I would like to use my http proxy (squid), but to use https connections I need to install my CA certificate into the trusted cacert.pem. I have located the one that kodi is using in /usr/share/kodi/system/certs/, but the issue is that I can't make it survive reboots. Is there any other location where a custom CA certificate can be installed?
Http(s) proxy, how to add my CA to... kodi?
-
VvJ44q1Z -
November 21, 2019 at 9:03 AM -
-
Try adding it to a file /storage/.config/cacert.pem.
-
I have created this, it works. Put it in /storage/.config
------------------------------------------------------------
#!/usr/bin/env bash
cacrt=/tmp/squid.ca.crt
kodicerts=/usr/share/kodi/system/certs

# prepare
mount -o remount,rw /

# you can get it from elsewhere:
wget -O ${cacrt} https://<hostname>/squid.ca.crt 2> /dev/null
cp -a ${kodicerts} /tmp

# inject your cert into all pems
# (/tmp/certs is the copied directory; the bundle inside it is cacert.pem)
pemfiles="/tmp/certs/cacert.pem /etc/pki/tls/cacert.pem /etc/ssl/cacert.pem /etc/ssl/cert.pem /run/libreelec/cacert.pem /usr/lib/ssl/cert.pem"
for pem in $pemfiles; do
    cat ${cacrt} >> ${pem}
done

# bind mount it over squashfs
mount -o bind /tmp/certs ${kodicerts}
-
Yep, remounting the root doesn't work, I just took a larger hammer.
I have refined the script but it just doesn't help, and putting the CA certificate into /storage/.config/cacert.pem doesn't either. There is something strange with kodi, they are using two ways to communicate over https, one is curl and the second one is urllib. I have no clue why this is not working, as python on its own should load the certificates from the system, but it looks like it does not.
I was checking Adding own certs to connect via webdavs/sftp again, but this is not exactly the same case: the http proxy is performing a mitm attack on https connections, serving back on-the-fly generated certificates with its own CA. All https traffic is affected. I am just puzzled why adding it to all cacert.pem files on the system doesn't work.
There is a second option, to kill certificate checking via an environment variable, but unfortunately busybox is executing /etc/profile, which doesn't execute . ~/.profile (or whatever is writable). The logs from touch /storage/.cache/debug.libreelec didn't reveal anything useful, so I would assume kodi is using normal functions to read certificates.
I am cloning your git repo (and really don't understand why you have locked down the whole libreelec so much =/), either the problem is there or within kodi, which is next... =/
-
Hm, ok, so /run/libreelec/cacert.pem is your single source of truth, softlinked to every part of the system, but not into kodi... where it has /usr/share/kodi/system/certs/cacert.pem
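An added example, not the script posted above nor LibreELEC's own code: the same bundle injection over the paths named in this thread, done so that rerunning it on every boot appends the CA only once per bundle and refuses a download that is not a PEM certificate. The file name inject_ca.sh and the demo's PEM body are made up for illustration.

```shell
#!/bin/sh
# Added example (not the thread's script): put a private CA into the bundles the
# thread names, appending it only once per bundle and refusing non-PEM input.

# First base64 line of the certificate body: it encodes the serial number,
# so it is a cheap marker for "this exact certificate is already here".
pem_marker() {
  awk '/-----BEGIN CERTIFICATE-----/ { if (getline > 0) print; exit }' "$1"
}

# 0 = appended, 1 = already present, 2 = input is not a PEM certificate.
inject_ca() {
  ca="$1"; bundle="$2"
  [ -f "$ca" ] || return 2
  marker=$(pem_marker "$ca")
  [ -n "$marker" ] || return 2
  [ -f "$bundle" ] || : > "$bundle"
  grep -qF -- "$marker" "$bundle" && return 1
  cat "$ca" >> "$bundle"
}

cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Bundles from the thread; Kodi's own copy is on read-only squashfs, so it is
# copied to /tmp, patched there and bind-mounted back (as the thread's script does).
install_all() {
  kodicerts=/usr/share/kodi/system/certs
  cp -a "$kodicerts" /tmp
  for b in /tmp/certs/cacert.pem /etc/pki/tls/cacert.pem /etc/ssl/cacert.pem \
           /etc/ssl/cert.pem /run/libreelec/cacert.pem /usr/lib/ssl/cert.pem; do
    inject_ca "$1" "$b" || [ $? -eq 1 ] || echo "skipped $b (not a PEM cert)" >&2
  done
  mount -o bind /tmp/certs "$kodicerts"
}

# Self-check on a constructed, fake PEM body: prints "<certs in bundle> <rc of 2nd run>".
demo() {
  d=$(mktemp -d); rc=0
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIICONSTRUCTEDFAKECAFORDEMO0001' \
    '-----END CERTIFICATE-----' > "$d/ca.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIISOMEOTHERCERT0002' \
    '-----END CERTIFICATE-----' > "$d/bundle.pem"
  inject_ca "$d/ca.pem" "$d/bundle.pem"
  inject_ca "$d/ca.pem" "$d/bundle.pem" || rc=$?
  echo "$(cert_count "$d/bundle.pem") $rc"
  rm -rf "$d"
}

# Run as: ./inject_ca.sh install /storage/.config/squid.ca.crt
if [ "${1:-}" = install ]; then install_all "$2"; fi
```

Because a mitm proxy CA can sign for any hostname, keeping it only in the bundles on this box (and never shipping it into an image) limits the blast radius if the proxy's key leaks.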
-
I think the SSL_CERT_FILE environment variable could also be used.
-
Just for an info, in a moment of being pissed off to non working proxy, I took Kodi source code and figured out the issue was actually in how Kodi was handling proxy requests without authentication. I have written a fix and submitted it to Kodi team, it should be merged into Kodi for about a year.
Now I am waiting for libreelec to actually start supporting proxy. Kodi does it, libreelec not (at least for updates).
I am not letting any single request contact the internet without a VPN, due to potentially illegal (I have no clue) content in my media library. It would be really helpful if you would implement usage of the defined proxy.