CoreElec / Kodi / connect to FTP -TLS?

kris007 · 23 October 2022 16:00

Is it possible to connect to CoreElec / Kodi with an FTP server using TLS encryption.
The server is set up on linux with the VSFTPD program. In Filezilla the connection works … but in CE / Kodi / option add video source / ftp …, despite many attempts, it does not detect the connection.
The port is specific and is redirected to the CE box on the router.
I have no experience with connecting outside the local LAN. Maybe there is another well-working and proven method of connecting to the server where I have audio video files?

ps. I think I found a program for this: WireGuard …
but the setup is tricky

vpeter · 31 October 2022 18:11

Without kodi debug log file no one can tell what the issue is.

kris007 · 31 October 2022 21:00

I don’t know if the dmesg command can help?

I’m starting to combine settings with WireGuard
but the server is on a fairly weak HC1 hardware (arm) and I think I have to deal with installing a new kernel / wireguard (the operating system is Armbian)
I found interesting entries

I changed data like IP address / port number etc.
FileZilla displays a certificate validation window on the first connection to the server, etc.
… but in CoreElec there is no such possibility, it is not an OS
I also found such info:

VSFTPD can only allow user to login from clients that support encryption services
The command line does not offer encryption services thus producing the error. So, to securely connect to the server, we need a FTP client that supports SSL/TLS connections such as FileZilla .

vpeter · 1 November 2022 07:12

Try adding parameter to the end of the ftp link.

ftp://admin:pass@IP/Videos|auth=TLS

https://forum.kodi.tv/showthread.php?tid=326009

Sure it is

kris007 · 1 November 2022 08:59

I found this topic before and despite adding this post
auth = TLS … unable to connect
but there is already some effect that the CE system is trying to establish a connection.
log info

2022-11-01 09:39:46.252 T:11998   DEBUG <general>: Curl::Debug - TEXT: TLSv1.3 (OUT), TLS alert, unknown CA (560):
2022-11-01 09:39:46.252 T:11998   DEBUG <general>: Curl::Debug - SSL_DATA_OUT: 0
2022-11-01 09:39:46.252 T:11998   DEBUG <general>: Curl::Debug - TEXT: SSL certificate problem: self signed certificate
2022-11-01 09:39:46.252 T:11998   DEBUG <general>: Curl::Debug - TEXT: Closing connection 0
2022-11-01 09:39:46.256 T:11998   ERROR <general>: CCurlFile::Exists - Failed: SSL peer certificate or SSH remote key was not OK(60) for ftp://USERNAME:PASSWORD@x.x.x.x:x2455/media/filmy/|auth=TLS
2022-11-01 09:39:46.256 T:11998 WARNING <general>: Process directory 'ftp://USERNAME:PASSWORD@X.X.X.X:x2455/media/filmy/|auth=TLS' does not exist - skipping scan.

vpeter · 1 November 2022 10:18

Because you are using self signed certificate try to add it to file /storage/.config/cacert.pem.

Or try with Let’s encrypt certificate.

kris007 · 1 November 2022 11:02

Unstable does not work … it is not possible to connect via TLS in the CoreElec system. And using FTP without encryption is dangerous.
I give up

2022-11-01 12:10:37.546 T:4657    DEBUG <general>: Curl::Debug - TEXT: TLSv1.3 (OUT), TLS alert, unknown CA (560):
2022-11-01 12:10:37.546 T:4657    DEBUG <general>: Curl::Debug - SSL_DATA_OUT: 0
2022-11-01 12:10:37.546 T:4657    DEBUG <general>: Curl::Debug - TEXT: SSL certificate problem: self signed certificate
2022-11-01 12:10:37.546 T:4657    DEBUG <general>: Curl::Debug - TEXT: Closing connection 5
2022-11-01 12:10:37.550 T:4657    ERROR <general>: CCurlFile::FillBuffer - Failed: SSL peer certificate or SSH remote key was not OK(60)

vpeter · 1 November 2022 12:29

As you can read certificate can’t be checked. That’s why you need to add it to a file as written above. Did you tried that?

