Adding own certs to connect via webdavs/sftp again

  • Since changes in Kodi you have to add your server cert to Kodi's cert store: [install_dir]\system\certs\cacert.pem in Windows. In LE I found this file in /etc/ssl but I was not able to change it there (cannot write there). On Odroid I use CE and informed the developer in the CE forum (HTTPS/FTP not working - Kodi - CoreELEC Forums), but Adamg's patch did not work (kodi: use provided ssl certificate if available · CoreELEC/[email protected] · GitHub) in spite of the good idea.


    Can you help to get this working again, since it's a global problem? If your cert isn't added to Kodi, people will get:

    CCurlFile::FillBuffer - Failed: Peer certificate cannot be authenticated with given CA certificates(60)

    and cannot connect to their webdavs/sftp sources anymore.


    This is my main problem with alphas since many many weeks and I hope somebody will fix this issue before RC.


    thanks for your attention and happy new year <3

  • Try setting this variable in the console and then restart Kodi. Of course the file must exist there.

    Code
    export SSL_CERT_FILE=/storage/.kodi/userdata/cacert.pem
    systemctl restart kodi

    Maybe another option is to set verifypeer=false in sources.xml as [curl] add url option to disable peer verification by Rechi · Pull Request #13909 · xbmc/xbmc · GitHub

    Blu-ray Disc Java menus support - forum thread, Github

    my lamp addon (unofficial/community) (limited no support)
    my touchscreen support and instructions by Grruhn (now touchscreen addon exists in repository)

  • Is there any public sftp server which could be used to test this issue? Just to connect to it not with actual media stuff :)


  • Btw: if the problem is the read-only ssl folder, you can make it writable :)

    Code
    cp -a /etc/ssl/ /storage/
    mount -o bind /storage/ssl/ /etc/ssl/
    systemctl restart kodi


  • Thanks, that's my personal problem - I did not know how to make it writable.


    I will try that and report! And how do I unmount it again?

    But nevertheless I think a general feature without a workaround would be useful. I won't be the only one with problems when changing to Leia.


  • Put this line in autostart.sh

    Code
    mount | grep -q etc/ssl || mount -o bind /storage/ssl/ /etc/ssl/

    If you don't have this file you can create it with this command

    Code
    echo "mount | grep -q etc/ssl || mount -o bind /storage/ssl/ /etc/ssl/" >/storage/.config/autostart.sh

    When I reproduce the issue I will make a better solution :)


  • For understanding: this autostart.sh would only mount /etc/ssl/ (to make it writable)? How do I add/replace, in the next step, my modified cert.pem-file to /etc/ssl/?

    Sorry for the noob questions, these commands are like Chinese to me.

    When I reproduce the issue I will make a better solution

    That would be so marvelous!!! :D As I mentioned, adamg's code had sounded very easy (kodi: use provided ssl certificate if available · CoreELEC/[email protected] · GitHub), but it did not work, so he threw it away. Maybe you have another idea.

  • The autostart.sh script will mount the ssl folder to make it writable. But you need to make the folder /storage/ssl where you add/change files (as written in one of my posts).


    I did reproduce the issue, but even copying cacert.pem to the ssl folder didn't make it work. Probably because I don't really understand all that certificate stuff :D Was just following the first Google tutorial for creating a self-signed certificate.


  • Probably because I don't really understand all that certificate stuff :D

    Welcome to the club :D A few weeks ago I did not even know that my NAS/webdavs server has a cert^^ And now Kodi wants me to add this f****g thing to its "cert-store" only to get a connection again, which worked from Isengard till Krypton without doing anything - just adding the webserver address and voilà... nice old times

    but even copying cacert.pem to the ssl folder didn't make it work.

    Did you try webdavs/https? Because in relation to sftp (if you tried this) there were also other changes in Kodi, I believe.


    But you need to make the folder /storage/ssl where you add/change files (as written in one of my posts).

    Ah, I misunderstood this. I just knocked the code from #6 into PuTTY and then I replaced the original cacert.pem file with my modified one directly in etc/ssl via WinSCP (which worked temporarily till the next restart^^)

  • I made a few tests and it seems the only solution is to add the self-signed CA certificate (cacert.pem) to the /etc/ssl/cert.pem file. This way all CAs are usable. Of course, for this the folder must be writable.

    But maybe I'm wrong and there is better solution :)

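Added example (not from any of the posts above, and not LibreELEC or Kodi code): one way to append a private CA certificate to /etc/ssl/cert.pem so that the system CAs stay in place, peer verification stays enabled, and the step can be repeated at every boot from autostart.sh without duplicating the entry. The function names and the certificate path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example; function names are hypothetical, /etc/ssl/cert.pem is the bundle named in the thread.

# Print the base64 body of every certificate in a PEM file, one certificate per line.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# add_ca_to_bundle CERT BUNDLE
# Returns 0 = appended, 1 = already present, 2 = CERT is not exactly one PEM certificate.
add_ca_to_bundle() {
    cert=$1 bundle=$2
    [ -r "$cert" ] || return 2
    body=$(pem_bodies "$cert")
    [ -n "$body" ] && [ "$(printf '%s\n' "$body" | wc -l)" -eq 1 ] || return 2
    # Already in the bundle: do nothing, so the call is safe to repeat at every boot.
    if [ -f "$bundle" ] && pem_bodies "$bundle" | grep -Fxq -- "$body"; then
        return 1
    fi
    # A bundle without a trailing newline would fuse its last END line with the new BEGIN line.
    if [ -s "$bundle" ] && [ -n "$(tail -c 1 "$bundle")" ]; then
        echo >> "$bundle"
    fi
    # Append only the certificate block, normalised to LF line endings.
    tr -d '\r' < "$cert" |
        awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' >> "$bundle"
    return 0
}

# Demo on constructed files (the base64 bodies are placeholders, not real certificates).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUFBQUFBQUFBQUFB' '-----END CERTIFICATE-----' > "$d/ca.pem"
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'QkJCQkJCQkJCQkJC' '-----END CERTIFICATE-----' > "$d/bundle.pem"
    out=
    for i in 1 2; do
        rc=0; add_ca_to_bundle "$d/ca.pem" "$d/bundle.pem" || rc=$?
        out="$out$rc "
    done
    # Result codes of both runs, then the number of intact END lines in the bundle.
    echo "$out$(grep -cx -- '-----END CERTIFICATE-----' "$d/bundle.pem")"
    rm -rf "$d"
}

# On the box, once /etc/ssl is writable (bind mount from the thread); the CERT path is a placeholder:
#   add_ca_to_bundle /storage/my-ca.pem /etc/ssl/cert.pem
```

The demo bundle is written without a trailing newline on purpose, which is the case where a plain `cat ca.pem >> cert.pem` leaves a bundle the TLS library cannot parse.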