[BUG] ClientConnectorCertificateError

[countthesaints]

Describe the bug

I can no longer rip tracks from Qobuz with the latest version, even after a clean installation of streamrip.

Command Used

rip url https://www.qobuz.com/nz-en/album/deep-in-your-love-alok-bebe-rexha/hk23zcx2bcgmc

Debug Traceback

[17:16:25] INFO     App id/secrets not found, fetching                                   qobuz.py:157
╭─────────────────────────────── Traceback (most recent call last) ────────────────────────────────╮
│ /Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/aiohttp/connecto │
│ r.py:992 in _wrap_create_connection                                                              │
│                                                                                                  │
│    989 │   │   │   async with ceil_timeout(                                                      │
│    990 │   │   │   │   timeout.sock_connect, ceil_threshold=timeout.ceil_threshold               │
│    991 │   │   │   ):                                                                            │
│ ❱  992 │   │   │   │   return await self._loop.create_connection(*args, **kwargs)                │
│    993 │   │   except cert_errors as exc:                                                        │
│    994 │   │   │   raise ClientConnectorCertificateError(req.connection_key, exc) from exc       │
│    995 │   │   except ssl_errors as exc:                                                         │
│                                                                                                  │
│ /Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/asyncio/base_events.py:1112 in │
│ create_connection                                                                                │
│                                                                                                  │
│                                     ... 2 frames hidden ...                                      │
│                                                                                                  │
│ /Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/asyncio/sslproto.py:556 in     │
│ _do_handshake                                                                                    │
│                                                                                                  │
│ /Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/ssl.py:979 in do_handshake     │
│                                                                                                  │
│    976 │                                                                                         │
│    977 │   def do_handshake(self):                                                               │
│    978 │   │   """Start the SSL/TLS handshake."""                                                │
│ ❱  979 │   │   self._sslobj.do_handshake()                                                       │
│    980 │                                                                                         │
│    981 │   def unwrap(self):                                                                     │
│    982 │   │   """Start the SSL shutdown handshake."""                                           │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed 
certificate in certificate chain (_ssl.c:1002)

The above exception was the direct cause of the following exception:

╭─────────────────────────────── Traceback (most recent call last) ────────────────────────────────╮
│ /Library/Frameworks/Python.framework/Versions/3.11/bin/rip:8 in <module>                         │
│                                                                                                  │
│   5 from streamrip.rip import rip                                                                │
│   6 if __name__ == '__main__':                                                                   │
│   7 │   sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])                         │
│ ❱ 8 │   sys.exit(rip())                                                                          │
│   9                                                                                              │
│                                                                                                  │
│ /Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/click/core.py:11 │
│ 57 in __call__                                                                                   │
│                                                                                                  │
│                                     ... 20 frames hidden ...                                     │
│                                                                                                  │
│ /Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/aiohttp/connecto │
│ r.py:1204 in _create_direct_connection                                                           │
│                                                                                                  │
│   1201 │   │   │   )                                                                             │
│   1202 │   │   │                                                                                 │
│   1203 │   │   │   try:                                                                          │
│ ❱ 1204 │   │   │   │   transp, proto = await self._wrap_create_connection(                       │
│   1205 │   │   │   │   │   self._factory,                                                        │
│   1206 │   │   │   │   │   host,                                                                 │
│   1207 │   │   │   │   │   port,                                                                 │
│                                                                                                  │
│ /Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/site-packages/aiohttp/connecto │
│ r.py:994 in _wrap_create_connection                                                              │
│                                                                                                  │
│    991 │   │   │   ):                                                                            │
│    992 │   │   │   │   return await self._loop.create_connection(*args, **kwargs)                │
│    993 │   │   except cert_errors as exc:                                                        │
│ ❱  994 │   │   │   raise ClientConnectorCertificateError(req.connection_key, exc) from exc       │
│    995 │   │   except ssl_errors as exc:                                                         │
│    996 │   │   │   raise ClientConnectorSSLError(req.connection_key, exc) from exc               │
│    997 │   │   except OSError as exc:                                                            │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
ClientConnectorCertificateError: Cannot connect to host play.qobuz.com:443 ssl:True 
[SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self 
signed certificate in certificate chain (_ssl.c:1002)')]

Config File

[downloads]
# Folder where tracks are downloaded to
folder = "/Users/kenji/StreamripDownloads"
# Put Qobuz albums in a 'Qobuz' folder, Tidal albums in 'Tidal' etc.
source_subdirectories = false

