Adding own certs to connect via webdavs/sftp again

  • It makes things a little bit more laborious for clean installations, but it's ok for me. Thanks for your support!


    Unfortunately there will be a few silent users who don't know why their private davs connections don't work anymore when updating to Leia. Finding the problem via the log and landing on this script will take a while :D Maybe Kodi/yol (SSL Certificates Issues) will solve verifypeer=false problems and give this option a checkbox in Estuary; that would be another, more intuitive alternative.

  • With a little more investigation I got a more elegant solution.

    Curl needs to be built with --with-ca-path=/storage/.config/ssl-certs instead of --without-ca-path. Then users' pem files can be put in this folder. But the pem files need to be named by their hash values, with the command cd /storage/.config/ssl-certs && find *.pem -exec sh -c 'ln -s $0 $(openssl x509 -hash -noout -in "$0").0' {} \;.


    Probably a better path would be the standard one, /etc/ssl/certs/, with a link to /storage.

    Blu-ray Disc Java menus support - forum thread, Github

    my lamp addon (unofficial/community) (limited no support)
    my touchscreen support and instructions by Grruhn (now touchscreen addon exists in repository)

  • You can try this: libreelec-generic.x86_64-9.0-devel-20180713105447-32ef9ba-certs-test.img.gz

    • remove mount line of /etc/ssl from autostart.sh
    • create folder /storage/.config/ssl-certs if doesn't exist
    • copy your cacert.pem file there (filename is not important)
    • update certs with command update-ca-certificates.sh


  • Ah, then nothing. At least you have workaround :)


  • vpeter what do you think of this change? Comparing LibreELEC:master...milhousevh:le90_user_ca · LibreELEC/LibreELEC.tv · GitHub


    It should allow a user to safely add *additional* CAs in /storage/.config/cacert.pem without losing the benefit of existing system-supplied CA certs.


    Replacing the shipped system CA cert file with a user CA file is going to result in long-term issues as CA certs expire or are compromised/replaced, and users with custom CA files start reporting weird and unreproducible certificate-related issues with public websites because their CA file is out of date.


    I've also reverted the name of /etc/ssl/cert.pem to /etc/ssl/cacert.pem as per the contents of /etc/ssl/openssl.cnf.
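    A worked version of the two approaches discussed in this thread (the hash-named CApath directory that the find/ln one-liner and the update-ca-certificates.sh steps produce, and appending a user cacert.pem to the shipped bundle rather than replacing it), as an added example that is not part of this thread or of LibreELEC's own scripts. Everything it uses is constructed: a throwaway "system" CA and "user" CA plus one leaf certificate signed by each, all built in a temp directory, standing in for the distro CA bundle and a private WebDAV/SFTP server's CA. Nothing is written to /etc/ssl or /storage; it only needs openssl on PATH.

```shell
#!/bin/sh
# Added example for this thread (not LibreELEC code). Demonstrates, with
# throwaway CAs built in a temp directory:
#   1. a hashed CApath directory, the layout curl's --with-ca-path and
#      openssl's -CApath expect (what the find/ln one-liner above produces);
#   2. why *appending* a user cacert.pem to the shipped bundle keeps public
#      sites working while *replacing* the bundle breaks them.
# "system" stands in for the distro CA bundle, "user" for a private server's CA.
set -eu

TMPROOT=$(mktemp -d)
trap 'rm -rf "$TMPROOT"' EXIT

# Minimal openssl config so the CA certs get CA:TRUE whatever openssl version runs.
cat > "$TMPROOT/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF

# make_ca NAME: self-signed CA (key + cert) as $WORK/NAME.key and $WORK/NAME.pem
make_ca() {
    openssl req -x509 -config "$TMPROOT/ca.cnf" -newkey rsa:2048 -nodes \
        -days 1 -subj "/CN=$1 CA" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf CA CN: leaf cert for CN signed by CA, written as $WORK/CN.pem
make_leaf() {
    openssl req -new -config "$TMPROOT/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" 2>/dev/null
}

# build_capath DIR: symlink every *.pem in DIR as <subject-hash>.<n>, the name
# openssl looks up; bumps <n> on hash collisions and skips links that already
# exist, so re-running it is harmless (c_rehash behaves the same way).
build_capath() {
    for pem in "$1"/*.pem; do
        hash=$(openssl x509 -hash -noout -in "$pem")
        n=0
        while [ -e "$1/$hash.$n" ]; do
            [ "$(readlink "$1/$hash.$n")" = "$(basename "$pem")" ] && continue 2
            n=$((n + 1))
        done
        ln -s "$(basename "$pem")" "$1/$hash.$n"
    done
}

# 0 if CERT chains to a CA in the hashed dir / the bundle, non-zero otherwise.
# -no-CAfile / -no-CApath keep openssl's built-in default store out of the test.
verify_with_path() { openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1; }
verify_with_file() { openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; }

# demo: runs the whole scenario in a fresh dir; returns 0 only if every
# expected outcome (both the passes and the one deliberate failure) holds.
demo() {
    WORK=$(mktemp -d "$TMPROOT/run.XXXXXX")
    make_ca system
    make_ca user
    make_leaf system public-site.example
    make_leaf user nas.lan

    # 1. hashed CApath holding only the user's CA (the file's name does not matter)
    mkdir "$WORK/ssl-certs"
    cp "$WORK/user.pem" "$WORK/ssl-certs/my-nas-ca.pem"
    build_capath "$WORK/ssl-certs"
    verify_with_path "$WORK/ssl-certs" "$WORK/nas.lan.pem" || return 1

    # 2a. replace the shipped bundle with the user file: NAS works, public site breaks
    cp "$WORK/user.pem" "$WORK/replaced-cacert.pem"
    verify_with_file "$WORK/replaced-cacert.pem" "$WORK/nas.lan.pem" || return 1
    verify_with_file "$WORK/replaced-cacert.pem" "$WORK/public-site.example.pem" && return 1

    # 2b. append the user file to the shipped bundle: both keep working
    cat "$WORK/system.pem" "$WORK/user.pem" > "$WORK/combined-cacert.pem"
    verify_with_file "$WORK/combined-cacert.pem" "$WORK/nas.lan.pem" || return 1
    verify_with_file "$WORK/combined-cacert.pem" "$WORK/public-site.example.pem" || return 1
}

demo && echo "all checks passed"
```

    On a real box the same steps map onto /storage/.config/ssl-certs (hashed directory) or a user cacert.pem appended to the shipped bundle; curl accepts --capath DIR or --cacert FILE, so either result can be tried against the WebDAV server by hand before relying on the build-time default.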

  • Sure, this would work also and it is the initial idea.

    But you need to leave /etc/ssl/cert.pem because this is default name used. Use symbolic link instead.

    Also I would rename openssl-config to something more appropriate.


  • But you need to leave /etc/ssl/cert.pem because this is default name used. Use symbolic link instead.

    I'm not so sure - the openssl config is referencing /etc/ssl/cacert.pem not /etc/ssl/cert.pem, so it looks like /etc/ssl/cert.pem is a misconfiguration on our part. It has probably never been an issue as curl is hardcoded to use the /etc/ssl/cert.pem path.

    Also I would rename openssl-config to something more appropriate.

    It's not the greatest name I grant you, but it's consistent with our other kodi-config, smbd-config etc. scripts that all do something similar.

  • openssl.cnf is not relevant here.

    Can you tell me what else is using /etc/ssl/cert.pem ? We had some "backward compatibility" links to /etc/ssl/cert.pem which are now linked to /etc/ssl/cacert.pem, but all the references I can find seem to refer to cacert.pem not cert.pem. And curl is hard-coded to use whatever we like.

  • I thought openssl uses this file by default? If not then it is ok to use a different name (didn't look into this part).


  • openssl does use this file by default, but it will be trying to access /etc/ssl/cacert.pem - we seem to have dropped the ca filename prefix (creating cert.pem not cacert.pem) in the transition back from libressl.


    openssl example using current LE master (bogus private key, just for testing):

    Code
    rpi22:~ # openssl ca -keyfile /storage/.config/private/cakey.pem
    Using configuration from /etc/ssl/openssl.cnf
    Error opening CA certificate /etc/ssl/cacert.pem
    1996051232:error:02001002:system library:fopen:No such file or directory:bss_file.c:406:fopen('/etc/ssl/cacert.pem','r')
    1996051232:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:408:
    unable to load certificate
  • It should allow a user to safely add *additional* CAs in /storage/.config/cacert.pem without losing the benefit of existing system-supplied CA certs.

    Would this work without typing in any commands? Only putting my own cacert.pem in /storage/.config/?