SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

[Horazon86]

Hello,

I'm having some issues using livestreamer - when I attempt to use it for anything, I receive a SSL3 Certifcate Error. I'm using the default config file and Livestreamer v1.7.2

Here's the error:

$ livestreamer twitch.tv/ongamenet
[cli][info] Found matching plugin twitch for URL twitch.tv/ongamenet error: Unable to open URL: https://api.twitch.tv/api/channels/ongamenet/access_token.json ([Errno 1]_ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed)

Any ideas?

[karlo2105]

Try this.
livestreamer "twitch.tv/ongamenet verify=False" best
[cli][info] Found matching plugin twitch for URL twitch.tv/ongamenet verify=False
[plugin.twitch][warning] The quality 'high' is not available since it requires a
subscription.
[plugin.twitch][warning] The quality 'source' is not available since it requires
a subscription.
[cli][info] Opening stream: medium
[cli][info] Starting player: 'C:\Program Files (x86)\VideoLAN\VLC\vlc.exe'
[cli][info] Player closed
[cli][info] Stream ended

[Horazon86]

Unfortunately receiving the same error when using:
$ livestreamer "twitch.tv/ongamenet verify=False" best

Error message:
[cli][info] Found matching plugin twitch for URL twitch.tv/ongamenet verify=False
error: Unable to open URL: https://api.twitch.tv/api/channels/ongamenet/access_token.json ([Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed)

[karlo2105]

Try with uninstalling livestreamer from Add/Remove or Program Functionalities then install the latest livestreamer and try again.

[Horazon86]

Uninstalled both Livestreamer and VLC, and reinstalled (Livestreamer 1.7.2, VLC 2.1.2), same error message. :(

[chrippa]

Do you use some proxy/VPN that might mess with your HTTPS traffic? Does Twitch work in your browser? What OS are you using?

[Horazon86]

It's possible, I'm at work and they do block some stuff (but not much). I unfortunately don't have the ability to tinker with any of their settings.

That said, Twitch does work in my browser. I'm using Win 7 64.

[JoshBour]

I'm getting the exact same error, tried both version (with or without the verify=False), tried uninstalling and installing again but still nothing. Using Win7 x64 and twitch works on my browsers perfectly.
Any updates on this issue?

[xXLupoXx]

Same problem if cyperghost vpn is active....
Is there a way to fix this?

Update:
looked into it and seems to be related to python not checking the certificate right.
(Cyberghost creates a trusted root ca which is used for ssl connectins)
sooo any solution for this?

[hcmh]

Hello,
I had the same problem and after looking at the code, I think I know where the problem is and why adding verify=False to the URL does not work. (Please bear in mind: I don't really know python, so I might be plain wrong):

verify=False only disables the certificate check when really accessing the stream. The Problem with

error: Unable to open URL: https://api.twitch.tv/api/channels/ongamenet/access_token.json ([Errno 1] ssl.c:504: error:14090086:SSL routines:SSL3GET_SERVER_CERTIFICATE:certificate verify failed)

occurs earlier, however, when checking the access token. In utils.py there is a function urlget(url, *args, **kwargs) which is used to get the access token. Here there is the request generating the error, so adding verify=False to the request here (apparently the 'if' path with a session) makes twitch work again. (adding it like this:

try:
    if session:
        res = session.request(method, url, timeout=timeout, data=data, verify=False,
                              *args, **kwargs)
    else:

)

Unfortunately, addingverify=False to the code is not really a good fix, since then no certificates will be checked anymore. Maybe a command line option could take care of this?

[chrippa]

Maybe a command line option could take care of this?

Yes, I'm currently working on a overhaul of the internal HTTP usage in Livestreamer and that will make it possible to add a --http-no-ssl-verify option.

But that is still just a workaround. So far I've figured out that there is something funky with the certificate Twitch is using, which is signed by Godaddy. The Crunchyroll plugin is also having this issue and it is using a Godaddy certificate aswell.

It's unknown what exactly is causing this but it is known to happen when using version 20140223-1 of the ca-certificates package in Arch Linux. If this turns out to be a widespread issue it might be worth setting verify to False in the affected plugins though.

[hcmh]

Ah, yes, that is my ca-certificates package.

While you are working on the overhaul, it might be good to just disable SSL cerification for that one step though, right? If have added the lines needed to turn off verification just for getting the access token here:

diff --git a/src/livestreamer/plugins/justintv_common.py b/src/livestreamer/plugins/justintv_common.py
index 0535021..1022340 100644
--- a/src/livestreamer/plugins/justintv_common.py
+++ b/src/livestreamer/plugins/justintv_common.py
@@ -71,7 +71,9 @@ class APIBase(object):
             params["oauth_token"] = self.oauth_token

         url = "https://api.{0}{1}.{2}".format(host or self.host, path, format)
-        res = urlget(url, params=params, session=self.session)
+        res = urlget(url, params=params, session=self.session,
+                     verify=params.get("verify", "True") )
+

         if format == "json":
             return res_json(res)
@@ -82,7 +84,7 @@ class APIBase(object):

     def channel_access_token(self, channel):
         res = self.call("/api/channels/{0}/access_token".format(channel),
-                        host="twitch.tv")
+                        host="twitch.tv", verify=False)

         return res.get("sig"), res.get("token")

-- 

or on my fork on Github (should I do a pull request for that if you want it? I never used that feature of github..)
Doing it here seems like a better idea to me than adding verify=False in utils.py, since now only the access token is not SSL verified.

[chrippa]

I opted for a sligthly different fix in 5f6a3d3. Thanks for your effort though.