Adding own certs to connect via webdavs/sftp again

  • Since changes in Kodi you have to add your server cert to Kodi's cert store: [install_dir]\system\certs\cacert.pem on Windows. In LE I found this file in /etc/ssl but I was not able to change it there (cannot write there). On Odroid I use CE and informed the developer in the CE Forum (HTTPS/FTP not working - Kodi - CoreELEC Forums), but Adamg's patch did not work (kodi: use provided ssl certificate if available · CoreELEC/[email protected] · GitHub) in spite of the good idea.


    Can you help to get this working again, since it's a global problem? If your cert isn't added to Kodi, people will get:

    CCurlFile::FillBuffer - Failed: Peer certificate cannot be authenticated with given CA certificates(60)

    and cannot connect to their webdavs/sftp sources anymore.


    This is my main problem with alphas since many many weeks and I hope somebody will fix this issue before RC.


    thanks for your attention and happy new year <3

  • Is there any public sftp server which could be used to test this issue? Just to connect to it not with actual media stuff :)

    Gone...

  • Btw: if the problem is read-only ssl folder you can make it writable :)

    Code
    cp -a /etc/ssl/ /storage/
    mount -o bind /storage/ssl/ /etc/ssl/
    systemctl restart kodi

    Gone...

  • Thanks, that's my personal problem - I did not know how to make it writable.


    I will try that and report! And how do I unmount it again?

    _

    But nevertheless I think a general feature without a workaround would be useful. I won't be the only one with problems when changing to Leia.

  • It's a shell script, so it should look like the shell commands that you ran manually, but with /full/paths/to/binaries where used.

  • Put this line in autostart.sh

    Code
    mount | grep -q etc/ssl || mount -o bind /storage/ssl/ /etc/ssl/

    If you don't have this file you can create it with command

    Code
    echo "mount | grep -q etc/ssl || mount -o bind /storage/ssl/ /etc/ssl/" >/storage/.config/autostart.sh

    When I reproduce the issue I will make a better solution :)

    Gone...

  • For understanding: this autostart.sh would only mount /etc/ssl/ (to make it writable)? How do I add/replace, in the next step, my modified cert.pem-file to /etc/ssl/?

    Sorry for noob questions, these commands are like Chinese to me.

    When I reproduce the issue I will make a better solution

    That would be so marvelous!!! :D As I mentioned, adamg's code had sounded very easy (kodi: use provided ssl certificate if available · CoreELEC/[email protected] · GitHub), but it did not work, so he threw it away. Maybe you have another idea.

  • The autostart.sh script will mount the ssl folder to make it writable. But you need to make the folder /storage/ssl where you add/change files (as written in one of my posts).


    I did reproduce the issue, but even copying cacert.pem to the ssl folder didn't make it work. Probably because I don't really understand all that certificate stuff :D I was just following the first Google tutorial for creating a self-signed certificate.

    Gone...

  • Probably because I don't really understand all that certificate stuff :D

    Welcome to the club :D A few weeks ago I did not even know that my NAS/webdavs server has a cert^^ And now Kodi wants me to add this f****g thing to its "cert-store" only to get a connection again, which worked from Isengard till Krypton without doing anything - just adding the webserver address and voilà... nice old times

    but even copying cacert.pem to the ssl folder didn't make it work.

    Did you try webdavs/https? Because in relation to sftp (if you tried this) there were also other changes in Kodi, I believe.


    But you need to make the folder /storage/ssl where you add/change files (as written in one of my posts).

    Ah, I misunderstood this. I just knocked the code from #6 into PuTTY and then I replaced the original cacert.pem file with my modified one directly in etc/ssl via WinSCP (which worked temporarily until the next restart^^)

  • I made a few tests and it seems the only solution is to add the self-signed CA certificate (cacert.pem) to the /etc/ssl/cert.pem file. This way all CAs are usable. Of course, for this the folder must be writable.

    But maybe I'm wrong and there is better solution :)

    Gone...
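
The procedure the thread arrives at (a writable copy of /etc/ssl, then the self-signed CA appended to /etc/ssl/cert.pem), as an added example that is not code from any poster. The function names and the CA file argument are assumptions; it uses only grep, awk, cp and mount, so it does not depend on an openssl binary being present.

```sh
#!/bin/sh
# Added example, not code from the thread. Paths are the ones used in the
# posts above; the function names and the CA file argument are assumptions.

# Print every certificate in PEM file $1 as one base64 line.
pem_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { b = ""; on = 1; next }
         /-----END CERTIFICATE-----/   { if (on) print b; on = 0; next }
         on { gsub(/[ \t\r]/, ""); b = b $0 }' "$1"
}

# add_ca BUNDLE CA_PEM: append the CA to the bundle once, keeping a backup.
add_ca() {
    bundle=$1; ca=$2
    [ -f "$bundle" ] || { echo "add_ca: no bundle at $bundle" >&2; return 2; }
    # Accept exactly one PEM block and require it to be a certificate, so a
    # file that also carries the private key never lands in the bundle.
    n=$(grep -c -e '-----BEGIN ' "$ca" 2>/dev/null) || :
    want=$(pem_bodies "$ca" 2>/dev/null) || :
    if [ "$n" != 1 ] || [ -z "$want" ]; then
        echo "add_ca: $ca must hold exactly one certificate" >&2
        return 2
    fi
    # Already present (same base64 body): leave the bundle untouched.
    if pem_bodies "$bundle" | grep -qxF -e "$want"; then
        return 0
    fi
    cp -p "$bundle" "$bundle.bak" || return 1
    { printf '\n'; tr -d '\r' < "$ca"; } >> "$bundle"
}

# Writable copy of /etc/ssl bind-mounted over the read-only original.
make_ssl_writable() {
    [ -d /storage/ssl ] || cp -a /etc/ssl/ /storage/ || return 1
    mount | grep -q ' /etc/ssl ' || mount -o bind /storage/ssl/ /etc/ssl/
}

# Acts only when given the CA file, e.g.: sh add-ca.sh /storage/my-ca.pem
if [ "$#" -eq 1 ]; then
    make_ssl_writable && add_ca /storage/ssl/cert.pem "$1" &&
        systemctl restart kodi
fi
```

The bind mount does not survive a reboot; the autostart.sh line from the thread restores it, while the appended certificate stays in /storage/ssl/cert.pem.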