On Thu, 2018-10-18 at 16:15 +0100, Christopher Woods wrote:
> 
> On 18 October 2018 15:27:43 Az <[email protected]> wrote:
> 
> > On Thursday 18 October 2018 14:50,
> > Chris Woods <[email protected]> put forth the
> > proposition:
> > > On Thu, 18 Oct 2018 08:35:05 +0100
> > > Az <[email protected]> wrote:
> > > 
> > > > On Tuesday 9 October 2018 16:16,
> > > > Nick Lord <[email protected]> put forth the proposition:
> > > > > After a lengthy pause I've now installed get_iplayer 3.17 on my
> > > > > openSUSE Leap 42.3 system. Previously I was using 3.14. Now when
> > > > > attempting to download a programme I repeatedly get the message:
> > > > > 
> > > > > ERROR: Response: 500 Can't connect to www.bbc.co.uk:443 (certificate verify failed)
> > > > > 
> > > > > and the download fails. Trying to refresh the pvr cache brings a
> > > > > similar message:
> > > > > 
> > > > > ERROR: Connection error: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
> > > > > 
> > > > > Can anyone tell me what I'm missing?
> > > > 
> > > > I just got a bunch of these.
> > > > 
> > > > ERROR: Response: 500 Can't connect to vod-dash-uk-live.bbcfmt.hs.llnwd.net:443 (certificate verify failed)
> > > > 
> > > > --
> > > > Az
> > > > 
> > > > _______________________________________________
> > > > get_iplayer mailing list
> > > > [email protected]
> > > > http://lists.infradead.org/mailman/listinfo/get_iplayer
> > > 
> > > Try
> > > 
> > > openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect bbc.co.uk:443
> > > 
> > > and
> > > 
> > > openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect vod-dash-uk-live.bbcfmt.hs.llnwd.net:443
> > > 
> > > You should ultimately see "Verify return code: 0 (ok)".
> > 
> > Both those return 0 (ok)
> > 
> > > export PERL_LWP_SSL_VERIFY_HOSTNAME=0
> > > 
> > > However, this is widely regarded as a bad move - any subsequent
> > > connection will never actually be verified as safe until that env
> > > variable is reset.
> > 
> > The files did actually download after those warnings, so I'm not too
> > upset. I may temporarily set that if it gets too noisy, then unset it
> > after.
> > 
> > > I use CentOS. Using the curl.haxx.se PEM CA bundle (in combination
> > > with the Fedora/RHEL/CentOS update-ca-trust tool) I verified TLS
> > > connections to both that VOD endpoint and the main bbc.co.uk site OK.
> > > 
> > > I don't use GiP on Linux though so can't check atm - and OpenSUSE's
> > > method for updating certs (and where they're stored in the
> > > filesystem) will differ from CentOS.
> > > 
> > > If you haven't already got it installed, try installing 
> > > ca-certificates-mozilla:
> > > # zypper install ca-certificates-mozilla
> > > 
> > > 
> > > If that doesn't work, you'll need to set about manually updating
> > > the CA bundle.
> > > I usually recommend the curl.haxx.se bundle - 
> > > https://curl.haxx.se/docs/sslcerts.html
> > > 
> > > I don't use OpenSUSE Leap, but there are plenty of discussions about
> > > CA bundle location, update method etc...
> > > 
> > > https://forums.opensuse.org/showthread.php/530383-Looking-for-ca-certificates-crt-file-where-is-it
> > > https://blog.hqcodeshop.fi/archives/157-Installing-own-CA-root-certificate-into-openSUSE.html
> > > https://www.reddit.com/r/openSUSE/comments/498efy/updating_root_certificates/
> > > https://github.com/openSUSE/ca-certificates (README in /usr/share/doc/packages/ca-certificates/)
> > > https://forums.suse.com/showthread.php?9465-How-to-install-a-SSL-certificate&p=38033#post38033
> > > 
> > > CA bundles are a pain but important to get right. Easy to get
> > > yourself tied up in knots, so if you make any changes back up the
> > > entire /etc/pki/tls folder tree (/etc/ssl/certs is a symlink). Don't
> > > overwrite or delete CA files before you do this.
> > > 
> > > Be mindful of symlinks and recreate them where necessary (ls -a to
> > > see them.) Usually they're there for legacy purposes, certain files
> > > may be referenced by specific apps/libraries, and certs are sometimes
> > > not 'picked up' unless they go in certain anchor folders, etc.
> > > 
> > > 
> > > If you use update-ca-certificates (recommended I think!) try
> > > starting by grabbing the latest CA bundle, putting it into the right
> > > folder and letting the system do its thing.
> > 
> > I haven't done this manually for some years. I do have a daily cron
> > job for expiration checks, which came with the package.
> > 
> > I'll run the update command before I download anything else.
> > 
> > > glhf,
> > > Chris
> > 
> > Thanks
> > 
> > --
> > Az
> > 
> 
> Excellent. Apologies if you're already familiar with the ins and outs,
> no intention to condescend. I like that it continues fine after
> whingeing :-)
> 
> (I really should spin up an openSUSE box...)
> 
> 
> 

Thanks for all the help. I had checked that I had ca-certificates
installed on my openSUSE 42.3 system. What I had initially missed
however, was that the latest version supplied in the official 42.3
repository was about 3 years out of date. I installed the version in
the Tumbleweed repository and now everything's fine. So be careful when
spinning up an openSUSE box ...

Best regards,
Nick
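An added example, not part of the thread and not get_iplayer's own code: a POSIX shell script that builds a throwaway PKI with the openssl CLI and reproduces both outcomes discussed above, offline. Verifying the server certificate against a bundle that lacks its issuing root fails with "unable to get local issuer certificate" (the stale ca-certificates situation Nick describes), and succeeds once the new root is appended to the bundle. It also runs openssl's host-name check as a separate step, which is the kind of check PERL_LWP_SSL_VERIFY_HOSTNAME refers to on the Perl side: a chain can verify while the name still does not match, and vice versa. The only assumption is that `openssl` (1.1.0 or later, for `-verify_hostname`) is on PATH; the host names, file names and working directory are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from get_iplayer): reproduce a
# "certificate verify failed" caused by a stale CA bundle, using a
# throwaway PKI so nothing touches the network or the system trust store.
# Assumes only that the 'openssl' CLI (1.1.0+) is on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # scratch directory (assumption)
LEAF_HOST="vod.example.test"      # constructed name standing in for the CDN host

write_config() {
  # Minimal config so the example does not depend on the system openssl.cnf.
  cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = unused
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$LEAF_HOST
EOF
}

# make_root NAME: self-signed root CA certificate and key.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -config "$WORK/openssl.cnf" -extensions ca_ext \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf ROOTNAME: server certificate for $LEAF_HOST issued by that root.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -subj "/CN=$LEAF_HOST" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 825 -in "$WORK/leaf.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions leaf_ext \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_chain BUNDLE CERT: chain building only, the same check that
# produces s_client's "Verify return code". Exit status 0 only on OK.
verify_chain() {
  if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
    echo "$out"
    return 0
  fi
  echo "$out"
  return 1
}

# verify_host BUNDLE HOSTNAME CERT: chain check plus host-name check
# against the certificate's subjectAltName.
verify_host() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1
}

write_config
make_root old-root
make_root new-root
make_leaf new-root

# "Stale bundle": an out-of-date ca-certificates package that predates the
# root the CDN's certificate now chains to.
cp "$WORK/old-root.pem" "$WORK/stale-bundle.pem"
# "Updated bundle": the same bundle after the new root has been shipped.
cat "$WORK/old-root.pem" "$WORK/new-root.pem" > "$WORK/updated-bundle.pem"

echo "--- stale bundle (expect: unable to get local issuer certificate)"
verify_chain "$WORK/stale-bundle.pem" "$WORK/leaf.pem" || true
echo "--- updated bundle (expect: OK)"
verify_chain "$WORK/updated-bundle.pem" "$WORK/leaf.pem"
echo "--- updated bundle, wrong host name (chain OK, name rejected)"
verify_host "$WORK/updated-bundle.pem" "www.example.test" "$WORK/leaf.pem" \
  && echo "host name accepted" || echo "host name rejected"
```

Against a live host the thread's `openssl s_client -CAfile <bundle> -connect host:443` is the equivalent of the chain check here; if it reports anything other than "Verify return code: 0 (ok)" while a current bundle (for instance the curl.haxx.se one Chris mentions) passes, the installed ca-certificates package is the thing to update, not the verification setting.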
