ajayyy / SponsorBlock

Skip YouTube video sponsors (browser extension)
https://sponsor.ajay.app
GNU General Public License v3.0

SponsorBlock API; certificate verify failed #979

Closed nicolaasjan closed 2 years ago

nicolaasjan commented 2 years ago

I was advised by @pukkandan in this issue to ask this here.

In my Windows 10 VM I got this error:

C:\Windows\System32>dlp -v https://www.youtube.com/watch?v=eQ_8F4nzyiw
[debug] User config file: C:\Users\Nico\AppData\Roaming\yt-dlp\config.txt
[debug] User config: ['-i', '--no-mtime', '-o', '~/Desktop/%(title)s.%(ext)s', '-f', 'bestvideo[height<=1080][ext=mp4]+bestaudio[ext=m4a]/best[ext=mp4]/best', '--embed-thumbnail', '--add-metadata', '--external-downloader', 'aria2c', '--external-downloader-args', 'aria2c:-x 10 -s 10 -j 10 -k 1M --log-level=info --file-allocation=none', '--sponsorblock-remove', 'all']
[debug] Command-line config: ['-v', 'https://www.youtube.com/watch?v=eQ_8F4nzyiw']
[debug] Encodings: locale cp1252, fs utf-8, out utf-8, pref cp1252
[debug] yt-dlp version 2021.09.25 (exe)
[debug] Python version 3.9.3 (CPython 64bit) - Windows-10-10.0.19041-SP0
[debug] exe versions: ffmpeg 2021-09-22-git-447cf53774-essentials_build-www.gyan.dev, ffprobe 2021-09-22-git-447cf53774-essentials_build-www.gyan.dev
[debug] Optional libraries: Crypto, mutagen, sqlite, websockets
[debug] Proxy map: {}
[debug] [youtube] Extracting URL: https://www.youtube.com/watch?v=eQ_8F4nzyiw
[youtube] eQ_8F4nzyiw: Downloading webpage
[youtube] eQ_8F4nzyiw: Downloading android player API JSON
[debug] Sort order given by extractor: quality, res, fps, source, codec:vp9.2, lang
[debug] Formats sorted by: hasvid, ie_pref, quality, res, fps, source, vcodec:vp9.2(10), acodec, lang, filesize, fs_approx, tbr, vbr, abr, asr, proto, vext, aext, hasaud, id
[debug] SponsorBlock query: https://sponsor.ajay.app/api/skipSegments/3cce?service=YouTube&categories=%5B%22sponsor%22%2C+%22intro%22%2C+%22outro%22%2C+%22interaction%22%2C+%22preview%22%2C+%22music_offtopic%22%2C+%22selfpromo%22%5D
ERROR: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1123)>
Traceback (most recent call last):
  File "urllib\request.py", line 1346, in do_open
  File "http\client.py", line 1253, in request
  File "http\client.py", line 1299, in _send_request
  File "http\client.py", line 1248, in endheaders
  File "http\client.py", line 1008, in _send_output
  File "http\client.py", line 948, in send
  File "http\client.py", line 1422, in connect
  File "ssl.py", line 500, in wrap_socket
  File "ssl.py", line 1040, in _create
  File "ssl.py", line 1309, in do_handshake
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1123)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "yt_dlp\YoutubeDL.py", line 1227, in wrapper
  File "yt_dlp\YoutubeDL.py", line 1265, in __extract_info
  File "yt_dlp\YoutubeDL.py", line 1315, in process_ie_result
  File "yt_dlp\YoutubeDL.py", line 2272, in process_video_result
  File "yt_dlp\YoutubeDL.py", line 3043, in pre_process
  File "yt_dlp\YoutubeDL.py", line 2996, in run_pp
  File "yt_dlp\postprocessor\sponsorblock.py", line 36, in run
  File "yt_dlp\postprocessor\sponsorblock.py", line 40, in _get_sponsor_chapters
  File "yt_dlp\postprocessor\sponsorblock.py", line 82, in _get_sponsor_segments
  File "yt_dlp\postprocessor\sponsorblock.py", line 90, in _get_json
  File "yt_dlp\YoutubeDL.py", line 3256, in urlopen
  File "urllib\request.py", line 517, in open
  File "urllib\request.py", line 534, in _open
  File "urllib\request.py", line 494, in _call_chain
  File "yt_dlp\utils.py", line 2834, in https_open
  File "urllib\request.py", line 1349, in do_open
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1123)>

I was able to work around it by manually importing the certificate of https://sponsor.ajay.app/ (from opening the site in Internet Explorer as admin...) After that the download and segment skipping succeeded.

However, this certificate expires 20211101. Do I have to repeat this workaround then?

ajayyy commented 2 years ago

Probably, there is nothing wrong with this cert. You probably need to add the Let's Encrypt root key.

nicolaasjan commented 2 years ago

Thanks.

pukkandan commented 2 years ago

Was the certificate changed recently? Because I can also reproduce this.

ajayyy commented 2 years ago

Looks like it would be this https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

nicolaasjan commented 2 years ago

So on older devices we have to install ISRG Root X1?

pukkandan commented 2 years ago

Thanks. That is definitely the issue.

I am not sure why Windows 10 does not have their "new" certificates in the default store though.

@nicolaasjan

> However, this certificate expires 20211101. Do I have to repeat this workaround then?

So to answer this, you just need to add the Let's Encrypt root certificate to your store and shouldn't need to renew sponsor.ajay.app's certificate again.
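A way to check the trust store for the condition discussed above, as an added example that is not part of the original thread or of yt-dlp: it classifies entries shaped like Python's `SSLContext.get_ca_certs()` output by whether a valid ISRG Root X1 is present or only the expired DST Root CA X3. The function names, result labels and sample store entries are constructed for illustration.

```python
import ssl
import time

ISRG_X1 = "ISRG Root X1"
DST_X3 = "DST Root CA X3"


def _common_name(name):
    """Pull commonName out of the nested-tuple subject used by the ssl module."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def diagnose(ca_certs, now=None):
    """Return 'ok', 'stale-store' or 'missing-root' for a list of CA entries."""
    now = time.time() if now is None else now
    valid, expired = set(), set()
    for cert in ca_certs:
        cn = _common_name(cert.get("subject", ()))
        if cn is None:
            continue
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
        (valid if not_after > now else expired).add(cn)
    if ISRG_X1 in valid:
        return "ok"            # chains can terminate at ISRG Root X1
    if DST_X3 in expired:
        return "stale-store"   # only the expired cross-sign root is trusted
    return "missing-root"      # neither root is available


def system_store():
    """CA entries Python loaded by default. Certificates that live only in an
    OpenSSL capath directory are not listed until they have been used."""
    return ssl.create_default_context().get_ca_certs()


def _entry(cn, not_after):
    return {"subject": ((("commonName", cn),),), "notAfter": not_after}


# Constructed sample stores (not read from any real machine).
SAMPLE_OLD_STORE = [_entry(DST_X3, "Sep 30 14:01:15 2021 GMT")]
SAMPLE_FIXED_STORE = SAMPLE_OLD_STORE + [_entry(ISRG_X1, "Jun  4 11:04:38 2035 GMT")]
REFERENCE_TIME = ssl.cert_time_to_seconds("Oct  1 00:00:00 2021 GMT")

if __name__ == "__main__":
    print("sample old store:", diagnose(SAMPLE_OLD_STORE, REFERENCE_TIME))
    print("this machine:", diagnose(system_store()))
```

A `stale-store` or `missing-root` result on the machine running the client means the fix is adding ISRG Root X1 to the trust store, not re-importing the site's leaf certificate at each renewal.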

Informatic commented 2 years ago

We are stumbling upon this on webOS devices which are missing ISRG Root CA X1 and it's impossible to update trusted CA store without rooting.

One server-side fix for that would be switching to https://zerossl.com/ which offers unlimited free 90-day ACME certificates (equivalent to Let's Encrypt, requires a minor configuration option change in ACME client) signed by COMODO/UserTrust CA, which seems to be globally respected.

ajayyy commented 2 years ago

Right now I use a multi domain cert, which isn't supported

Informatic commented 2 years ago

Pricing tab on ZeroSSL is utterly unreadable... Everything that's marked as unsupported in free tier applies only to certificates issued manually in their management panel, and not to ACME API. Multi-domain and wildcard certs are supported in free tier, as long as they are issued via ACME - https://zerossl.com/features/acme/

ajayyy commented 2 years ago

I tried setting it up using https://github.com/zerossl/zerossl-bot and renewing my certs, and on my end it still shows the cert as from Let's Encrypt, but let me know if I'm misreading it.

pukkandan commented 2 years ago

For https://sponsor.ajay.app? It still shows as derived from ISRG X1 for me too

nicolaasjan commented 2 years ago

Comprehensive site to analyze your domain: https://www.ssllabs.com/ssltest/analyze.html?d=sponsor.ajay.app

Informatic commented 2 years ago

Everything that needs to be done to convert a certbot setup (assuming you use that) from Let's Encrypt to ZeroSSL is to add these three options: https://github.com/zerossl/zerossl-bot/blob/master/zerossl-bot.sh#L10 (EAB can be copied from the ZeroSSL administration panel: "Developer" → "EAB Credentials for ACME Clients") and then likely run the certbot renew --force-renewal command.