Certificate verification error "bad handshake" #218
Comments
|
This can happen when the local time of the device is off. Does your pi have the current time? |
|
I am receiving the exact same error when trying to authorize GooglePhotos. I checked my Pi's time via SSH and it is local and correct. |
|
Did you just install the device (ie, new SD card) ? |
|
Yes, it was on a fresh install for me |
|
Mine is not a fresh install. |
|
I have the exact same error. |
|
With 3 of us experiencing the same error, it sounds like the problem is being caused by something other than the timestamp. Would very much appreciate you looking for alternative reasons that this problem has occurred. Thanks and regards ... Gary |
|
Would really appreciate you looking at this problem. There are no 4 of us experiencing it and its very frustrating not having a resolution to the problem. Thank you. |
|
Hi all, first of all, I understand the frustration and I am looking into the issue, but since this issue isn't (yet) showing on my own frames, it making this harder to troubleshoot. On top of that, I also work full-time and have a family, and with the holidays around the corner, the amount of spare time is minimal. I hope to find some time during my holiday break to dig into this and also be able to replicate this issue for easier troubleshoot. While this probably is disappointing to hear, I'd rather be honest with my situation than make promises I cannot keep. However, something which would help me out a lot would be if you guys can login to the frame using SSH and provide the output from the following commands (run as root) which will give me some data to look into and compare with. First, run So, in my case, Next, run the following command to grab a complete list of installed packages Finally, share the OpenSSL version string (in my case, |
|
Dear Henric, firstly I wish you to say "Thank You" for taking the time and effort to develop this Photoframe application, which when it is running, we are delighted to be using. That is why it is frustrating when something occurs and prevents us from being able to see our photos. Thanks and regards ... Gary |
|
Thanks :) (and I hope my message didn't come across as whiny, that wasn't my intention). Me and my family and grandparents enjoy this as well, so I totally get you. I hope I'll have some positive information about this later this month. |
|
Hi Henric, I'm also experiencing the same issue. And, in complete transparency, I'm just beginning my journey into PI and non-GUI interfaces. So, I'm sure the issue is my own inexperience. That said, I'm adding this comment so that:
With great appreciation, |
|
... amending with info I hope will be helpful:
Again, I fear that I may be a victim of the limitations of my knowledge about both PI and Google's APIs. So, I apologize if this is unhelpful. |
|
Sounds like I'll need to create a test setup and update my steps. And yes, any testing you want to do and subsequent findings is appreciated. But I have a feeling that the SSL issue stems from outdated software or certificates on the PI. |
|
Just let me know how I can help. I love to tinker and I've got some dev chops, but I'm new to these particular technologies, and I'm using an old PI and screen from a BYO computer kit I bought for my kids about 7 yrs ago (looks like this: https://www.adafruit.com/product/3256), and I thought a photo frame would be a great way to upcycle it. Anyway, I'm happy to be a tester and help in any way I can. Just LMK. Again, thank you! |
|
Hopefully some of this info helps, followed your steps for additional information. Did this on a Pi Zero W that was flashed two weeks ago. And on the note of the Google authentication steps as mentioned by @ZapPappy , it has changed a bit since you made the guide but I was able to get the downloaded .json to verify on my photoframe about several weeks ago before this new issue cropped up. Looking back, I had selected "internal" and "testing," which were enough to get it to work, but I'm not sure if those settings are ideal. |
|
Looks like I am having this problem as well. I can try to help troubleshoot after the holidays. |
|
I've done some digging on what the issue could be and I need a volunteer with SSH access to their pi (and who feel comfortable running commands from shell). note that what I'm about to propose hasn't been tested, but with SSL already broken, this should not make it worse My thoughts are that the root certificates are out of date. Normally you'd run
If successful, please reboot and see if SSL issue is resolved. And in either case, please provide the output in this thread. Sidenote, I have a working Python3 version now of photoframe and I intend to work on creating an updated SD card image based on latest RPi OS but it will mean you need to replace your installation, so to make this less painful, I'm also working on export/import of your configuration (including OAuth if possible) to minimize the effort (ie, install new SD image, import previous config and off you go). |
|
certs.tar.gz AGAIN This will permanently change your debian installation and you may need to reinstall to return it to original state. This is purely for testing. IF you don't know what tar.gz files are, then you should probably let someone else try this first ;-) Where did these come from? From my Kubuntu 23.x installation that I'm writing this on. |
|
(and yes, I purposefully didn't give any specific details for step 2 since that's the step that can mess things up, if you're familiar with console/commandline, this should hopefully not pose a problem) |
|
Well, don't I feel stupid now. The SSL issue "should" be resolved. Turns out that my certificate provider had updated their intermediate certificate but I didn't catch that when I renewed my SSL certificate, so I used the old one, which caused problems during SSL handshake. And depending on your client, it may or may not trigger on this. With me running python3 version for testing, it seems the requests module was fine with this warning while python 2.7 (the official version) wasn't. I confirmed this with Which would show this warning (while still connecting) now the same command has no errors I'd appreciate it if you could confirm that this solves it. Huge apologies to all who were affected by this issue and thanks for your patience. |
|
Yes! It's working again!
