SSL Chain Certificate Setting

Post by 88keyz » 19 Sep 2013 22:02

I recently purchased an SSL certificate for my site from COMODO and it appears that it doesn't work 100% in CouchPotato. The issue is that there is no place in CP to put a path to the certificate authority's SSL chain certificate. As I'm sure you know, that chain certificate info is required for SSL cert verification. For some reason Sick Beard, which has only the same two SSL info fields, works fine and lists the SSL cert as "Verified by: COMODO CA Limited". CP, though, says "Verified by: Not specified" when you check the SSL certificate info. In SABnzbd, which also works fine, there are three fields for SSL info: HTTPS Certificate, HTTPS Key, HTTPS Chain Certificates. CP has the first two fields but is missing the third field for the chain certificate. Any chance we could get that third field for SSL chain certificates added to the SSL setup? Thanks.

Re: SSL Chain Certificate Setting

Post by clinton.hall » 19 Sep 2013 22:21


Re: SSL Chain Certificate Setting

Post by 88keyz » 20 Sep 2013 14:13


Re: SSL Chain Certificate Setting

Post by Bosken85 » 17 May 2015 13:48

You can still make this work by extracting the chain alongside your public certificate. If you know your way around OpenSSL, try the following command.

openssl pkcs12 -in myCert.pfx -nokeys -out myCert.cer

Re: SSL Chain Certificate Setting

Post by RuudBurger » 20 May 2015 11:42

Old thread but you can include all the certificates in 1 single file. Also all the chain certs.

Re: SSL Chain Certificate Setting

Post by BinaryTB » 29 Jun 2017 20:28

Let's Encrypt intermediate CA certs aren't sent by the CouchPotato HTTPS server:

Code:

>>openssl s_client -connect foo.example.com:5050
CONNECTED(00000003)
depth=0 CN = bar.example2.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = bar.example2.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=bar.example2.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Server certificate
-----BEGIN CERTIFICATE-----
.
.
.


This only manifests in Firefox, since Chrome and Edge use the OS certificate store, but Mozilla uses its own. Apache (and other servers) send the intermediate CA, thus this issue doesn't occur in Firefox.

While all the certs can be concatenated into one file, it would be easier just to have the option to specify the CA file.

The appropriate code in _core.py would be similar to:

Code:

{
    'name': 'ssl_ca',
    'description': 'Path to SSL server.ca',
    'advanced': True,
},


And in runner.py:

Code:

if config['ssl_cert'] and config['ssl_key']:
    ssl_options = {
        'certfile': config['ssl_cert'],
        'keyfile': config['ssl_key'],
        'ca_certs': config.get('ssl_ca', None)
    }
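
Added example, not from the thread or the CouchPotato code base: the single-file approach mentioned by RuudBurger and BinaryTB, assembled so that the leaf comes first and each certificate is followed by its issuer, which is the order Python's `ssl` module expects in `certfile` for the intermediates to be sent. It assumes issuer and subject names match byte-for-byte and does not verify signatures; `read_tlv`, `build_fullchain`, `fake_cert` and the sample names are hypothetical.

```python
import ssl

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw issuer and subject Name bytes of an X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)    # enter Certificate
    _, pos, _ = read_tlv(der, pos)  # enter TBSCertificate
    fields = []                     # serial, sig alg, issuer, validity, subject
    while len(fields) < 5:
        tag, start, end = read_tlv(der, pos)
        if tag != 0xA0:             # skip the optional [0] version field
            fields.append(der[start:end])
        pos = end
    return fields[2], fields[4]

def split_pem(text):
    """DER bytes of each CERTIFICATE block, in file order; key blocks are skipped."""
    return [ssl.PEM_cert_to_DER_cert(BEGIN + chunk.split(END)[0] + END)
            for chunk in text.split(BEGIN)[1:]]

def build_fullchain(leaf_pem, ca_bundle_pem):
    """Leaf first, then each issuer in turn; self-signed roots are left out."""
    leaf, *extra = split_pem(leaf_pem)
    pool = {}
    for der in extra + split_pem(ca_bundle_pem):
        issuer, subject = issuer_and_subject(der)
        if issuer != subject:       # clients already hold the roots they trust
            pool[subject] = der
    ordered = [leaf]
    while (issuer_cert := pool.pop(issuer_and_subject(ordered[-1])[0], None)):
        ordered.append(issuer_cert)
    return "".join(ssl.DER_cert_to_PEM_cert(der) for der in ordered)

# Constructed sample input: structurally valid but unsigned stand-in certificates.
def der_tlv(tag, body):
    return bytes([tag, len(body)]) + body

def fake_cert(subject, issuer):
    tbs = (der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01") + der_tlv(0x30, b"")
           + der_tlv(0x30, issuer.encode()) + der_tlv(0x30, b"") + der_tlv(0x30, subject.encode()))
    return ssl.DER_cert_to_PEM_cert(der_tlv(0x30, der_tlv(0x30, tbs)))
```

On real files, pass the contents of the site certificate and the CA bundle to `build_fullchain` and write the result to the path configured as the SSL certificate.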

SSL Chain Certificate Setting

Post by RamonCacHe » 24 Sep 2018 18:25

You could still embed a player that's served via SSL (the JS or Adobe Flash or Silverlight code, that is) while streaming a non-SSL resource.

