SSL3_GET_SERVER_CERTIFICATE:certificate verify failed #255

Closed
Horazon86 opened this Issue Jan 3, 2014 · 12 comments

Comments

Projects
None yet
6 participants
@Horazon86

Hello,

I'm having some issues using livestreamer - when I attempt to use it for anything, I receive a SSL3 Certifcate Error. I'm using the default config file and Livestreamer v1.7.2

Here's the error:

$ livestreamer twitch.tv/ongamenet
[cli][info] Found matching plugin twitch for URL twitch.tv/ongamenet error: Unable to open URL: https://api.twitch.tv/api/channels/ongamenet/access_token.json ([Errno 1]_ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed)

Any ideas?

@karlo2105

This comment has been minimized.

Show comment
Hide comment
@karlo2105

karlo2105 Jan 3, 2014

Try this.
livestreamer "twitch.tv/ongamenet verify=False" best
[cli][info] Found matching plugin twitch for URL twitch.tv/ongamenet verify=False
[plugin.twitch][warning] The quality 'high' is not available since it requires a
subscription.
[plugin.twitch][warning] The quality 'source' is not available since it requires
a subscription.
[cli][info] Opening stream: medium
[cli][info] Starting player: 'C:\Program Files (x86)\VideoLAN\VLC\vlc.exe'
[cli][info] Player closed
[cli][info] Stream ended

Try this.
livestreamer "twitch.tv/ongamenet verify=False" best
[cli][info] Found matching plugin twitch for URL twitch.tv/ongamenet verify=False
[plugin.twitch][warning] The quality 'high' is not available since it requires a
subscription.
[plugin.twitch][warning] The quality 'source' is not available since it requires
a subscription.
[cli][info] Opening stream: medium
[cli][info] Starting player: 'C:\Program Files (x86)\VideoLAN\VLC\vlc.exe'
[cli][info] Player closed
[cli][info] Stream ended

@Horazon86

This comment has been minimized.

Show comment
Hide comment
@Horazon86

Horazon86 Jan 3, 2014

Unfortunately receiving the same error when using:
$ livestreamer "twitch.tv/ongamenet verify=False" best

Error message:
[cli][info] Found matching plugin twitch for URL twitch.tv/ongamenet verify=False
error: Unable to open URL: https://api.twitch.tv/api/channels/ongamenet/access_token.json ([Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed)

Unfortunately receiving the same error when using:
$ livestreamer "twitch.tv/ongamenet verify=False" best

Error message:
[cli][info] Found matching plugin twitch for URL twitch.tv/ongamenet verify=False
error: Unable to open URL: https://api.twitch.tv/api/channels/ongamenet/access_token.json ([Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed)

@karlo2105

This comment has been minimized.

Show comment
Hide comment
@karlo2105

karlo2105 Jan 3, 2014

Try with uninstalling livestreamer from Add/Remove or Program Functionalities then install the latest livestreamer and try again.

Try with uninstalling livestreamer from Add/Remove or Program Functionalities then install the latest livestreamer and try again.

@Horazon86

This comment has been minimized.

Show comment
Hide comment
@Horazon86

Horazon86 Jan 3, 2014

Uninstalled both Livestreamer and VLC, and reinstalled (Livestreamer 1.7.2, VLC 2.1.2), same error message. :(

Uninstalled both Livestreamer and VLC, and reinstalled (Livestreamer 1.7.2, VLC 2.1.2), same error message. :(

@chrippa

This comment has been minimized.

Show comment
Hide comment
@chrippa

chrippa Jan 3, 2014

Owner

Do you use some proxy/VPN that might mess with your HTTPS traffic? Does Twitch work in your browser? What OS are you using?

Owner

chrippa commented Jan 3, 2014

Do you use some proxy/VPN that might mess with your HTTPS traffic? Does Twitch work in your browser? What OS are you using?

@Horazon86

This comment has been minimized.

Show comment
Hide comment
@Horazon86

Horazon86 Jan 3, 2014

It's possible, I'm at work and they do block some stuff (but not much). I unfortunately don't have the ability to tinker with any of their settings.

That said, Twitch does work in my browser. I'm using Win 7 64.

It's possible, I'm at work and they do block some stuff (but not much). I unfortunately don't have the ability to tinker with any of their settings.

That said, Twitch does work in my browser. I'm using Win 7 64.

@JoshBour

This comment has been minimized.

