04-09-2018, 06:55 AM | #1 |
Junior Member
Posts: 6
Karma: 10
Join Date: Dec 2010
Device: Sony Reader PRS-350
|
[SSL: CERTIFICATE_VERIFY_FAILED]
Since January (approximately) the functionality of downloading metadata ceased to work properly. Every attempt to download any metadata fails invariably—see following log:
Spoiler:
Calling the urls from the log via Firefox (59.0.2), Edge, and Internet Explorer (11.334.16299.0) results in valid pages, i.e. no error. So now the question is:
Btw: My System:
|
04-09-2018, 07:40 AM | #2 |
creator of calibre
Posts: 44,380
Karma: 23766374
Join Date: Oct 2006
Location: Mumbai, India
Device: Various
|
You've probably got some software on your computer that is intercepting SSL connections and inserting its own certificates in between. Either malware/trojan of some kind or security software (which is typically also malware, just one that you have to pay for).
|
Advert | |
|
04-09-2018, 10:06 AM | #3 | |
Wizard
Posts: 2,117
Karma: 8796704
Join Date: Jun 2010
Device: Kobo Clara HD,Hisence Sero 7 Pro RIP, Nook STR, jetbook lite
|
Quote:
bernie |
|
04-10-2018, 05:24 AM | #4 |
Junior Member
Posts: 6
Karma: 10
Join Date: Dec 2010
Device: Sony Reader PRS-350
|
Feeding the urls from the log to wget I recognized a similar error. wget too is unable to check the validity of the certificate of www.google.com.
Most convientently wget has an option as --no-check-certificate to avoid certificate errors. According to the docs the same should be possible in Python, either in the code or at runtime via an environment viariable named PYTHONHTTPSVERIFY. @Kovid: How can I tell, if some software is intercepting SSL connection? To me it looks more of a problem with openSSL not finding the appropriate certificates. @gbm: I don't have any "free coupon" tool bars installed. |
04-10-2018, 05:45 AM | #5 |
creator of calibre
Posts: 44,380
Karma: 23766374
Join Date: Oct 2006
Location: Mumbai, India
Device: Various
|
There's no simple way. Basically you use a tool to manually inspect the certificate returned by opening a connection to the website, compare it to the certificate from a computer that does not exhibit this problem and see if the certificates are the same. If they are not the same them you are sufferring from an SSL MITM attack.
IITRC you can view certificates using the openssl command line tool can be used to view certificates, or if you are not scared to program, you can write a short script that does that in any programming language with openssl bindings. |
Advert | |
|
04-10-2018, 05:46 AM | #6 |
creator of calibre
Posts: 44,380
Karma: 23766374
Join Date: Oct 2006
Location: Mumbai, India
Device: Various
|
And FYI OpenSSL loads certificates from the windows certificate store on windows.
|
04-12-2018, 09:47 AM | #7 |
Junior Member
Posts: 6
Karma: 10
Join Date: Dec 2010
Device: Sony Reader PRS-350
|
Some further investigation took me to the fact that over the years a multitude of openSSL file versions have accumulated on my system. Every application that comes bundled with some version of openSSL stores the relevant dlls in their own location.
To clean up the mess I downloaded the most recent version of openSSL and read some of the docs, which is obviously always a good idea if something seems to go wrong . In the end I managed to eliminate both the errors with Calibre's metadata download facility and wget complaining about not being able to check certificate validity by pointing openSSL via its environment variables
The certificate collection is necessary because openSSL does not use the Windows certificate store. |
04-12-2018, 10:19 AM | #8 |
creator of calibre
Posts: 44,380
Karma: 23766374
Join Date: Oct 2006
Location: Mumbai, India
Device: Various
|
openssl most definitely does use the windows certificate store. https://github.com/openssl/openssl/b...gines/e_capi.c
If it is not doing so on your system, that is because of problems specific to your system. |
03-02-2020, 05:48 AM | #9 |
Junior Member
Posts: 1
Karma: 10
Join Date: Mar 2018
Device: Kobo Aura
|
CERTIFICATE_VERIFY_FAILED
Hello,
I don't quite understand (not even at all) the advice offered to work around the problem. For my part, I found that by simply launching Google chrome (and closing it), and then launching Caliber and searching for meta data, the problem disappeared. Similarly, when the search (metadata) is performed from a Caliber installed on a virtual machine (VmWare), the problem does not exist. I am completely incompetent to explain this phenomenon. |
Thread Tools | Search this Thread |
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
SSL: CERTIFICATE_VERIFY_FAILED Error | Bengb | Library Management | 10 | 07-24-2017 11:56 AM |
Aeon.co - Recipe download failed - CERTIFICATE_VERIFY_FAILED | emanu | Recipes | 13 | 07-16-2016 12:29 AM |
IRC SSL cert | jgoguen | Feedback | 0 | 08-03-2015 12:38 PM |
Does CC support SSL connection? | coleman | Calibre Companion | 7 | 04-03-2014 11:31 PM |