Thanks for finding the issue and thanks for the great software.
Rob
On Friday, December 29, 2023 at 12:51:36 PM CST, Henric Andersson ***@***.***> wrote:
Well, don't I feel stupid now. The SSL issue "should" be resolved. Turns out that my certificate provider had updated their intermediate certificate but I didn't catch that when I renewed my SSL certificate, so I used the old one, which caused problems during SSL handshake. And depending on your client, it may or may not trigger on this.
With me running python3 version for testing, it seems the requests module was fine with this warning while python 2.7 (the official version) wasn't. I confirmed this with
openssl s_client -connect photoframe.sensenet.nu:443
Which would show this warning (while still connecting)
depth=0 CN = *.sensenet.nu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.sensenet.nu
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = *.sensenet.nu
verify return:1
...
Verification error: unable to verify the first certificate
now the same command has no errors
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G4
verify return:1
depth=0 CN = *.sensenet.nu
verify return:1
I'd appreciate it if you could confirm that this solves it.
Huge apologies to all who were affected by this issue and thanks for your patience.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you commented.Message ID: ***@***.***>
|
|
Genius! It's working. It's fantastic: you've helped me upcycle an old Pi
kit that I got for my kids many many years ago.
Thank you! Do you have a "buymeacoffee" link or something similar?
Jeremy
On Fri, Dec 29, 2023 at 2:41 PM shermanpark ***@***.***>
wrote:
… Yes! It's working again!
Thanks for finding the issue and thanks for the great software.
Rob
On Friday, December 29, 2023 at 12:51:36 PM CST, Henric Andersson
***@***.***> wrote:
Well, don't I feel stupid now. The SSL issue "should" be resolved. Turns
out that my certificate provider had updated their intermediate certificate
but I didn't catch that when I renewed my SSL certificate, so I used the
old one, which caused problems during SSL handshake. And depending on your
client, it may or may not trigger on this.
With me running python3 version for testing, it seems the requests module
was fine with this warning while python 2.7 (the official version) wasn't.
I confirmed this with
openssl s_client -connect photoframe.sensenet.nu:443
Which would show this warning (while still connecting)
depth=0 CN = *.sensenet.nu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.sensenet.nu
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = *.sensenet.nu
verify return:1
...
Verification error: unable to verify the first certificate
now the same command has no errors
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root
CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G4
verify return:1
depth=0 CN = *.sensenet.nu
verify return:1
I'd appreciate it if you could confirm that this solves it.
Huge apologies to all who were affected by this issue and thanks for your
patience.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you commented.Message ID: ***@***.***>
—
Reply to this email directly, view it on GitHub
<#218 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AW4T2ZBBC26WGWBOPPKP4QTYL4MHXAVCNFSM6AAAAABAYHCG2WVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNZSGMYDENJSHE>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
It's fabulous, it works again. Thank you for the serious of your project and exceptional responsive. Sorry for my English I'm French ^^ congratulations again |
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1612, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1598, in dispatch_request
return self.view_functionsrule.endpoint
File "/root/photoframe/routes/baseroute.py", line 62, in call
return self.handle(self.app, **kwargs)
File "/root/photoframe/routes/oauthlink.py", line 44, in handle
return self.redirect(self.servicemgr.oauthStart(kwargs['service']))
File "/root/photoframe/modules/servicemanager.py", line 199, in oauthStart
return svc.startOAuth()
File "/root/photoframe/services/base.py", line 274, in startOAuth
return self._OAUTH.initiate()
File "/root/photoframe/modules/oauth.py", line 122, in initiate
self.rid = self.getRedirectId()
File "/root/photoframe/modules/oauth.py", line 118, in getRedirectId
r = requests.get('%s/?register' % self.ridURI)
File "/usr/lib/python2.7/dist-packages/requests/api.py", line 70, in get
return request('get', url, params=params, **kwargs)
File "/usr/lib/python2.7/dist-packages/requests/api.py", line 56, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 488, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 609, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 497, in send
raise SSLError(e, request=request)
SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)
The text was updated successfully, but these errors were encountered: