Outdated SSL CA Root bundle on Windows

[korden32]

Checklist

• I'm reporting a broken site support issue
• I've verified that I'm running youtube-dl version 2020.05.29
• I've checked that all provided URLs are alive and playable in a browser
• I've checked that all URLs and arguments with special characters are properly quoted or escaped
• I've searched the bugtracker for similar bug reports including closed ones
• I've read bugs section in FAQ

Verbose log

youtube-dl -v https://vk.com
[debug] System config: []
[debug] User config: []
[debug] Custom config: []
[debug] Command-line args: ['-v', 'https://vk.com']
[debug] Encodings: locale cp1251, fs mbcs, out cp866, pref cp1251
[debug] youtube-dl version 2020.05.29
[debug] Python version 3.4.4 (CPython) - Windows-10-10.0.18362
[debug] exe versions: ffmpeg 4.2.2, ffprobe 4.2.2
[debug] Proxy map: {}
[generic] vk: Requesting header
WARNING: Could not send HEAD request to https://vk.com: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)>
[generic] vk: Downloading webpage
ERROR: Unable to download webpage: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)> (caused by URLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)'),))
  File "C:\Users\dst\AppData\Roaming\Build archive\youtube-dl\ytdl-org\tmpxtvjzx45\build\youtube_dl\extractor\common.py", line 627, in _request_webpage
  File "C:\Users\dst\AppData\Roaming\Build archive\youtube-dl\ytdl-org\tmpxtvjzx45\build\youtube_dl\YoutubeDL.py", line 2238, in urlopen
  File "C:\Python\Python34\lib\urllib\request.py", line 464, in open
  File "C:\Python\Python34\lib\urllib\request.py", line 482, in _open
  File "C:\Python\Python34\lib\urllib\request.py", line 442, in _call_chain
  File "C:\Users\dst\AppData\Roaming\Build archive\youtube-dl\ytdl-org\tmpxtvjzx45\build\youtube_dl\utils.py", line 2736, in https_open
  File "C:\Python\Python34\lib\urllib\request.py", line 1185, in do_open

Description

AddTrust External CA Root certificate expired yesterday.
https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
Seems like ytdl dependencies for Windows has outdated CA bundle that doesn't contain USERTRust CA. That broke downloading from sites with such certificates.

[comsomisha]

You should see #7309 (comment)
First, you should try option --no-check-certificate

[korden32]

@comsomisha yeah, --no-check-certificate working, I tried that first.

Seems like this one related https://bugs.python.org/issue36011

[korden32]

Reproduced that using Windows Sandbox. Can confirm now that this is core issue - https://bugs.python.org/issue36011

Simple workaround: open required site once in a browser that uses Windows trust store (IE/Edge/Chromium-based, but not Firefox). This will trigger required Root CA download.

[Hrxn]

Another possible workaround: Use the certifi bundled cert package on PyPI.

[Derp0]

Can confirm opening https://ytdl-org.github.io/youtube-dl/download.html in IE fixes this issue. Thank you.