Old 02-19-2015, 05:55 AM   #3
Ramblurr
 
Thanks for responding Kovid.

I reinstalled my distro's ca-certificates (which uses Mozilla's bundle, btw). I definitely have the root certificate.

The issue is in fact that calibre, or a library, is looking in the wrong place for the cert bundle.

But first let me demonstrate I do in fact have the root CA's cert.

Using Chrome, which bundles its own certs, I see the chain as:

Code:
1. GeoTrust Global CA
    DE 28 F4 A4 FF E5 B9 2F A3 C5 03 D1 A3 49 A7 F9 96 2A 82 12

2. RapidSSL CA
    C0 39 A3 26 9E E4 B8 E8 2D 00 C5 3F A7 97 B5 A1 9E 83 6F 47

3. *.nytimes.com
    DB 76 F2 CF 5F A4 05 5E D2 95 63 6E 6A 8D 5F 6A 66 D9 54 56

all fingerprints SHA1

Checking to see whether the GeoTrust Global CA with the above fingerprint is in my system:

Code:
$ awk -v cmd='openssl x509 -noout -fingerprint' ' /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-bundle.trust.crt  | grep DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12 -B1

SHA1 Fingerprint=DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12

So it is there. Verifying manually with openssl (see original post) confirms this too. I have the root cert installed.

Looking in the wrong place

I used strace to see that the CA cert bundle isn't being accessed.

Using:
Code:
$ strace -e open,access ebook-convert nytimes.recipe foo.mobi --test --username XXX --password ZZZ &> strace.log

If you want the whole log I can post it, but the important bit is bolded below.

Code:
open("/opt/calibre/lib/python2.7/site-packages/calibre/urllibmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/opt/calibre/lib/python2.7/site-packages/calibre/urllib.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/opt/calibre/lib/python2.7/site-packages/calibre/urllib.pyo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 3
open("/etc/ssl/cert.pem", O_RDONLY)     = -1 ENOENT (No such file or directory)
open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
open("/etc/host.conf", O_RDONLY|O_CLOEXEC) = 3
open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3
open("/opt/calibre/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/etc/hosts", O_RDONLY|O_CLOEXEC)  = 3
open("/opt/calibre/lib/libnss_mdns4_minimal.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libnss_mdns4_minimal.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/opt/calibre/lib/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 3
Traceback (most recent call last):
  File "site.py", line 51, in main
  File "site-packages/calibre/ebooks/conversion/cli.py", line 360, in main
  File "site-packages/calibre/ebooks/conversion/plumber.py", line 1041, in run
  File "site-packages/calibre/customize/conversion.py", line 241, in __call__
  File "site-packages/calibre/ebooks/conversion/plugins/recipe_input.py", line 116, in convert
  File "site-packages/calibre/web/feeds/news.py", line 887, in __init__
  File "<string>", line 391, in get_browser
  File "site-packages/mechanize/_mechanize.py", line 203, in open
  File "site-packages/mechanize/_mechanize.py", line 230, in _mech_open
  File "site-packages/mechanize/_opener.py", line 193, in open
  File "site-packages/mechanize/_urllib2_fork.py", line 344, in _open
  File "site-packages/mechanize/_urllib2_fork.py", line 332, in _call_chain
  File "site-packages/mechanize/_urllib2_fork.py", line 1170, in https_open
  File "site-packages/mechanize/_urllib2_fork.py", line 1118, in do_open
URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)>
open("/opt/calibre/lib/python2.7/site-packages/calibre/shutil.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/opt/calibre/lib/python2.7/site-packages/calibre/shutilmodule.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/opt/calibre/lib/python2.7/site-packages/calibre/shutil.py", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/opt/calibre/lib/python2.7/site-packages/calibre/shutil.pyo", O_RDONLY) = -1 ENOENT (No such file or directory)
+++ exited with 1 +++

On my system the cert bundle is in /etc/pki/tls/cert.pem or /etc/ssl/certs/ca-bundle.crt, which are both symlinks to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.

Symlinking the bundle to /etc/ssl/cert.pem, and running calibre fixes the validation error.

However this isn't a good solution nor workaround. I assume the bug is in python, not in calibre proper. But could you add additional cert path search locations?

Here is a simple proof of concept: https://gist.github.com/Ramblurr/bf48299caaadeb17d392

Last edited by Ramblurr; 02-19-2015 at 06:01 AM. Reason: fixed poc url
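The fallback search requested in the post above, as an added example that is not part of the original post, the linked gist, or calibre's code: it reports where the interpreter's OpenSSL expects its CA file and, if that file is missing, loads the first bundle found among other locations while keeping verification on. The candidate list uses the paths named in the post; their order and the function names are assumptions.

```python
import os
import ssl

# Paths named in the post; the search order is an assumption.
CANDIDATE_BUNDLES = (
    "/etc/ssl/cert.pem",
    "/etc/pki/tls/cert.pem",
    "/etc/ssl/certs/ca-bundle.crt",
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
)


def compiled_in_defaults():
    """Report where this interpreter's OpenSSL looks for CAs and whether each exists."""
    p = ssl.get_default_verify_paths()
    return {
        "openssl_cafile": (p.openssl_cafile, os.path.isfile(p.openssl_cafile)),
        "openssl_capath": (p.openssl_capath, os.path.isdir(p.openssl_capath)),
        "env_override": os.environ.get(p.openssl_cafile_env),
    }


def find_ca_bundle(candidates=CANDIDATE_BUNDLES):
    """Return the resolved path of the first candidate containing a PEM certificate."""
    for path in candidates:
        try:
            with open(path, "rb") as fh:
                if b"-----BEGIN CERTIFICATE-----" in fh.read():
                    return os.path.realpath(path)
        except (IOError, OSError):
            continue  # missing or unreadable: try the next location
    return None


def verifying_context(candidates=CANDIDATE_BUNDLES):
    """Build a context that always verifies peers, adding a located bundle
    when the compiled-in CA file does not exist."""
    ctx = ssl.create_default_context()
    defaults = ssl.get_default_verify_paths()
    if defaults.cafile is None:  # compiled-in file is absent on this system
        bundle = find_ca_bundle(candidates)
        if bundle is not None:
            ctx.load_verify_locations(cafile=bundle)
        elif defaults.capath is None:
            raise RuntimeError("no CA bundle found; refusing to disable verification")
    return ctx


if __name__ == "__main__":
    print(compiled_in_defaults())
    print(find_ca_bundle())
```
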