Http(s) proxy, how to add my CA to... kodi?

  • I would like to use my HTTP proxy (squid), but to use HTTPS connections I need to install my CA certificate into the trusted cacert.pem. I have located the one that Kodi is using in /usr/share/kodi/system/certs/ but the issue is that I can't make it survive the reboots. Is there any other location where a custom CA certificate can be installed?

  • Iridium

    Approved the thread.
  • Yep, remounting the root doesn't work :D I just took a larger hammer.

    I have refined the script but it just doesn't help, and putting the CA certificate into /storage/.config/cacert.pem doesn't either. There is something strange with Kodi: they are using two ways to communicate over HTTPS, one is curl and the second one is urllib. I have no clue why this is not working, as Python on its own should load the certificates from the system, but it looks like it does not.

    I was checking "Adding own certs to connect via webdavs/sftp" again but this is not exactly the same case: the HTTP proxy is performing a MITM attack on HTTPS connections, serving back on-the-fly generated certificates with its own CA. All HTTPS traffic is affected. I am just puzzled why adding it to all cacert.pem files on the system doesn't work.

    There is a second option, to kill certificate checking by environment variable, but unfortunately busybox is executing /etc/profile, which doesn't execute . ~/.profile (or whatever is writable). The touch /storage/.cache/debug.libreelec logs didn't reveal anything useful, so I would assume Kodi is using normal functions to read certificates.

    I am cloning your git repo (and really don't understand why you have locked down the whole LibreELEC so much =/), either the problem is there or within Kodi, which is next... =/

    Edited 3 times, last by VvJ44q1Z.

  • Hm, OK, so /run/libreelec/cacert.pem is your single source of truth, softlinked to every part of the system, but not into Kodi... where it has /usr/share/kodi/system/certs/cacert.pem
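
Added example (not part of the thread, and not LibreELEC or Kodi code): a Python check of which of the cacert.pem bundles named in the posts above actually contain the proxy CA, compared by SHA-256 fingerprint, with symlinks resolved so a separate copy can be told apart from a link. The function names and the constructed demo data are assumptions of this example; the three paths are the ones mentioned in the thread.

```python
import base64
import hashlib
import os
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
# Bundle locations named in this thread.
BUNDLES = ["/run/libreelec/cacert.pem",
           "/usr/share/kodi/system/certs/cacert.pem",
           "/storage/.config/cacert.pem"]


def fingerprints(pem_text):
    """SHA-256 fingerprints of the DER body of every certificate block."""
    found = set()
    for body in PEM_RE.findall(pem_text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue  # damaged block, e.g. a truncated append
        found.add(hashlib.sha256(der).hexdigest())
    return found


def check_bundles(ca_pem, bundles):
    """Map each bundle name to True if it holds every cert in ca_pem."""
    wanted = fingerprints(ca_pem)
    if not wanted:
        raise ValueError("no certificate block in the CA file")
    return {name: wanted <= fingerprints(text)
            for name, text in bundles.items()}


def fake_pem(data):
    """Constructed stand-in for a certificate (arbitrary bytes, not real)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(data).decode()
            + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: script.py /path/to/proxy-ca.pem
        ca = open(sys.argv[1]).read()
        texts = {p + " -> " + os.path.realpath(p): open(p).read()
                 for p in BUNDLES if os.path.exists(p)}
    else:  # offline demo on constructed data
        ca = fake_pem(b"proxy-ca")
        texts = {"patched": fake_pem(b"root-1") + ca,
                 "untouched": fake_pem(b"root-1")}
    for name, ok in check_bundles(ca, texts).items():
        print("present" if ok else "MISSING", name)
```

Run after a reboot, a bundle reported as MISSING shows which file lost the appended CA, and two entries resolving to the same real path are one file reached through a symlink.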