Roku Developer Program

lucasgonze
Visitor

no chain of trust to root cert

HTTP GET fails when using EnablePeerVerification(true) on an HTTPS server with an intermediate certificate with VeriSign Trust Network that goes to a root cert, and it is valid according to:

* http://www.digicert.com/help/
* http://www.sslshopper.com/ssl-checker.html
* https://knowledge.verisign.com/support/ ... cale=en_US

This suggests that root certs installed in the system are out of date.
0 Kudos
RokuKevin
Visitor

Re: no chain of trust to root cert

You need to specify which Certificate Authorities to trust. You can specify our default bundle (same as Firefox) with:


roUrlTransfer.SetCertificatesFile("common:/certs/ca-bundle.crt")


Or use the same call to specify a crt file in your pkg.

--Kevin
0 Kudos
lucasgonze
Visitor

Re: no chain of trust to root cert

Thanks, Kevin. That did the trick perfectly.
0 Kudos
lorenka
Visitor

Re: no chain of trust to root cert

I think I'm having a similar problem regarding trusted CA root certs, but not sure.

I don't need to do mutual authentication (as listed here); I basically just want to send an email address via http post to an https addr via roUrlTransfer.

I have tried using both the cacert.pem included with the SDK, as well as a pem file my client provided for me by request. The client's pem file seems legit as tested with the checker at sslshopper.com, but if I do an "openssl verify" on it I get "error 20 at 0 depth lookup:unable to get local issuer certificate" (not sure it applies).

This is the error I'm getting via the roku debug console:
SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
getresponsecode -60

Finally, if I'm not doing mutual authentication, do I still need to upload the package as a private test channel in order for this to work properly?

Thanks for any advice!
0 Kudos
lorenka
Visitor

Re: no chain of trust to root cert

Ah, answered my own question... it was quite easy. I just viewed the certificate chain via Firefox, grabbed the certificate at the top of the chain and created a pem file with it, and called that in the BrightScript code. I thought the intermediate CA certificate was good enough, but it wasn't. Problem solved.
0 Kudos
babuhari123
Visitor

Re: no chain of trust to root cert

Can you send me a code snippet showing how to do that to solve the certificate problem?

Please...
0 Kudos
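
The fix described in RokuKevin's and lorenka's posts, as an added example that is not code from any poster or from Roku: an HTTPS POST that sets the trusted CA file explicitly and keeps peer and host verification on. The function name, the URL, the `email` form field and `pkg:/certs/root-ca.pem` are assumptions for illustration.

```brightscript
' Added example. caFile is either the default bundle named in the thread
' ("common:/certs/ca-bundle.crt") or a PEM file shipped in the channel package
' that contains the root certificate at the top of the server's chain.
function PostEmailOverTls(url as string, email as string, caFile as string) as object
    result = { ok: false, code: 0, reason: "" }

    ' A missing packaged CA file would otherwise surface only as a TLS failure.
    if Left(caFile, 4) = "pkg:"
        fs = CreateObject("roFileSystem")
        if not fs.Exists(caFile)
            result.reason = "CA file not found: " + caFile
            return result
        end if
    end if

    port = CreateObject("roMessagePort")
    xfer = CreateObject("roUrlTransfer")
    xfer.SetMessagePort(port)
    xfer.SetUrl(url)

    ' Set the trust anchors and leave both verification checks enabled.
    xfer.SetCertificatesFile(caFile)
    xfer.EnablePeerVerification(true)
    xfer.EnableHostVerification(true)
    xfer.AddHeader("Content-Type", "application/x-www-form-urlencoded")

    if not xfer.AsyncPostFromString("email=" + xfer.Escape(email))
        result.reason = "request could not be started"
        return result
    end if

    msg = wait(10000, port) ' 10 second timeout
    if type(msg) = "roUrlEvent"
        ' Negative codes are transfer errors; the -60 seen in this thread
        ' is the certificate verification failure.
        result.code = msg.GetResponseCode()
        result.reason = msg.GetFailureReason()
        result.ok = (result.code >= 200 and result.code < 300)
    else
        xfer.AsyncCancel()
        result.reason = "timed out"
    end if
    return result
end function

' Placeholder URL and CA path (assumptions, not values from the thread):
' r = PostEmailOverTls("https://example.com/subscribe", "user@example.com", "pkg:/certs/root-ca.pem")
' if not r.ok then print "POST failed: "; r.code; " "; r.reason
```

If the result code is still -60 with a packaged PEM, the file does not contain the root that issued the server's chain; as lorenka found, the intermediate certificate alone is not enough.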