How to add CA certificates to LibreElec? (SkyTicket Video AddOn failing due to certificate validation)

  • Hey,
    I have successfully been using the SkyTicket add-on until some days ago. The addOn won't connect any more and debug logging tells me it fails to verify the certificate of
    navigation.xml
    That URL uses a certificate from June 8th 2017 which was signed by Symantec Class 3 Secure Server CA which in turn was signed by Verisign Class 3 Public (G5).

    I am not exactly sure which recent update triggered this but I suspect


    Looking at /etc/ssl/cert.pem I can find the Verisign one but the Symantec one is missing, thus breaking the validation path.
    I would like to add the Symantec one but I haven't found any instructions on how to...

    Ideas and referrals are welcome, thx.

    info: Raspberry 2 - model B (Revision a01041), LibreElec 8.0.2

  • I looked at updating the cacert.pem bundle we embed which is obtained from here: curl - Extract CA Certs from Mozilla but the update doesn't make any changes to Symantec/Verisign certs and the bundle doesn't need to contain intermediate CA details; in broad terms the signing chain will be followed through live queries until you reach a trusted or revoked certificate; and if neither is reached the process fails.

    It's possible this is just another indeterminate LibreSSL problem - we've seen some random/unexplainable issues and it's the reason we switched back to OpenSSL in preparation for LE 8.2/9.0. If you can test a current milhouse Leia build (Generic and Pi hardware) on a spare USB/SD card that would confirm if that solves the issue.

  • RobertPaulsen also please upload full kodi debug logs from the failing 8.0.2 build and the 8.2 preview-build above and verify that the system date/time is set correctly.

    HOW TO:Provide Logfile - LibreELEC

    Especially on systems without an RTC, like the RPi, failing to get the current date/time from NTP can have funny effects with certs (system will then fall back to image build time which may or may not be in the certificate valid-from/valid-to period).

    so long,

    Hias

  • Thanks guys,
    it turned out that one of the add-in updates must have somehow altered config so my time server was not set. The RPi deemed itself in March 2017 at which time the certificate Sky Ticket is using as of June is not yet valid.
    Added time server, waited for sync et voilà, things worked again. When reading through chewitt's comments I *FP*, as he's right, I don't need the intermediate, just the root CA which indeed IS in the bundle. So all is good regarding certs. I'd rather not allow to add certs to the bundle but handle additional trust in the code which requires it (VPN bundles, etc).

    Thank you for the prompt responses and good leads, happy to see that not only the software is great to use but the forum is as well. Thumbs up!
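
The failure resolved in this thread (a clock that sits before the certificate's valid-from date) can be told apart from a genuinely expired certificate with a check like the following. It is an added example, not code from the thread or from LibreELEC. The function names, the notAfter date, the exact day in March and the image build time are constructed assumptions; only the June 8th 2017 start date and the March 2017 clock come from the posts.

```python
import ssl
from datetime import datetime, timezone

DAY = 86400

# Validity period in the string format returned by ssl.getpeercert().
NOT_BEFORE = "Jun  8 00:00:00 2017 GMT"   # start date mentioned in the thread
NOT_AFTER = "Jun  9 23:59:59 2018 GMT"    # constructed for this example

def epoch(year, month, day):
    """UTC midnight of the given date as seconds since the epoch."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())

def diagnose_validity(not_before, not_after, now, build_time=None, slack_days=30):
    """Classify a certificate date check and flag a likely unsynced clock.

    build_time (hypothetical parameter) is the image build time that a
    board without an RTC falls back to when NTP has not synced.
    """
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    if now < start:
        # A certificate "from the future" usually means the local clock is behind.
        verdict = "not-yet-valid"
        days_until_valid = (start - now + DAY - 1) // DAY
    elif now > end:
        verdict = "expired"
        days_until_valid = 0
    else:
        verdict = "ok"
        days_until_valid = 0
    # A clock still close to the build time suggests NTP never set it.
    near_build = build_time is not None and 0 <= now - build_time < slack_days * DAY
    return {
        "verdict": verdict,
        "days_until_valid": days_until_valid,
        "clock_near_build": near_build,
    }

if __name__ == "__main__":
    build = epoch(2017, 3, 1)  # constructed image build time
    samples = (("clock stuck in March 2017", epoch(2017, 3, 15)),
               ("after NTP sync", epoch(2017, 7, 1)))
    for label, now in samples:
        print(label, diagnose_validity(NOT_BEFORE, NOT_AFTER, now, build))
```

A "not-yet-valid" verdict together with a clock near the build time points at the time source, not at the CA bundle.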