded as a bad move - any subsequent connection
will never actually be verified as safe until that env variable is reset.
The files did actually download after those warnings, so I'm not too
upset. I may temporarily set that if it gets too noisy, then unset it
after.
I use CentOS. Using the curl.haxx.se PEM CA bundle (in combination with the
Fedora/RHEL/CentOS update-ca-trust tool) I verified TLS connections to both
that VOD endpoint and the main bbc.co.uk site OK.
I don't use GiP on Linux though so can't check atm - and OpenSUSE's method
for updating certs (and where they're stored in the filesystem) will differ
from CentOS.
If you haven't already got it installed, try installing
ca-certificates-mozilla:
# zypper install ca-certificates-mozilla
If that doesn't work, you'll need to set about manually updating the CA bundle.
I usually recommend the curl.haxx.se bundle -
https://curl.haxx.se/docs/sslcerts.html
I don't use OpenSUSE Leap, but there's plenty of discussions about CA
bundle location, update method etc...
https://forums.opensuse.org/showthread.php/530383-Looking-for-ca-certificates-crt-file-where-is-it
https://blog.hqcodeshop.fi/archives/157-Installing-own-CA-root-certificate-into-openSUSE.html
https://www.reddit.com/r/openSUSE/comments/498efy/updating_root_certificates/
https://github.com/openSUSE/ca-certificates (README in
/usr/share/doc/packages/ca-certificates/)
https://forums.suse.com/showthread.php?9465-How-to-install-a-SSL-certificate&p=38033#post38033
CA bundles are a pain but important to get right. Easy to get yourself tied
up in knots, so if you make any changes back up the entire /etc/pki/tls
folder tree (/etc/ssl/certs is a symlink). Don't overwrite or delete CA
files before you do this.
Be mindful of symlinks and recreate them where necessary (ls -a to see
them.) Usually they're there for legacy purposes, certain files may be
referenced by specific apps/libraries, and certs are sometimes not 'picked
up' unless they go in certain anchor folders, etc.
If you use update-ca-certificates (recommended I think!) try starting by
grabbing the latest CA bundle, putting it into the right folder and let the
system do its thing.
I haven't done this manually for some years. I do have a daily
cron job for expiration checks, which came with the package.
I'll run the update command before I download anything else.
glhf,
Chris
Thanks
--
Az
Excellent. Apologies if you're already familiar with the ins and outs, no
intention to condescend. I like that it continues fine after whingeing :-)
(I really should spin up an openSUSE box...)
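
Added example, not part of any message in this thread: a small shell wrapper around the `openssl s_client` check suggested above, which extracts the "Verify return code" line and says what the code means for the CA bundle. The `CA_FILE` default and the host arguments are the values quoted in the thread; the function names, the `-servername` option and the sample output are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): report the s_client verify code per host.
# Default bundle path is the one quoted in the thread; override with CA_FILE=...
CA_FILE=${CA_FILE:-/etc/ssl/certs/ca-certificates.crt}

# Read s_client output on stdin and print the numeric verify return code.
# TLS 1.3 sessions can print the line more than once, so keep the last one.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1
}

# Turn a code into a hint. Only a few common codes are covered.
explain_code() {
    case "$1" in
        0)     echo "ok: chain verified against the bundle" ;;
        10)    echo "certificate has expired" ;;
        18|19) echo "self-signed certificate: root is not in the bundle" ;;
        20|21) echo "issuer not found: CA bundle missing or out of date" ;;
        "")    echo "no verify line: connection failed before the handshake" ;;
        *)     echo "code $1: see the OpenSSL verify documentation" ;;
    esac
}

# Connect to host:port, verifying against CA_FILE, and print one line per host.
# -servername sends SNI, which older OpenSSL releases do not send by default.
check_host() {
    host=$1
    out=$(openssl s_client -CAfile "$CA_FILE" -servername "${host%:*}" \
              -connect "$host" </dev/null 2>/dev/null) || true
    code=$(printf '%s\n' "$out" | verify_code)
    printf '%-45s %s\n' "$host" "$(explain_code "$code")"
}

# Constructed sample of the tail of s_client output when the bundle is stale.
SAMPLE_FAIL='    Start Time: 1539850000
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)'

if [ "$#" -gt 0 ]; then
    for h in "$@"; do check_host "$h"; done   # live check, needs network
else
    explain_code "$(printf '%s\n' "$SAMPLE_FAIL" | verify_code)"  # offline demo
fi
```

Run it with the two hosts from the thread as arguments (for example `bbc.co.uk:443`) before and after updating the CA bundle to confirm the update fixed verification.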