HTTPS certs signed by custom CAs installed in System keychain don't work (Mac OS X)

Versions:

  • Mac OS X 10.8.3
  • VLC Version 2.0.6 Twoflower (Intel 64bit)

Description: If you attempt to Open Source via a Network URL that uses SSL/TLS with a certificate signed by a custom Certificate Authority which, by default, does not exist in the System keychain, you'll get the following error from GnuTLS:

access_http debug: http: server='zeus.justinbull.ca' port=443 file='/song.mp3'
main debug: net: connecting to zeus.justinbull.ca port 443
main debug: connection succeeded (socket = 10)
main debug: looking for tls client module: 1 candidate
gnutls debug: GnuTLS v2.12.23 initialized
gnutls debug: browsing x509 credentials in /Users/justinbull/Library/Application Support/org.videolan.vlc/ssl/certs...
gnutls warning: cannot access x509 in /Users/justinbull/Library/Application Support/org.videolan.vlc/ssl/certs: No such file or directory
gnutls debug: browsing x509 credentials in /Users/justinbull/Library/Application Support/org.videolan.vlc/ssl/private...
gnutls warning: cannot access x509 in /Users/justinbull/Library/Application Support/org.videolan.vlc/ssl/private: No such file or directory
gnutls debug: loading x509 credentials from /Users/justinbull/Library/Preferences/org.videolan.vlc/ssl/certs/ca-certificates.crt...
gnutls warning: cannot access x509 in /Users/justinbull/Library/Preferences/org.videolan.vlc/ssl/certs/ca-certificates.crt: No such file or directory
main debug: using tls client module "gnutls"
main debug: TIMER module_need() : 2.448 ms - Total 2.448 ms / 1 intvls (Avg 2.448 ms)
gnutls debug: TLS handshake: Resource temporarily unavailable, try again.
macosx debug: no optical media found
gnutls debug: TLS handshake: Resource temporarily unavailable, try again.
gnutls debug: TLS handshake: Resource temporarily unavailable, try again.
gnutls debug: TLS handshake: Success.
gnutls error: TLS session: access denied
gnutls error: Certificate could not be verified
gnutls error: Certificate's signer was not found
main error: TLS client session handshake error
gnutls debug: GnuTLS deinitialized
access_http error: cannot establish HTTP/TLS session
main debug: no access module matching "https" could be loaded
main debug: TIMER module_need() : 933.882 ms - Total 933.882 ms / 1 intvls (Avg 933.882 ms)
main error: open of `https://zeus.justinbull.ca/song.mp3' failed

Even if you install the custom CA into your keychain, VLC (or GnuTLS?) cannot find/recognize the CA unless you add it to the ca-certificates.crt file mentioned in the workaround below and in the error output above.

Steps to Reproduce:

  1. Download and install the following CA into your System keychain: https://zeus.justinbull.ca/ca.crt (1)
  2. Attempt to play this Network URL: https://zeus.justinbull.ca/song.mp3 (2)

Workaround to fix:

  1. Manually add CAs into the file below: ~/Library/Preferences/org.videolan.vlc/ssl/certs/ca-certificates.crt
  2. Play
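A scripted form of this workaround, added here as an example and not part of the original report or of VLC: it exports a CA from the macOS keychain as PEM (the `security find-certificate -c NAME -p` invocation is standard macOS, the certificate name is whatever you installed it under), appends it to VLC's private bundle only if the same certificate body is not already there, and then checks that the bundle actually lets a TLS client build the chain with `openssl s_client -CAfile`. Only the bundle-editing functions run anywhere; the keychain export and the chain check are macOS-side helpers you call by hand.

```shell
#!/bin/sh
# Append CA certificates to VLC's GnuTLS bundle without duplicating entries.
# Paths and the certificate name are assumptions; VLC_BUNDLE is the file
# named in the GnuTLS log output from this report.
set -e

VLC_BUNDLE="$HOME/Library/Preferences/org.videolan.vlc/ssl/certs/ca-certificates.crt"

# Print one line per CERTIFICATE block in a PEM file: its base64 body with
# all whitespace removed, so two encodings of the same cert compare equal.
pem_bodies() {
  awk '/-----BEGIN CERTIFICATE-----/ { inb = 1; body = ""; next }
       /-----END CERTIFICATE-----/   { if (inb) print body; inb = 0; next }
       inb { gsub(/[ \t\r]/, ""); body = body $0 }' "$1"
}

# Number of certificates currently in a bundle (0 if it does not exist).
count_bundle_certs() {
  [ -f "$1" ] || { echo 0; return; }
  pem_bodies "$1" | wc -l | tr -d ' '
}

# add_ca_to_bundle CA.pem BUNDLE
# Appends every certificate in CA.pem that is not yet in BUNDLE, creating the
# bundle and its directory if needed. Prints how many certificates were added.
add_ca_to_bundle() {
  ca_pem=$1
  bundle=$2
  mkdir -p "$(dirname "$bundle")"
  [ -f "$bundle" ] || : > "$bundle"
  added=0
  for body in $(pem_bodies "$ca_pem"); do
    # Skip certificates whose body is already present (exact-line match).
    if pem_bodies "$bundle" | grep -qxF "$body"; then
      continue
    fi
    {
      printf '%s\n' '-----BEGIN CERTIFICATE-----'
      printf '%s\n' "$body" | fold -w 64
      printf '%s\n' '-----END CERTIFICATE-----'
    } >> "$bundle"
    added=$((added + 1))
  done
  echo "$added"
}

# macOS only: export a keychain certificate by its common name as PEM.
# (-c selects by name, -p prints PEM; both are real `security` flags.)
export_ca_from_keychain() {
  security find-certificate -c "$1" -p
}

# Check that a server's chain verifies against the bundle; look for
# "Verify return code: 0 (ok)". Host name is an argument, not hard-coded.
check_chain() {
  host=$1
  bundle=$2
  openssl s_client -connect "$host:443" -servername "$host" -CAfile "$bundle" \
    </dev/null 2>/dev/null | grep 'Verify return code'
}

# Typical use on the affected Mac (names are placeholders):
#   export_ca_from_keychain "My Custom CA" > /tmp/custom-ca.pem
#   add_ca_to_bundle /tmp/custom-ca.pem "$VLC_BUNDLE"
#   check_chain media.example.invalid "$VLC_BUNDLE"
```

Running `add_ca_to_bundle` twice with the same CA leaves one copy in the bundle, which matters because GnuTLS reads this file on every HTTPS open and a bundle that grows a duplicate per attempt is a common side effect of the manual workaround.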

Footnotes:

  1. You will want to uninstall/remove the CA after reproduction, since you shouldn't trust my CA!
  2. Music copyright: "Revolve" by hisboyelroy 2005 - Licensed under Creative Commons Noncommercial Sampling Plus: http://creativecommons.org/licenses/nc-sampling+/1.0/