Http(s) proxy, how to add my CA to... kodi?

  • I would like to use my http proxy (squid) but to use https connections I need to install my CA certificate to the trusted cacert.pem. I have located the one that kodi is using in /usr/share/kodi/system/certs/ but the issue is that I can't make it survive the reboots. Is there any other location where a custom CA certificate can be installed?

  • My suggestion didn't work?


    And this is something new for LE :)

    Code
    mount -o remount,rw /


    Support my work with small (or big) Paypal donation


    Amlogic devices works better with CoreELEC

    Blu-ray Disc Java menus support - forum thread, Github

    my lamp addon (unofficial/community with limited support)
    my touchscreen support and instructions by Grruhn (now touchscreen addon exists in repository)


  • Yep, remounting the root doesn't work :D I just took a larger hammer.


    I have refined the script but it just doesn't help, also putting the CA certificate into /storage/.config/cacert.pem doesn't. There is something strange with kodi, they are using two ways to communicate over https, one is curl and the second one is urllib. I have no clue why this is not working as python on its own should load the certificates from the system but it looks like it does not.


    I was checking Adding own certs to connect via webdavs/sftp again but this is not exactly the same case, the http proxy is performing a mitm attack on https connections, serving back on-the-fly generated certificates with its own CA. All https traffic is affected. I am just puzzled why adding it to all cacert.pem files on the system doesn't work.


    There is a second option, to kill certificate checking by environment variable but unfortunately busybox is executing /etc/profile which doesn't execute . ~/.profile (or whatever writable). touch /storage/.cache/debug.libreelec logs didn't reveal anything useful so I would assume kodi is using normal functions to read certificates.


    I am cloning your git repo (and really don't understand why you have locked down the whole libreelec so much =/), either the problem is there or within kodi, which is next... =/


  • Hm, ok, so /run/libreelec/cacert.pem is your single source of truth, softlinked to every part of system, but not into kodi... where it has /usr/share/kodi/system/certs/cacert.pem

  • I think SSL_CERT_FILE environment variable could also be used.
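An added diagnostic example, not code from the thread or from LibreELEC: it checks whether a given CA is actually present in each cacert.pem location named above, and shows which CA file Python's own ssl defaults resolve to (the ssl module reads SSL_CERT_FILE for this). The certificates are constructed placeholders, and whether Kodi's curl and urllib paths use these defaults is not established by the thread.

```python
import hashlib
import os
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def bundle_fingerprints(pem_text):
    """SHA-256 fingerprints of every certificate found in a PEM bundle."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_BLOCK.findall(pem_text)}

def ca_in_bundle(ca_pem, bundle_pem):
    """True only if ca_pem holds a cert and all of its certs are in bundle_pem."""
    wanted = bundle_fingerprints(ca_pem)
    return bool(wanted) and wanted <= bundle_fingerprints(bundle_pem)

def python_default_cafile(environ=None):
    """CA file Python's ssl defaults resolve to; SSL_CERT_FILE overrides."""
    environ = os.environ if environ is None else environ
    paths = ssl.get_default_verify_paths()
    return environ.get(paths.openssl_cafile_env) or paths.openssl_cafile

def check_paths(ca_pem, paths):
    """Map path -> True/False (CA present?) or None when the file is unreadable."""
    result = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                result[path] = ca_in_bundle(ca_pem, fh.read())
        except OSError:
            result[path] = None
    return result

# Constructed placeholders: base64 of labels, not real certificates.
# For real use, load your proxy CA's PEM text in place of PROXY_CA.
PROXY_CA = ssl.DER_cert_to_PEM_cert(b"constructed proxy CA")
STOCK_BUNDLE = (ssl.DER_cert_to_PEM_cert(b"constructed public root 1")
                + ssl.DER_cert_to_PEM_cert(b"constructed public root 2"))
PATCHED_BUNDLE = STOCK_BUNDLE + PROXY_CA

# Bundle locations named in the thread.
THREAD_PATHS = ["/run/libreelec/cacert.pem",
                "/usr/share/kodi/system/certs/cacert.pem",
                "/storage/.config/cacert.pem"]

if __name__ == "__main__":
    print("Python default CA file:", python_default_cafile())
    for path, present in check_paths(PROXY_CA, THREAD_PATHS).items():
        print(path, {True: "has CA", False: "CA missing", None: "unreadable"}[present])
```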