error with nextcloud self-signed certs, webdav source paths

  • On a standalone Kodi instance (internal network) I have the linuxserver.io nextcloud and mariadb addons running.

    Now I want to add a nextcloud webdav resource to the kodi source path (for instance pictures/photos). This fails to work due to the nextcloud self-signed certificate.

    I searched the forum for clues on how to go about telling kodi to use (or ignore) the nextcloud certificate. This is what I did:

    find /storage -iname cert.crt

    /storage/.kodi/userdata/addon_data/docker.linuxserver.nextcloud/config/keys/cert.crt

    cp /storage/.kodi/userdata/addon_data/docker.linuxserver.nextcloud/config/keys/cert.crt /storage/.config/

    openssl x509 -in cert.crt -noout -text

    openssl x509 -in cert.crt -out nextcloud.pem

    cp nextcloud.pem cacert.pem

    export SSL_CERT_FILE=/storage/.config/cacert.pem

    systemctl restart kodi

    ERROR: CCurlFile::Exists - Failed: SSL peer certificate or SSH remote key was not OK(60) for davs://USERNAME:PASSWORD@localhost:443/remote.php/webdav/files/USERNAME/Photos

    Any ideas why this won't work?

    PS: also tried the |verifypeer=false suffix (did not work)

  • vpeter thanks for your reply!

    Before I created it I did not have a /storage/.config/cacert.pem

    I presumed I could just make a certificate (in fact copy it), put it in the designated spot and it would be used. Incidentally, are the certificates just separate files in a directory or one file containing multiple certificates (so you cat >> them)?

    Naturally I tried rebooting the box as well :)

    Before my post I already found that post.

    Obviously I am missing something.

  • I'm wondering why |verifypeer=false doesn't work. Try with |verifypeer=false&auth=SSL/TLS.

    Post the whole Kodi debug log and check that curl is selected as a debug component.

  • vpeter OK tried it but no go :( see below

    2019-09-03 12:36:53.405 T:3002069872 DEBUG: libinput: event1 - debounce state: DEBOUNCE_STATE_RELEASED → DEBOUNCE_EVENT_TIMEOUT → DEBOUNCE_STATE_IS_UP

    2019-09-03 12:36:53.418 T:3011907600 DEBUG: ProcessMouse: trying mouse action leftclick

    2019-09-03 12:36:53.670 T:3011907600 DEBUG: ------ Window Deinit (DialogConfirm.xml) ------

    2019-09-03 12:36:53.949 T:3011907600 DEBUG: ------ Window Deinit (DialogMediaSource.xml) ------

    2019-09-03 12:36:53.981 T:3011907600 DEBUG: CGUIMediaWindow::GetDirectory ()

    2019-09-03 12:36:53.981 T:3011907600 DEBUG: ParentPath = []

    2019-09-03 12:36:54.003 T:2882610032 DEBUG: Thread waiting start, auto delete: false

    2019-09-03 12:36:54.103 T:3011907600 DEBUG: ------ Window Init (DialogBusy.xml) ------

    2019-09-03 12:36:54.111 T:2882610032 ERROR: CCurlFile::Exists - Failed: SSL peer certificate or SSH remote key was not OK(60) for davs://USERNAME:PASSWORD@localhost:443/remote.php/webdav/files/some_user/Kodi/Photos/VIDEO_TS.IFO|verifypeer=false&auth=SSL/TLS

    2019-09-03 12:36:54.150 T:2882610032 ERROR: CCurlFile::Exists - Failed: SSL peer certificate or SSH remote key was not OK(60) for davs://USERNAME:PASSWORD@localhost:443/remote.php/webdav/files/some_user/Kodi/Photos/VIDEO_TS/VIDEO_TS.IFO|verifypeer=false&auth=SSL/TLS

    2019-09-03 12:36:54.189 T:2882610032 ERROR: CCurlFile::Exists - Failed: SSL peer certificate or SSH remote key was not OK(60) for davs://USERNAME:PASSWORD@localhost:443/remote.php/webdav/files/some_user/Kodi/Photos/index.bdmv|verifypeer=false&auth=SSL/TLS

    2019-09-03 12:36:54.233 T:2882610032 ERROR: CCurlFile::Exists - Failed: SSL peer certificate or SSH remote key was not OK(60) for davs://USERNAME:PASSWORD@localhost:443/remote.php/webdav/files/some_user/Kodi/Photos/BDMV/index.bdmv|verifypeer=false&auth=SSL/TLS

    2019-09-03 12:36:54.233 T:2882610032 DEBUG: Thread waiting 2882610032 terminating

    2019-09-03 12:36:54.238 T:3011907600 DEBUG: ------ Window Deinit (DialogBusy.xml) ------

    2019-09-03 12:36:54.267 T:2882610032 DEBUG: Thread BackgroundLoader start, auto delete: false

    2019-09-03 12:36:54.271 T:2882610032 DEBUG: Thread BackgroundLoader 2882610032 terminating

    2019-09-03 12:36:58.439 T:3011907600 DEBUG: ------ Window Deinit (Pointer.xml) ------

    2019-09-03 12:37:03.853 T:3011907600 INFO: CheckIdle - Closing session to http://127.0.0.1 (easy=0xb2f98a18, multi=(nil))

    2019-09-03 12:37:11.913 T:2679350128 DEBUG: Thread JobWorker 2679350128 terminating (autodelete)

    2019-09-03 12:37:24.729 T:3011907600 INFO: CheckIdle - Closing session to https://localhost (easy=0x3d17c40, multi=0xafe33150)

    2019-09-03 12:37:32.418 T:2982142832 DEBUG: CAESinkPi:Drain delay:100ms now:0ms

  • @vpeter I thought I had enabled curl debugging... did I forget something? Do I need to modify advancedsettings.xml? (I used the on-screen menus, perhaps incorrectly.)

    Here's a recent (partial) log capture:

    2019-09-03 16:07:17.537 T:3001021296 DEBUG: CLibInputPointer::ProcessMotion - event.type: 3, event.motion.x: 968, event.motion.y: 379

    2019-09-03 16:07:17.556 T:2858824560 ERROR: CCurlFile::Stat - Failed: SSL peer certificate or SSH remote key was not OK(60) for davs://localhost:443/remote.php/webdav/files/some_user/Kodi/Photos/|verifypeer=false&auth=SSL/TLS

    2019-09-03 16:07:17.556 T:2858824560 DEBUG: GetImageHash - unable to stat url davs://localhost:443/remote.php/webdav/files/xs4_rhebergen/Kodi/Photos/|verifypeer=false&auth=SSL/TLS

    2019-09-03 16:07:22.551 T:3011457040 DEBUG: ------ Window Deinit (Pointer.xml) ------

    2019-09-03 16:07:23.318 T:3011457040 INFO: CheckIdle - Closing session to http://127.0.0.1 (easy=0xb0fddd60, multi=(nil))

    2019-09-03 16:07:47.459 T:2875609968 DEBUG: Thread JobWorker 2875609968 terminating (autodelete)

    2019-09-03 16:07:47.459 T:2674185072 DEBUG: Thread JobWorker 2674185072 terminating (autodelete)

    2019-09-03 16:07:47.556 T:2858824560 DEBUG: Thread JobWorker 2858824560 terminating (autodelete)

    2019-09-03 16:07:47.629 T:3011457040 INFO: CheckIdle - Closing session to https://localhost (easy=0x37a6fe8, multi=0x37adb58)

    Perhaps it is easier to convince nextcloud to do webdav not over port 443. After all, this host is inside a (trusted) home network behind a firewall. I will be creating a different one in the future which will have outside access and thus will use https and letsencrypt-generated certificates.

    Still it bugs me why this self-signed setup is not possible. Judging from other posts it is though :)

    Edited 3 times, last by JayBeRayBearGun: addtions (September 5, 2019 at 1:50 PM).

  • vpeter yeah I found your previous posts. It can be disheartening at times when it just doesn't want to work despite best efforts.

    I can only think that in my efforts to get it working and in the process of installing, something got in the way (or broke). Given the fact that this is a fresh install with no media or users on it yet, I could decide to trash it and start all over again using what I have learnt in the meantime. It's kind of a last resort idea.

    Although I am an old Linux user I am new to Kodi and also relatively new to docker. So I'm slightly handicapped there.

    In your opinion what are the gotchas to look out for when trying to solve this riddle? For instance where are the certificates supposed to be located in the kodi filesystem? Are all certificates concatenated in one file or are they separate in a directory? (I've seen both.) So, any pointers on how to approach this are welcome. By the way, how do I properly enable component logging for curl? (I thought I did.)

    Thanks so far!

  • /storage/.config/cacert.pem is a concatenated file of all the user's certificates. This content is then appended to the end of the file /etc/ssl/cacert.pem.system to produce the final file which is actually used, /run/libreelec/cacert.pem.

    Also check your certificate with

    openssl x509 -in certificate.pem -text

    to see if the name is correct.

    I think a good start to debugging this issue is to use curl (or the openssl client) itself to connect to your source using this certificate.

  • Like this?

    Issuer: C = US, ST = CA, L = Carlsbad, O = Linuxserver.io, OU = LSIO Server, CN = *

    Checked the /etc/ssl/cacert.pem.system and /run/libreelec/cacert.pem files. It seems the selfsigned certificate from nextcloud is indeed added which is nice to know ;)

    When trying to run curl from the bash prompt:

     curl: (1) Protocol "davs" not supported or disabled in libcurl

    Edited once, last by JayBeRayBearGun: additional info (September 5, 2019 at 1:50 PM).

  • CN probably means Common Name, which means that because of the * it will not work. As I wrote, according to my findings there must be the FQDN of the server (or maybe the IP address).

    For testing use the openssl client with your certificate. The first thing is to make the TLS connection; the dav protocol comes later to the game :)

    I think the easiest would be to regenerate this certificate with openssl.
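The two points vpeter makes in the posts above, that the user bundle is a plain concatenation of PEM certificates and that a certificate with CN = * cannot match the host in the davs:// URL, can be reproduced offline with the openssl CLI. The script below is an added example, not code from the thread, from LibreELEC or from linuxserver.io. It assumes openssl 1.1.1 or newer is installed, creates its certificates in a scratch directory from mktemp, and uses the hostnames localhost and nextcloud.lan as constructed values (Kodi in the thread connects to localhost, so that is the name the certificate has to carry).

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the CN="*" failure and the
# working alternative offline with the openssl CLI, and inspect a concatenated
# bundle of the kind LibreELEC builds from /storage/.config/cacert.pem.
# Assumes openssl 1.1.1 or newer is installed.
set -eu

# Scratch directory for the constructed certificates.
WORKDIR="$(mktemp -d)"

# Self-signed certificate that names the host it will serve, both in the
# Common Name and in a Subject Alternative Name (modern clients check the SAN).
# $1 = output basename, $2 = hostname the server is reached as (constructed).
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.pem" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
}

# The shape of the certificate seen in the thread: bare wildcard CN, no SAN.
make_star_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORKDIR/star.key" -out "$WORKDIR/star.pem" \
    -subj "/CN=*" >/dev/null 2>&1
}

# Extract the Common Name so it can be compared with the host in the URL.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Number of certificates in a concatenated PEM bundle.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Run the two checks a TLS client such as curl inside Kodi performs: is the
# server certificate trusted via the bundle, and does it name the host?
# Prints "ok" or "mismatch".
# $1 = trust bundle, $2 = certificate the server presents, $3 = hostname.
check_hostname() {
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo mismatch
  fi
}

make_cert good localhost
make_star_cert

# User certificates are simply concatenated into one bundle file.
cat "$WORKDIR/star.pem" "$WORKDIR/good.pem" > "$WORKDIR/bundle.pem"

echo "certificates in bundle:           $(count_certs "$WORKDIR/bundle.pem")"
echo "CN of the wildcard certificate:   $(cert_cn "$WORKDIR/star.pem")"
echo "CN=* cert, host localhost:        $(check_hostname "$WORKDIR/bundle.pem" "$WORKDIR/star.pem" localhost)"
echo "CN=localhost, host localhost:     $(check_hostname "$WORKDIR/bundle.pem" "$WORKDIR/good.pem" localhost)"
echo "CN=localhost, host nextcloud.lan: $(check_hostname "$WORKDIR/bundle.pem" "$WORKDIR/good.pem" nextcloud.lan)"
```

Both certificates are trusted by the bundle, so the wildcard one fails purely on the name check, which is the error class curl reports as code 60. Against the live service the equivalent check is `openssl s_client -connect localhost:443 -CAfile /run/libreelec/cacert.pem -verify_hostname localhost`, and a certificate regenerated with the host in its SAN, as make_cert does, removes the need for any verifypeer workaround.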

  • Did you consider reverse proxying nextcloud with valid ssl certs?

    The Letsencrypt addon/image was designed for that and works great with nextcloud. You can then add the external domain to kodi.

  • You could do dns or duckdns validation, as they don't require an incoming connection to your server from letsencrypt servers.

    Then you set up your local dns to resolve your domain to your libreelec ip

  • aptalca

    OK that sounds like a plan! Could you point me to some more docs or howtos perhaps? (noob proof if possible ;) Still a bit fuzzy about it.

    (I could tickle my own bind instance to resolve my home IP (although reverse will fail, being a residential IP's name). Not familiar with duckdns though.)