Skip to content

plugins.nowtvtr: remove plugin #6488

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 30, 2025
Merged

plugins.nowtvtr: remove plugin #6488

merged 1 commit into from
Mar 30, 2025

Conversation

bastimeyer
Copy link
Member

@bastimeyer bastimeyer commented Mar 30, 2025
edited
Loading

Ref #6486

The plugin requires a minor change and could be fixed easily. However, the site's using an invalid TLS certificate which can't be validated. They also don't accept TLS 1.3.

Neither my system's CA cert store, nor certifi can validate it. No issue in Chromium or Firefox because they embed their own CA cert stores.

$ streamlink https://www.nowtv.com.tr/canli-yayin
[cli][info] Found matching plugin nowtvtr for URL https://www.nowtv.com.tr/canli-yayin
error: Unable to open URL: https://www.nowtv.com.tr/canli-yayin (HTTPSConnectionPool(host='www.nowtv.com.tr', port=443): Max retries exceeded with url: /canli-yayin (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1028)'))))

$ streamlink https://www.nowtv.com.tr/canli-yayin --http-ssl-cert $(python -c 'import certifi;print(certifi.where())')
[cli][info] Found matching plugin nowtvtr for URL https://www.nowtv.com.tr/canli-yayin
error: Unable to open URL: https://www.nowtv.com.tr/canli-yayin (HTTPSConnectionPool(host='www.nowtv.com.tr', port=443): Max retries exceeded with url: /canli-yayin (Caused by SSLError(SSLError(524297, '[SSL] PEM lib (_ssl.c:4107)'))))

$ SSL_CERT_FILE=$(python -c 'import certifi;print(certifi.where())') streamlink https://www.nowtv.com.tr/canli-yayin
[cli][info] Found matching plugin nowtvtr for URL https://www.nowtv.com.tr/canli-yayin
error: Unable to open URL: https://www.nowtv.com.tr/canli-yayin (HTTPSConnectionPool(host='www.nowtv.com.tr', port=443): Max retries exceeded with url: /canli-yayin (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1028)'))))

Apparently Python 3.13 doesn't support SSL_CERT_FILE anymore, and the cert file needs to be set on the SSL context object directly. This also didn't work...
https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_verify_locations

diff --git a/src/streamlink/plugins/nowtvtr.py b/src/streamlink/plugins/nowtvtr.py
index 167c708d..69d36831 100644
--- a/src/streamlink/plugins/nowtvtr.py
+++ b/src/streamlink/plugins/nowtvtr.py
@@ -8,6 +8,7 @@ import re
 
 from streamlink.plugin import Plugin, pluginmatcher
 from streamlink.plugin.api import validate
+from streamlink.session.http import SSLContextAdapter
 from streamlink.stream.hls import HLSStream
 
 
@@ -15,6 +16,15 @@ from streamlink.stream.hls import HLSStream
     re.compile(r"https?://(?:www\.)?nowtv\.com\.tr/"),
 )
 class NowTVTR(Plugin):
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        adapter = SSLContextAdapter()
+        context = adapter.get_ssl_context()
+        import certifi
+        path = certifi.where()
+        context.load_verify_locations(path)
+        self.session.http.mount("https://", adapter)
+
     def _get_streams(self):
         stream_url = self.session.http.get(
             self.url,
$ curl -vI https://www.nowtv.com.tr/canli-yayin
* Host www.nowtv.com.tr:443 was resolved.
* IPv6: (none)
* IPv4: 176.235.92.171
*   Trying 176.235.92.171:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* closing connection #0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

$ SSL_CERT_FILE=$(python -c 'import certifi;print(certifi.where())') curl -vI https://www.nowtv.com.tr/canli-yayin
* Host www.nowtv.com.tr:443 was resolved.
* IPv6: (none)
* IPv4: 176.235.92.171
*   Trying 176.235.92.171:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /home/basti/venv/streamlink-313/lib/python3.13/site-packages/certifi/cacert.pem
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* closing connection #0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

