Let's Encrypt, Root CAs and python used with Calibre

jindroush · 10-01-2021, 05:01 PM

Hi,
recently the root CA which signed Let's Encrypt certs expired. Is it possible that this may be the reason some plugins can't connect to the websites using LE?

This website uses Let's Encrypt, it's called from databazeknih plugin (https://www.mobileread.com/forums/sh...&postcount=178)

Failed to make identify query: 'https://www.databazeknih.cz/index.php?stranka=search&q=Lovec'
No cover found

The same query from Firefox works. Is it possible, that the python3 bundled with Calibre, uses https code with its own CA store which is old, therefore can't verify Let's Encrypt https communication?
I'm running on Windows 10 PRO x64 eng.

https://letsencrypt.org/docs/dst-roo...eptember-2021/

jhowell · 10-01-2021, 06:31 PM

Python (and calibre) when running under Windows uses the Windows system certificate store.

That can sometimes causes problems because that store is typically only updated when used. In most cases calibre root certificate problems can be corrected by opening Internet Explorer (or Edge) and navigating to the site that is experiencing problems.

However in this case when I tried it for a Let's Encrypt based site that was giving my plugin trouble at the end of September it still did not correct the problem. I was eventually able to get it working by removing an expired intermediate certificate from the Windows store. My assumption is that the presence of this certificate was causing python's SSL/TLS handling to fail. More details in this post.

kovidgoyal · 10-01-2021, 07:46 PM

Ironically, calibre actually bundles the same certificate bundle as firefox and it is used on platforms other than windows because OpenSSL doesn't use the system stores there (macOS) or the system stores are often garbage (Linux). But on windows it does use the system store.

jindroush · 10-02-2021, 04:22 AM

Thanks. Deleting R3 from Intermediate Certs helped. I'd still call it a bug in the https implementation, but that does not matter.
Worse thing is how to inform users about the problem and solution.

10-01-2021, 05:01 PM	#1
jindroush Connoisseur Posts: 94 Karma: 104 Join Date: Nov 2014 Device: Kindle	Let's Encrypt, Root CAs and python used with Calibre Hi, recently the root CA which signed Let's Encrypt certs expired. Is it possible that this may be the reason some plugins can't connect to the websites using LE? This website uses Let's Encrypt, it's called from databazeknih plugin (https://www.mobileread.com/forums/sh...&postcount=178) Failed to make identify query: 'https://www.databazeknih.cz/index.php?stranka=search&q=Lovec' No cover found The same query from Firefox works. Is it possible, that the python3 bundled with Calibre, uses https code with its own CA store which is old, therefore can't verify Let's Encrypt https communication? I'm running on Windows 10 PRO x64 eng. https://letsencrypt.org/docs/dst-roo...eptember-2021/

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Updating CAs on Kindle 3G	LarBob	Kindle Developer's Corner	6	04-23-2018 07:33 PM
Is it possible to further encrypt an EPUB document by password	TES	General Discussions	28	02-16-2012 03:42 PM
Why encrypt epub	balmydrizzle	ePub	2	10-28-2010 10:17 PM
iLiad Maxima or other CAS?	maciekdendzik	iRex Developer's Corner	8	07-21-2008 04:53 PM

10-01-2021, 06:31 PM	#2
jhowell Grand Sorcerer Posts: 7,071 Karma: 91577715 Join Date: Nov 2011 Location: Charlottesville, VA Device: Kindles	Python (and calibre) when running under Windows uses the Windows system certificate store. That can sometimes causes problems because that store is typically only updated when used. In most cases calibre root certificate problems can be corrected by opening Internet Explorer (or Edge) and navigating to the site that is experiencing problems. However in this case when I tried it for a Let's Encrypt based site that was giving my plugin trouble at the end of September it still did not correct the problem. I was eventually able to get it working by removing an expired intermediate certificate from the Windows store. My assumption is that the presence of this certificate was causing python's SSL/TLS handling to fail. More details in this post.

10-01-2021, 07:46 PM	#3
kovidgoyal creator of calibre Posts: 45,347 Karma: 27182818 Join Date: Oct 2006 Location: Mumbai, India Device: Various	Ironically, calibre actually bundles the same certificate bundle as firefox and it is used on platforms other than windows because OpenSSL doesn't use the system stores there (macOS) or the system stores are often garbage (Linux). But on windows it does use the system store.

10-02-2021, 04:22 AM	#4
jindroush Connoisseur Posts: 94 Karma: 104 Join Date: Nov 2014 Device: Kindle	Thanks. Deleting R3 from Intermediate Certs helped. I'd still call it a bug in the https implementation, but that does not matter. Worse thing is how to inform users about the problem and solution.

Advert