SOLVED: Cannot Install/Update Addons (on LE9.0 and older versions)

  • I'm not sure when this issue started, but I just noticed I cannot install or update addons from any repository. Installing from .zip files work fine (tested with Youtube alpha addon). I tried researching the issue and everything always seemed to point to time issues. However, my time is correct on the system so I assume I'm using the default NTP servers (I haven't set anything manually). I haven't made any changes this year and was previously able to install/update addons (although it could have been months since the Youtube addon officially updated). I did try manually try setting NTP settings to 0.north-america.pool.ntp.org and 0.pool.ntp.org (not exactly sure what I'm doing with those), but I undid this as it didn't fix anything after restarting. My time remained correct with and without these in the Libreelec settings.

    Line 466 of the attached log gives the error "Failed: SSL peer certificate or SSH remote key was not OK(60)." I don't know if this is NTP-related or if something broke with SSL certs with Libreelec 9.0.2 recently (which I can't upgrade from).

    I have "Wait for Network" enabled. I do not have any NTP servers manually entered. I have internet access on the device. I have multiple devices (attached log is from Odroid C2. I also have 2 Pi3s) and the date & time is always correct on each of them. The devices have unrestricted Internet access (tested with Youtube addon).

    Due to the Odroid C2 being the main device I use, I am on Libreelec 9.0.2 across all devices. This device is hardwired. My router is not configured to block traffic.

    If I am supposed to configure NTP servers, I'm not sure exactly what to type in - all my research seemed to lead to general instructions but not a specific address (unless I just didn't understand).

  • Go to Best Answer
  • Code
    2021-10-12 17:32:01.107 T:3908014960   ERROR: CCurlFile::FillBuffer - Failed: SSL peer certificate or SSH remote key was not OK(60)

    It's not the NTP/time issue that invalidates the cert (which produces different error messages). It's also not clear what the issue is, but I'd hazard a guess that something fundamental with the TLS cert is bad, e.g. ciphers supported or perhaps broken chain of authority (signed by someone that the embedded certs in your 9.0.2 image cannot trust).

    If you attempt to download https://mirrors.kodi.tv/addons/leia/sc…ktail-1.1.0.zip direct from the console you might get more info?

    NB: There are some community releases for S905 devices that are newer than 9.0.2 which might be worth investigating on a spare SD card. Sadly the LE10 codebase is not ready for prime-time use (board support is good, media capabilities are not).

  • LE 9.0 (and before) use the old openssl 1.0.2 version which is tripping over the DST Root CA X3 expiration end of September - read more about it here: https://www.openssl.org/blog/blog/2021…RootCertExpire/

    Fortunately applying the workaround 1 (removing the cert) is quite easy:

    First create the directory /storage/.config/system.d/openssl-config.service.d:

    Code
    mkdir -p /storage/.config/system.d/openssl-config.service.d

    then create a file drop-dst-x3.conf in there (full path is /storage/.config/system.d/openssl-config.service.d/drop-dst-x3.conf) with the following content:

    Code
    [Service]
    ExecStartPost=sed -i '/^DST Root CA X3/,/END CERTIFICATE/ d' /run/libreelec/cacert.pem

    Now reboot and kodi (and curl etc) should be happy again.

    so long,

    Hias

  • Dear @HiassofT. You sir are a genius.

    In my case first symptoms were some posters for tv shows not downloading. Then I wanted to install a different scraper and found that I can't install any addons. I was so close to formating the emmc and starting a fresh install.

    Thank you very much for the solution. How come this just happened by itself? And how come so very few people have this issue?

    Kind regards

  • Hi all,

    I think I have the same issue as described in this post, see my log file attached to this post. Suddenly I couldn't update any addons. After a fresh install of libreelec ( I use version 9.2.5.) I also couldn't install addons anymore (regardless which repository).

    I don't understand how to apply the solution of HiassofT. It's because my lack of knowledge. Hope someone could help me.

    Kind regards,

    David

  • Following the video steps, when I tried to login as root using PuTTY I get the message "No supported authentication methods available (server sent: publickey,keyboard-intractive)."

    What can I do?

    EDIT: Incredible! using the Windows Command (cmd) instead of PuTTY I connected without problems. It's crazy!

    Problem solved, many thanks :thumbup:

    Edited 2 times, last by Papalapa (November 18, 2021 at 6:02 PM).

  • Is easier to understand

    1.create folder

    Code
    mkdir -p /storage/.config/system.d/openssl-config.service.d

    2.create config

    Code
     nano /storage/.config/system.d/openssl-config.service.d/drop-dst-x3.conf

    3 create file, add line

    Code
    Service]
    ExecStartPost=sed -i '/^DST Root CA X3/,/END CERTIFICATE/ d' /run/libreelec/cacert.pem

    system restart /reboot

  • Hello,

    had no luck yet.

    After executing all the steps above and pressing 'Y" to save , i see that Putty is asking something about filename, what should i press then?

    Edit:

    I just press Enter and it seems ok.

    Then i checked with FTP and i see that the drop-dst-x3.conf file is created in correct directory.

    I reboot but nothing is affected, all add-ons fail to update.

    Edit 2:

    Problem solved, i had to update Libreelec as well to latest, after that the fix above worked!

  • I have some similar issues. LE repo isn't available. Tried to run the instructions above, but it doesn't work.

    here is logs: http://ix.io/3ZvU

    upd: solved, reinstall clear system

    Edited 2 times, last by ravl: upd: solved, reinstall clear system (June 6, 2022 at 1:55 PM).


  • Well, I dont have that directory structure and I dont know if it makes a difference.

    I have:

    /storage/.config/system.d/openvpn.service.sample

    so I created a folder structure as shown :

    /storage/.config/system.d/openssl-config.service.d

    and it still dont work.

    Do I need to make the folder openssl-config.service.d and put that file in it.

    thanks

    Edited once, last by hextejas: Merged a post created by hextejas into this post. (September 23, 2022 at 9:38 PM).