Re: Certificate verify failed

2018-10-19 Thread Nick Lord
On Thu, 2018-10-18 at 16:15 +0100, Christopher Woods wrote:
> 
> On 18 October 2018 15:27:43 Az  wrote:
> 
> > On Thursday 18 October 2018 14:50,
> > Chris Woods  put forth the
> > proposition:
> > > On Thu, 18 Oct 2018 08:35:05 +0100
> > > Az  wrote:
> > > 
> > > > On Tuesday 9 October 2018 16:16,
> > > > Nick Lord  put forth the proposition:
> > > > > After a lengthy pause I've now installed get_iplayer 3.17 on my
> > > > > openSUSE Leap 42.3 system. Previously I was using 3.14. Now when
> > > > > attempting to download a programme I repeatedly get the message:
> > > > >
> > > > > ERROR: Response: 500 Can't connect to www.bbc.co.uk:443 (certificate
> > > > > verify failed)
> > > > >
> > > > > and the download fails. Trying to refresh the pvr cache brings a
> > > > > similar message:
> > > > >
> > > > > ERROR: Connection error: SSL connect attempt failed error:14090086:SSL
> > > > > routines:ssl3_get_server_certificate:certificate verify failed
> > > > >
> > > > > Can anyone tell me what I'm missing?
> > > >
> > > > I just got a bunch of these.
> > > >
> > > > ERROR: Response: 500 Can't connect to
> > > > vod-dash-uk-live.bbcfmt.hs.llnwd.net:443 (certificate verify failed)
> > > >
> > > > --
> > > > Az
> > > >
> > > > ___
> > > > get_iplayer mailing list
> > > > get_iplayer@lists.infradead.org
> > > > http://lists.infradead.org/mailman/listinfo/get_iplayer
> > >
> > > Try
> > >
> > > openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect
> > > bbc.co.uk:443
> > >
> > > and
> > >
> > > openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect
> > > vod-dash-uk-live.bbcfmt.hs.llnwd.net:443
> > >
> > > You should ultimately see "Verify return code: 0 (ok)".
> >
> > Both those return 0 (ok)
> >
> > > export PERL_LWP_SSL_VERIFY_HOSTNAME=0
> > >
> > > However, this is widely regarded as a bad move - any subsequent
> > > connection will never actually be verified as safe until that env
> > > variable is reset.
> >
> > The files did actually download after those warnings, so I'm not too
> > upset. I may temporarily set that if it gets too noisy, then unset it
> > after.
> >
> > > I use CentOS. Using the curl.haxx.se PEM CA bundle (in combination
> > > with the Fedora/RHEL/CentOS update-ca-trust tool) I verified TLS
> > > connections to both that VOD endpoint and the main bbc.co.uk site OK.
> > >
> > > I don't use GiP on Linux though so can't check atm - and OpenSUSE's
> > > method for updating certs (and where they're stored in the filesystem)
> > > will differ from CentOS.
> > >
> > > If you haven't already got it installed, try installing
> > > ca-certificates-mozilla:
> > > # zypper install ca-certificates-mozilla
> > >
> > > If that doesn't work, you'll need to set about manually updating
> > > the CA bundle.
> > > I usually recommend the curl.haxx.se bundle -
> > > https://curl.haxx.se/docs/sslcerts.html
> > >
> > > I don't use OpenSUSE Leap, but there's plenty of discussions
> > > about CA bundle location, update method etc...
> > >
> > > https://forums.opensuse.org/showthread.php/530383-Looking-for-ca-certificates-crt-file-where-is-it
> > > https://blog.hqcodeshop.fi/archives/157-Installing-own-CA-root-certificate-into-openSUSE.html
> > > https://www.reddit.com/r/openSUSE/comments/498efy/updating_root_certificates/
> > > https://github.com/openSUSE/ca-certificates (README in
> > > /usr/share/doc/packages/ca-certificates/)
> > > https://forums.suse.com/showthread.php?9465-How-to-install-a-SSL-certificate=38033#post38033
> > >
> > > CA bundles are a pain but important to get right. Easy to get

Re: Certificate verify failed

2018-10-18 Thread Christopher Woods

On 18 October 2018 15:27:43 Az  wrote:

> On Thursday 18 October 2018 14:50,
> Chris Woods  put forth the proposition:
> > On Thu, 18 Oct 2018 08:35:05 +0100
> > Az  wrote:
> >
> > > On Tuesday 9 October 2018 16:16,
> > > Nick Lord  put forth the proposition:
> > > > After a lengthy pause I've now installed get_iplayer 3.17 on my
> > > > openSUSE Leap 42.3 system. Previously I was using 3.14. Now when
> > > > attempting to download a programme I repeatedly get the message:
> > > >
> > > > ERROR: Response: 500 Can't connect to www.bbc.co.uk:443 (certificate
> > > > verify failed)
> > > >
> > > > and the download fails. Trying to refresh the pvr cache brings a
> > > > similar message:
> > > >
> > > > ERROR: Connection error: SSL connect attempt failed error:14090086:SSL
> > > > routines:ssl3_get_server_certificate:certificate verify failed
> > > >
> > > > Can anyone tell me what I'm missing?
> > >
> > > I just got a bunch of these.
> > >
> > > ERROR: Response: 500 Can't connect to
> > > vod-dash-uk-live.bbcfmt.hs.llnwd.net:443 (certificate verify failed)
> > >
> > > --
> > > Az
> >
> > Try
> >
> > openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect
> > bbc.co.uk:443
> >
> > and
> >
> > openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect
> > vod-dash-uk-live.bbcfmt.hs.llnwd.net:443
> >
> > You should ultimately see "Verify return code: 0 (ok)".
>
> Both those return 0 (ok)
>
> > export PERL_LWP_SSL_VERIFY_HOSTNAME=0
> >
> > However, this is widely regarded as a bad move - any subsequent connection
> > will never actually be verified as safe until that env variable is reset.
>
> The files did actually download after those warnings, so I'm not too
> upset. I may temporarily set that if it gets too noisy, then unset it
> after.
>
> > I use CentOS. Using the curl.haxx.se PEM CA bundle (in combination with the
> > Fedora/RHEL/CentOS update-ca-trust tool) I verified TLS connections to both
> > that VOD endpoint and the main bbc.co.uk site OK.
> >
> > I don't use GiP on Linux though so can't check atm - and OpenSUSE's method
> > for updating certs (and where they're stored in the filesystem) will differ
> > from CentOS.
> >
> > If you haven't already got it installed, try installing
> > ca-certificates-mozilla:
> > # zypper install ca-certificates-mozilla
> >
> > If that doesn't work, you'll need to set about manually updating the CA bundle.
> > I usually recommend the curl.haxx.se bundle -
> > https://curl.haxx.se/docs/sslcerts.html
> >
> > I don't use OpenSUSE Leap, but there's plenty of discussions about CA
> > bundle location, update method etc...
> >
> > https://forums.opensuse.org/showthread.php/530383-Looking-for-ca-certificates-crt-file-where-is-it
> > https://blog.hqcodeshop.fi/archives/157-Installing-own-CA-root-certificate-into-openSUSE.html
> > https://www.reddit.com/r/openSUSE/comments/498efy/updating_root_certificates/
> > https://github.com/openSUSE/ca-certificates (README in
> > /usr/share/doc/packages/ca-certificates/)
> > https://forums.suse.com/showthread.php?9465-How-to-install-a-SSL-certificate=38033#post38033
> >
> > CA bundles are a pain but important to get right. Easy to get yourself tied
> > up in knots, so if you make any changes back up the entire /etc/pki/tls
> > folder tree (/etc/ssl/certs is a symlink). Don't overwrite or delete CA
> > files before you do this.
> >
> > Be mindful of symlinks and recreate them where necessary (ls -a to see
> > them.) Usually they're there for legacy purposes, certain files may be
> > referenced by specific apps/libraries, and certs are sometimes not 'picked
> > up' unless they go in certain anchor folders, etc.
> >
> > If you use update-ca-certificates (recommended I think!) try starting by
> > grabbing the latest CA bundle, putting it into the right folder and let the
> > system do its thing.
>
> I haven't done this manually for some years. I do have a daily
> cron job for expiration checks, which came with the package.
>
> I'll run the update command before I download anything else.
>
> > glhf,
> > Chris
>
> Thanks
>
> --
> Az
Excellent. Apologies if you're already familiar with the ins and outs, no 
intention to condescend. I like that it continues fine after whingeing :-)


(I really should spin up an openSUSE box...)





Re: Certificate verify failed

2018-10-18 Thread Az
On Thursday 18 October 2018 14:50,
Chris Woods  put forth the proposition:
> On Thu, 18 Oct 2018 08:35:05 +0100
> Az  wrote:
>
> > On Tuesday 9 October 2018 16:16,
> > Nick Lord  put forth the proposition:
> > > After a lengthy pause I've now installed get_iplayer 3.17 on my
> > > openSUSE Leap 42.3 system. Previously I was using 3.14. Now when
> > > attempting to download a programme I repeatedly get the message:
> > >  
> > > ERROR: Response: 500 Can't connect to www.bbc.co.uk:443 (certificate
> > > verify failed)
> > >  
> > > and the download fails. Trying to refresh the pvr cache brings a
> > > similar message:
> > >  
> > > ERROR: Connection error: SSL connect attempt failed error:14090086:SSL
> > > routines:ssl3_get_server_certificate:certificate verify failed
> > >  
> > > Can anyone tell me what I'm missing?
> >
> > I just got a bunch of these.
> >
> > ERROR: Response: 500 Can't connect to
> > vod-dash-uk-live.bbcfmt.hs.llnwd.net:443 (certificate verify failed)
> >
> > --
> > Az
> >
>
> Try
>
> openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect 
> bbc.co.uk:443
>
> and
>
> openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect 
> vod-dash-uk-live.bbcfmt.hs.llnwd.net:443
>
> You should ultimately see "Verify return code: 0 (ok)".

Both those return 0 (ok)

> export PERL_LWP_SSL_VERIFY_HOSTNAME=0
>
> However, this is widely regarded as a bad move - any subsequent connection 
> will never actually be verified as safe until that env variable is reset.

The files did actually download after those warnings, so I'm not too
upset. I may temporarily set that if it gets too noisy, then unset it
after.

> I use CentOS. Using the curl.haxx.se PEM CA bundle (in combination with the 
> Fedora/RHEL/CentOS update-ca-trust tool) I verified TLS connections to both 
> that VOD endpoint and the main bbc.co.uk site OK.
>
> I don't use GiP on Linux though so can't check atm - and OpenSUSE's method 
> for updating certs (and where they're stored in the filesystem) will differ 
> from CentOS.
>
> If you haven't already got it installed, try installing 
> ca-certificates-mozilla:
> # zypper install ca-certificates-mozilla
>
>
> If that doesn't work, you'll need to set about manually updating the CA 
> bundle.
> I usually recommend the curl.haxx.se bundle - 
> https://curl.haxx.se/docs/sslcerts.html
>
> I don't use OpenSUSE Leap, but there's plenty of discussions about CA bundle 
> location, update method etc...
>
> https://forums.opensuse.org/showthread.php/530383-Looking-for-ca-certificates-crt-file-where-is-it
> https://blog.hqcodeshop.fi/archives/157-Installing-own-CA-root-certificate-into-openSUSE.html
> https://www.reddit.com/r/openSUSE/comments/498efy/updating_root_certificates/
> https://github.com/openSUSE/ca-certificates (README in 
> /usr/share/doc/packages/ca-certificates/)
> https://forums.suse.com/showthread.php?9465-How-to-install-a-SSL-certificate=38033#post38033
>
> CA bundles are a pain but important to get right. Easy to get yourself tied 
> up in knots, so if you make any changes back up the entire /etc/pki/tls 
> folder tree (/etc/ssl/certs is a symlink). Don't overwrite or delete CA files 
> before you do this.
>
> Be mindful of symlinks and recreate them where necessary (ls -a to see them.) 
> Usually they're there for legacy purposes, certain files may be referenced by 
> specific apps/libraries, and certs are sometimes not 'picked up' unless they 
> go in certain anchor folders, etc.
>
>
> If you use update-ca-certificates (recommended I think!) try starting by 
> grabbing the latest CA bundle, putting it into the right folder and let the 
> system do its thing.

I haven't done this manually for some years. I do have a daily
cron job for expiration checks, which came with the package.

I'll run the update command before I download anything else.

> glhf,
> Chris

Thanks

--
Az



Re: Certificate verify failed

2018-10-18 Thread Chris Woods
On Thu, 18 Oct 2018 08:35:05 +0100
Az  wrote:

> On Tuesday 9 October 2018 16:16,
> Nick Lord  put forth the proposition:
> > After a lengthy pause I've now installed get_iplayer 3.17 on my
> > openSUSE Leap 42.3 system. Previously I was using 3.14. Now when
> > attempting to download a programme I repeatedly get the message:
> >  
> > ERROR: Response: 500 Can't connect to www.bbc.co.uk:443 (certificate
> > verify failed)
> >  
> > and the download fails. Trying to refresh the pvr cache brings a
> > similar message:
> >  
> > ERROR: Connection error: SSL connect attempt failed error:14090086:SSL
> > routines:ssl3_get_server_certificate:certificate verify failed
> >  
> > Can anyone tell me what I'm missing?
> 
> I just got a bunch of these.
> 
> ERROR: Response: 500 Can't connect to
> vod-dash-uk-live.bbcfmt.hs.llnwd.net:443 (certificate verify failed)
> 
> --
> Az
> 

Try

openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect 
bbc.co.uk:443

and

openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect 
vod-dash-uk-live.bbcfmt.hs.llnwd.net:443

You should ultimately see "Verify return code: 0 (ok)". 

Anything else indicates your CA certificates are out of date. I've attached an 
OpenSSL output showing what you should see if your system has an up to date CA 
bundle.

Perl LWP calls in GiP will be using the system CA bundle and will encounter the 
same issues as your OpenSSL tests. You can manually bodge Perl to skip the cert 
verification by setting

export PERL_LWP_SSL_VERIFY_HOSTNAME=0

However, this is widely regarded as a bad move - any subsequent connection will 
never actually be verified as safe until that env variable is reset.


I use CentOS. Using the curl.haxx.se PEM CA bundle (in combination with the 
Fedora/RHEL/CentOS update-ca-trust tool) I verified TLS connections to both 
that VOD endpoint and the main bbc.co.uk site OK.

I don't use GiP on Linux though so can't check atm - and OpenSUSE's method for 
updating certs (and where they're stored in the filesystem) will differ from 
CentOS.

If you haven't already got it installed, try installing ca-certificates-mozilla:
# zypper install ca-certificates-mozilla


If that doesn't work, you'll need to set about manually updating the CA bundle.
I usually recommend the curl.haxx.se bundle - 
https://curl.haxx.se/docs/sslcerts.html

I don't use OpenSUSE Leap, but there's plenty of discussions about CA bundle 
location, update method etc...

https://forums.opensuse.org/showthread.php/530383-Looking-for-ca-certificates-crt-file-where-is-it
https://blog.hqcodeshop.fi/archives/157-Installing-own-CA-root-certificate-into-openSUSE.html
https://www.reddit.com/r/openSUSE/comments/498efy/updating_root_certificates/
https://github.com/openSUSE/ca-certificates (README in 
/usr/share/doc/packages/ca-certificates/)
https://forums.suse.com/showthread.php?9465-How-to-install-a-SSL-certificate=38033#post38033

CA bundles are a pain but important to get right. Easy to get yourself tied up 
in knots, so if you make any changes back up the entire /etc/pki/tls folder 
tree (/etc/ssl/certs is a symlink). Don't overwrite or delete CA files before 
you do this.

Be mindful of symlinks and recreate them where necessary (ls -a to see them.) 
Usually they're there for legacy purposes, certain files may be referenced by 
specific apps/libraries, and certs are sometimes not 'picked up' unless they go 
in certain anchor folders, etc.


If you use update-ca-certificates (recommended I think!) try starting by 
grabbing the latest CA bundle, putting it into the right folder and let the 
system do its thing.


glhf,
Chris
# openssl s_client -CAfile /etc/ssl/certs/ca-bundle.crt -connect 
vod-dash-uk-live.bbcfmt.hs.llnwd.net:443
CONNECTED(0003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN 
= COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN 
= COMODO RSA Organization Validation Secure Server CA
verify return:1
depth=0 C = US, postalCode = 85281, ST = Arizona, L = Tempe, street = "222 
South Mill Avenue, Suite 800", O = "Limelight Networks, Inc.", OU = Unified 
Communications, CN = *.bbcfmt.hs.llnwd.net
verify return:1
---
Certificate chain
 0 s:/C=US/postalCode=85281/ST=Arizona/L=Tempe/street=222 South Mill Avenue, 
Suite 800/O=Limelight Networks, Inc./OU=Unified 
Communications/CN=*.bbcfmt.hs.llnwd.net
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA 
Organization Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA 
Organization Vali
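
The host check Chris describes above, scripted so it can be run over several hosts at once: an added example written for this thread, not code from get_iplayer or from anyone on the list. It assumes openssl is on PATH; the `-servername` (SNI) flag and the two abridged transcripts used for offline testing are my additions, the transcripts being constructed in the shape openssl prints rather than copied from a real session.

```shell
# Added example (not from the list thread): script the "openssl s_client ...
# Verify return code: 0 (ok)" check above and flag the PERL_LWP_SSL_VERIFY_HOSTNAME=0 bodge.

# Bundle path quoted in the thread for openSUSE; override with CA_BUNDLE=...
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# Constructed, abridged s_client transcripts in the shape openssl prints them;
# SAMPLE_FAIL is what a stale bundle that lacks the issuing CA produces.
SAMPLE_OK='CONNECTED(00000003)
depth=1 C = GB, O = COMODO CA Limited, CN = COMODO RSA Organization Validation Secure Server CA
verify return:1
depth=0 C = US, O = Limelight Networks, Inc., CN = *.bbcfmt.hs.llnwd.net
verify return:1
---
    Verify return code: 0 (ok)'
SAMPLE_FAIL='CONNECTED(00000003)
depth=1 C = GB, O = COMODO CA Limited, CN = COMODO RSA Organization Validation Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:1
---
    Verify return code: 20 (unable to get local issuer certificate)'

# Numeric code from the final "Verify return code: N (text)" line on stdin;
# prints nothing when the handshake never got that far.
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1
}

# Classify transcript $2 for host $1: return 0 for a clean chain, 1 otherwise,
# echoing the "verify error:" lines so the failing depth is visible.
report() {
    code=$(printf '%s\n' "$2" | verify_code)
    case "$code" in
        0)  printf 'OK   %s: Verify return code 0 (ok)\n' "$1"; return 0 ;;
        '') printf 'FAIL %s: no verify result (connection failed?)\n' "$1"; return 1 ;;
        *)  printf 'FAIL %s: %s\n' "$1" \
                "$(printf '%s\n' "$2" | grep 'Verify return code' | tail -n 1 | sed 's/^ *//')"
            printf '%s\n' "$2" | grep '^verify error:' | sed 's/^/     /'
            return 1 ;;
    esac
}

# Return 0 (and warn) when LWP verification has been switched off globally.
lwp_verify_disabled() {
    [ "${PERL_LWP_SSL_VERIFY_HOSTNAME:-1}" = "0" ] || return 1
    echo 'WARNING: PERL_LWP_SSL_VERIFY_HOSTNAME=0 is set: LWP will accept any certificate' >&2
}

# Live check: handshake with the system bundle (and SNI), then classify.
check_host() {
    out=$(openssl s_client -CAfile "$CA_BUNDLE" -servername "$1" -connect "$1:443" </dev/null 2>&1) || true
    report "$1" "$out"
}

# With hosts on the command line, run the live checks and exit 1 if any fails.
if [ $# -gt 0 ]; then
    lwp_verify_disabled || true; rc=0
    for h in "$@"; do check_host "$h" || rc=1; done
    exit "$rc"
fi
```

Run it as `sh check_ca.sh bbc.co.uk vod-dash-uk-live.bbcfmt.hs.llnwd.net`; with no arguments it only defines the functions, so the sample transcripts can be fed to `report` from an interactive shell.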

Re: Certificate verify failed

2018-10-18 Thread Az
On Tuesday 9 October 2018 16:16,
Nick Lord  put forth the proposition:
> After a lengthy pause I've now installed get_iplayer 3.17 on my
> openSUSE Leap 42.3 system. Previously I was using 3.14. Now when
> attempting to download a programme I repeatedly get the message:
>  
> ERROR: Response: 500 Can't connect to www.bbc.co.uk:443 (certificate
> verify failed)
>  
> and the download fails. Trying to refresh the pvr cache brings a
> similar message:
>  
> ERROR: Connection error: SSL connect attempt failed error:14090086:SSL
> routines:ssl3_get_server_certificate:certificate verify failed
>  
> Can anyone tell me what I'm missing?

I just got a bunch of these.

ERROR: Response: 500 Can't connect to
vod-dash-uk-live.bbcfmt.hs.llnwd.net:443 (certificate verify failed)

--
Az



Certificate verify failed

2018-10-09 Thread Nick Lord
After a lengthy pause I've now installed get_iplayer 3.17 on my
openSUSE Leap 42.3 system. Previously I was using 3.14. Now when
attempting to download a programme I repeatedly get the message:
 
ERROR: Response: 500 Can't connect to www.bbc.co.uk:443 (certificate
verify failed)
 
and the download fails. Trying to refresh the pvr cache brings a
similar message:
 
ERROR: Connection error: SSL connect attempt failed error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed
 
Can anyone tell me what I'm missing?
