SSL Root certificate validation for Podcast plugin | Fixing the Breakage from the AddTrust External CA Root Expiration

Hi,

For a few days now, some podcasts that were working perfectly can no longer be played because the certificate is not validated.

It seems that one of the certificates changed 4 days ago and that gnutls is not managing it properly.

Here is the check on the SSL certificate for one of the affected URLs:
https://www.sslshopper.com/ssl-checker.html#hostname=https://rf.proxycast.org/2bac8238-7f93-4283-8ddc-2f330874d720/20108-05.05.2020-ITEMA_22334674-3-1779455909.m4a

Related post that explains the issue:
https://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration

So I think there is a need to do some updates on Volumio to handle this; otherwise we will have to wait for all servers using this certificate to hopefully fix it.

Cheers,

Pierre.

1 Like

Good find…

This should do the trick (for now! And as usual caveat emptor)

```bash
#!/usr/bin/env bash
# Patch certificates
# https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020

if [[ "$EUID" -ne 0 ]]; then
  echo "Please rerun as root"
  exit 1
fi

if [[ -f /etc/ca-certificates.conf ]]; then
    sed -i "s|^mozilla/AddTrust_External_Root.crt$|# Disabling for now to fix Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020\n# mozilla/AddTrust_External_Root.crt|" /etc/ca-certificates.conf
    update-ca-certificates
fi
```
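
Added example, not part of the thread or of Volumio's own code: a way to see how the AddTrust entry is currently listed in a `ca-certificates.conf`-style file and to switch it between enabled and deselected, so a manual change can be audited and undone. The function names `ca_entry_state` and `ca_entry_set` are hypothetical and the sample file contents are constructed.

```sh
# Added example. Per the header of /etc/ca-certificates.conf, a line starting
# with '#' is a comment and a line starting with '!' is a deselected certificate.

# Print how ENTRY appears in CONF: enabled, deselected, commented or absent.
ca_entry_state() (
    conf=$1 entry=$2 state=absent
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "$entry")  state=enabled ;;
            "!$entry") state=deselected ;;
            "#$entry"|"# $entry")
                if [ "$state" = absent ]; then state=commented; fi ;;
        esac
    done < "$conf"
    printf '%s\n' "$state"
)

# Rewrite CONF so ENTRY is "enabled" or "deselected"; all other lines are kept.
ca_entry_set() (
    conf=$1 entry=$2 want=$3
    tmp=$(mktemp) || exit 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "$entry"|"!$entry"|"#$entry"|"# $entry")
                if [ "$want" = deselected ]; then line="!$entry"; else line=$entry; fi ;;
        esac
        printf '%s\n' "$line"
    done < "$conf" > "$tmp"
    cat "$tmp" > "$conf"   # overwrite in place, keeping owner and mode
    rm -f "$tmp"
)

# Constructed sample standing in for the real file; on a real system
# update-ca-certificates must be run after any change for it to take effect.
demo=$(mktemp)
printf '%s\n' '# constructed sample' 'mozilla/ACCVRAIZ1.crt' \
    '# mozilla/AddTrust_External_Root.crt' > "$demo"
root=mozilla/AddTrust_External_Root.crt
echo "before: $(ca_entry_state "$demo" "$root")"
ca_entry_set "$demo" "$root" deselected
echo "after:  $(ca_entry_state "$demo" "$root")"
rm -f "$demo"
```

Calling `ca_entry_set` with `enabled` restores the original line, which gives a one-step way back once the system's certificate package handles the expired root itself.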

I think this is not a good idea: any manual intervention will prevent updates from applying correctly

I also have some issues with this web radio

https://nr4.newradio.it/proxy/marcroma?mp=/stream&1591189448327

It used to work until a few days ago; now I get some errors with the certificate when trying to play it

I would agree but I did the change in /etc/ca-certificates.conf anyway.
It is difficult to negotiate with 4- and 6-year-old children who want their favorite podcast. :slight_smile: