Http(s) proxy, how to add my CA to... kodi?

  • I would like to use my http proxy (squid), but to use https connections I need to install my CA certificate into the trusted cacert.pem. I have located the one that kodi is using in /usr/share/kodi/system/certs/ but the issue is that I can't make it survive the reboots. Is there any other location where a custom CA certificate can be installed?

  • Yep, remounting the root doesn't work :D I just took a larger hammer.

    I have refined the script but it just doesn't help, and putting the CA certificate into /storage/.config/cacert.pem doesn't either. There is something strange with kodi, they are using two ways to communicate over https, one is curl and the second one is urllib. I have no clue why this is not working, as python on its own should load the certificates from the system, but it looks like it does not.

    I was checking "Adding own certs to connect via webdavs/sftp" again but this is not exactly the same case, the http proxy is performing a MITM attack on https connections, serving back on-the-fly generated certificates with its own CA. All https traffic is affected. I am just puzzled why adding it to all cacert.pem files on the system doesn't work.

    There is a second option, to kill certificate checking by environment variable, but unfortunately busybox is executing /etc/profile which doesn't execute . ~/.profile (or whatever writable). touch /storage/.cache/debug.libreelec logs didn't reveal anything useful so I would assume kodi is using normal functions to read certificates.

    I am cloning your git repo (and really don't understand why you have locked down the whole libreelec so much =/), either the problem is there or within kodi, which is next... =/

    Edited 3 times, last by VvJ44q1Z (November 23, 2019 at 9:02 AM).

  • Hm, ok, so /run/libreelec/cacert.pem is your single source of truth, softlinked to every part of the system, but not into kodi... where it has /usr/share/kodi/system/certs/cacert.pem
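
The situation in the two posts above (a CA added to some bundles, while Kodi reads its own separate copy) can be checked mechanically. This is an added example, not code from the thread or from LibreELEC/Kodi: it resolves each bundle path through its symlinks and reports whether the CA is really in the file that gets read. The file names in `demo()` and the placeholder "certificates" are constructed for illustration.

```python
import base64, hashlib, os, re, tempfile

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 over the DER bytes of each certificate block, so wrapping and CRLF do not matter."""
    found = set()
    for body in PEM_BLOCK.findall(pem_text):
        try:
            der = base64.b64decode("".join(body.split()))
        except ValueError:  # malformed block: skip it
            continue
        found.add(hashlib.sha256(der).hexdigest())
    return found

def audit(ca_pem_text, bundle_paths):
    """Map each bundle path to (resolved real path, 'present' | 'missing' | 'unreadable')."""
    wanted = fingerprints(ca_pem_text)
    if len(wanted) != 1:
        raise ValueError("expected exactly one CA certificate")
    report = {}
    for path in bundle_paths:
        real = os.path.realpath(path)  # follow symlinks to the file actually read
        try:
            with open(real, encoding="ascii", errors="replace") as fh:
                status = "present" if wanted <= fingerprints(fh.read()) else "missing"
        except OSError:
            status = "unreadable"
        report[path] = (real, status)
    return report

def make_pem(raw):
    """Constructed stand-in: wraps placeholder bytes in PEM armour; not a real certificate."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(raw).decode() + "-----END CERTIFICATE-----\n"

def demo():
    """Constructed layout: etc.pem is a symlink to run.pem, kodi.pem is a separate copy."""
    ca, other = make_pem(b"constructed proxy CA"), make_pem(b"constructed public root")
    d = tempfile.mkdtemp()
    run, etc, kodi = (os.path.join(d, n) for n in ("run.pem", "etc.pem", "kodi.pem"))
    with open(run, "w") as fh:
        fh.write(other + ca)
    os.symlink(run, etc)
    with open(kodi, "w") as fh:
        fh.write(other)
    return audit(ca, [etc, kodi, os.path.join(d, "absent.pem")])

if __name__ == "__main__":
    for path, (real, status) in demo().items():
        print(f"{path} -> {real}: {status}")
```

On a real box, `audit()` would be given the proxy CA's PEM text and the bundle paths named in the thread: /run/libreelec/cacert.pem, /usr/share/kodi/system/certs/cacert.pem and /storage/.config/cacert.pem.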

  • Just for info, in a moment of being pissed off at the non-working proxy, I took the Kodi source code and figured out the issue was actually in how Kodi was handling proxy requests without authentication. I have written a fix and submitted it to the Kodi team, it should be merged into Kodi for about a year.

    Now I am waiting for libreelec to actually start supporting proxy. Kodi does it, libreelec does not (at least for updates).

    I am not letting any single request contact the internet without a VPN due to potentially illegal (I have no clue) content in my media library. It would be really helpful if you would implement usage of a defined proxy.

    Edited once, last by VvJ44q1Z (September 15, 2022 at 3:38 PM).