fanart sometimes doesn't download: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed #373

Closed
msdos opened this issue Aug 22, 2018 · 11 comments

@msdos

commented Aug 22, 2018

What TMM version are you using?
2.9.13

release, pre-release, nightly, or directly from GitHub/branch?
Release

What is the actual behaviour?
Sometimes, fanart.jpg is not downloaded. This is completely random: for different movies and different combinations of new movies when scraping: a movie that couldn't download fanart, if I remove it from tmm database and try again, may work or not.

What is the expected behaviour?
Download fanart.jpg.

Steps to reproduce:

  • Run the commandline script tinyMediaManagerCMD.sh -updateMovies -scrapeNew -rename. It scrapes the movie but doesn't add the fanart.jpg in the movie folder (but adds a <fanart> tag in movie.nfo). It adds clearlogo.jpg, logo.png, movie.nfo, poster.jpg and thumb.jpg.

Additional
Have you attached the Logfile from the day it happened?

175 2018-08-21 06:20:18,586 ERROR [tmmpool-image-download-task-T3] org.tinymediamanager.scraper.http.Url:312 - Exception getting url https://assets.fanart.tv/fanart/movies/XXX/moviebackground/XXX.jpg ; sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed 
176  javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed 
177         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)             
178         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)        
179         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)             
180         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)             
181         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614) 
182         at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) 
183         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)        
184         at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)      
185         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)   
186         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) 
187         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) 
188         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) 
189         at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:241) 
190         at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:198) 
191         at okhttp3.internal.connection.RealConnection.buildConnection(RealConnection.java:174) 
192         at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:114) 
193         at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:193) 
194         at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:129) 
195         at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:98) 
196         at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42) 
197         at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) 
198         at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) 
199         at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:109) 
200         at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) 
201         at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
202         at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
203         at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
204         at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:124)
205         at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
206         at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
207         at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:170)  
208         at okhttp3.RealCall.execute(RealCall.java:60)                           
209         at org.tinymediamanager.scraper.http.Url.getInputStream(Url.java:285)   
210         at org.tinymediamanager.core.MediaEntityImageFetcherTask.run(MediaEntityImageFetcherTask.java:112)
211         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
212         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
213         at java.lang.Thread.run(Thread.java:748)                                
214  Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
215         at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
216         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
217         at sun.security.validator.Validator.validate(Validator.java:262)        
218         at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
219         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
220         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
221         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
222         ... 32 common frames omitted                                            
223  Caused by: java.security.cert.CertPathValidatorException: validity check failed
224         at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
225         at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
226         at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
227         at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
228         at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
229         at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
230         ... 38 common frames omitted                                            
231  Caused by: java.security.cert.CertificateExpiredException: NotAfter: Tue Jun 12 07:25:05 BRT 2018
232         at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
233         at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)  
234         at sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)
235         at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)
236         at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
237         ... 43 common frames omitted

Your Operating system? (win/mac/linux? version?)

openjdk version "1.8.0_181"
OpenJDK Runtime Environment (build 1.8.0_181-8u181-b13-1~deb9u1-b13)
OpenJDK Client VM (build 25.181-b13, mixed mode)

openjdk-8-jdk-headless/stable,now 8u181-b13-1~deb9u1 armhf [installed]
OpenJDK Development Kit (JDK) (headless)

openjdk-8-jre-headless/stable,now 8u181-b13-1~deb9u1 armhf [installed]
OpenJDK Java runtime, using Hotspot JIT (headless)

Debian 9.4

@msdos

Author

commented Aug 22, 2018

After running a lot of times, I've seen that this is not specifically for fanart, but for logo.png as well in another test.

@msdos

Author

commented Aug 22, 2018

This seems like a misconfiguration from fanart webservers.

Create a script with the following:

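#!/usr/bin/env bash

# Request the response headers over and over; stop at the first curl failure
# (for example, a certificate that fails verification).
while true; do
    servername="https://assets.fanart.tv/"
    curl -I --verbose "$servername"
    if [[ $? != 0 ]]; then
        break
    fi
done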

Sometimes the url will return "INVALID CERTIFICATE", thus giving the exception of this issue. Maybe this is the same cause as #369.

I will keep my suggestion: a retry option when having problems to download these resources would be really useful. The default can be 0 and this can be a parameter in tinyMediaManager settings. I prefer retrying 10 times, even if it's wasteful, than waste my time reviewing all scrapings.
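An added example, not part of the original thread or of tinyMediaManager: the curl loop above only shows that some requests fail, so this sketch handshakes with each resolved address separately, with certificate verification left on, and records which ones are refused and why. The function names are hypothetical, and it assumes the hostname resolves to more than one IPv4 address, which the thread does not confirm.

```python
import socket
import ssl
from collections import defaultdict


def resolve_ipv4(host, port=443):
    """Return every IPv4 address the name currently resolves to."""
    infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def probe(host, ip, port=443, timeout=10.0):
    """Handshake with one backend IP; verification stays on, SNI is `host`."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        # OpenSSL's reason string, such as "certificate has expired"
        return ("rejected", exc.verify_message)
    except OSError as exc:  # DNS, TCP or other TLS failure
        return ("error", type(exc).__name__)


def survey(host, rounds=3, resolver=resolve_ipv4, prober=probe):
    """Probe each address `rounds` times; map ip -> set of (status, detail)."""
    seen = defaultdict(set)
    for _ in range(rounds):
        for ip in resolver(host):
            seen[ip].add(prober(host, ip))
    return dict(seen)


def rejected_backends(results):
    """Addresses that presented a certificate the default trust store refused."""
    return sorted(ip for ip, outcomes in results.items()
                  if any(status == "rejected" for status, _ in outcomes))


if __name__ == "__main__":
    # Hostname taken from the issue; this part needs network access.
    report = survey("assets.fanart.tv")
    for ip, outcomes in sorted(report.items()):
        print(ip, sorted(outcomes))
    print("rejected:", rejected_backends(report))
```

An address that appears under `rejected` with an expiry reason is evidence to send to the site operator, and it lets a client keep verification enabled while retrying.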

@mlaggner

Contributor

commented Aug 22, 2018

a retry is already implemented in v3


an option is not planned, since we want to make tmm easy/small - and we're against having too much settings

@mlaggner mlaggner added this to the v3 milestone Aug 22, 2018

@msdos

Author

commented Aug 22, 2018

5 is a nice compromise. Thanks for implementing it.

@msdos

Author

commented Aug 22, 2018

If it's already implemented, can this be closed? From the description above we can see that's a fanart issue and not a tmm one.

@mlaggner

Contributor

commented Aug 23, 2018

yes, would be the best idea..

@msdos

Author

commented Sep 10, 2018

@mlaggner since v3 is not yet a stable release and I still need to use v2, do you know if there's a java parameter that can be used to avoid checking https certificates? I don't mind the security hole of doing this because I'm using an old machine and it's mainly downloading metadata.

@mlaggner

Contributor

commented Sep 11, 2018

IIRC there is no JVM parameter - we could implement a SSL handler which ignores untrusted certificates.. but that has to be implemented..
btw: did you try tmm v3? It is called alpha, but the state of tmm v3 is more like a beta :) (we just hadn't the time to move on in the release plan). I know there are several users which use tmm v3 on a daily basis..

@msdos

Author

commented Sep 11, 2018

> we could implement a SSL handler which ignores untrusted certificates..

Should I open a new issue?

@mlaggner

Contributor

commented Sep 12, 2018

just saw that I already did that for v3 :)
if I find some spare time, i will backport that to v2 (since I've already touched v2 api for several other fixes)

no need for another issue

@mlaggner mlaggner reopened this Sep 12, 2018

mlaggner added a commit that referenced this issue Sep 17, 2018

@mlaggner

Contributor

commented Sep 17, 2018

will be in the next release for v2

@mlaggner mlaggner closed this Sep 17, 2018

mlaggner added a commit that referenced this issue Sep 19, 2018