Or you can also add this option to ftp link which prevents certificate checking

|verifypeer=false

https://kodi.wiki/view/SSL_certificates

kris007 · 1 November 2022 13:11

2022-11-01 14:06:25.624 T:5967    ERROR <general>: GetDirectory - Error getting ftp://USERNAME:PASSWORD@/media/filmy/|verifypeer=false
2022-11-01 14:06:25.624 T:5967    DEBUG <general>: Thread waiting 3548373632 terminating
2022-11-01 14:06:25.626 T:4168    DEBUG <CAddonSettings[metadata.themoviedb.org.python]>: trying to load setting definitions from old format...
2022-11-01 14:06:25.628 T:4168    ERROR <general>: CGUIMediaWindow::GetDirectory(ftp://USERNAME:PASSWORD@X.X.X.X:55555/media/filmy/|verifypeer=false) failed
2022-11-01 14:06:25.628 T:4168    DEBUG <general>: CGUIMediaWindow::GetDirectory (sources://video/

by adding this parameter, even an attempt to connect via FTP cannot be found in the logs
I found such a topic on LibreElec and although it is not CE, it has similar folders … but this howto does not work
https://forum.libreelec.tv/thread/24673-cannot-install-update-addons/?postID=161675#post161675

vpeter · 1 November 2022 13:15

You need to use both parameters.

|auth=TLS&verifypeer=false

One link Option to specify TLS mode & CA Certificates in Curl FTP sources via GUI

kris007 · 1 November 2022 13:30

maybe there is something wrong with the certificate created on linux / vsftpd? … but weird because FileZilla works OK?

vpeter · 1 November 2022 13:46

I don’t know why this is there if verifypeer=false.

SSL: certificate subject name 'kris' does not match target host name 'xxxxxx'

I think you will have to play little more. I’m sure it must work.

kris007 · 1 November 2022 13:54

black magic … maybe the settings in vsftpd.conf? … the server was created for virtual users according to this tutorial (sory but in Polish)
https://ubuntu.pl/forum/viewtopic.php?f=150&t=184275
because the login is not the name of Kris … it is only the data entered in the certificate, such as: province / city / email / name: Kris etc.
ps. now I’m “fighting” with WireGuard …FTP (vsftpd) / TLS does not work on CE

vpeter · 1 November 2022 18:22

Create certificates correctly and it will work. And maybe add it to cacert.pem.

kris007 · 1 November 2022 20:28

I already tried it, ie I removed the old vsftpd.pem
I created a new one with the command:
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
I changed the entries:
CN = kris … on IP adress / hostname … and when logging in to FileZilla for the first time, there were no errors and red entries when verifying the certificate.
But it did not do anything when connecting FTP (vsftpd) to CE … once I managed to connect and check the login and password and approve them … but it was not possible to list directories with audio video files again … .upssss.
You can endlessly test this way without success … something is wrong with FTP server VSFTPD / CE / TLS
my configuration that works fine on FileZilla (/etc/vsftpd.conf)

anonymous_enable=NO
listen_port=XXXX
local_enable=YES
chroot_local_user=YES
virtual_use_local_privs=YES
dual_log_enable=YES
listen=YES
tcp_wrappers=YES
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
user_config_dir=/etc/vsftpd_user_conf
guest_enable=NO
pam_service_name=ftp
nopriv_user=XXXXX (login ftp)
allow_writeable_chroot=YES
allow_anon_ssl=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
xferlog_enable=YES
write_enable=YES
download_enable=YES
write_enable=YES
anon_other_write_enable=YES
utf8_filesystem=YES
use_localtime=YES
ssl_ciphers=HIGH
ascii_upload_enable=YES
ascii_download_enable=YES
pasv_enable=YES
pasv_min_port=
pasv_max_port=

EUREKA !!! … thanks @vpeter for your patience!
I managed … but it helped to generate a new certificate (without errors, the so-called red entries when logging in to FileZilla) I also copied the file: /etc/ssl/private/vsftpd.pem from the vsftpd server to CE path: /storage/.config (but whether did it matter?)
However, it was very important to enter the path to the FTP server resources! I always typed: /media/filmy because that was how it was set for a given virtual user. And you only had to enter:
/|auth=TLS
and the path showed automatically! (from ftp server settings)
maybe it will be useful to someone

vpeter · 2 November 2022 06:27

Yes, until correctly set up

Glad that you got it working.

kris007 · 2 November 2022 21:34

@vpeter I have a request to remove an IP address from descriptions

SSL: certificate subject name ‘kris’ does not match target host name ‘X.X.X.X’
thanks
Ps.
I checked to be sure and for correct operation / connection of CE with vsftpd / TLS server, in addition to the correct entries as above.
server certificate file is required: vsftpd.pem … but you need to rename it to: cacert.pem and put it in the path
/storage/.config
a CE reboot is also required! … thanks again @vpeter I wouldn’t have made that up

vpeter · 5 November 2022 12:31

If you have just one certificate file to add it can be just renamed. But to add yet another certificate you need to copy/paste the content to this file.

system · 19 November 2022 12:31

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.