VLC - quick solution for problems with HTTPS certs

Can't play music or video over HTTPS, and the VLC output looks similar to this?

[0x83916dc] gnutls tls client error: TLS session: access denied
[0x83916dc] gnutls tls client error: Certificate could not be verified
[0x83916dc] gnutls tls client error: Certificate's signer was not found
[0x83916dc] main tls client error: TLS client session handshake error

System certificates

Update the /etc/ssl/certs directory and the ca-certificates.crt file.

$ sudo update-ca-certificates --fresh --verbose

VLC certificates

Feed VLC with the certificates shipped with the Mozilla browser.

$ mkdir -p ~/.local/share/vlc/certs/
$ cat /usr/share/ca-certificates/mozilla/* | tee ~/.local/share/vlc/certs/ca-certificates.crt

stunnel

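Use an stunnel proxy in client mode if nothing else helps. Note that the configuration below performs no certificate verification, which is what the "needs authentication to prevent MITM attacks" warning in the log refers to.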

$ sudo apt-get install stunnel
$ cat << EOF | tee ~/stunnel.conf
client     = yes
foreground = yes
[proxy]
accept  = 127.0.0.1:11234
connect = example.org:443
EOF
$ sudo stunnel ~/stunnel.conf
2017.10.22 04:59:33 LOG5[ui]: stunnel 5.39 on x86_64-pc-linux-gnu platform
2017.10.22 04:59:33 LOG5[ui]: Compiled with OpenSSL 1.1.0c  10 Nov 2016
2017.10.22 04:59:33 LOG5[ui]: Running  with OpenSSL 1.1.0f  25 May 2017
2017.10.22 04:59:33 LOG5[ui]: Update OpenSSL shared libraries or rebuild stunnel
2017.10.22 04:59:33 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
2017.10.22 04:59:33 LOG5[ui]: Reading configuration from file /home/milosz/stunnel.conf
2017.10.22 04:59:33 LOG5[ui]: UTF-8 byte order mark not detected
2017.10.22 04:59:33 LOG5[ui]: FIPS mode disabled
2017.10.22 04:59:33 LOG4[ui]: Service [proxy] needs authentication to prevent MITM attacks
2017.10.22 04:59:33 LOG5[ui]: Configuration successful
2017.10.22 04:59:43 LOG5[0]: Service [proxy] accepted connection from 127.0.0.1:40398
2017.10.22 04:59:43 LOG5[0]: s_connect: connected 93.184.216.34:443
2017.10.22 04:59:43 LOG5[0]: Service [proxy] connected remote server from 192.168.1.112:57022
2017.10.22 04:59:44 LOG5[0]: Connection closed: 80 byte(s) sent to TLS, 478 byte(s) sent to socket
...

Use the local port to access the remote service.

$ curl http://localhost:11234/
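
The following is an added example, not part of the original post: a shell check that flags a one-service stunnel client configuration lacking server authentication, run against the configuration above and against the same service with verifyChain, CAfile and checkHost set. The function names and the Debian CA bundle path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit a one-service stunnel
# client config for server authentication. Legacy "verify = N" is not evaluated.

# Returns 0 if the config has a CA source and either pins the peer certificate
# (verifyPeer) or verifies the chain and the host name (verifyChain + checkHost).
audit_stunnel_conf() {
    awk -F= '
        /^[ \t]*;/ { next }                      # stunnel comments start with ";"
        NF >= 2 {
            key = tolower($1); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            opt[key] = tolower(val)
        }
        END {
            ca     = ("cafile" in opt) || ("capath" in opt)
            pinned = (opt["verifypeer"] == "yes")
            chain  = (opt["verifychain"] == "yes") && (("checkhost" in opt) || ("checkip" in opt))
            exit !(ca && (pinned || chain))
        }
    ' "$1"
}

# The configuration from this page: encrypts, but accepts any certificate.
write_page_conf() {
    cat > "$1" << EOF
client     = yes
foreground = yes
[proxy]
accept  = 127.0.0.1:11234
connect = example.org:443
EOF
}

# Same service with verification against the system CA bundle (Debian path assumed).
write_verified_conf() {
    write_page_conf "$1"
    cat >> "$1" << EOF
verifyChain = yes
CAfile      = /etc/ssl/certs/ca-certificates.crt
checkHost   = example.org
EOF
}

demo_dir=$(mktemp -d)
write_page_conf "$demo_dir/page.conf"
write_verified_conf "$demo_dir/verified.conf"
for conf in "$demo_dir/page.conf" "$demo_dir/verified.conf"; do
    if audit_stunnel_conf "$conf"; then echo "OK:   $conf"; else echo "WEAK: $conf"; fi
done
```

With verifyChain alone, any certificate that chains to a trusted CA is accepted regardless of the host name, which is why the check also requires checkHost.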
About Milosz Galazka

Milosz is a Linux Foundation Certified Engineer working for a successful Polish company as a system administrator and a long-time supporter of the Free Software Foundation and the Debian operating system.

Gdansk, Poland https://sleeplessbeastie.eu