SSL: CERTIFICATE_VERIFY_FAILED?

[shelbyKiraM]

$ youtube-dl https://www.youtube.com/watch\?v\=WBsyc139pvA
[youtube] WBsyc139pvA: Downloading webpage
ERROR: Unable to download webpage: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)> (caused by URLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)'),))

[yan12125]

It's an old problem. See https://github.com/rg3/youtube-dl/search?q=CERTIFICATE_VERIFY_FAILED&type=Issues&utf8=%E2%9C%93 for previous discussions.

[shelbyKiraM]

--no-check-certificate works. Thx. But, you can't fallback to that if it errors?

[jaimeMF]

Post the full output with the --verbose option. If you are not using Windows I would appreciate if you could post the output of wget https://www.youtube.com/watch\?v\=WBsyc139pvA and curl -v https://www.youtube.com/watch\?v\=WBsyc139pvA > /dev/null (to see if they also fail).

--no-check-certificate works. Thx. But, you can't fallback to that if it errors?

It's unsecure, and it seems to be required because of a misconfiguration.

[shelbyKiraM]

wget https://www.youtube.com/watch\?v\=WBsyc139pvA
--2015-03-29 14:43:50--  https://www.youtube.com/watch?v=WBsyc139pvA
Resolving www.youtube.com... 216.58.192.14, 2607:f8b0:4005:801::200e
Connecting to www.youtube.com|216.58.192.14|:443... connected.
ERROR: cannot verify www.youtube.com's certificate, issued by 'CN=Google Internet Authority G2,O=Google Inc,C=US':
  Unable to locally verify the issuer's authority.
To connect to www.youtube.com insecurely, use `--no-check-certificate'.

curl -v https://www.youtube.com/watch\?v\=WBsyc139pvA > /dev/null                                                                                                                                                                                                                  5 ↵
* Hostname was NOT found in DNS cache
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 216.58.192.14...
*   Trying 2607:f8b0:4005:801::200e...
* Immediate connect fail for 2607:f8b0:4005:801::200e: No route to host
* Connected to www.youtube.com (216.58.192.14) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate: *.google.com
* Server certificate: Google Internet Authority G2
* Server certificate: GeoTrust Global CA
> GET /watch?v=WBsyc139pvA HTTP/1.1
> User-Agent: curl/7.37.1
> Host: www.youtube.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 29 Mar 2015 21:44:57 GMT
* Server gwiseguy/2.0 is not blacklisted
< Server: gwiseguy/2.0
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block; report=https://www.google.com/appserve/security-bugs/log/youtube
< Cache-Control: no-cache
< Content-Type: text/html; charset=utf-8
< P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info."
< Expires: Tue, 27 Apr 1971 19:44:06 EST
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: YSC=Iwm-_Uh8BVA; path=/; domain=.youtube.com; HttpOnly
< Set-Cookie: VISITOR_INFO1_LIVE=gr55qLcKQb4; expires=Sat, 28-Nov-2015 09:37:57 GMT; path=/; domain=.youtube.com; HttpOnly
< Alternate-Protocol: 443:quic,p=0.5
< Accept-Ranges: none
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
<
{ [data not shown]
100  182k    0  182k    0     0  96317      0 --:--:--  0:00:01 --:--:-- 96327
* Connection #0 to host www.youtube.com left intact

youtube-dl https://www.youtube.com/watch\?v\=WBsyc139pvA -v
[debug] System config: []
[debug] User config: []
[debug] Command-line args: [u'https://www.youtube.com/watch?v=WBsyc139pvA', u'-v']
[debug] Encodings: locale UTF-8, fs utf-8, out UTF-8, pref UTF-8
[debug] youtube-dl version 2015.03.24
[debug] Python version 2.7.9 - Darwin-14.3.0-x86_64-i386-64bit
[debug] exe versions: ffmpeg 2.6.1, ffprobe 2.6.1
[debug] Proxy map: {}
[youtube] WBsyc139pvA: Downloading webpage
ERROR: Unable to download webpage: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)> (caused by URLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)'),))
  File "/usr/local/bin/youtube-dl/youtube_dl/extractor/common.py", line 314, in _request_webpage
    return self._downloader.urlopen(url_or_request)
  File "/usr/local/bin/youtube-dl/youtube_dl/YoutubeDL.py", line 1673, in urlopen
    return self._opener.open(req, timeout=self._socket_timeout)
  File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/usr/local/bin/youtube-dl/youtube_dl/utils.py", line 695, in https_open
    req, **kwargs)
  File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 1197, in do_open
    raise URLError(err)