Show comment
Hide comment
@JoshBour

JoshBour Jan 26, 2014

I'm getting the exact same error, tried both version (with or without the verify=False), tried uninstalling and installing again but still nothing. Using Win7 x64 and twitch works on my browsers perfectly.
Any updates on this issue?

I'm getting the exact same error, tried both version (with or without the verify=False), tried uninstalling and installing again but still nothing. Using Win7 x64 and twitch works on my browsers perfectly.
Any updates on this issue?

@xXLupoXx

This comment has been minimized.

Show comment
Hide comment
@xXLupoXx

xXLupoXx Feb 16, 2014

Same problem if cyperghost vpn is active....
Is there a way to fix this?

Update:
looked into it and seems to be related to python not checking the certificate right.
(Cyberghost creates a trusted root ca which is used for ssl connectins)
sooo any solution for this?

Same problem if cyperghost vpn is active....
Is there a way to fix this?

Update:
looked into it and seems to be related to python not checking the certificate right.
(Cyberghost creates a trusted root ca which is used for ssl connectins)
sooo any solution for this?

@chrippa chrippa added bug labels Mar 14, 2014

@hcmh

This comment has been minimized.

Show comment
Hide comment
@hcmh

hcmh Mar 17, 2014

Hello,
I had the same problem and after looking at the code, I think I know where the problem is and why adding verify=False to the URL does not work. (Please bear in mind: I don't really know python, so I might be plain wrong):

verify=False only disables the certificate check when really accessing the stream. The Problem with

error: Unable to open URL: https://api.twitch.tv/api/channels/ongamenet/access_token.json ([Errno 1] ssl.c:504: error:14090086:SSL routines:SSL3GET_SERVER_CERTIFICATE:certificate verify failed)

occurs earlier, however, when checking the access token. In utils.py there is a function urlget(url, *args, **kwargs) which is used to get the access token. Here there is the request generating the error, so adding verify=False to the request here (apparently the 'if' path with a session) makes twitch work again. (adding it like this:

try:
    if session:
        res = session.request(method, url, timeout=timeout, data=data, verify=False,
                              *args, **kwargs)
    else:

)

Unfortunately, addingverify=False to the code is not really a good fix, since then no certificates will be checked anymore. Maybe a command line option could take care of this?

hcmh commented Mar 17, 2014

Hello,
I had the same problem and after looking at the code, I think I know where the problem is and why adding verify=False to the URL does not work. (Please bear in mind: I don't really know python, so I might be plain wrong):

verify=False only disables the certificate check when really accessing the stream. The Problem with

error: Unable to open URL: https://api.twitch.tv/api/channels/ongamenet/access_token.json ([Errno 1] ssl.c:504: error:14090086:SSL routines:SSL3GET_SERVER_CERTIFICATE:certificate verify failed)

occurs earlier, however, when checking the access token. In utils.py there is a function urlget(url, *args, **kwargs) which is used to get the access token. Here there is the request generating the error, so adding verify=False to the request here (apparently the 'if' path with a session) makes twitch work again. (adding it like this:

try:
    if session:
        res = session.request(method, url, timeout=timeout, data=data, verify=False,
                              *args, **kwargs)
    else:

)

Unfortunately, addingverify=False to the code is not really a good fix, since then no certificates will be checked anymore. Maybe a command line option could take care of this?

@chrippa

This comment has been minimized.

Show comment
Hide comment
@chrippa

chrippa Mar 17, 2014

Owner

Maybe a command line option could take care of this?

Yes, I'm currently working on a overhaul of the internal HTTP usage in Livestreamer and that will make it possible to add a --http-no-ssl-verify option.

But that is still just a workaround. So far I've figured out that there is something funky with the certificate Twitch is using, which is signed by Godaddy. The Crunchyroll plugin is also having this issue and it is using a Godaddy certificate aswell.

It's unknown what exactly is causing this but it is known to happen when using version 20140223-1 of the ca-certificates package in Arch Linux. If this turns out to be a widespread issue it might be worth setting verify to False in the affected plugins though.

Owner

chrippa commented Mar 17, 2014

Maybe a command line option could take care of this?

Yes, I'm currently working on a overhaul of the internal HTTP usage in Livestreamer and that will make it possible to add a --http-no-ssl-verify option.

But that is still just a workaround. So far I've figured out that there is something funky with the certificate Twitch is using, which is signed by Godaddy. The Crunchyroll plugin is also having this issue and it is using a Godaddy certificate aswell.