# Download (and convert) tracks all at once, instead of sequentially. 
# If you are converting the tracks, or have fast internet, this will 
# substantially improve processing speed.
concurrency = true
# The maximum number of tracks to download at once
# If you have very fast internet, you will benefit from a higher value,
# A value that is too high for your bandwidth may cause slowdowns
# Set to -1 for no limit
max_connections = 6
# Max number of API requests per source to handle per minute
# Set to -1 for no limit
requests_per_minute = 60

[qobuz]
# 1: 320kbps MP3, 2: 16/44.1, 3: 24/<=96, 4: 24/>=96
quality = 3
# This will download booklet pdfs that are included with some albums
download_booklets = true

# Authenticate to Qobuz using auth token? Value can be true/false only
use_auth_token = true (used false as well)
# Enter your userid if the above use_auth_token is set to true, else enter your email
email_or_userid = "REDACTED"
# Enter your auth token if the above use_auth_token is set to true, else enter the md5 hash of your plaintext password
password_or_token = "REDACTED"
# Do not change
app_id = ""
# Do not change
secrets = []

[tidal]
# 0: 256kbps AAC, 1: 320kbps AAC, 2: 16/44.1 "HiFi" FLAC, 3: 24/44.1 "MQA" FLAC
quality = 3
# This will download videos included in Video Albums.
download_videos = true

# Do not change any of the fields below
user_id = ""
country_code = ""
access_token = ""
refresh_token = ""
# Tokens last 1 week after refresh. This is the Unix timestamp of the expiration
# time. If you haven't used streamrip in more than a week, you may have to log
# in again using `rip config --tidal`
token_expiry = ""

[deezer]
# 0, 1, or 2
# This only applies to paid Deezer subscriptions. Those using deezloader
# are automatically limited to quality = 1
quality = 2
# An authentication cookie that allows streamrip to use your Deezer account
# See https://github.com/nathom/streamrip/wiki/Finding-Your-Deezer-ARL-Cookie
# for instructions on how to find this
arl = ""
# This allows for free 320kbps MP3 downloads from Deezer
# If an arl is provided, deezloader is never used
use_deezloader = true
# This warns you when the paid deezer account is not logged in and rip falls
# back to deezloader, which is unreliable
deezloader_warnings = true

[soundcloud]
# Only 0 is available for now
quality = 0
# This changes periodically, so it needs to be updated
client_id = ""
app_version = ""

[youtube]
# Only 0 is available for now
quality = 0
# Download the video along with the audio
download_videos = false
# The path to download the videos to
video_downloads_folder = "/Users/kenji/StreamripDownloads/YouTubeVideos"

[database]
# Create a database that contains all the track IDs downloaded so far
# Any time a track logged in the database is requested, it is skipped
# This can be disabled temporarily with the --no-db flag
downloads_enabled = true
# Path to the downloads database 
downloads_path = "/Users/kenji/Library/Application Support/streamrip/downloads.db"
# If a download fails, the item ID is stored here. Then, `rip repair` can be
# called to retry the downloads
failed_downloads_enabled = true
failed_downloads_path = "/Users/kenji/Library/Application Support/streamrip/failed_downloads.db"

# Convert tracks to a codec after downloading them.
[conversion]
enabled = false
# FLAC, ALAC, OPUS, MP3, VORBIS, or AAC
codec = "ALAC"
# In Hz. Tracks are downsampled if their sampling rate is greater than this. 
# Value of 48000 is recommended to maximize quality and minimize space
sampling_rate = 48000
# Only 16 and 24 are available. It is only applied when the bit depth is higher
# than this value.
bit_depth = 24
# Only applicable for lossy codecs
lossy_bitrate = 320

# Filter a Qobuz artist's discography. Set to 'true' to turn on a filter.
# This will also be applied to other sources, but is not guaranteed to work correctly
[qobuz_filters]
# Remove Collectors Editions, live recordings, etc.
extras = false
# Picks the highest quality out of albums with identical titles.
repeats = false
# Remove EPs and Singles
non_albums = false
# Remove albums whose artist is not the one requested
features = false
# Skip non studio albums
non_studio_albums = false
# Only download remastered albums
non_remaster = false

