[SOLVED] Installing add-ons suddenly failing? How to update curl's CA store.

  • Hi all,

    I ran into an issue recently whereby I suddenly could not install any plugins at all. The on-screen message was simply 'Installation Failed' regardless of which plugin I chose. I enabled debug logging and obtained the log, which told me the following:

    Code
    2021-12-02 08:02:31.132 T:3981439856 ERROR: CCurlFile::FillBuffer - Failed: SSL peer certificate or SSH remote key was not OK(60)
    2021-12-02 08:02:31.132 T:3981439856 ERROR: CCurlFile::Open failed with code 0 for https://mirrors.kodi.tv/addons/leia/skin....2.123.zip:
    2021-12-02 08:02:31.132 T:3981439856 ERROR: Could not fetch addon location and hash from https://mirrors.kodi.tv/addons/leia/skin....2.123.zip
    2021-12-02 08:02:31.132 T:3981439856 ERROR: CAddonInstallJob[skin.amber]: failed to resolve addon install source path

    I learnt from this that curl had run into an SSL certificate issue (since clearly it's not using SSH for downloading add-ons). Some trivial web searching told me that the cacerts.pem file on which curl depends for root certificates must have been out of date. Here's what I did to fix that:


    1. Download a more recent cacerts.pem from curl's own web site. You can find the URL from the web easily enough, you don't have to trust a random stranger (i.e. me!) to tell you where to find it.

    2. Enable SSH on your Kodi install.

    3. Log in and change into /etc/ssl to find where your cacerts.pem is stored (in my case it is a soft link to /run/libreelec/cacerts.pem because I'm running LibreELEC off an SD Card).

    4. Rename your existing cacerts.pem to cacerts.pem.old, or just delete it.

    5. Use an SFTP client to log into your Kodi install over SSH and copy the new cacerts.pem into the same folder where the old one was located.

    6. If you're running LibreELEC from an SD Card, the above fix will be lost every time you shut down/restart. It's not perfect, but my workaround has been to copy an up-to-date cacert.pem file to /storage, then add a cron entry to copy it to /run/libreelec daily at a couple of times I know it's likely that the box will be switched on.


    Hope this is useful to anyone else running into this problem,

    Ian
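
A check that can sit in front of steps 4 to 6 and the cron copy, as an added example that is not part of the original post: it refuses to replace the live bundle unless the new file matches a known SHA-256 and is a complete PEM bundle. The function names `count_certs` and `install_ca_bundle` are hypothetical, and the expected hash is assumed to have been obtained separately from the bundle's publisher.

```shell
#!/bin/sh
# Added example: validate a CA bundle before it becomes the trust store.
# Function names are hypothetical; the expected SHA-256 is an assumption
# (obtain it separately from the bundle's publisher).

# count_certs FILE: print the number of PEM certificate blocks.
# Fails on an empty file, an HTML error page or a truncated download,
# where BEGIN and END markers are missing or unbalanced.
count_certs() {
    [ -r "$1" ] || return 1
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$1" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] || return 1
    echo "$begins"
}

# install_ca_bundle NEW DEST EXPECTED_SHA256
# DEST should be the real file, not a symlink that points at it:
# the final rename would replace the link itself.
install_ca_bundle() {
    new=$1 dest=$2 want=$3
    got=$(sha256sum "$new" 2>/dev/null | cut -d' ' -f1)
    if [ "$got" != "$want" ]; then
        echo "checksum mismatch for $new, keeping $dest" >&2
        return 1
    fi
    n=$(count_certs "$new") || {
        echo "$new is not a complete PEM bundle, keeping $dest" >&2
        return 1
    }
    # Copy next to the target, then rename, so curl never reads a
    # half-written bundle.
    tmp="$dest.tmp.$$"
    cp "$new" "$tmp" && mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 1; }
    echo "installed $n certificates to $dest"
}

# Command-line use, e.g. from the cron entry described in step 6:
#   thisscript /storage/cacert.pem /run/libreelec/cacerts.pem <sha256>
if [ "$#" -eq 3 ]; then
    install_ca_bundle "$@"
fi
```

Because the hash is pinned, a changed or corrupted copy in /storage is rejected and the bundle already in place is left untouched.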