RD auth not working on Ubuntu 21.04 / Kodi 19.1 #470

Closed
prountzifer opened this issue Jun 19, 2021 · 15 comments

@prountzifer

Reproduction:
(Kodi) System -> Add-ons -> Manage dependencies -> ResolveURL -> Configure -> Universal Resolvers -> RD -> (Re)Authorise My Account -> 8 character/digit code shown -> (Web browser) code inserted in RD app auth page (ending in /device) -> App named -> (Kodi) Authorisation code shown until timeout without activation taking place.

Notes:

  • Both Kodi and web browser run on the same machine, no VPN or other network settings activated
  • Packet capture shows TCP communication with RD host continuing after device auth on browser, but it indicates retries with packets containing no payload
  • Another Kodi plugin with its own resolver implementation (not ResolveURL) works successfully

Please indicate additional information required to troubleshoot the issue.

@Gujal00
Contributor

Gujal00 commented Jun 19, 2021

Can you please provide a full Kodi debug log (not snippets) of the process? I do not have an RD account to test. @jsergio123 has one, I think.

@prountzifer
Author

kodi.log with debugging on:
kodi.log

@Gujal00
Contributor

Gujal00 commented Jun 21, 2021

Multiple ssl errors in the log
ResolveURL: Exception during RD auth: <urlopen error [SSL] internal error (_ssl.c:1129)>
Are you going through any https inspection proxy?

@prountzifer
Author

prountzifer commented Jun 21, 2021

Hi Gujal00, thanks for looking into this!

I'll look into my OpenWRT router settings tomorrow, but I don't think that's the case.

I suspect the server certificate validation. I checked the installed certificates on my Ubuntu system and they are up to date. However, while the root CA, "DigiCert High Assurance EV Root CA", is installed, the "DigiCert SHA2 Extended Validation Server CA", which has signed the RD server's certificate, is not listed. I had the CA certificates package installed as part of this Ubuntu setup, which is a fresh system, only a few days old.

$ awk -v cmd='openssl x509 -noout -subject' '
    /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep DigiCert
subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Assured ID Root CA
subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Assured ID Root G2
subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Assured ID Root G3
subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G3
subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Trusted Root G4

I have also verified (packet capture) that RD provides the intermediate CA cert and the server cert as part of the TLS handshake. However, I am not sure whether the plugin takes this into account. When I did an "openssl verify" on the RD's server certificate, which I downloaded from the browser, I got an "unable to get local issuer certificate" error.

$ openssl verify real-debrid-com.pem 
businessCategory = Private Organization, jurisdictionC = FR, jurisdictionST = Centre-Val de Loire, jurisdictionL = Tours, serialNumber = 530 125 319, C = FR, L = Saint Avertin, O = XT Network SARL, CN = real-debrid.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error real-debrid-com.pem: verification failed

$ openssl verify -CAfile DigiCertSHA2ExtendedValidationServerCA.crt.pem real-debrid-com.pem 
real-debrid-com.pem: OK

Can you confirm whether ResolveURL takes both certificates sent by RD into account?

@Gujal00
Contributor

Gujal00 commented Jun 22, 2021

AFAIK ResolveURL uses the xbmc.python interface, which looks for certs in the cacert.pem provided by script.module.certifi.
It does not use system certs.
I'll have to check on a Linux system; my main dev workstation is Windows 10, and there it uses script.module.certifi as installed inside Kodi addons.

I see this in your log, so script.module.certifi is what it seems to be using
DEBUG <general>: CPythonInvoker(0, /home/username/.kodi/addons/plugin.video.seren/service.py): setting the Python path to /home/username/.kodi/addons/plugin.video.seren:/home/username/.kodi/addons/script.module.beautifulsoup4/lib:/home/username/.kodi/addons/script.module.certifi/lib:/home/username/.kodi/addons/script.module.chardet/lib:/home/username/.kodi/addons/script.module.future/lib:/home/username/.kodi/addons/script.module.idna/lib:/home/username/.kodi/addons/script.module.inputstreamhelper/lib:/home/username/.kodi/addons/script.module.myconnpy/lib:/home/username/.kodi/addons/script.module.requests/lib:/home/username/.kodi/addons/script.module.soupsieve/lib:/home/username/.kodi/addons/script.module.unidecode/lib:/home/username/.kodi/addons/script.module.urllib3/lib:/usr/lib/python39.zip:/usr/lib/python3.9:/usr/lib/python3.9/lib-dynload:/usr/local/lib/python3.9/dist-packages:/usr/lib/python3/dist-packages:/usr/lib/python3.9/dist-packages

@prountzifer
Author

I checked, certifi was already installed together with python.

$ pip install certifi
Requirement already satisfied: certifi in /usr/lib/python3/dist-packages (2020.6.20)

I found that the "/lib/python3/dist-packages/certifi/cacert.pem" already contains the required root CA certificate, but not the subordinate CA (the same way the OS does):

$ cat /lib/python3/dist-packages/certifi/cacert.pem | grep "Subject: CN=DigiCert"
# Subject: CN=DigiCert Assured ID Root CA O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert Global Root CA O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert High Assurance EV Root CA O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert Assured ID Root G2 O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert Assured ID Root G3 O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert Global Root G2 O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert Global Root G3 O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert Trusted Root G4 O=DigiCert Inc OU=www.digicert.com

I downloaded the subordinate CA from DigiCert's site and I added the following part in "/lib/python3/dist-packages/certifi/cacert.pem":

# Issuer: CN=DigiCert High Assurance EV Root CA O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert SHA2 Extended Validation Server CA O=DigiCert Inc OU=www.digicert.com
# Label: "DigiCert SHA2 Extended Validation Server CA"
# Serial: 0C79A944B08C11952092615FE26B1D83
# SHA1 Fingerprint: 7E2F3A4F8FE8FA8A5730AECA029696637E986F3F
# SHA256 Fingerprint: 403E062A2653059113285BAF80A0D4AE422C848C9F78FAD01FC94BC5B87FEF1A
-----BEGIN CERTIFICATE-----
MIIEtjCCA56gAwIBAgIQDHmpRLCMEZUgkmFf4msdgzANBgkqhkiG9w0BAQsFADBs
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
<< certificate content clipped, download file from link above >>
oVWNWlZopCJwqjyBcdmdqEU79OX2olHdx3ti6G8MdOu42vi/hw15UJGQmxg7kVkn
8TUoE6smftX3eg==
-----END CERTIFICATE-----

I restarted Kodi, then the computer, the problem persists. Updated log: kodi.log

Unless there is something else I am missing, it might be necessary to tell the resolveURL to take into account the sub-CA sent by the RD site, alongside the server certificate.

@Gujal00
Contributor

Gujal00 commented Jun 23, 2021 via email

@prountzifer
Author

prountzifer commented Jun 23, 2021

Oh, OK. I modified the correct cacert.pem this time:

username@fr34krock:~/.kodi/addons/script.module.certifi/lib/certifi$ cat cacert.pem | grep "Subject: CN=DigiCert"
# Subject: CN=DigiCert Assured ID Root CA O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert Global Root CA O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert High Assurance EV Root CA O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert SHA2 Extended Validation Server CA O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert Assured ID Root G2 O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert Assured ID Root G3 O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert Global Root G2 O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert Global Root G3 O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert Trusted Root G4 O=DigiCert Inc OU=www.digicert.com

Unfortunately, I still get the same error:
2021-06-24 00:23:52.820 T:9870 DEBUG <general>: ResolveURL: Exception during RD auth: <urlopen error [SSL] internal error (_ssl.c:1129)>

I tried to search the "urlopen error [SSL] internal error (_ssl.c:1129)". This search also brings results that contain the "[SSL: CERTIFICATE_VERIFY_FAILED]", which leads me to believe that, if I was correct on the intermediate CA (that is, as part of the whole certificate chain) not being validated, then we should be expecting this message.

Instead, we get an "internal error", which can be found in a few other app threads (#1, #2) here on GitHub, but they refer to a completely different issue that I don't know if/how I can solve.

Edit - fresh kodi.log
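
Added example (not part of the original thread or of ResolveURL's code): the distinction drawn in the comment above, between a certificate-verification failure and the bare "[SSL] internal error", can be read from the exception text that CPython's ssl module writes into kodi.log. The sketch below parses that text; the function names are hypothetical, the first sample line is the one quoted in the thread, and the other two are constructed.

```python
import re

# CPython's _ssl module renders SSLError text as
#   "[LIB: REASON] message (_ssl.c:LINE)"  or, with no reason name,
#   "[LIB] message (_ssl.c:LINE)"
SSL_ERR = re.compile(
    r"\[(?P<lib>[A-Z0-9_]+)(?:: (?P<reason>[A-Z0-9_]+))?\]\s*"
    r"(?P<msg>.*?)\s*\(_ssl\.c:(?P<line>\d+)\)"
)

def classify(log_line):
    """Return a dict describing the SSL error in one log line, or None."""
    m = SSL_ERR.search(log_line)
    if m is None:
        return None
    reason, msg = m.group("reason"), m.group("msg")
    if reason == "CERTIFICATE_VERIFY_FAILED":
        # Raised by chain/hostname/validity checks: the CA bundle in use
        # (certifi's cacert.pem in this thread) is the place to look.
        kind, detail = "verify", (msg.partition(": ")[2] or msg)
    else:
        # Not reported as a verification failure, so adding certificates
        # to the bundle is not expected to change the outcome.
        kind, detail = "other", msg
    return {"kind": kind, "lib": m.group("lib"), "reason": reason,
            "detail": detail, "src_line": int(m.group("line"))}

def summarize(log_lines):
    """Count SSL errors per kind across a log."""
    counts = {"verify": 0, "other": 0}
    for line in log_lines:
        hit = classify(line)
        if hit:
            counts[hit["kind"]] += 1
    return counts

SAMPLE_LOG = [
    # Quoted in the thread.
    "2021-06-24 00:23:52.820 T:9870 DEBUG <general>: ResolveURL: Exception "
    "during RD auth: <urlopen error [SSL] internal error (_ssl.c:1129)>",
    # Constructed: what a missing-issuer failure would look like.
    "2021-06-24 00:00:01.000 T:1 DEBUG <general>: ResolveURL: Exception "
    "during RD auth: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate "
    "verify failed: unable to get local issuer certificate (_ssl.c:1129)>",
    # Constructed: a line with no SSL error.
    "2021-06-24 00:00:02.000 T:1 INFO <general>: service started",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
    print(summarize(SAMPLE_LOG))
```
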

@Gujal00
Contributor

Gujal00 commented Jun 24, 2021

Can you check what version of OpenSSL is installed on your machine? It should be 1.1.1 for this to work.
ResolveURL uses Python's default urllib library with ssl_verify and a negotiated TLS level. It does not force any TLS level by default.

If you install SMR_Linktester addon from resolveurl repo and run it, it will record the Python version and openssl version seen inside xbmc.python in kodi log.

@prountzifer
Author

prountzifer commented Jun 24, 2021

From console:

$ openssl version
OpenSSL 1.1.1j  16 Feb 2021

From kodi.log with SMR_Linktester:

2021-06-25 02:23:52.257 T:34108    INFO <general>: SMR Link Tester: Running on: |Python 3.9.5 (default, May 11 2021, 08:20:37) 
                                                   [GCC 10.3.0]|OpenSSL 1.1.1j  16 Feb 2021

Gujal00 self-assigned this Jun 25, 2021
Gujal00 added the bug and linux labels Jun 25, 2021
@Gujal00
Contributor

Gujal00 commented Jun 26, 2021

@prountzifer
Can you do this check, please? This workaround works on my test Ubuntu 21.04 VM.
In the file ~/.kodi/addons/script.module.resolveurl/lib/resolveurl/plugins/realdebrid.py
Edit line 57
Currently it is

        self.net = common.Net()

Change it to

        self.net = common.Net(ssl_verify=False)

and then try authorizing RD

@prountzifer
Author

Hi @Gujal00,

I can confirm that this edit worked. I successfully authorised my account.

I assume that this issue may affect other debrid plugins, as no public server certificate is directly signed by a root CA.

However, since disabling the TLS certificate verification is an inherently insecure setting, wouldn't it be safer if the script got the intermediate certificate missing from the chain and made the TLS verification with it (equivalent to the openssl console example I provided here)?

From Wireshark, TLS "certificate" payload packet from server, while visiting the rd site:
screenshot

@Gujal00
Contributor

Gujal00 commented Jun 27, 2021

Unfortunately, ResolveURL is reliant on xbmc.python and this issue is specific to Linux and Realdebrid; can't do much in ResolveURL other than disabling SSL verification. The certs are controlled by xbmc.python.

The auth works fine on all other platforms including LibreElec which is linux based

Gujal00 pinned this issue Aug 12, 2021
@AussieRules00

Thanks Guys. This work-around helped me on Ubuntu 20.04.3 LTS after upgrading from 18.04.
No such problem in Windows 10 (5.1.32) and MiBox (5.1.22) but I agree it looks like Linux specific.

@Gujal00
Contributor

Gujal00 commented Oct 10, 2021

Issue sorted in ResolveURL release 5.1.44

Gujal00 closed this as completed Oct 10, 2021
Gujal00 unpinned this issue Oct 10, 2021