Hi Bengt,

I omitted a lot of your message, but I hope I have the easy explanation
you’re looking for.  :)

Bengt Richter <b...@bokr.com> writes:

> On +2019-12-07 11:35:02 -0500, Timothy Sample wrote:
>> 
>> [...]
>> 
>> Unfortunately, I got certificate errors, but VLC lets you temporarily
>> ignore those.
>
> [...]
>
> Anyone see an easy explanation?

After a little more digging, it seems that the certificate sent for
“ccwebcast.in2p3.fr” is signed with an intermediate certificate from
“TERENA”.  This is in turn signed with a DigiCert root certificate.
Unfortunately it looks like “ccwebcast.in2p3.fr” doesn’t send the whole
certificate chain, and the TERENA cert is not part of our “nss-certs”
package, so tools using certs from that package (basically everything on
a normal Guix install) will be unwilling to trust “ccwebcast.in2p3.fr”.
IceCat is okay with it, but it uses its own certificates (it must know
about the TERENA cert, so it doesn’t need the whole chain).

Fortunately, for exceptional situations like this, you can tell most
tools to skip certificate validation (like I mentioned with VLC).  For
youtube-dl, you can use the “--no-check-certificate” option.  Note
however that this is rather dangerous in general, since you are telling
youtube-dl to allow anyone to pretend to be anyone else!  In this case,
since it’s just a video and IceCat is okay with the certificate it’s
probably fine.  Just be careful.  :)


-- Tim
