Tiny Tiny RSS: Community

HTTP code 302: Failed to open stream


#1

Describe the problem you’re having:

Can no longer get feeds from this website: https://lsecities.net/feed/ My TT-RSS gives me this error: “60 Peer certificate cannot be authenticated with known CA certificates”. Tried myfeedsucks and the output is below (tried both http and https):

file_get_contents(http://lsecities.net/feed/): failed to open stream: operation failed
HTTP code: 302
Used curl: NO
Content type: 

I searched the forum first and found this old thread, which unfortunately didn’t provide much help: https://tt-rss.org/oldforum/viewtopic.php?t=3286

tt-rss version (including git commit id):

Tiny Tiny RSS v17.4 (22adcd7)

Platform (i.e. Linux distro, PHP, PostgreSQL, etc) versions:

OpenShift platform, Cron 1.4, PHP 5.4, MySQL 5.5


#2
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.lsecities.net
   i:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
 1 s:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

i’ve never even heard of any of those certificate authorities before. most likely their root certificates are missing on openshift which is why connection fails. fwiw it doesn’t work on debian either.

SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed at /usr/share/perl5/LWP/Protocol/http.pm line 47.

i have no idea about openshift but on normal linux you can add certificates to local trust store manually. exact method depends on the distro.

e: also, i’d like to note that your problem has nothing to do with tt-rss per se.
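Added example, not part of any post in this thread: a short Python check that parses the `Certificate chain` output from reply #2, confirms each certificate's issuer is the next certificate's subject, and reports which root the client's trust store has to contain for verification to succeed. The function names are this example's own, and the local-store lookup compares the CN only and sees only CAs loaded from a bundle file, not ones kept in a hashed capath directory.

```python
import re
import ssl
# Chain copied from the openssl output in reply #2 of this thread.
CHAIN_TEXT = """\
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.lsecities.net
   i:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
 1 s:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
"""

def parse_chain(text):
    """Return [(depth, subject_dn, issuer_dn), ...] from s_client chain output."""
    chain, pending = [], None
    for line in text.splitlines():
        subj = re.match(r"\s*(\d+)\s+s:(.+)", line)
        issu = re.match(r"\s*i:(.+)", line)
        if subj:
            pending = (int(subj.group(1)), subj.group(2).strip())
        elif issu and pending:
            chain.append((*pending, issu.group(1).strip()))
            pending = None
    return chain

def common_name(dn):
    """Extract the CN from an OpenSSL slash-separated one-line DN."""
    m = re.search(r"/CN=([^/]+)", dn)
    return m.group(1) if m else None

def broken_links(chain):
    """Depths whose issuer is not the subject of the next certificate sent."""
    return [d for (d, _, iss), (_, nxt, _) in zip(chain, chain[1:]) if iss != nxt]

def required_anchor(chain):
    """DN the client must already trust: issuer of the last certificate sent."""
    return chain[-1][2]

def anchor_in_local_store(anchor_dn):
    """True if a CA with this CN is loaded from the default trust store."""
    want = common_name(anchor_dn)
    cas = ssl.create_default_context().get_ca_certs()
    return any(("commonName", want) in rdn for ca in cas for rdn in ca.get("subject", ()))

if __name__ == "__main__":
    chain = parse_chain(CHAIN_TEXT)
    anchor = required_anchor(chain)
    print(broken_links(chain), common_name(anchor), anchor_in_local_store(anchor))
```

An empty list from `broken_links` means the server sent a consistent chain, so a verification failure then comes down to whether the reported root is present in the client's store.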


#3

The weird thing is that if I check https://lsecities.net/ in Chrome it works fine, and reports a certificate from LetsEncrypt. If I use curl or wget it fails complaining about that wildcard *.lsecities.net certificate from gandi.net. And ‘openssl s_client’ also reports that wildcard certificate, but verifies it without problems.

But, yes, this is something to do with certificate(s) from that site, not a tt-rss problem. At closest it’s some CA cert not being in your OS bundle.


#4

Thanks both for prompt and detailed replies. I’ll contact OpenShift guys for how best to add this certificate to my OS.