Update youtube-dl CA root trust store for Let's Encrypt
complete
Genesis
Since the DST Root CA X3 root certificate that Let's Encrypt uses expired on September 30th 2021 (see https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/), video URLs hosted on servers that use Let's Encrypt SSL certificates will fail with the following error. I was able to work around it by manually installing the ISRG Root X1 root certificate from https://letsencrypt.org/certs/isrgrootx1.der
2021.10.06 13:27:46 Log - NativeProcess.Start: started process id [4552]: C:/Users/XXXXX/AppData/LocalLow/VRChat/VRChat\Tools/youtube-dl.exe (...)
2021.10.06 13:27:47 Log - NativeProcess.HasExited: process exited with code 1, took 998 ms. Command line: C:/Users/XXXXX/AppData/LocalLow/VRChat/VRChat\Tools/youtube-dl.exe (...)
2021.10.06 13:27:47 Error - [Behaviour] ERROR: Unable to download webpage: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1076)> (caused by URLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1076)')))
2021.10.06 13:27:47 Log - User XXXXX added URL https://xxxxxxxxxx.xxx/path/to/video.mp4
2021.10.06 13:27:52 Error - [Behaviour] Can't play movie []
Log In
Tupper - VRChat Head of Community
complete
We have mitigated this by swapping to yt-dlp.
This update is now live.
The executable is still named youtube-dl.exe because we wanted to avoid updating the client.
Genesis
My other computer was still having SSL validation errors when playing videos to play in VRChat even after renewing my server certificate with the self-signed ISRB Root X1 certificate so I ended up doing the following steps to work around:
- Delete the DST Root CA X3 certificate from certmgr.msc (Start > Run > certmgr.msc)
- Trusted Root Certification Authorities > Certificates > DST Root CA X3
- Third-Party Root Certification Authorities > Certificates > DST Root CA X3
- Clear the SSL Cache (Control Panel > Internet Options > Content > Clear SSL state)
- Reboot Windows
It seems that youtube-dl or the underlying openssl library is still looking at the untrusted certificate chain first which should not happen.