error with nextcloud self-signed certs, webdav source paths

  • On a standalone Kodi instance (internal network) I have the linuxserver.io nextcloud and mariadb addons running.


    Now I want to add a nextcloud webdav resource to the kodi source path (for instance pictures/photos). This fails to work due to the nextcloud self-signed certificate.


    I searched the forum for clues on how to go about telling kodi to use (or ignore) the nextcloud certificate. This is what I did:


    find /storage -iname cert.crt

    /storage/.kodi/userdata/addon_data/docker.linuxserver.nextcloud/config/keys/cert.crt

    cp /storage/.kodi/userdata/addon_data/docker.linuxserver.nextcloud/config/keys/cert.crt /storage/.config/

    openssl x509 -in cert.crt -noout -text

    openssl x509 -in cert.crt -out nextcloud.pem

    cp  nextcloud.pem cacert.pem

    export SSL_CERT_FILE=/storage/.config/cacert.pem

    systemctl restart kodi

    ERROR: CCurlFile::Exists - Failed: SSL peer certificate or SSH remote key was not OK(60) for davs://USERNAME:[email protected]:443/remote.php/webdav/files/USERNAME/Photos


    Any ideas why this won't work?


    PS: also tried the |verifypeer=false suffix (did not work)

    common sense is not so common

  • Do you even have the file /storage/.config/cacert.pem?


    Also, after all the changes, reboot the box because cacert.pem is used from openssl-config.service. Not sure if SSL_CERT_FILE is even applied here.


    Also read this: How to connect to Filezilla FTP over TLS server to stream music?


    Support my work with small (or big) Paypal donation


    Amlogic devices works better with CoreELEC

    Blu-ray Disc Java menus support - forum thread, Github

    my lamp addon (unofficial/community with limited support)
    my touchscreen support and instructions by Grruhn (now touchscreen addon exists in repository)


  • vpeter thanks for your reply!


    Before I created it I did not have a /storage/.config/cacert.pem


    I presumed I could just make a certificate (in fact copy it) and put it in the designated spot and it would be used. Incidentally, are the certificates just separate files in a directory, or just one file containing multiple certificates (so you cat >> them)?


    Naturally I tried rebooting the box as well :)


    Before my post I already found that post.


    Obviously I am missing something.


  • I'm wondering why |verifypeer=false doesn't work. Try with |verifypeer=false&auth=SSL/TLS.


    Post the whole kodi debug log and check that curl is selected as a debug component.




  • vpeter OK tried it but no go :( see below


    2019-09-03 12:36:53.405 T:3002069872 DEBUG: libinput: event1 - debounce state: DEBOUNCE_STATE_RELEASED → DEBOUNCE_EVENT_TIMEOUT → DEBOUNCE_STATE_IS_UP

    2019-09-03 12:36:53.418 T:3011907600 DEBUG: ProcessMouse: trying mouse action leftclick

    2019-09-03 12:36:53.670 T:3011907600 DEBUG: ------ Window Deinit (DialogConfirm.xml) ------

    2019-09-03 12:36:53.949 T:3011907600 DEBUG: ------ Window Deinit (DialogMediaSource.xml) ------

    2019-09-03 12:36:53.981 T:3011907600 DEBUG: CGUIMediaWindow::GetDirectory ()

    2019-09-03 12:36:53.981 T:3011907600 DEBUG: ParentPath = []

    2019-09-03 12:36:54.003 T:2882610032 DEBUG: Thread waiting start, auto delete: false

    2019-09-03 12:36:54.103 T:3011907600 DEBUG: ------ Window Init (DialogBusy.xml) ------

    2019-09-03 12:36:54.111 T:2882610032 ERROR: CCurlFile::Exists - Failed: SSL peer certificate or SSH remote key was not OK(60) for davs://USERNAME:[email protected]:443/remote.php/webdav/files/some_user/Kodi/Photos/VIDEO_TS.IFO|verifypeer=false&auth=SSL/TLS

    2019-09-03 12:36:54.150 T:2882610032 ERROR: CCurlFile::Exists - Failed: SSL peer certificate or SSH remote key was not OK(60) for davs://USERNAME:[email protected]:443/remote.php/webdav/files/some_user/Kodi/Photos/VIDEO_TS/VIDEO_TS.IFO|verifypeer=false&auth=SSL/TLS

    2019-09-03 12:36:54.189 T:2882610032 ERROR: CCurlFile::Exists - Failed: SSL peer certificate or SSH remote key was not OK(60) for davs://USERNAME:[email protected]:443/remote.php/webdav/files/some_user/Kodi/Photos/index.bdmv|verifypeer=false&auth=SSL/TLS

    2019-09-03 12:36:54.233 T:2882610032 ERROR: CCurlFile::Exists - Failed: SSL peer certificate or SSH remote key was not OK(60) for davs://USERNAME:[email protected]:443/remote.php/webdav/files/some_user/Kodi/Photos/BDMV/index.bdmv|verifypeer=false&auth=SSL/TLS

    2019-09-03 12:36:54.233 T:2882610032 DEBUG: Thread waiting 2882610032 terminating

    2019-09-03 12:36:54.238 T:3011907600 DEBUG: ------ Window Deinit (DialogBusy.xml) ------

    2019-09-03 12:36:54.267 T:2882610032 DEBUG: Thread BackgroundLoader start, auto delete: false

    2019-09-03 12:36:54.271 T:2882610032 DEBUG: Thread BackgroundLoader 2882610032 terminating

    2019-09-03 12:36:58.439 T:3011907600 DEBUG: ------ Window Deinit (Pointer.xml) ------

    2019-09-03 12:37:03.853 T:3011907600 INFO: CheckIdle - Closing session to http://127.0.0.1 (easy=0xb2f98a18, multi=(nil))

    2019-09-03 12:37:11.913 T:2679350128 DEBUG: Thread JobWorker 2679350128 terminating (autodelete)

    2019-09-03 12:37:24.729 T:3011907600 INFO: CheckIdle - Closing session to https://localhost (easy=0x3d17c40, multi=0xafe33150)

    2019-09-03 12:37:32.418 T:2982142832 DEBUG: CAESinkPi:Drain delay:100ms now:0ms


  • Enable CURL component in Kodi debug and maybe something more will be visible.




  • @vpeter I thought I had enabled curl debugging... did I forget something? Do I need to modify advancedsettings.xml? (I used the on screen menus, perhaps incorrectly.)


    Here's a recent (partial) log capture:


    2019-09-03 16:07:17.537 T:3001021296 DEBUG: CLibInputPointer::ProcessMotion - event.type: 3, event.motion.x: 968, event.motion.y: 379

    2019-09-03 16:07:17.556 T:2858824560 ERROR: CCurlFile::Stat - Failed: SSL peer certificate or SSH remote key was not OK(60) for davs://localhost:443/remote.php/webdav/files/some_user/Kodi/Photos/|verifypeer=false&auth=SSL/TLS

    2019-09-03 16:07:17.556 T:2858824560 DEBUG: GetImageHash - unable to stat url davs://localhost:443/remote.php/webdav/files/xs4_rhebergen/Kodi/Photos/|verifypeer=false&auth=SSL/TLS

    2019-09-03 16:07:22.551 T:3011457040 DEBUG: ------ Window Deinit (Pointer.xml) ------

    2019-09-03 16:07:23.318 T:3011457040 INFO: CheckIdle - Closing session to http://127.0.0.1 (easy=0xb0fddd60, multi=(nil))

    2019-09-03 16:07:47.459 T:2875609968 DEBUG: Thread JobWorker 2875609968 terminating (autodelete)

    2019-09-03 16:07:47.459 T:2674185072 DEBUG: Thread JobWorker 2674185072 terminating (autodelete)

    2019-09-03 16:07:47.556 T:2858824560 DEBUG: Thread JobWorker 2858824560 terminating (autodelete)

    2019-09-03 16:07:47.629 T:3011457040 INFO: CheckIdle - Closing session to https://localhost (easy=0x37a6fe8, multi=0x37adb58)


    Perhaps it is easier to convince nextcloud to do webdav not over port 443. After all, this host is inside a (trusted) home network behind a firewall. I will be creating a different one in the future which will have outside access and thus will use https and letsencrypt-generated certificates.


    Still it bugs me why this self-signed is not possible. Judging from other posts it is though :)


  • I did spend a lot of time on such certificate issues here on the forum and also on Kodi issues. No idea why it doesn't work for you :(




  • vpeter yeah, I found your previous posts. It can be disheartening at times when it just doesn't want to work despite best efforts.


    I can only think that in my efforts to get it working, and in the process of installing, something got in the way (or broke). Given the fact that this is a fresh install with no media or users on it yet, I could decide to trash it and start all over again using what I have learnt in the meantime. It's kind of a last resort idea.


    Although I am an old Linux user I am new to Kodi and also relatively new to docker. So I'm slightly handicapped there.


    In your opinion, what are the gotchas to look out for when trying to solve this riddle? For instance, where are the certificates supposed to be located in the kodi filesystem? Are all certificates concatenated in one file or are they separate in a directory? (I've seen both.) So, any pointers on how to approach this are welcome. By the way, how do I properly enable component logging for curl? (I thought I did.)


    Thanks so far!


  • /storage/.config/cacert.pem is a concatenated file of all the user's certificates. This content is then appended to the end of the file /etc/ssl/cacert.pem.system to produce the final file which is actually used, /run/libreelec/cacert.pem.

    Also check your certificate with

    Code
    openssl x509 -in certificate.pem -text

    to see if the name is correct


    I think a good start to debug this issue is with curl (or the openssl client) itself, connecting to your source using this certificate.




  • Like this?


    Issuer: C = US, ST = CA, L = Carlsbad, O = Linuxserver.io, OU = LSIO Server, CN = *


    Checked the /etc/ssl/cacert.pem.system and /run/libreelec/cacert.pem files. It seems the self-signed certificate from nextcloud is indeed added, which is nice to know ;)


    When trying to run curl from the bash prompt:


     curl: (1) Protocol "davs" not supported or disabled in libcurl


  • CN probably means Common Name, which means because of * it will not work. As I wrote, according to my findings there must be the FQDN of the server (or maybe the IP address).


    For testing use the openssl client with your certificate. The first thing is to make a TLS connection; the dav protocol comes later to the game :)


    I think the easiest would be to regenerate this certificate with openssl.


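The CN = * diagnosis above, as an added example that is not part of this thread or of Kodi/LibreELEC: a Python implementation of the hostname-matching rules curl and OpenSSL apply to a certificate name, showing why a bare wildcard (or any name that does not equal the host you actually connect to, here localhost) still fails with curl error 60 even after the certificate has been added to the trust bundle. The host and SAN values below are constructed.

```python
import ipaddress


def _is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals; wildcard names never match those."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (CN or dNSName SAN) against hostname.

    Rules as curl/OpenSSL apply RFC 6125: case-insensitive comparison; a
    wildcard must be the whole leftmost label, must be followed by at least
    two more labels (so "*" and "*.lan" are rejected as too wide), and it
    replaces exactly one label of the host name.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    if _is_ip_literal(hostname):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # wildcard must be the entire first label, nowhere else
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(subject_cn, san_dns, san_ip, hostname):
    """Decide like curl: SAN entries win, the CN is consulted only when the
    certificate carries no dNSName SAN, and an IP host needs an iPAddress SAN."""
    if _is_ip_literal(hostname):
        return any(ipaddress.ip_address(ip) == ipaddress.ip_address(hostname)
                   for ip in san_ip)
    if san_dns:
        return any(name_matches(n, hostname) for n in san_dns)
    return bool(subject_cn) and name_matches(subject_cn, hostname)


if __name__ == "__main__":
    # Constructed cases; "CN = *" is the subject the thread's certificate shows.
    print(cert_matches_host("*", [], [], "localhost"))                   # False
    print(cert_matches_host("localhost", [], [], "localhost"))           # True
    print(cert_matches_host("*.home.lan", [], [], "nextcloud.home.lan")) # True
```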


  • Did you consider reverse proxying nextcloud with valid ssl certs?

    Letsencrypt addon/image was designed for that and works great with nextcloud. You can then add the external domain to kodi

  • aptalca yep, I briefly looked into it (this is what I do on my regular server with its own public IP).


    The question is how do you set the parameters for a system that's on a local net behind a firewall.


  • You could do dns or duckdns validation, as they don't require an incoming connection to your server from letsencrypt servers.


    Then you set up your local dns to resolve your domain to your libreelec ip

  • aptalca


    OK, that sounds like a plan! Could you point me to some more docs or howtos perhaps (noob proof if possible ;) )? Still a bit fuzzy about it.


    (I could tickle my own bind instance to resolve my home IP, although reverse will fail, being a residential IP's name. Not familiar with duckdns though.)


  • This is our mega guide on letsencrypt: Let's Encrypt, Nginx & Reverse Proxy Starter Guide - 2019 Edition


    Most things will apply but some things are a little different due to addon gui settings vs commandline.


    A couple of things to keep in mind: the container name on libreelec will be docker.linuxserver.letsencrypt, so to see the logs you do "docker logs docker.linuxserver.letsencrypt" instead of "docker logs letsencrypt".