Roku Developer Program

lucasgonze
Level 7

no chain of trust to root cert

HTTP get fails when using EnablePeerVerification(true) on an https server with an intermediate certificate with VeriSign Trust Network that goes to a root cert and it is valid according to

* http://www.digicert.com/help/
* http://www.sslshopper.com/ssl-checker.html
* https://knowledge.verisign.com/support/ ... cale=en_US

This suggests that root certs installed in the system are out of date.
0 Kudos
5 Replies
RokuKevin
Level 9

Re: no chain of trust to root cert

You need to specify which Certificate Authorities to trust. You can specify our default bundle (same as Firefox) with:


roUrlTransfer.SetCertificatesFile("common:/certs/ca-bundle.crt")


Or use the same call to specify a crt file in your pkg.

--Kevin
0 Kudos
lucasgonze
Level 7

Re: no chain of trust to root cert

Thanks, Kevin. That did the trick perfectly.
0 Kudos
lorenka
Level 7

Re: no chain of trust to root cert

I think I'm having a similar problem regarding trusted CA root certs, but not sure.

I don't need to do mutual authentication (as listed here); I basically just want to send an email address via http post to an https addr via roUrlTransfer.

I have tried using both the cacert.pem included with the SDK, as well as a pem file my client provided for me by request. The client's pem file seems legit as tested with the checker at sslshopper.com, but if I do an "openssl verify" on it I get "error 20 at 0 depth lookup:unable to get local issuer certificate" (not sure it applies).

This is the error I'm getting via the roku debug console:
SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
getresponsecode -60

Finally, if I'm not doing mutual authentication, do I still need to upload the package as a private test channel in order for this to work properly?

Thanks for any advice!
0 Kudos
lorenka
Level 7

Re: no chain of trust to root cert

Ah, answered my own question... was quite easy. I just viewed the certificate chain via Firefox, grabbed the certificate at the top of the chain and created a pem file with it, and used that in the BrightScript code. I thought the intermediate CA certificate was good enough but it wasn't. Problem solved.
0 Kudos
babuhari123
Level 7

Re: no chain of trust to root cert

Can you send me a code snippet showing how to do that to solve the certificate problem?

please...................
0 Kudos
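
The fix described in RokuKevin's and lorenka's replies above, as an added BrightScript example that is not code from any poster or from Roku: an HTTPS POST with peer and host verification enabled and an explicit trust file, returning the failure reason so a verification error is visible. The function name, the endpoint URL and the `pkg:/certs/server-root.pem` path are assumptions.

```brightscript
' Added example, not code from the thread.
' Posts an email address over HTTPS with certificate verification enabled.
function PostEmailOverTls(email as String) as Object
    port = CreateObject("roMessagePort")
    xfer = CreateObject("roUrlTransfer")
    xfer.SetMessagePort(port)

    ' Assumption: placeholder endpoint, replace with the real HTTPS URL.
    xfer.SetUrl("https://api.example.com/subscribe")

    ' Trust anchors: the firmware bundle named in RokuKevin's reply.
    xfer.SetCertificatesFile("common:/certs/ca-bundle.crt")
    ' Alternative: a PEM file shipped in the channel package (hypothetical
    ' path). Per lorenka's post it must contain the certificate at the top
    ' of the server's chain; the intermediate CA certificate alone failed.
    ' xfer.SetCertificatesFile("pkg:/certs/server-root.pem")

    ' Verify the chain against the trust file and the hostname in the cert.
    xfer.EnablePeerVerification(true)
    xfer.EnableHostVerification(true)
    xfer.AddHeader("Content-Type", "application/x-www-form-urlencoded")

    result = { ok: false, code: 0, reason: "" }
    if not xfer.AsyncPostFromString("email=" + xfer.Escape(email))
        result.reason = "request could not be started"
        return result
    end if

    ' The async call is used because roUrlEvent exposes the failure text.
    msg = wait(10000, port)
    if type(msg) = "roUrlEvent"
        result.code = msg.GetResponseCode()
        result.reason = msg.GetFailureReason()
        result.ok = (result.code >= 200 and result.code < 300)
        ' -60 is the code the failing request in this thread returned
        ' alongside "certificate verify failed".
        if result.code = -60
            print "TLS verification failed: "; result.reason
        end if
    else
        xfer.AsyncCancel()
        result.reason = "timed out waiting for response"
    end if
    return result
end function
```

Leaving both verification calls enabled and fixing the trust file is what keeps the connection authenticated; a negative `code` with a non-empty `reason` points at the trust file rather than the server.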