[GH-ISSUE #59] [Bug]: tubearchivist-jf-plugin does not connect to tubearchivist over https (RevocationStatusUnknown, OfflineRevocation) #45

Open
opened 2026-03-23 20:35:19 +00:00 by mirror · 6 comments

Originally created by @IeP4nieF on GitHub (Aug 11, 2025).
Original GitHub issue: https://github.com/tubearchivist/tubearchivist-jf-plugin/issues/59

Originally assigned to: @DarkFighterLuke on GitHub.

I've read the documentation

  • I'm running the latest version of tubearchivist-jf-plugin.
  • I'm running the latest version of TubeArchivist.
  • I have read the how to open an issue guide, particularly the bug report section.
  • I have searched for both closed and open already existing issues about the problem I am reporting.

Operating System

Linux (Debian 12 in lxc-container)

Your Bug Report

Describe the bug

tubearchivist-jf-plugin does not connect to tubearchivist due to an SSL error. I run tubearchivist with a certificate from my CA. The root certificate of the CA is installed on the host which runs jellyfin (wget https://tubearchivistURL runs fine from this host).

Because of "RevocationStatusUnknown, OfflineRevocation" in the logs I added a CRL Distribution Point to the certificate of tubearchivist:

        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:https://<CRL-URL>

But this does not change anything. The plugin is not trying to download the CRL (shown by the web server logs).

Steps To Reproduce

Use tubearchivist-jf-plugin with a tubearchivist setup which uses a certificate of your own CA.

Expected behavior

The plugin should connect to the tubearchivist server and fetch metadata.

Relevant Jellyfin log output

[2025-08-11 20:47:18.891 +00:00] [ERR] Error in "TubeArchivist"
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: RevocationStatusUnknown, OfflineRevocation
   at System.Net.Security.SslStream.SendAuthResetSignal(ReadOnlySpan`1 alert, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(QueueItem queueItem)
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.DiagnosticsHandler.SendAsyncCore(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at Jellyfin.Plugin.TubeArchivistMetadata.TubeArchivist.TubeArchivistApi.GetChannel(String channelId)
   at Jellyfin.Plugin.TubeArchivistMetadata.Providers.SeriesMetadataProvider.GetMetadata(SeriesInfo info, CancellationToken cancellationToken)
   at MediaBrowser.Providers.Manager.MetadataService`2.ExecuteRemoteProviders(MetadataResult`1 temp, String logName, Boolean replaceData, TIdType id, IEnumerable`1 providers, CancellationToken cancellationToken)

Anything else?

No response


@voice06 commented on GitHub (Sep 9, 2025):

There definitely needs to be an option to disable these SSL integrity checks. There's no need for that kind of security for an internal-only service.


@DarkFighterLuke commented on GitHub (Oct 23, 2025):

This is not a bug, but a feature request. Btw, I'll put it on the list :)


@IeP4nieF commented on GitHub (Oct 24, 2025):

> This is not a bug, but a feature request. Btw, I'll put it on the list :)

Thank you!

(Nevertheless, I would say that one can discuss whether this has to be called a bug or a feature request. The point is that the plugin ignores the root certificates which are installed on the host. Everyone expects a service running on a host to take into account the installed root certificates.)


@IeP4nieF commented on GitHub (Oct 24, 2025):

> There definitely needs to be an option to disable these SSL integrity checks. There's no need for that kind of security for an internal-only service.

I don't agree. The idea of "secure" internal networks seems to be a little bit out of time. I would not suggest adding an option to disable SSL integrity checks. Instead the plugin should take the installed root certificates into account.


@kraftnix commented on GitHub (Nov 2, 2025):

I would also appreciate the plugin using the host's root certificates so I can actually use this plugin.


@kraftnix commented on GitHub (Nov 14, 2025):

If anyone wants a silly workaround, I am using Caddy to hackily work around the cert issue.

Make a caddyfile like

{
  admin off
  auto_https off
}

http://127.0.0.1:3949 {
  reverse_proxy https://my-home-tube-archvisit.url:443 {
    header_up Host my-home-tube-archvisit.url
  }
}

Run the proxy with caddy run --config /path/to/abovefile --adapter caddyfile

And then set the url in the metadata plugin to http://127.0.0.1:3949
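
Added example, not part of the thread and not the plugin's code: one way to scope a tolerance to exactly the two chain flags in the log above (`RevocationStatusUnknown`, `OfflineRevocation`) instead of switching certificate validation off. `RevocationSoftFail`, `IsAcceptable` and `CreateHandler` are hypothetical names; the .NET types are real, and how the plugin actually builds its `HttpClient` is an assumption.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class RevocationSoftFail
{
    // The two flags from the log above: revocation status could not be determined.
    const X509ChainStatusFlags Tolerated =
        X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;

    // Pure decision function so the policy can be unit-tested without a TLS connection.
    public static bool IsAcceptable(SslPolicyErrors errors, X509ChainStatusFlags[] chainStatus)
    {
        if (errors == SslPolicyErrors.None) return true;
        // Host name mismatch or a missing certificate is never tolerated.
        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0) return false;
        // Chain errors pass only if every one is "revocation unknown/offline".
        // UntrustedRoot, NotTimeValid, Revoked and the rest still fail the handshake.
        return chainStatus.Length > 0 && chainStatus.All(s => (s & ~Tolerated) == 0);
    }

    // Hypothetical wiring; the plugin's real HttpClient setup is not shown on this page.
    public static HttpClientHandler CreateHandler() => new HttpClientHandler
    {
        CheckCertificateRevocationList = true,
        ServerCertificateCustomValidationCallback = (_, cert, chain, errors) =>
            cert is not null && chain is not null &&
            IsAcceptable(errors, chain.ChainStatus.Select(s => s.Status).ToArray()),
    };

    static void Main()
    {
        // Constructed inputs, not captured from a real handshake.
        var chainErr = SslPolicyErrors.RemoteCertificateChainErrors;
        Console.WriteLine(IsAcceptable(chainErr, new[] {
            X509ChainStatusFlags.RevocationStatusUnknown, X509ChainStatusFlags.OfflineRevocation }));
        Console.WriteLine(IsAcceptable(chainErr, new[] {
            X509ChainStatusFlags.RevocationStatusUnknown, X509ChainStatusFlags.UntrustedRoot }));
        Console.WriteLine(IsAcceptable(chainErr, new[] { X509ChainStatusFlags.Revoked }));
        Console.WriteLine(IsAcceptable(
            chainErr | SslPolicyErrors.RemoteCertificateNameMismatch,
            new[] { X509ChainStatusFlags.OfflineRevocation }));
    }
}
```

Only the first constructed case is accepted; a chain that also reports an untrusted root, a revoked certificate, or a host name mismatch is still rejected.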

Reference
tubearchivist/archived-tubearchivist-jf-plugin#45