$ echo | openssl s_client -showcerts -connect www.nowtv.com.tr:443
Connecting to 176.235.92.171
CONNECTED(00000003)
depth=0 CN=www.nowtv.com.tr
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=www.nowtv.com.tr
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=www.nowtv.com.tr
verify return:1
---
Certificate chain
 0 s:CN=www.nowtv.com.tr
   i:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust TLS RSA CA G1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan  9 00:00:00 2025 GMT; NotAfter: Jan 11 23:59:59 2026 GMT
-----BEGIN CERTIFICATE-----
MIIGMDCCBRigAwIBAgIQDWBZuyzjdZ7ZzPHyj6fWyTANBgkqhkiG9w0BAQsFADBg
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMR8wHQYDVQQDExZHZW9UcnVzdCBUTFMgUlNBIENBIEcx
MB4XDTI1MDEwOTAwMDAwMFoXDTI2MDExMTIzNTk1OVowGzEZMBcGA1UEAxMQd3d3
Lm5vd3R2LmNvbS50cjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANN3
nvdVh06TlEJEZnB8Kc+1LwuDxAsbSxxs2gGBDQOLUolCgAawy9/7m65RzuJ+3pOI
S7mQIKV2XQbLq8IIN2aZReQF7Akq5z/VO5dyS+85c/jD3mg5SAECUouAxXO/3lZB
0GZ/LzjgDHZdT/WGB7eN65BcT5SIPaNgICXN7OaFW0Ck5M+l+nU/Lx2GAtRHW00Y
O2dmirjc1lUSqzUzt8+DMOBSbE+GmmuJC+0HkJDDgm0x931Eelk/5DLHplVdau2m
FlLTOc/jaGOG0RThOY3+KP0PC1YBHNRwILvXsZmTfSGqMVtBDN1BIQOxgrgBtMG2
pBP2tfrabVVP445WD6UCAwEAAaOCAykwggMlMB8GA1UdIwQYMBaAFJRP1F2L5KTi
poD+/dj5AO+jvgJXMB0GA1UdDgQWBBRFSFJMhqS2cShS7r6DWS9qQ/eJCTApBgNV
HREEIjAgghB3d3cubm93dHYuY29tLnRyggxub3d0di5jb20udHIwPgYDVR0gBDcw
NTAzBgZngQwBAgEwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2VydC5j
b20vQ1BTMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwPwYDVR0fBDgwNjA0oDKgMIYuaHR0cDovL2NkcC5nZW90cnVzdC5jb20v
R2VvVHJ1c3RUTFNSU0FDQUcxLmNybDB2BggrBgEFBQcBAQRqMGgwJgYIKwYBBQUH
MAGGGmh0dHA6Ly9zdGF0dXMuZ2VvdHJ1c3QuY29tMD4GCCsGAQUFBzAChjJodHRw
Oi8vY2FjZXJ0cy5nZW90cnVzdC5jb20vR2VvVHJ1c3RUTFNSU0FDQUcxLmNydDAM
BgNVHRMBAf8EAjAAMIIBgAYKKwYBBAHWeQIEAgSCAXAEggFsAWoAdwCWl2S/VViX
rfdDh2g3CEJ36fA61fak8zZuRqQ/D8qpxgAAAZRKj1LoAAAEAwBIMEYCIQDbjaF8
8VYyuR0VAT4lRvXtzCHWXZWqueAUdzc6jx3eiwIhAPLFA/Uy5iXsn/NduBKMahC5
wHHZBllNK4umTRQa2N6/AHYAZBHEbKQS7KeJHKICLgC8q08oB9QeNSer6v7VA8l9
zfAAAAGUSo9SvAAABAMARzBFAiEAwMj+JihkfVxP+oagorujxEeTnGSsXtdH3qQp
BzFn2EcCIDoUKrpkb+smOtJizk4LEtlICKlVY+NzGY7U1ZbzYnpfAHcASZybad4d
fOz8Nt7Nh2SmuFuvCoeAGdFVUvvp6ynd+MMAAAGUSo9SzgAABAMASDBGAiEA4j+d
OvWTIXBJoKnlBqABraXM/uKLyCOl7Dh6IgxhXVYCIQCAian43lEK7Sh3KYIhnZzu
tMKy5WxUeC4pcPMZIDR5NDANBgkqhkiG9w0BAQsFAAOCAQEAcH4zWcfTlqJag28o
ScjpgCmajSHmEPsqJVj3TVQTAVBCJYrk0/uCnuWQPNubCDPNgZhW251V8Hsr+XA+
0+uAzXZcYTEL2f8qAXaNiJP12MOrDZSnd0J+d30MZ3AH9ckDUYbV4XP2knT6GgIz
/LiZslucyg/SrR/VcyIiCBq+tW/kOl6JeiStAvOCYKPBYJ7xFwTk4vWi1jYiZvFp
ojFOw144zfkxnzCAr1QJP2O0PWBCKX/A1Zuiufsu4bzMDlouzDOYVHLLqpmL3ntk
05Jwc0WBtO3ZIy+HKAwMNrQJ98mdZqCGBNhbMtPEwbDrjHweskFmfU4RXSl+WYi0
Od5NgA==
-----END CERTIFICATE-----
---
Server certificate
subject=CN=www.nowtv.com.tr
issuer=C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust TLS RSA CA G1
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2087 bytes and written 453 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Protocol: TLSv1.2
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 3476C6BA5B027C8D2B344E8766D0D5CB28367A3814C94A1AE6ACD4CA71E02FA7
    Session-ID-ctx: 
    Master-Key: CCC33F1F74C01EADC7C0F8606AA72DD22515F1273D69581F19F6792FE512596A6E6FBE50D18A8BF0A7F4E89C53F0EE2E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1743334391
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
---
DONE

@bastimeyer bastimeyer merged commit 178d0db into streamlink:master Mar 30, 2025
23 checks passed
@bastimeyer bastimeyer deleted the plugins/nowtvtr/remove branch March 30, 2025 11:42
@dmrcghn
Copy link

dmrcghn commented Jun 15, 2025

@bastimeyer Is this site still serving an invalid TLS certificate for you?

@bastimeyer bastimeyer mentioned this pull request Jun 15, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
plugin removal
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@bastimeyer @dmrcghn