[jaimeMF]

If you install openssl with hombrew (it should probably be already installed by wget and python), what happens if you run export SSL_CERT_FILE=/usr/local/etc/openssl/cert.pem first?

[shelbyKiraM]

17:38:04 user@Daedalus.local Downloads export SSL_CERT_FILE=/usr/local/etc/openssl/cert.pem
17:38:18 user@Daedalus.local Downloads youtube-dl https://www.youtube.com/watch\?v\=WBsyc139pvA --verbose
[debug] System config: []
[debug] User config: []
[debug] Command-line args: [u'https://www.youtube.com/watch?v=WBsyc139pvA', u'--verbose']
[debug] Encodings: locale UTF-8, fs utf-8, out UTF-8, pref UTF-8
[debug] youtube-dl version 2015.03.24
[debug] Python version 2.7.9 - Darwin-14.3.0-x86_64-i386-64bit
[debug] exe versions: ffmpeg 2.6.1, ffprobe 2.6.1
[debug] Proxy map: {}
[youtube] WBsyc139pvA: Downloading webpage
ERROR: Unable to download webpage: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)> (caused by URLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)'),))
File "/usr/local/bin/youtube-dl/youtube_dl/extractor/common.py", line 314, in _request_webpage
return self._downloader.urlopen(url_or_request)
File "/usr/local/bin/youtube-dl/youtube_dl/YoutubeDL.py", line 1673, in urlopen
return self._opener.open(req, timeout=self._socket_timeout)
File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 431, in open
response = self._open(req, data)
File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 449, in _open
'_open', req)
File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 409, in _call_chain
result = func(_args)
File "/usr/local/bin/youtube-dl/youtube_dl/utils.py", line 695, in https_open
req, *_kwargs)
File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 1197, in do_open
raise URLError(err)

[izzyleung]

Can reproduce this on Mac OS X, latest version of System, and the latest version of youtube-dl.

$ youtube-dl https://www.youtube.com/watch\?v\=7NZ9X9A2efA -v
[debug] System config: []
[debug] User config: []
[debug] Command-line args: [u'https://www.youtube.com/watch?v=7NZ9X9A2efA', u'-v']
[debug] Encodings: locale UTF-8, fs utf-8, out UTF-8, pref UTF-8
[debug] youtube-dl version 2015.03.28
[debug] Python version 2.7.9 - Darwin-14.3.0-x86_64-i386-64bit
[debug] exe versions: none
[debug] Proxy map: {}
[youtube] 7NZ9X9A2efA: Downloading webpage
ERROR: Unable to download webpage: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)> (caused by URLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)'),))
  File "/usr/local/bin/youtube-dl/youtube_dl/extractor/common.py", line 314, in _request_webpage
    return self._downloader.urlopen(url_or_request)
  File "/usr/local/bin/youtube-dl/youtube_dl/YoutubeDL.py", line 1673, in urlopen
    return self._opener.open(req, timeout=self._socket_timeout)
  File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/usr/local/bin/youtube-dl/youtube_dl/utils.py", line 695, in https_open
    req, **kwargs)
  File "/usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/urllib2.py", line 1197, in do_open
    raise URLError(err)

SSL_CERT_FILE environment variable already exported:

$ echo $SSL_CERT_FILE
/usr/local/etc/openssl/cert.pem

Can use --no-check-certificate to download the video, but wonder what is going wrong with the certs.

Thanks in advance for your reply.

