Rclone x509: failed to load system roots

[pchristod]

Hi,

I'm running RClone ARM on my Rasperry Pi2 and RPI 3, Openelec both. I use it to automate uploading my Backups to Google Drive every Night. My RPI2 running Openelec Stable 6.0.3 works fine, my Raspberry Pi3 did also until this Night where i couldn't get it to upload anymoe.

I searched and found your FAQ entry saying it had something to do with the Certificates and looking for them here

"/etc/pki/tls/cacert.pem", // OpenELEC

On my non working Pi3 the Folder is missing entirely, the Pi2 has it.
Openelec updated yesterday to 7.0 Beta 3, so I'm wondering if something changed there http://openelec.tv/news

Unfortunately my knowledge ends here so I can't read that from the Changelog, or if simply the Update has gone wrong.

I'm happy if someone could help me figuring this out.

[ncw]

I don't see anything obvious in the OpenELEC changelog.

rclone will find the cacerts if they are in any of these directories.

"/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt",   // Fedora/RHEL
"/etc/ssl/ca-bundle.pem",             // OpenSUSE
"/etc/pki/tls/cacert.pem",            // OpenELEC

But I suspect they aren't.

If you try this (from the FAQ) then it should make rclone work again

mkdir -p /etc/ssl/certs/
curl -o /etc/ssl/certs/ca-certificates.crt https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt

I don't know what the exactly problem is though, whether it is an OpenELEC update or if the update went wrong.

[pchristod]

Hi,
Thank you for your answer. I forgot you say that I tried that solution from the Faq, the problem with this is that Openelec has /etc set to read only which cannot be changed (I guess due to the feat that the user could break something).

[ncw]

All the places are in /etc except for this one /system/etc/security/cacerts so you could try putting the ca-certificates.crt file in there.

Does OpenELEC have curl or wget? Try them on an https site and see if they work - I suspect they will give an error which will give you something to report to OpenELEC...

[pchristod]

Hey,

actually i had the time to test this a little bit further. I reinstalled Openelec on another SD Card and also Libreelec (which is a fork of Openelec right now under new Flag). It seems that at least the /etc/pki Folder has been removed, on both clean installs it is not available.

The /etc/ssl Folder however is available and shows the following contents

-rw-r--r-- 1 root root 227344 Apr 25 16:42 cert.pem
-rw-r--r-- 1 root root 745 Apr 25 16:42 openssl.cnf
-rw-r--r-- 1 root root 1006 Apr 25 16:42 x509v3.cnf

Libreelec/Openelec seems to be using curl, I also tried your suggestion and just tested a https test Download which worked fine.

curl -o /storage/ca-test.crt https://raw.githubusercontent.com/bagder/ca-bundle/master/
ca-bundle.crt
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 244k 100 244k 0 0 600k 0 --:--:-- --:--:-- --:--:-- 602k

It seems to me that something has changed with the Cert File they are using. However I don't have any knowledge how to Debug this further sadly.

[ncw]

I've reported an issue about this on the openelec project OpenELEC/OpenELEC.tv#4941 as it is a change from 6 -> 7 which has caused rclone to stop working.

[pchristod]

Thank you very much, I will keep an eye on that issue. For now there seems to be nothing that can be done or is there any workaround? Can the –no-check-certificate Option be used to disable the Cert Check entering the Config?
Problem is i can't complete the Config because i get the Cert Error when entering my Token.

[ncw]

I forgot about –no-check-certificate - give it a go. Not sure if it will work for rclone config or not, if not you can copy the config from a different machine see the section here http://rclone.org/remote_setup/

Let me know if it does work for rclone config and if not I'll make it work.

[pchristod]

Yep, that did the Trick. The –no-check-certificate doesn't work for the Config File i checked it, i had to copy the Config like you specified in your Link 👍

Thank you for you help, the Upload works again using the no check in the actual Upload Process!

[ncw]

Looks like openelec have fixed the issue in OpenELEC/OpenELEC.tv#4941 so hopefully it will be working in the next Beta.

I've made a separate issue about the --no-check-certificate not working #468

I'm going to close this one now - thanks for reporting the problem.