Problems playing https Streams (SSL-certificate problems)

[alegria]

I have an internetserver with a webapplication helping me searching songs and creating playlists (m3u). To protect my music collection I use ssl. Because I use everything private I haven't a special certificate for authentification. This seems to be the problem...

If I want to play a song and open the networkstream with the url:

Code: Select all

https://user:pass@myserver/music/test.mp3

I get the error messages:

Code: Select all

gnutls error: TLS session: access denied gnutls error: Certificate could not be verified gnutls error: Certificate's signer was not found main error: TLS/SSL session handshake error access_http error: cannot establish HTTP/TLS session gnutls error: TLS session: access denied gnutls error: Certificate could not be verified gnutls error: Certificate's signer was not found main error: TLS/SSL session handshake error access_http error: cannot establish HTTP/TLS session

Someone know how to solve this problem without buying a ssl certificate?

P.S. An interesting point is that the vlc player on windows doesnt show any error message although I can not play my file too...

[Rémi Denis-Courmont]

Add a PEM copy of you root CA to

Code: Select all

~/.vlc/certs/

[alegria]

Perfect! Now it works under Linux...
(I copied the server.crt in the new directory certs. Hopefully you meant this when you wrote about "PEM copy of you root CA"?)

Do you know how it works on Windows?

How can I solve this problem with other players (amarok, real, winamp -> all this which havent a certs directory...) without buying a "real" certificate?

[Rémi Denis-Courmont]

It works all the same on Windows, from the user Application Data directory (if I remember correctly, C:\Documents and Settings\username\Application Data\vlc\certs\).

I don't know for other softwares.

[alegria]

F**K! It doesn't work! I was using the VLC from my browser so it doesn't stream the song. Firefox first download the file to /tmp and then VLC opened it! Because of that the error message in VLC (under Linux) is the same as before when open a networkstream with the url:

Code: Select all

https://user:pass@server.com/music/test.mp3

although my server.crt (i'm using OpenSSL not CAcert (http://www.cacert.org/), maybe that's why I haven't a PEM file?) is in the directory ~/.vlc/certs/

Open SSL only make the files server.csr and server.crt.

Any Idea? Maybe there is another open tool/service where I get a better (more accepted) certificate?

[alegria]

I added the server.crt to two other directories (beacause of the error messages...):
/home/alegria/.vlc/ssl/private/server.crt
/usr/share/vlc/ca-certificates.crt
and change your path from ~/.vlc/certs/server.crt to ~/.vlc/ssl/certs/server.crt

Now there no more "real" errors... only the decoding error in the private path...

The whole error message looks now like:

Code: Select all

main debug: adding playlist item `https://user:pass@myserver.dyndns.org/music/test.mp3' ( https://user:pass@myserver.dyndns.org/music/test.mp3 ) main debug: creating new input thread main debug: waiting for thread completion main debug: thread 2968050576 (input) created at priority 0 (input/input.c:265) main debug: creating statistics handler main debug: `https://user:pass@myserver.dyndns.org/music/test.mp3' gives access `https' demux `' path `user:pass@myserver.dyndns.org/music/test.mp3' main debug: creating demux: access='https' demux='' path='user:pass@myserver.dyndns.org/music/test.mp3' main debug: looking for access_demux module: 0 candidates main warning: no access_demux module matched "https" main debug: creating access 'https' path='user:pass@myserver.dyndns.org/music/test.mp3' main debug: looking for access2 module: 9 candidates access_http debug: http: server='myserver.dyndns.org' port=443 file='/buscador/test.mp3 access_http debug: user='user', pwd='pass' main debug: net: connecting to myserver.dyndns.org port 443 main debug: connection in progress main debug: looking for tls module: 1 candidate gnutls debug: GnuTLS v1.6.1 initialized main debug: using tls module "gnutls" main debug: TLS/SSL provider initialized gnutls debug: added x509 credentials (/home/myname/.vlc/ssl/certs/server.crt) gnutls debug: added x509 credentials (/usr/share/vlc/ca-certificates.crt) gnutls warning: cannot add x509 credentials (/home/myname/.vlc/ssl/private/server.crt): Base64 decoding error. gnutls debug: TLS/x509 certificate verified main debug: TLS/SSL client initialized access_http debug: protocol 'HTTP' answer code 302 access_http debug: Server: Apache/2.2.4 (Linux/SUSE) access_http debug: stream size=319 access_http debug: Content-Type: text/html; charset=iso-8859-1 access_http debug: redirection to https://myserver.dyndns.org/music gnutls debug: GnuTLS deinitialized main debug: removing module "gnutls" main debug: TLS/SSL provider deinitialized access_http debug: http: server='myserver.dyndns.org' port=443 file='/music

[vk_dk]

I'm having the same problem with win32 version 0.99
I DID put the certificate to "C:\Documents and Settings\"username"\Application Data\vlc\ssl\certs" and inserted the file name in Preferences > Stream Output Access Output > HTTP > Root CA file.
However, I still get the following from the debug:

Code: Select all

main debug: connection succeeded (socket = 5628) main debug: requested server name: xxxx main debug: looking for tls client module: 1 candidate gnutls debug: GnuTLS v2.6.3 initialized gnutls debug: added x509 credentials (C:\Documents and Settings\xxx\Application Data\vlc/ssl/certs\xxx.crt) gnutls warning: cannot add x509 credentials (C:\Documents and Settings\All Users\Application Data/ssl/certs/ca-certificates.crt): No such file or directory main debug: using tls client module "gnutls" main debug: TIMER module_Need() : 51.000 ms - Total 51.000 ms / 1 intvls (Avg 51.000 ms) gnutls error: TLS session: access denied gnutls error: Certificate could not be verified gnutls error: Certificate's signer was not found main error: TLS client session handshake error gnutls debug: GnuTLS deinitialized main debug: removing module "gnutls" access_http error: cannot establish HTTP/TLS session main warning: no access module matching "https" could be loaded

It's a Cacert root certificate, perfectly accepted by Firefox and other apps

[Rémi Denis-Courmont]

gnutls error: Certificate's signer was not found

means GnuTLS could not find the Root CA. So...

[NickG]

gnutls error: Certificate's signer was not found

meansa GnuTLS could not find the Root CA. So...

To me it seems he already solved that problem, and now has this.

access_http debug: protocol 'HTTP' answer code 302
access_http debug: Server: Apache/2.2.4 (Linux/SUSE)
access_http debug: stream size=319
access_http debug: Content-Type: text/html; charset=iso-8859-1
access_http debug: redirection to https://myserver.dyndns.org/music

302 is a redirect, so I'd look for anything you might use in your config that could redirect.
I.E. in a .htaccess file, or several places in your apache config httpd.conf depending on your setup.

Could be in the global section of the httpd.conf but also within a VirtualHost directive .. if you use that?


/NickG