Custom CA cert self signed SSL certificate not supported #358

Closed
RedKage opened this issue Aug 10, 2020 · 8 comments · Fixed by #359
Labels
bug Something isn't working

Comments

@RedKage

RedKage commented Aug 10, 2020

Describe the bug
Cannot add a server which is on an SSL endpoint with a self signed certificate

To Reproduce

  • Have a jellyfin server, like on https://xxxxx:1234/jellyfin
  • The jellyfin app is on a subfolder root
  • This URL is on an SSL port 1234 with a self signed certificate
  • This certificate is manually added in the Windows Certificate Store as a CA cert, so with other apps like Edge browser this cert is seen as valid
  • This certificate is manually added to the Kodi cert store in system/certs/cacert.pem
  • To add the cert to cacert.pem, I extract the certificate using Chrome browser while navigating to https://xxxxx:1234/jellyfin and saving it as Base-64 encoded X.509 (.CER) then copy/paste this at the end of cacert.pem
  • Running Kodi in portable mode with "kodi.exe -p"
  • After installing the jellyfin add-on I am prompted with a popup dialog to manually add a server
  • I select manual, and write the URL https://xxxxx:1234/jellyfin
  • I click connect and have a "Cannot connect to server" error message

Expected behavior
The jellyfin add-on must either

  • Use the system OS certificate store to validate the SSL certificate
  • Or use the built-in certificate store in Kodi (cacert.pem)

Adding a self signed SSL server must work

Logs

2020-08-10 10:50:15.027 T:17804 NOTICE: JELLYFIN.main -> INFO::service.py:68 -->[ service ]
2020-08-10 10:50:15.029 T:17804 NOTICE: JELLYFIN.main -> INFO::service.py:69 Delay startup by 4 seconds.
2020-08-10 10:50:15.050 T:12544 NOTICE: JELLYFIN.entrypoint.service -> INFO::jellyfin_kodi\entrypoint\service.py:62 --->>>[ JELLYFIN ]
2020-08-10 10:50:15.052 T:12544 NOTICE: JELLYFIN.entrypoint.service -> INFO::jellyfin_kodi\entrypoint\service.py:63 Version: 0.5.8
2020-08-10 10:50:15.053 T:12544 NOTICE: JELLYFIN.entrypoint.service -> INFO::jellyfin_kodi\entrypoint\service.py:64 KODI Version: 18.8 (18.8.0) Git:20200727-45686bddb1
2020-08-10 10:50:15.056 T:12544 NOTICE: JELLYFIN.entrypoint.service -> INFO::jellyfin_kodi\entrypoint\service.py:65 Platform: Windows
2020-08-10 10:50:15.058 T:12544 NOTICE: JELLYFIN.entrypoint.service -> INFO::jellyfin_kodi\entrypoint\service.py:66 Python Version: 2.7.13 (default, Jul 14 2017, 17:41:26) [MSC v.1900 64 bit (AMD64)]
2020-08-10 10:50:15.062 T:12544 NOTICE: JELLYFIN.entrypoint.service -> INFO::jellyfin_kodi\entrypoint\service.py:67 Using dynamic paths: False
2020-08-10 10:50:15.064 T:12544 NOTICE: JELLYFIN.entrypoint.service -> INFO::jellyfin_kodi\entrypoint\service.py:68 Log Level: 1
2020-08-10 10:50:19.082 T:24336 NOTICE: JELLYFIN.monitor -> INFO::jellyfin_kodi\monitor.py:454 --->[ listener ]
2020-08-10 10:50:19.084 T:8920 NOTICE: JELLYFIN.webservice -> INFO::jellyfin_kodi\webservice.py:46 --->[ webservice/57578 ]
2020-08-10 10:50:19.086 T:12544 NOTICE: JELLYFIN.connect -> INFO::jellyfin_kodi\connect.py:35 --[ server/default ]
2020-08-10 10:50:19.098 T:12544 NOTICE: JELLYFIN -> INFO::jellyfin_kodi\jellyfin_init_.py:99 ---[ START JELLYFINCLIENT ]---
2020-08-10 10:50:19.103 T:12544 NOTICE: JELLYFIN.jellyfin.connection_manager -> INFO::jellyfin_kodi\jellyfin\connection_manager.py:177 Begin connect
2020-08-10 10:50:19.104 T:12544 NOTICE: JELLYFIN.jellyfin.connection_manager -> INFO::jellyfin_kodi\jellyfin\connection_manager.py:58 Begin getAvailableServers
2020-08-10 10:50:20.109 T:12544 NOTICE: JELLYFIN.jellyfin.connection_manager -> INFO::jellyfin_kodi\jellyfin\connection_manager.py:240 Found Servers: []
2020-08-10 10:50:20.111 T:12544 NOTICE: JELLYFIN.jellyfin.connection_manager -> INFO::jellyfin_kodi\jellyfin\connection_manager.py:65 Found no servers
2020-08-10 10:50:20.112 T:12544 NOTICE: JELLYFIN.jellyfin.connection_manager -> INFO::jellyfin_kodi\jellyfin\connection_manager.py:180 connect has 0 servers
2020-08-10 10:50:20.114 T:12544 NOTICE: JELLYFIN.jellyfin.connection_manager -> INFO::jellyfin_kodi\jellyfin\connection_manager.py:58 Begin getAvailableServers
2020-08-10 10:50:21.119 T:12544 NOTICE: JELLYFIN.jellyfin.connection_manager -> INFO::jellyfin_kodi\jellyfin\connection_manager.py:240 Found Servers: []
2020-08-10 10:50:21.121 T:12544 NOTICE: JELLYFIN.jellyfin.connection_manager -> INFO::jellyfin_kodi\jellyfin\connection_manager.py:65 Found no servers
2020-08-10 10:50:29.247 T:12544 NOTICE: JELLYFIN.jellyfin.api -> INFO::jellyfin_kodi\jellyfin\api.py:393 Sending get request to system/info/public
2020-08-10 10:50:30.408 T:12544 NOTICE: JELLYFIN.jellyfin.connection_manager -> ERROR::jellyfin_kodi\jellyfin\connection_manager.py:149 HTTPSConnectionPool(host='xxxxx', port=1234): Max retries exceeded with url: /jellyfin/system/info/public (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)'),))
Traceback (most recent call last):
File "jellyfin_kodi\jellyfin\connection_manager.py", line 135, in connect_to_address
response_url = self.API.check_redirect(address)
File "jellyfin_kodi\jellyfin\api.py", line 453, in check_redirect
response = self.send_request(server_address, "system/info/public")
File "jellyfin_kodi\jellyfin\api.py", line 397, in send_request
return request_method(url, **request_settings)
File "D:\kodi-18.8-Leia-x64\portable_data\addons\script.module.requests\lib\requests\api.py", line 75, in get
return request('get', url, params=params, **kwargs)
File "D:\kodi-18.8-Leia-x64\portable_data\addons\script.module.requests\lib\requests\api.py", line 60, in request
return session.request(method=method, url=url, **kwargs)
File "D:\kodi-18.8-Leia-x64\portable_data\addons\script.module.requests\lib\requests\sessions.py", line 533, in request
resp = self.send(prep, **send_kwargs)
File "D:\kodi-18.8-Leia-x64\portable_data\addons\script.module.requests\lib\requests\sessions.py", line 646, in send
r = adapter.send(request, **kwargs)
File "D:\kodi-18.8-Leia-x64\portable_data\addons\script.module.requests\lib\requests\adapters.py", line 514, in send
raise SSLError(e, request=request)
SSLError: HTTPSConnectionPool(host='xxxxxx', port=1234): Max retries exceeded with url: /jellyfin/system/info/public (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)'),))
2020-08-10 10:50:30.409 T:12544 NOTICE: JELLYFIN.jellyfin.connection_manager -> ERROR::jellyfin_kodi\jellyfin\connection_manager.py:150 connectToAddress https://xxxxxxx:1234/jellyfin failed

System (please complete the following information):

  • OS: Windows
  • Jellyfin Version: 10.6.2
  • Kodi Version: 18.8
  • Addon Version: 0.5.8
@RedKage RedKage changed the title Custom CA cert self signed not supported Custom CA cert self signed SSL certificate not supported Aug 10, 2020
@TrueTechy
Contributor

Not sure why it's not trusting the cert if your OS trusts the cert. As a workaround till we can look into the code causing this issue, you can disable SSL verification in the settings of the addon. That should allow you to connect to jellyfin with your self signed cert.

@RedKage
Author

RedKage commented Aug 10, 2020

Yes, I'm currently trying to disable the check with the "Verify connection" toggle in the settings.
I added my non-SSL endpoint so now I can fiddle with the settings

@RedKage
Author

RedKage commented Aug 10, 2020

Hmmm doesn't seem to work, I still have CERTIFICATE_VERIFY_FAILED errors even with <setting id="sslverify">false</setting>

@RedKage
Author

RedKage commented Aug 10, 2020

Here is another log after I changed the URL to the SSL endpoint with sslverify=false
kodi.log

Additional info that I didn't mention in the ticket: I'm running Kodi in portable mode with the "-p" switch
EDIT: Info about portable mode added to the steps to repro

@TrueTechy TrueTechy added the bug Something isn't working label Aug 10, 2020
@TrueTechy
Contributor

TrueTechy commented Aug 10, 2020

The settings("sslverify") is returning the string "false" and not the bool False, so the check we do for this needs to be amended.

Nope, got better. Needs to be settings("sslverify.bool") to return the bool as expected.

@budulinek

Still an issue, please reopen.

Not sure why it's not trusting the cert if your OS trusts the cert.

Because jellyfin-kodi relies on root certs provided by certifi:
~/.kodi/addons/script.module.certifi/lib/certifi/cacert.pem

Please remove the dependency on certifi. Instead, the jellyfin add-on must either

  • Use the system OS certificate store to validate the SSL certificate
  • Or use the built-in certificate store in Kodi (in /etc/ssl/cacert.pem or /run/libreelec/cacert.pem)

@mcarlton00
Member

In a word, no. At this point, it's not an issue, it's a feature request we have no interest in encouraging.

We use the requests library for our network code. requests depends on certifi. And there's no way we're rewriting all of our network code for the half a dozen people out there who want this. If you want to use a self signed cert, you can disable verification.

@budulinek

OK, thanks for quick reply. I did not know it would be so difficult to get rid of certifi.
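
Added example, not part of the original thread and not the add-on's own code: it shows why a setting read back as the string "false" leaves verification switched on, and one way to turn such string settings into the value passed as `verify` to requests, which accepts a CA bundle path as well as a bool, so a self signed certificate can be trusted without disabling verification. The `cabundle` setting id and all function names are assumptions made for this example, and the sample XML is constructed around the `sslverify` line quoted above.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample. "sslverify" is the id quoted in the thread;
# "cabundle" is a hypothetical id that exists only in this example.
SAMPLE_SETTINGS = """<settings>
    <setting id="sslverify">false</setting>
    <setting id="cabundle"></setting>
</settings>"""

PEM_MARKER = "-----BEGIN CERTIFICATE-----"


def read_settings(xml_text):
    """Return {id: text}. Every value comes back as a string."""
    root = ET.fromstring(xml_text)
    return {s.get("id"): (s.text or "").strip() for s in root.iter("setting")}


def naive_verify(settings):
    """Illustrates the bug class: any non-empty string, "false" included, is truthy."""
    return bool(settings.get("sslverify", "true"))


def parse_bool(value, default=True):
    """Strict string-to-bool; an unrecognised value keeps the safe default."""
    value = value.strip().lower()
    if value in ("false", "0", "no", "off"):
        return False
    if value in ("true", "1", "yes", "on"):
        return True
    return default


def resolve_verify(settings):
    """Value for requests' verify= argument: False, True, or a CA bundle path."""
    if not parse_bool(settings.get("sslverify", "true")):
        return False  # explicit opt-out by the user: no certificate checking
    bundle = settings.get("cabundle", "")
    if bundle and os.path.isfile(bundle):
        with open(bundle, "r", errors="replace") as fh:
            if PEM_MARKER in fh.read():
                return bundle  # verify against the CAs in this file
    return True  # missing or unusable bundle: verify against the default roots
```
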