[izzyleung]

Found a solution:

Manually install ca-cert, then export this cert as an environment variable

A script to install certs: https://gist.github.com/1stvamp/2158128

and then export SSL_CERT_FILE="/usr/share/curl/ca-bundle.crt" in your .bashrc

[jaimeMF]

@izzyleung note that on that the script ca-cert is downloaded over http, probably not the most secure option.

[izzyleung]

@jaimeMF Yep, thanks for mentioning that.

And, just wonder why I have to manually install the certs rather than just use the system default. :-(

[izzyleung]

@blacRose @jaimeMF

Found out the solution, I think it might be the problem of the certs installed by brew's openssl, they might be expired.

Just force uninstall openssl by brew remove openssl, then rm -rf /usr/local/etc/openssl.
Finally, reinstall openssl by brew install openssl, it will reinstall the certs for you, and now youtube-dl should work fine without --no-check-certificate and you don't have to export the environment variable.
Link to the solution: Homebrew/legacy-homebrew#38800

You guys can also add this solution to README of this project to remind those who have the certificate problem.

[DomT4]

Problem and temporary workaround detailed below for via Homebrew installations. This isn't a solution, just a dirty hack until OpenSSL do something with the upstream bug report, or Apple do something with the cert situation.

Homebrew/legacy-homebrew#38800 (comment)
Homebrew/legacy-homebrew#38495
Homebrew/legacy-homebrew#38491

[jaimeMF]

Thanks for finding the "solution", I'm closing the issue. Feel free to submit a PR adding it to the FAQ

[ghost]

This solved the problem for me, thank you!

brew uninstall --force openssl
brew install openssl

[DomT4]

You shouldn't need to force removal of the existing OpenSSL first - Just brew update && brew reinstall openssl.

[slmingol]

Just confirming that I had this problem and the solution to do this worked:

brew update && brew reinstall openssl

[ghost]

please help me remove the same error in Ubuntu. I have tried uninstalling openssl using apt-get.

[Paddywhacker]

Is this relevant for SSL Certificate failure in Win 7, using youtube-dl updated 18 Dec, and also using youtube-dl-GUI-0.3.7-win? The GUI always fails, the command line only sometimes.

[yan12125]

Things are different on Windows and Unix-like systems. See #7309 for more information. Especially, @skarp7c1 provides a possible solution in #7309 (comment).

[starrychloe]

How do you fix this in Windows and Chocolatey? I already have

SSL_CERT_FILE=C:\ruby200\cacert.pem

Which I got from http://curl.haxx.se/ca/cacert.pem

[yan12125]

If I got it right Chocolatey uses official Windows installers from python.org, so you need to do the same - delete expired CA certificates.

[starrychloe]

What do you mean "delete expired CA certificates"? It's just a text file. Which certificate? They are all encoded. I don't feel like decoding every one to find it's expiration date. I don't even have openssl installed in Windows.

[yan12125]

See #7309 for detailed steps. Note that @skarp7c1's approach (install Google's new certificate) is incorrect. You should remove invalid certificates instead of add new ones.

[pjobson]

This can also happen if you have something set as your LD_LIBRARY_PATH.

For example exporting plex's lib path...

export LD_LIBRARY_PATH=/usr/lib/plexmediaserver:$LD_LIBRARY_PATH

Causes similar errors. Sorry to bounce up an old bug, couldn't find a useful place to put this as it may be helpful for someone else.

[yan12125]

@outhud: remove the broken OpenSSL installation in /usr/local (1.1.1-dev) and rebuild Python if necessary

[marek-knappe]

Found a solution:

Manually install ca-cert, then export this cert as an environment variable

A script to install certs: https://gist.github.com/1stvamp/2158128

and then export SSL_CERT_FILE="/usr/share/curl/ca-bundle.crt" in your .bashrc

Worked for me.

[eaglepie]

Found a solution:

Manually install ca-cert, then export this cert as an environment variable

A script to install certs: https://gist.github.com/1stvamp/2158128

and then export SSL_CERT_FILE="/usr/share/curl/ca-bundle.crt" in your .bashrc

I used this method , and it's worked!