Reverse proxy - ssl - kodi client

 
aderlopas
#41
2022-07-14, 01:32 PM
(2022-07-13, 08:36 PM)mvallevand Wrote: I added your pem file from the browser to the generic cacerts.pem file, copied it into the Android profile with the Kodi file manager and then pointed to it with advancedsettings.xml. To get you going, you can unzip this to USB or a share and copy them to your profile folder with Kodi File Manager.

Code:
<advancedsettings>
  <network>
    <catrustfile>special://masterprofile/cacert.pem</catrustfile>
  </network>
</advancedsettings>

It connects but it fails on the PIN as expected. You should see my info in your logs.

You probably want to create and test cacert.pem on a filesystem based system to make your life easier.

This is why I hate when users hijack threads. The thread goes off topic and potentially resolved but who knows if someone can find this next time.

Martin

Many thanks Martin 
I have placed the file and the setting and this works.

I am sorry I hijacked the thread but it looked to me the right thread to place the problem from what I read (at some point discussion was diverted elsewhere but original issue was about setting up SSL forwarding and making use of it via Kodi and the addon so I thought it was relevant). Won't do it again.
Many thanks again for the assistance and understanding.
mvallevand
#42
2022-07-14, 01:44 PM
You can pretty much link any new thread to an old post somehow, but that makes the forum hard for everyone, and since no users bother writing the wiki documentation once they have it working, it's an ongoing annoyance for me. Glad it is working.

Note that I am in discussion with Kodi Team to see why the generic intermediate R3 LE cert I added is not in their default trusted file. It is also possible that you are creating the cert incorrectly.

Martin
aderlopas
#43
2022-07-14, 01:52 PM (This post was last modified: 2022-07-14, 01:53 PM by aderlopas.)
(2022-07-14, 01:44 PM)mvallevand Wrote: You can pretty much link any new thread to an old post somehow, but that makes the forum hard for everyone, and since no users bother writing the wiki documentation once they have it working, it's an ongoing annoyance for me. Glad it is working.

Note that I am in discussion with Kodi Team to see why the generic intermediate R3 LE cert I added is not in their default trusted file.  It is also possible that you are creating the cert incorrectly.

Martin
Many thanks Martin. I'll try and write up a wiki page on that, I owe you as much. I used Let's Encrypt certbot to generate the certificate using the --certonly switch so it should be correct.
mvallevand
#44
2022-07-19, 11:52 AM
@aderlopas wnsipex from Team Kodi told me that your certbot configuration must be bad. Comparing your domain with forums.nextpvr.com https://www.ssllabs.com/ssltest/analyze....extpvr.com you can see a difference. Sub's cert includes the R3 intermediate cert which I added and yours does not.

Martin
aderlopas
#45
2022-07-19, 12:46 PM
(2022-07-19, 11:52 AM)mvallevand Wrote: @aderlopas wnsipex from Team Kodi told me that your certbot configuration must be bad.  Comparing your domain with forums.nextpvr.com https://www.ssllabs.com/ssltest/analyze....extpvr.com you can see a difference.  Sub's cert includes the R3 intermediate cert which I added and yours does not.

Martin

Hi Martin,

I deleted the whole certbot folder and installed the latest certbot version.
I ran it with the standalone option and generated new files.

I set up the new files on my Apache webserver.
I tried from a Kodi on my Windows laptop without the additional advancedsettings you shared and it still gives out an error.
If I try to connect to my webserver to the nextpvr page I do so successfully, and when I display certificate trust chain it shows it correctly under R3. See uploaded picture below.
Is there a file or log I need to send for the Kodi team to check what is going on?


mvallevand
#46
2022-07-19, 12:53 PM
The browser works differently from curl. You can see here https://www.ssllabs.com/ssltest/analyze....d.ddns.net that your cert doesn't include the ISRG Root X1 cert, and curl doesn't try to find it. My change added the R3 cert as trusted, which you do include.

Martin
aderlopas
#47
2022-07-19, 02:10 PM
(2022-07-19, 12:53 PM)mvallevand Wrote: The browser works differently from curl. You can see here https://www.ssllabs.com/ssltest/analyze....d.ddns.net that your cert doesn't include the ISRG Root X1 cert, and curl doesn't try to find it. My change added the R3 cert as trusted, which you do include.

Martin

Hi Martin,

It may be the case that I haven't set up all needed certificates in Apache.

I haven't defined the below directives:

#  Server Certificate Chain:
#  Point SSLCertificateChainFile at a file containing the
#  concatenation of PEM encoded CA certificates which form the
#  certificate chain for the server certificate. Alternatively
#  the referenced file can be the same as SSLCertificateFile
#  when the CA certificates are directly appended to the server
#  certificate for convenience.
#SSLCertificateChainFile "${SRVROOT}/conf/cert.pem"
#SSLCertificateChainFile "${SRVROOT}/conf/isrgrootx1.pem"

#  Certificate Authority (CA):
#  Set the CA certificate verification path where to find CA
#  certificates for client authentication or alternatively one
#  huge file containing all of them (file must be PEM encoded)
#  Note: Inside SSLCACertificatePath you need hash symlinks
#        to point to the certificate files. Use the provided
#        Makefile to update the hash symlinks after changes.
#SSLCACertificatePath "${SRVROOT}/conf/ssl.crt"
#SSLCACertificatePath "${SRVROOT}/conf/isrgrootx1.pem"
#SSLCACertificateFile "${SRVROOT}/conf/ssl.crt/ca-bundle.crt"

#  Certificate Revocation Lists (CRL):
#  Set the CA revocation path where to find CA CRLs for client
#  authentication or alternatively one huge file containing all
#  of them (file must be PEM encoded).
#  The CRL checking mode needs to be configured explicitly
#  through SSLCARevocationCheck (defaults to "none" otherwise).
#  Note: Inside SSLCARevocationPath you need hash symlinks
#        to point to the certificate files. Use the provided
#        Makefile to update the hash symlinks after changes.
#SSLCARevocationPath "${SRVROOT}/conf/ssl.crl"
#SSLCARevocationFile "${SRVROOT}/conf/ssl.crl/ca-bundle.crl"
#SSLCARevocationCheck chain


I tried to specify the isrgrootx1.pem certificate but Apache was not coming up, complaining that the server name is not part of that certificate.
Do you know perhaps what needs to be specified in those directives or point me to any documentation that clarifies the same?
mvallevand
#48
2022-07-19, 02:18 PM
No sorry I don't know what to suggest.

Martin
aderlopas
#49
2022-07-19, 08:51 PM
(2022-07-19, 02:18 PM)mvallevand Wrote: No sorry I don't know what to suggest.

Martin

Hi Martin,

I managed to bypass the error, by adding the below directive to Apache:

SSLCertificateChainFile "${SRVROOT}/conf/ssl/fullchain.pem"

Then I got another problem as NextPVR was reporting general failure and http 400...

I then understood that since I had set up port 80 (http) to be redirected to port 443 (SSL) I should not be using port 443 directly but rather configure the addon to use port 80 instead.
With this, I don't even need to set up the hostprotocol to https as http will be redirected to https automatically by the web server.

Now it works correctly, I believe I now have a configuration I can present in a wiki page :-)

Thanks a lot for your time and valuable assistance!
mvallevand
#50
2022-07-19, 09:48 PM
Your cert still has problems because you are including an expired cert, but I guess that gets past the curl error. (I still see one here though.)

By using port http/80 your password will be sent in the clear, as you aren't even using SSL.

Martin
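
The two fixes that appear in this thread (adding the intermediate to the client's trust file in post #41, and serving fullchain.pem from Apache in post #49) can be reproduced offline. The script below is an added example, not code from the thread, NextPVR or Kodi: it builds a constructed root -> intermediate -> leaf chain with the openssl CLI and checks the leaf the way a client that does not fetch missing intermediates would. All certificate names are made up, and it assumes the original failure was a server presenting only its leaf certificate.

```shell
#!/bin/sh
# Added example. Constructed PKI: root -> inter -> leaf (all names made up).
set -u
D=$(mktemp -d) && trap 'rm -rf "$D"' EXIT
cat > "$D/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF

# issue NAME EXT [ISSUER]: writes $D/NAME.pem, self-signed when ISSUER is omitted.
issue() {
  name=$1; ext=$2; issuer=${3:-}
  if [ -z "$issuer" ]; then
    openssl req -x509 -config "$D/x.cnf" -extensions "$ext" -subj "/CN=$name" \
      -newkey rsa:2048 -nodes -keyout "$D/$name.key" -out "$D/$name.pem" \
      -days 2 2>/dev/null
  else
    openssl req -new -config "$D/x.cnf" -subj "/CN=$name" -newkey rsa:2048 \
      -nodes -keyout "$D/$name.key" -out "$D/$name.csr" 2>/dev/null &&
    openssl x509 -req -in "$D/$name.csr" -CA "$D/$issuer.pem" \
      -CAkey "$D/$issuer.key" -CAcreateserial -extfile "$D/x.cnf" \
      -extensions "$ext" -days 2 -out "$D/$name.pem" 2>/dev/null
  fi
}

# client_accepts TRUSTFILE [SENT]: TRUSTFILE models the client's CA bundle
# (Kodi's catrustfile); SENT models extra certs the server puts in the
# handshake. openssl verify does no AIA fetching, like the client in the thread.
client_accepts() {
  if [ -n "${2:-}" ]; then set -- -CAfile "$1" -untrusted "$2"
  else set -- -CAfile "$1"; fi
  openssl verify "$@" "$D/leaf.pem" 2>/dev/null | grep -q ': OK$'
}
report() { if client_accepts "$@"; then echo accepted; else echo rejected; fi; }

issue root v3_ca && issue inter v3_ca root && issue leaf v3_leaf inter || exit 1
cat "$D/root.pem" "$D/inter.pem" > "$D/trust_plus_inter.pem"

echo "leaf only, stock trust file:     $(report "$D/root.pem")"
echo "leaf only, intermediate trusted: $(report "$D/trust_plus_inter.pem")"
echo "fullchain, stock trust file:     $(report "$D/root.pem" "$D/inter.pem")"
```

Against a live server, `openssl s_client -connect host:443 -showcerts` lists the certificates the server actually sends, which is the input the third case depends on.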