Certificate errors with upload

I’ve hit another pothole trying to secure my Libretime setup. When I tried to upload a file for the first time, it just sits in Pending import status. Looking in both analyzer.log and liquidsoap.log, this error appears repeatedly:
‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)’

The certificates defined in nginx are from an internal corporate CA, so I think that’s called privately trusted, as compared to publicly trusted if I’d used a 3rd party CA. Is there a setting to allow these certs?

Googling around I’ve found mention of environment variables REQUESTS_CA_BUNDLE and SSL_CERT_FILE that can be set to point at a certificate bundle. Are either of these variables supported by the SSL libraries Libretime uses?

Yes, I think you should try to use REQUESTS_CA_BUNDLE. If I remember correctly, all in-between service HTTP requests in the project should go through the requests library.

Where do I add this environment variable?

I could add it as an Environment= to the systemd files; should it go in all of them? I assume, though, that if I run the LibreTime install again in the future these would have to be added again. Is there a means to create an EnvironmentFile that would be remembered across installs?

I’ve set the variable in the service files and restarted, and analyzer is still getting the same error. I’m using the same certificate bundle that nginx is using. Does the ssl library perhaps expect the certificates in a different format?

Do you have the custom root cert, and/or could you import the certificate to your system?
Like this? Adding Custom Root CA Certificates to Debian – Grumpy Techie

After the import it might be accepted as a regular cert, and not as a self-signed one.

That worked. Thanks.

1 Like
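
A diagnostic for the situation in this thread (variable set in the unit files, error unchanged), added here as an example and not part of the thread or of LibreTime: it reads the environment a running service actually received from /proc/<pid>/environ and reports whether REQUESTS_CA_BUNDLE or SSL_CERT_FILE points at a readable PEM file. The function names and status strings are assumptions made for this example, and it checks only presence and format, not whether the chain validates.

```python
import re
import sys
from pathlib import Path

# Variables named in the thread.
CA_VARS = ("REQUESTS_CA_BUNDLE", "SSL_CERT_FILE")
PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S
)

def parse_environ(raw: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE layout of /proc/<pid>/environ."""
    env = {}
    for item in raw.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep:  # skips the empty trailing item and malformed entries
            env[key.decode()] = value.decode(errors="replace")
    return env

def check_ca_env(raw_environ: bytes) -> dict:
    """Map each CA variable to (status, path, number of PEM certificates)."""
    env = parse_environ(raw_environ)
    report = {}
    for var in CA_VARS:
        path = env.get(var)
        if path is None:
            # The unit's Environment= line never reached this process.
            report[var] = ("unset", None, 0)
            continue
        try:
            data = Path(path).read_bytes()
        except OSError:
            # Missing file, or the service user lacks read permission.
            report[var] = ("unreadable", path, 0)
            continue
        count = len(PEM_CERT.findall(data))
        # Zero blocks usually means DER or another non-PEM encoding.
        report[var] = ("ok" if count else "not-pem", path, count)
    return report

if __name__ == "__main__":
    # Usage: python3 check_ca_env.py <pid of the service process>
    raw = Path(f"/proc/{int(sys.argv[1])}/environ").read_bytes()
    for var, (status, path, count) in check_ca_env(raw).items():
        print(f"{var}: {status} path={path} pem_certs={count}")
```

Run it as root or as the service user, since /proc/<pid>/environ is readable only by the process owner and root.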