It's unknown what exactly is causing this but it is known to happen when using version 20140223-1 of the ca-certificates package in Arch Linux. If this turns out to be a widespread issue it might be worth setting verify to False in the affected plugins though.

@hcmh

This comment has been minimized.

Show comment
Hide comment
@hcmh

hcmh Mar 18, 2014

Ah, yes, that is my ca-certificates package.

While you are working on the overhaul, it might be good to just disable SSL cerification for that one step though, right? If have added the lines needed to turn off verification just for getting the access token here:

diff --git a/src/livestreamer/plugins/justintv_common.py b/src/livestreamer/plugins/justintv_common.py
index 0535021..1022340 100644
--- a/src/livestreamer/plugins/justintv_common.py
+++ b/src/livestreamer/plugins/justintv_common.py
@@ -71,7 +71,9 @@ class APIBase(object):
             params["oauth_token"] = self.oauth_token

         url = "https://api.{0}{1}.{2}".format(host or self.host, path, format)
-        res = urlget(url, params=params, session=self.session)
+        res = urlget(url, params=params, session=self.session,
+                     verify=params.get("verify", "True") )
+

         if format == "json":
             return res_json(res)
@@ -82,7 +84,7 @@ class APIBase(object):

     def channel_access_token(self, channel):
         res = self.call("/api/channels/{0}/access_token".format(channel),
-                        host="twitch.tv")
+                        host="twitch.tv", verify=False)

         return res.get("sig"), res.get("token")

-- 

or on my fork on Github (should I do a pull request for that if you want it? I never used that feature of github..)
Doing it here seems like a better idea to me than adding verify=False in utils.py, since now only the access token is not SSL verified.

hcmh commented Mar 18, 2014

Ah, yes, that is my ca-certificates package.

While you are working on the overhaul, it might be good to just disable SSL cerification for that one step though, right? If have added the lines needed to turn off verification just for getting the access token here:

diff --git a/src/livestreamer/plugins/justintv_common.py b/src/livestreamer/plugins/justintv_common.py
index 0535021..1022340 100644
--- a/src/livestreamer/plugins/justintv_common.py
+++ b/src/livestreamer/plugins/justintv_common.py
@@ -71,7 +71,9 @@ class APIBase(object):
             params["oauth_token"] = self.oauth_token

         url = "https://api.{0}{1}.{2}".format(host or self.host, path, format)
-        res = urlget(url, params=params, session=self.session)
+        res = urlget(url, params=params, session=self.session,
+                     verify=params.get("verify", "True") )
+

         if format == "json":
             return res_json(res)
@@ -82,7 +84,7 @@ class APIBase(object):

     def channel_access_token(self, channel):
         res = self.call("/api/channels/{0}/access_token".format(channel),
-                        host="twitch.tv")
+                        host="twitch.tv", verify=False)

         return res.get("sig"), res.get("token")

-- 

or on my fork on Github (should I do a pull request for that if you want it? I never used that feature of github..)
Doing it here seems like a better idea to me than adding verify=False in utils.py, since now only the access token is not SSL verified.

@chrippa chrippa removed the unconfirmed label Mar 18, 2014

@chrippa chrippa closed this in 5f6a3d3 Mar 18, 2014

@chrippa

This comment has been minimized.

Show comment
Hide comment
@chrippa

chrippa Mar 18, 2014

Owner

I opted for a sligthly different fix in 5f6a3d3. Thanks for your effort though.

Owner

chrippa commented Mar 18, 2014

I opted for a sligthly different fix in 5f6a3d3. Thanks for your effort though.

felixonmars-bot pushed a commit to felixonmars/archlinux-community that referenced this issue Mar 19, 2014

dwallace
upgpkg: livestreamer 1.7.5-2
backport #255
chrippa/livestreamer#255


git-svn-id: file:///srv/repos/svn-community/svn@107746 9fca08f4-af9d-4005-b8df-a31f2cc04f65

newkozlukov pushed a commit to newkozlukov/arch-community-packages that referenced this issue Sep 4, 2016

dwallace svntogit
upgpkg: livestreamer 1.7.5-2
backport #255
chrippa/livestreamer#255

git-svn-id: file:///srv/repos/svn-community/svn@107746 9fca08f4-af9d-4005-b8df-a31f2cc04f65

@Mirclus Mirclus referenced this issue in streamlink/streamlink Jul 16, 2017

Closed

Enable certificate verification for Twitch #966

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment