RD auth not working on Ubuntu 21.04 / Kodi 19.1 #470
Comments
Can you please provide a full kodi debug log (not snippets) of the process? I do not have an RD account to test. @jsergio123 has one I think |
kodi.log with debugging on: |
Multiple ssl errors in the log |
Hi Gujal00, thanks for looking into this! I'll look into my OpenWRT router settings tomorrow, but I don't think that's the case. I suspect the server certificate validation. I checked the installed certificates on my Ubuntu system and they are up to date. However, while the root CA, "DigiCert High Assurance EV Root CA" is installed, the "DigiCert SHA2 Extended Validation Server CA", which has signed the RD server's certificate, is not listed. I had CA certificates package installed as part of this Ubuntu setup, which is a fresh system, only a few days old.
I have also verified (packet capture) that RD provides the intermediate CA cert and the server cert as part of the TLS handshake. However, I am not sure whether the plugin takes this into account. When I did an "openssl verify" on the RD's server certificate, which I downloaded from the browser, I got an "unable to get local issuer certificate" error.
Can you confirm whether ResolveURL takes both certificates sent by RD into account? |
AFAIK Resolveurl uses the xbmc.python interface, which looks for certs in the cacert.pem provided by script.module.certifi. I see this in your log, so script.module.certifi is what it seems to be using |
I checked, certifi was already installed together with python.
I found that the "/lib/python3/dist-packages/certifi/cacert.pem" already contains the required root CA certificate, but not the subordinate CA (the same way the OS does):
I downloaded the subordinate CA from DigiCert's site and I added the following part in "/lib/python3/dist-packages/certifi/cacert.pem":
I restarted Kodi, then the computer, the problem persists. Updated log: kodi.log Unless there is something else I am missing, it might be necessary to tell the resolveURL to take into account the sub-CA sent by the RD site, alongside the server certificate. |
Resolveurl uses xbmc.python which in turn uses script.module.certifi, not the system python certifi. Check the cacert.pem in .kodi/addons/script.module.certifi/lib
…-------- Original Message --------
On 24 Jun 2021, 06:45, prountzifer wrote:
I checked, certifi was already installed together with python.
```
$ pip install certifi
Requirement already satisfied: certifi in /usr/lib/python3/dist-packages (2020.6.20)
```
I found that the "/lib/python3/dist-packages/certifi/cacert.pem" already contains the required root CA certificate, but not the subordinate CA (the same way the OS does):
```
$ cat /lib/python3/dist-packages/certifi/cacert.pem | grep "Subject: CN=DigiCert"
# Subject: CN=DigiCert Assured ID Root CA O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert Global Root CA O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert High Assurance EV Root CA O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert Assured ID Root G2 O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert Assured ID Root G3 O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert Global Root G2 O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert Global Root G3 O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert Trusted Root G4 O=DigiCert Inc OU=www.digicert.com
```
I downloaded the subordinate CA from [DigiCert's site](https://www.digicert.com/kb/digicert-root-certificates.htm) and I added the following part in "/lib/python3/dist-packages/certifi/cacert.pem":
```
# Issuer: CN=DigiCert High Assurance EV Root CA O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert SHA2 Extended Validation Server CA O=DigiCert Inc OU=www.digicert.com
# Label: "DigiCert SHA2 Extended Validation Server CA"
# Serial: 0C79A944B08C11952092615FE26B1D83
# SHA1 Fingerprint: 7E2F3A4F8FE8FA8A5730AECA029696637E986F3F
# SHA256 Fingerprint: 403E062A2653059113285BAF80A0D4AE422C848C9F78FAD01FC94BC5B87FEF1A
-----BEGIN CERTIFICATE-----
MIIEtjCCA56gAwIBAgIQDHmpRLCMEZUgkmFf4msdgzANBgkqhkiG9w0BAQsFADBs
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
<< certificate content clipped, download file from link above >>
oVWNWlZopCJwqjyBcdmdqEU79OX2olHdx3ti6G8MdOu42vi/hw15UJGQmxg7kVkn
8TUoE6smftX3eg==
-----END CERTIFICATE-----
```
I restarted Kodi, then the computer, the problem persists. Updated log: [kodi.log](https://github.com/jsergio123/script.module.resolveurl/files/6704168/kodi.log)
Unless there is something else I am missing, it might be necessary to tell the resolveURL to take into account the sub-CA sent by the RD site, alongside the server certificate.
|
Oh, OK. I modified the correct cacert.pem this time:
Unfortunately, I still get the same error: I tried to search the "urlopen error [SSL] internal error (_ssl.c:1129)". This search also brings results that contain the "[SSL: CERTIFICATE_VERIFY_FAILED]", which leads me to believe that, if I was correct on the intermediate CA (that is, as part of the whole certificate chain) not being validated, then we should be expecting this message. Instead, we get an "internal error", which can be found in a few other app threads (#1, #2) here in GitHub, but they refer to a completely different issue that I don't know if/how I can solve. Edit - fresh kodi.log |
Can you check what version of OpenSSL is installed on your machine? It should be 1.1.1 for this to work. If you install the SMR_Linktester addon from the resolveurl repo and run it, it will record the Python version and OpenSSL version seen inside xbmc.python in the kodi log. |
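Added example, not part of the thread or of ResolveURL's code: a stdlib-only Python check for the two questions the comments above go back and forth on, namely which OpenSSL the running interpreter is linked against and which `cacert.pem` copies contain a given subject. It relies on the `# Subject:` comment lines that certifi-style bundles carry (as in the grep output above); the function names are hypothetical, and running it with the system Python shows the system view, which may differ from what Kodi's embedded interpreter sees.

```python
import ssl
from pathlib import Path

def tls_environment():
    """Report what the running interpreter's ssl module is linked against and trusts."""
    paths = ssl.get_default_verify_paths()
    info = {
        "openssl": ssl.OPENSSL_VERSION,
        "at_least_1_1_1": ssl.OPENSSL_VERSION_INFO[:3] >= (1, 1, 1),
        "default_cafile": paths.cafile,
        "certifi_bundle": None,
    }
    try:
        import certifi  # whichever copy is first on sys.path for this interpreter
        info["certifi_bundle"] = certifi.where()
    except ImportError:
        pass
    return info

def summarise_pem(text, subject_cn):
    """Count PEM blocks and return '# Subject:' lines that contain CN=<subject_cn>."""
    lines = text.splitlines()
    certs = sum(1 for line in lines if line.strip() == "-----BEGIN CERTIFICATE-----")
    needle = "CN=" + subject_cn
    matches = [line[len("# Subject:"):].strip() for line in lines
               if line.startswith("# Subject:") and needle in line]
    return {"certs": certs, "matches": matches}

def inspect_bundles(roots, subject_cn):
    """Find every cacert.pem under the given files/directories and summarise each."""
    report = {}
    for root in (Path(r).expanduser() for r in roots):
        found = [root] if root.is_file() else []
        if root.is_dir():
            found = sorted(root.rglob("cacert.pem"))
        for pem in found:
            report[str(pem)] = summarise_pem(
                pem.read_text(encoding="utf-8", errors="replace"), subject_cn)
    return report

if __name__ == "__main__":
    print(tls_environment())
    # Locations named in this thread; the add-on directory is searched recursively.
    roots = ["/lib/python3/dist-packages/certifi/cacert.pem",
             "~/.kodi/addons/script.module.certifi/lib"]
    wanted = "DigiCert SHA2 Extended Validation Server CA"
    for path, summary in inspect_bundles(roots, wanted).items():
        print(path, summary)
```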
From console:
From kodi.log with SMR_Linktester:
|
@prountzifer `self.net = common.Net()` Change it to `self.net = common.Net(ssl_verify=False)` and then try authorizing RD |
Hi @Gujal00, I can confirm that this edit worked. I successfully authorised my account. I assume that this issue may affect other debrid plugins, as no public server certificate is directly signed by a root CA. However, since disabling the TLS certificate verification is an inherently insecure setting, wouldn't it be safer if the script got the intermediate certificate missing from the chain and make the TLS verification with it (equivalent to the openssl console example I provided here)? From Wireshark, TLS "certificate" payload packet from server, while visiting the rd site: |
Unfortunately ResolveURL is reliant on xbmc.python and this issue is specific to Linux and Realdebrid, can't do much in ResolveURL other than disabling ssl verification. The certs are controlled by xbmc.python. The auth works fine on all other platforms including LibreElec, which is Linux based |
Thanks Guys. This work-around helped me on Ubuntu 20.04.3 LTS after upgrading from 18.04. |
Issue sorted in ResolveURL release 5.1.44 |
Reproduction:
(Kodi) System -> Add-ons -> Manage dependencies -> ResolveURL -> Configure -> Universal Resolvers -> RD -> (Re)Authorise My Account -> 8 character/digit code shown -> (Web browser) code inserted in RD app auth page (ending in /device) -> App named -> (Kodi) Authorisation code shown until timeout without activation taking place.
Notes:
Please indicate additional information required to troubleshoot the issue.