youtube-dl: yt-dl.org (YouTube-DL main Hosting Site) broken certificate
Checklist
- I’m reporting a broken site support issue
- I’ve verified that I’m running youtube-dl version 2020.05.29
- I’ve checked that all provided URLs are alive and playable in a browser
- I’ve checked that all URLs and arguments with special characters are properly quoted or escaped
- I’ve searched the bugtracker for similar bug reports including closed ones
- I’ve read bugs section in FAQ
Verbose log
wget https://yt-dl.org/downloads/latest/youtube-dl
--2020-06-01 10:50:40-- https://yt-dl.org/downloads/latest/youtube-dl
Resolving yt-dl.org (yt-dl.org)... 95.143.172.170
Connecting to yt-dl.org (yt-dl.org)|95.143.172.170|:443... connected.
ERROR: cannot verify yt-dl.org's certificate, issued by ‘CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB’:
Issued certificate has expired.
To connect to yt-dl.org insecurely, use `--no-check-certificate'.
Description
The main site that hosts the download of the YouTube-DL binary program itself has an expired security certificate. The error message says:
"ERROR: cannot verify yt-dl.org's certificate, issued by ‘CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB’: Issued certificate has expired."
This started occurring on approximately Friday 2020-05-29, though I’m not certain exactly. You can reproduce the issue by typing this command at a bash prompt:
wget https://yt-dl.org/downloads/latest/youtube-dl
This problem affects me, because I do not want to download and use the latest version of YouTube-DL if there is a security risk on the site hosting it.
About this issue
- State: closed
- Created 4 years ago
- Comments: 23
@dstftw
Your server (yt-dl.org) is sending the expired intermediate cert (the last one in the below openssl output, “COMODO RSA Certification Authority”), which is what’s causing validation to fail in Python. Browsers are evidently smart enough to ignore it, and build an alternate chain, but the Python client is not.
@dstftw
You have to stop sending the expired intermediate cert because your own Python client can’t handle it.
https://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration
Same problem on my raspi (Raspbian Jessie), even after running update-ca-certificates. I worked around this by using the wget download line with --no-check-certificate, but that’s not a real fix - please make sure that you use a certificate which is valid out of the box for all OSes including old ones, without requiring users to mess around with CAs.
I’d argue this issue should be reopened. As it is, I cannot install youtube-dl using the curl or wget commands provided in the download page.
With Curl:
With wget:
A workaround that every user needs to apply is not a fix.
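The diagnosis given earlier in the thread (a valid leaf followed by an expired intermediate that path-building clients skip and strict clients reject) can be checked mechanically; the following is an added Python example, not code from the thread or from youtube-dl. It works on certificate summaries in the dict shape `ssl.getpeercert()` returns and matches issuers by name only, with no signature checks. The helper names, the dates and the trust-store contents are assumptions made for illustration.

```python
import ssl

def cert(subject, issuer, not_after):
    """Build a certificate summary in the dict shape ssl.getpeercert() returns."""
    return {"subject": ((("commonName", subject),),),
            "issuer": ((("commonName", issuer),),),
            "notAfter": not_after}

def cn(name):
    """Extract commonName from getpeercert()'s nested-tuple name form."""
    return next(v for rdn in name for k, v in rdn if k == "commonName")

def audit_served_chain(chain, trusted_roots, now):
    """Classify a served chain (leaf first). Matches names only; no signature checks."""
    expired = [i for i, c in enumerate(chain)
               if ssl.cert_time_to_seconds(c["notAfter"]) < now]
    # First certificate whose issuer is already a trusted root: a path-building
    # client can stop here and never needs what the server sent after it.
    anchor = next((i for i, c in enumerate(chain)
                   if cn(c["issuer"]) in trusted_roots), None)
    if not expired:
        verdict = "ok"
    elif anchor is not None and all(i > anchor for i in expired):
        verdict = "stale-extra-cert"      # strict clients fail, path builders pass
    else:
        verdict = "needed-cert-expired"   # every client fails
    return {"expired": [cn(chain[i]["subject"]) for i in expired], "verdict": verdict}

# Constructed sample: names follow the thread and its linked AddTrust article,
# dates are made up for the example.
NOW = ssl.cert_time_to_seconds("Jun 01 10:50:40 2020 GMT")
SERVED = [
    cert("yt-dl.org", "COMODO RSA Domain Validation Secure Server CA",
         "Jan 01 00:00:00 2021 GMT"),
    cert("COMODO RSA Domain Validation Secure Server CA",
         "COMODO RSA Certification Authority", "Jan 01 00:00:00 2029 GMT"),
    cert("COMODO RSA Certification Authority", "AddTrust External CA Root",
         "May 30 00:00:00 2020 GMT"),
]
# Assumption: the client's trust store holds a self-signed root of this name.
MODERN_STORE = {"COMODO RSA Certification Authority"}

if __name__ == "__main__":
    print(audit_served_chain(SERVED, MODERN_STORE, NOW))      # chain as sent
    print(audit_served_chain(SERVED[:2], MODERN_STORE, NOW))  # stale cert dropped
```

A `stale-extra-cert` verdict points at the server's chain file rather than at client CA bundles: dropping the trailing certificate turns the result into `ok` without touching any client.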