# cclive SSL error



## NuLL3rr0r (Oct 25, 2016)

After a recent upgrade my multimedia/cclive refuses to work with the following error:


```
$ cclive -F "https://www.youtube.com/watch?v={ANY_VIDEO_ID}"
Checking ... ..libquvi: error: Peer certificate cannot be authenticated with
given CA certificates (http/0, conn/0, curl/60)
```

I am using LibreSSL instead of OpenSSL from ports, and it used to work just fine. Reinstalling multimedia/cclive or multimedia/libquvi did not work either.

Your help would be appreciated.


----------



## SirDice (Oct 25, 2016)

Is security/ca_root_nss installed and up to date? It contains the trusted root CA certificates.


----------



## NuLL3rr0r (Oct 25, 2016)

SirDice, thank you for the suggestion. `pkg info` confirms that it is installed:


```
$ pkg info | grep ca_root_nss
ca_root_nss-3.27.1             Root certificate bundle from the Mozilla Project
```


----------



## SirDice (Oct 25, 2016)

See if you can get the certificate to validate with curl(1) and/or `openssl s_client -connect example.com:443`. If both these tools validate the certificate it might be a setting within cclive or libquvi. They may be looking in the wrong places for the root certificates.


----------



## NuLL3rr0r (Oct 29, 2016)

I also came to the conclusion that the problem is either cclive or libquvi. Both openssl and curl give me a valid certificate:


```
$ openssl s_client -connect babaei.net:443
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=babaei.net
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=babaei.net
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 3854 bytes and written 465 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 9E98981C9034020F120859914B8459788E943FCF64A1531D820A3C34B73EF5EE
    Session-ID-ctx:
    Master-Key: 7FF69FAA1FC32DB670E615B82CE05710305229AE52ED4685789EBAA76DBA551BA4A98170C86E60EA305F28B0978E9E9A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1477765404
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
```


```
$ curl -v https://babaei.net
* Rebuilt URL to: https://babaei.net/
*   Trying 2607:fc50:1000:7100:216:3eff:fe0b:c26b...
* TCP_NODELAY set
* Connected to babaei.net (2607:fc50:1000:7100:216:3eff:fe0b:c26b) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=babaei.net
*  start date: Oct  6 18:05:00 2016 GMT
*  expire date: Jan  4 18:05:00 2017 GMT
*  subjectAltName: host "babaei.net" matched cert's "babaei.net"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: babaei.net
> User-Agent: curl/7.50.3
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Sat, 29 Oct 2016 18:28:06 GMT
< Content-Type: text/html
< Content-Length: 178
< Connection: keep-alive
< Keep-Alive: timeout=16
< Location: https://www.babaei.net/
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
<
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Curl_http_done: called premature == 0
* Connection #0 to host babaei.net left intact
```


----------
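
The comparison SirDice suggests, as an added example that is not part of the original thread: it reads saved `openssl s_client` and `curl -v` output and reports whether the two tools reached the same verification result and which CA bundle curl loaded. The function names and summary strings are assumptions of this example; the sample lines are excerpted from the output posted above.

```shell
#!/bin/sh
# Added example: compare certificate verification results from saved
# `openssl s_client` and `curl -v` output to spot differing trust stores.

# Numeric "Verify return code" from s_client output on stdin (0 = verified).
s_client_verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# CA bundle path that curl reported loading, from `curl -v` output on stdin.
curl_cafile() {
    sed -n 's/^\*[[:space:]]*CAfile: \(.*\)$/\1/p' | head -n 1
}

# "ok" if curl reported a verified chain, otherwise "fail".
curl_verify() {
    if grep -q 'SSL certificate verify ok'; then echo ok; else echo fail; fi
}

# diagnose S_CLIENT_FILE CURL_FILE -> one summary line (strings are this example's own).
diagnose() {
    code=$(s_client_verify_code < "$1")
    cafile=$(curl_cafile < "$2")
    result=$(curl_verify < "$2")
    if [ -z "$code" ]; then
        echo "no-s_client-result"
    elif [ "$result" != ok ]; then
        echo "curl-fail $code"
    elif [ "$code" = 0 ]; then
        echo "agree-ok"
    else
        # curl trusts the chain via $cafile; s_client's default store does not.
        echo "mismatch $code $cafile"
    fi
}

# Sample input: lines excerpted from the output posted in this thread.
write_samples() {
    printf '%s\n' 'verify error:num=20:unable to get local issuer certificate' \
        '    Verify return code: 20 (unable to get local issuer certificate)' > "$1/s_client.txt"
    printf '%s\n' '*   CAfile: /usr/local/share/certs/ca-root-nss.crt' \
        '  CApath: none' '*  SSL certificate verify ok.' > "$1/curl.txt"
}

tmp=$(mktemp -d)
write_samples "$tmp"
diagnose "$tmp/s_client.txt" "$tmp/curl.txt"
# On a live host, re-test with the bundle curl used (example.com is a placeholder):
#   openssl s_client -connect example.com:443 -CAfile "$cafile" </dev/null
rm -rf "$tmp"
```

A `mismatch` line points at the two tools reading different root stores; passing curl's bundle to `openssl s_client -CAfile` tests that directly.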



## fernandel (Nov 13, 2016)

NuLL3rr0r said:


> After a recent upgrade my multimedia/cclive refuses to work with the following error:
> 
> 
> ```
> ...
> ```


Try if it works for you (it works for me):

```
cclive -s best https://www.youtube.com/watch?v=V_gOZDWQj3Q
```


----------



## NuLL3rr0r (Nov 13, 2016)

fernandel said:


> Try if it works for you (it works for me):
> 
> ```
> cclive -s best https://www.youtube.com/watch?v=V_gOZDWQj3Q
> ```



Thanks for the suggestion, but it didn't work. Despite the fact that curl and OpenSSL give me valid certificates, it seems the issue lies in security/ca_root_nss. I experienced a similar problem with `go get`.

Reinstalling from ports did not resolve the issue, but I did a `pkg install -f ca_root_nss`, which resolved the issue temporarily for both multimedia/cclive and `go get`. After another ports upgrade this one won't work either.

It's one of the weirdest things I've seen in FreeBSD so far.


----------