[artwork]
# Write the image to the audio file
embed = true
# The size of the artwork to embed. Options: thumbnail, small, large, original.
# "original" images can be up to 30MB, and may fail embedding. 
# Using "large" is recommended.
embed_size = "large"
# If this is set to a value > 0, max(width, height) of the embedded art will be set to this value in pixels
# Proportions of the image will remain the same
embed_max_width = -1
# Save the cover image at the highest quality as a seperate jpg file
save_artwork = true
# If this is set to a value > 0, max(width, height) of the saved art will be set to this value in pixels
# Proportions of the image will remain the same
saved_max_width = -1

[metadata]
# Sets the value of the 'ALBUM' field in the metadata to the playlist's name. 
# This is useful if your music library software organizes tracks based on album name.
set_playlist_to_album = true
# If part of a playlist, sets the `tracknumber` field in the metadata to the track's 
# position in the playlist instead of its position in its album
renumber_playlist_tracks = true
# The following metadata tags won't be applied
# See https://github.com/nathom/streamrip/wiki/Metadata-Tag-Names for more info
exclude = []

# Changes the folder and file names generated by streamrip.
[filepaths]
# Create folders for single tracks within the downloads directory using the folder_format
# template
add_singles_to_folder = false
# Available keys: "albumartist", "title", "year", "bit_depth", "sampling_rate",
# "id", and "albumcomposer"
folder_format = "{albumartist} - {title} ({year}) [{container}] [{bit_depth}B-{sampling_rate}kHz]"
# Available keys: "tracknumber", "artist", "albumartist", "composer", "title",
# and "albumcomposer", "explicit"
track_format = "{tracknumber}. {artist} - {title}{explicit}"
# Only allow printable ASCII characters in filenames.
restrict_characters = false
# Truncate the filename if it is greater than this number of characters
# Setting this to false may cause downloads to fail on some systems
truncate_to = 120

# Last.fm playlists are downloaded by searching for the titles of the tracks
[lastfm]
# The source on which to search for the tracks.
source = "qobuz"
# If no results were found with the primary source, the item is searched for 
# on this one.
fallback_source = ""

[cli]
# Print "Downloading {Album name}" etc. to screen
text_output = true
# Show resolve, download progress bars
progress_bars = true
# The maximum number of search results to show in the interactive menu
max_search_results = 100

[misc]
# Metadata to identify this config file. Do not change.
version = "2.0"

Operating System

macOS

streamrip version

2.0.2

Screenshots and recordings

No response

Additional context

No response

[tas231]

same here for tidal

[thataboy]

On MacOS Sonoma. Python 3.12.0. Clean installed streamrip via pip.

Trying to download from Tidal for first time, with fresh config.toml, got same error as OP

ClientConnectorCertificateError: Cannot connect to host auth.tidal.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)')]

Error came before getting to the point of asking me to log into Tidal.

[thataboy]

I found a solution. The certificates need to be installed. On MacOS

/Applications/Python\ 3.12/Install\ Certificates.command

replace 3.12 with your version of python

[countthesaints]

Thanks, that worked!

[apostoiis]

@thataboy hey, can you explain what I need to do exactly? thank you

python3 --version: 3.10.11

Certificate.command

#!/bin/sh

/Library/Frameworks/Python.framework/Versions/3.10/bin/python3.10 << "EOF"

# install_certifi.py
#
# sample script to install or update a set of default Root Certificates
# for the ssl module.  Uses the certificates provided by the certifi package:
#       https://pypi.org/project/certifi/

import os
import os.path
import ssl
import stat
import subprocess
import sys

STAT_0o775 = ( stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR
             | stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP
             | stat.S_IROTH |                stat.S_IXOTH )

def main():
    openssl_dir, openssl_cafile = os.path.split(
        ssl.get_default_verify_paths().openssl_cafile)

    print(" -- pip install --upgrade certifi")
    subprocess.check_call([sys.executable,
        "-E", "-s", "-m", "pip", "install", "--upgrade", "certifi"])

    import certifi

    # change working directory to the default SSL directory
    os.chdir(openssl_dir)
    relpath_to_certifi_cafile = os.path.relpath(certifi.where())
    print(" -- removing any existing file or link")
    try:
        os.remove(openssl_cafile)
    except FileNotFoundError:
        pass
    print(" -- creating symlink to certifi certificate bundle")
    os.symlink(relpath_to_certifi_cafile, openssl_cafile)
    print(" -- setting permissions")
    os.chmod(openssl_cafile, STAT_0o775)
    print(" -- update complete")

if __name__ == '__main__':
    main()
EOF