Problems with certificates after update to OSMC 2016.01-1

Some Certificate validation is failing after update to OSMC ver 2016.01-1. I do the following to re-create my problem:

  • Clean install of OSMC_TGT_rbp2_20160118.img.gz
  • Add repository for Retrospect from www.rieter.net/install
  • Install the Add-On Retrospect
  • I can look at Live channels from SVT Play
  • Run OSMC Update to 2016.01-1
  • Attempt to look at Live channels from SVT Play fails

Looking in error log for Retrospect shows the following:
20160204 18:04:04 - [ 633MB] CRITICAL - urihandler.py - 522 - Error Opening url https://svt10-lh.akamaihd.net/i/svt10_0@77505/master.m3u8?__b__=563
20160204 18:04:04 - [ 633MB] CRITICAL - urihandler.py - 522 - | Traceback (most recent call last):
20160204 18:04:04 - [ 633MB] CRITICAL - urihandler.py - 522 - | File “/home/osmc/.kodi/addons/net.rieter.xot/resources/libs/urihandler.py”, line 460, in __RetreiveData
20160204 18:04:04 - [ 633MB] CRITICAL - urihandler.py - 522 - | srcHandle = opener.open(uri)
20160204 18:04:04 - [ 633MB] CRITICAL - urihandler.py - 522 - | File “/usr/lib/python2.7/urllib2.py”, line 431, in open
20160204 18:04:04 - [ 633MB] CRITICAL - urihandler.py - 522 - | response = self._open(req, data)
20160204 18:04:04 - [ 633MB] CRITICAL - urihandler.py - 522 - | File “/usr/lib/python2.7/urllib2.py”, line 449, in _open
20160204 18:04:04 - [ 633MB] CRITICAL - urihandler.py - 522 - | ‘_open’, req)
20160204 18:04:04 - [ 633MB] CRITICAL - urihandler.py - 522 - | File “/usr/lib/python2.7/urllib2.py”, line 409, in _call_chain
20160204 18:04:04 - [ 633MB] CRITICAL - urihandler.py - 522 - | result = func(*args)
20160204 18:04:04 - [ 633MB] CRITICAL - urihandler.py - 522 - | File “/usr/lib/python2.7/urllib2.py”, line 1240, in https_open
20160204 18:04:04 - [ 633MB] CRITICAL - urihandler.py - 522 - | context=self._context)
20160204 18:04:04 - [ 633MB] CRITICAL - urihandler.py - 522 - | File “/usr/lib/python2.7/urllib2.py”, line 1197, in do_open
20160204 18:04:04 - [ 633MB] CRITICAL - urihandler.py - 522 - | raise URLError(err)
20160204 18:04:04 - [ 633MB] CRITICAL - urihandler.py - 522 - + URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)>

I examined the certificate chain:
osmc@osmc:~$ openssl s_client -connect svt10-lh.akamaihd.net:443
CONNECTED(00000003)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify error:num=20:unable to get local issuer certificate
verify return:0

Certificate chain
0 s:/C=US/ST=MA/L=Cambridge/O=Akamai Technologies Inc./CN=a248.e.akamai.net
i:/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA2
1 s:/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA2
i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
2 s:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root

Please advise how to proceed!
Thanks!
Kenneth

Adding parts of the Kodi log as well from my latest run:

08:50:39 72.054512 T:1958015536 DEBUG: WaitOnScriptResult - waiting on the Retrospect (id=6) plugin…
08:50:39 72.054665 T:1739584544 INFO: initializing python engine.
08:50:39 72.054794 T:1739584544 DEBUG: CPythonInvoker(6, /home/osmc/.kodi/addons/net.rieter.xot/default.py): start processing
08:50:40 72.479591 T:1786643488 DEBUG: script.module.osmcsetting.updates : - blurp 687 - MyVideoNav.xml
08:50:40 72.491005 T:1739584544 NOTICE: -->Python Interpreter Initialized<–
08:50:40 72.491318 T:1739584544 DEBUG: CPythonInvoker(6, /home/osmc/.kodi/addons/net.rieter.xot/default.py): the source file to load is “/home/osmc/.kodi/addons/net.rieter.xot/default.py”
08:50:40 72.491997 T:1739584544 DEBUG: CPythonInvoker(6, /home/osmc/.kodi/addons/net.rieter.xot/default.py): setting the Python path to /home/osmc/.kodi/addons/net.rieter.xot:/usr/share/kodi/addons/script.module.simplejson/lib:/usr/lib/python2.7:/usr/lib/python2.7/plat-arm-linux-gnueabihf:/usr/lib/python2.7/lib-tk:/usr/lib/python2.7/lib-old:/usr/lib/python2.7/lib-dynload:/usr/local/lib/python2.7/dist-packages:/usr/lib/python2.7/dist-packages:/usr/lib/python2.7/dist-packages/PILcompat:/usr/lib/python2.7/dist-packages/gtk-2.0
08:50:40 72.492126 T:1739584544 DEBUG: CPythonInvoker(6, /home/osmc/.kodi/addons/net.rieter.xot/default.py): entering source directory /home/osmc/.kodi/addons/net.rieter.xot
08:50:40 72.492310 T:1739584544 DEBUG: CPythonInvoker(6, /home/osmc/.kodi/addons/net.rieter.xot/default.py): instantiating addon using automatically obtained id of “net.rieter.xot” dependent on version 2.1.0 of the xbmc.python api
08:50:40 72.838600 T:1739584544 INFO: Retrospect :: Additional logging can be found in ‘/home/osmc/.kodi/addons/net.rieter.xot/retrospect.log’
08:50:41 73.560104 T:1958015536 DEBUG: DialogProgress::StartModal called
08:50:41 73.560318 T:1958015536 DEBUG: ------ Window Init (DialogProgress.xml) ------
08:50:41 73.560410 T:1958015536 INFO: Loading skin file: DialogProgress.xml, load type: KEEP_IN_MEMORY
08:50:42 74.279251 T:1739584544 DEBUG: POParser: PO file has Win Style Line Endings. Converted in memory to Linux LF for file: /home/osmc/.kodi/addons/net.rieter.xot/resources/language/English/strings.po
08:50:42 74.281639 T:1739584544 DEBUG: POParser: loaded 144 strings from file /home/osmc/.kodi/addons/net.rieter.xot/resources/language/English/strings.po
08:50:42 74.310226 T:1958015536 DEBUG: Activating window ID: 10138
08:50:42 74.310417 T:1958015536 DEBUG: ------ Window Init (DialogBusy.xml) ------
08:50:42 74.465538 T:1739584544 ERROR: Traceback (most recent call last):
File “/home/osmc/.kodi/addons/net.rieter.xot/resources/libs/urihandler.py”, line 460, in __RetreiveData
srcHandle = opener.open(uri)
File “/usr/lib/python2.7/urllib2.py”, line 431, in open
response = self._open(req, data)
File “/usr/lib/python2.7/urllib2.py”, line 449, in _open
‘_open’, req)
File “/usr/lib/python2.7/urllib2.py”, line 409, in _call_chain
result = func(*args)
File “/usr/lib/python2.7/urllib2.py”, line 1240, in https_open
context=self._context)
File “/usr/lib/python2.7/urllib2.py”, line 1197, in do_open
raise URLError(err)
URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)>
08:50:42 74.477097 T:1739584544 DEBUG: JSONRPC: Value does not match any of the enum values in type
08:50:42 74.483368 T:1739584544 INFO: CPythonInvoker(6, /home/osmc/.kodi/addons/net.rieter.xot/default.py): script successfully run
08:50:42 74.502899 T:1958015536 DEBUG: ------ Window Init (DialogKaiToast.xml) ------
08:50:42 74.504791 T:1739584544 INFO: Python script stopped
08:50:42 74.505020 T:1739584544 DEBUG: Thread LanguageInvoker 1739584544 terminating
08:50:42 74.673256 T:1958015536 DEBUG: ------ Window Deinit (DialogBusy.xml) ------
08:50:42 74.715462 T:1958015536 DEBUG: WaitOnScriptResult - plugin exited prematurely - terminating
08:50:42 74.716118 T:1958015536 ERROR: Playlist Player: skipping unplayable item: 0, path [plugin://net.rieter.xot/?action=playvideo&pickle=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%3d%3d&channelcode=svt&channel=chn_svt&rnd=38857]
08:50:42 74.716232 T:1958015536 DEBUG: Playlist Player: no more playable items… aborting playback
08:50:42 74.717041 T:1739584544 NOTICE: Thread BackgroundLoader start, auto delete: false
08:50:42 74.764923 T:1739584544 DEBUG: Thread BackgroundLoader 1739584544 terminating
08:50:42 74.955338 T:1958015536 DEBUG: ------ Window Deinit (DialogProgress.xml) ------
08:50:44 76.387749 T:1958015536 DEBUG: ------ Window Deinit (DialogKaiToast.xml) ------

Seems like a Debian bug - have the root certs been updated recently @sam_nazarko?

The ssl connection works fine in a minimal CentOS 7 installation.

You probably need to do: sudo apt-get install apt-transport-https

[edit] Ahhh, I just now see you didn’t add an apt source…
I think sudo apt-get install ca-certificates will solve it for you then [/edit]

After running sudo apt-get install ca-certificates I get this:

osmc@osmc:~$ sudo apt-get install ca-certificates
Reading package lists… Done
Building dependency tree
Reading state information… Done
ca-certificates is already the newest version.
ca-certificates set to manually installed.
The following package was automatically installed and is no longer required:
rbp2-image-4.3.0-10-osmc
Use ‘apt-get autoremove’ to remove it.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

After running sudo apt-get install apt-transport-https I get this:

osmc@osmc:~$ sudo apt-get install apt-transport-https
Reading package lists… Done
Building dependency tree
Reading state information… Done
apt-transport-https is already the newest version.
apt-transport-https set to manually installed.
The following package was automatically installed and is no longer required:
rbp2-image-4.3.0-10-osmc
Use ‘apt-get autoremove’ to remove it.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
osmc@osmc:~$

I browsed around a bit and it looks to be something fishy around Python 2.7.9 and Debian:
WARNING: yowsup will break with Python 2.7.9 on Debian and others (SSL certificate verify failed) #677

Been having the same issue with the SVT Play addon when watching live channels. Gonna try messing around with update-ca-certificates etc. to see if that helps. Here is a log exception:

http://paste.osmc.io/sesiwaqahe

Think it’s the addon itself that has the issue. Gonna contact the addon developer to see if that helps.

It looks like that root cert is disabled in Debian:

grep GTE_CyberTrust_Global_Root /etc/ca-certificates.conf
!mozilla/GTE_CyberTrust_Global_Root.crt

Can’t be just that, because on my other OSMC installation live channels work, but in my bedroom installation they don’t.

Could still be - Debian has disabled that root cert and if Akamai has one or more mirrors still using it we won’t be able to connect. I guess it will depend on which mirror you end up connecting to.

I take that back :stuck_out_tongue:

NOTE: This is a temporary workaround until Mozilla sorts their shit out :slightly_smiling:

Here is what I did:

sudo nano /etc/ca-certificates.conf

and removed the ! in front of mozilla/GTE_CyberTrust_Global_Root.crt.

sudo nano /usr/share/ca-certificates/mozilla/GTE_CyberTrust_Global_Root.crt

sudo update-ca-certificates --fresh

And it started working again. Flag this as a solution if it works for anyone else :slightly_smiling:

Works for me:

openssl s_client -CAfile GTE_CyberTrust_Global_Root.crt -connect svt10-lh.akamaihd.net:443

Verify return code: 0 (ok)

However you will have to do this every time ca-certificates package gets updated since it has been removed by Mozilla.
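An added example (not part of the thread, and not OSMC or Debian code): a shell helper that reports whether an entry such as mozilla/GTE_CyberTrust_Global_Root.crt is enabled, deactivated with a leading `!`, or absent in a ca-certificates.conf file, so the state can be checked after a package update or once the workaround is reverted. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example. Format of ca-certificates.conf on Debian:
#   '#...'   comment
#   '!path'  certificate deactivated (not trusted)
#   'path'   certificate trusted after update-ca-certificates

# cert_status CONF ENTRY -> prints enabled | disabled | absent
cert_status() {
    conf=$1 entry=$2 state=absent
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
            "!$entry") state=disabled ;;
            "$entry")  state=enabled ;;
        esac
    done < "$conf"
    printf '%s\n' "$state"
}

# list_disabled CONF -> prints every deactivated entry, without the '!'
list_disabled() {
    sed -n 's/^!//p' "$1"
}

# assert_not_trusted CONF ENTRY -> exit status 1 if ENTRY is currently enabled
assert_not_trusted() {
    [ "$(cert_status "$1" "$2")" != enabled ]
}

# Constructed sample file (not copied from a real system).
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample
mozilla/Baltimore_CyberTrust_Root.crt
!mozilla/GTE_CyberTrust_Global_Root.crt
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample_conf)
cert_status "$sample" mozilla/GTE_CyberTrust_Global_Root.crt
rm -f "$sample"
```

On a real system, pass /etc/ca-certificates.conf as the first argument.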

It worked for me as well :slightly_smiling:

  • sudo nano /etc/ca-certificates.conf and removed the ! in front of mozilla/GTE_CyberTrust_Global_Root.crt. Was that necessary? Toast didn’t mention that.
  • sudo nano /usr/share/ca-certificates/mozilla/GTE_CyberTrust_Global_Root.crt in order to create the crt-file and pasted the certificate from Toast above.
  • sudo update-ca-certificates --fresh
  • reboot

After this Retrospect works with SVT Play but openssl s_client -CAfile GTE_CyberTrust_Global_Root.crt -connect svt10-lh.akamaihd.net:443 is responding:

Start Time: 1454852121
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)

I agree that this is a work around, but we can hardly call it a solution.

The reason why your openssl call fails is that you have to provide the full path to the root cert. You put it in

/usr/share/ca-certificates/mozilla/GTE_CyberTrust_Global_Root.crt

And I just put it in the home folder to test it.

so

openssl s_client -CAfile /usr/share/ca-certificates/mozilla/GTE_CyberTrust_Global_Root.crt -connect svt10-lh.akamaihd.net:443

Should work. Also since you added it to the cert store on the device, the CAfile flag should not be needed.

I agree that this is a hack and probably Akamai will sort it sooner or later. I don’t feel comfortable adding a root cert that has been deemed unsafe by Mozilla.

It’s a workaround, but it can be flagged as a solution. I agree with ogre, but as a temporary fix it works.

Edited my initial post.

Now to see why this certificate has been unlisted… mostly not without a reason!

If Debian have unlisted a root certificate there will be a good reason for it. This is a very serious action which they would not have taken lightly.
