Telegram notification test: error setting certificate verify locations:\n CAfile: /etc/pki/tls/certs/ca-bundle.crt
I'm running Motioneye inside a docker container, brand new deployment and when trying to configure a Telegram notification I set the API token and recipient and when I hit the "Test" button I get the following error:
This is the error inside the container:
INFO: no files
ERROR: telegram notification test failed: (77, 'error setting certificate verify locations:\n CAfile: /etc/pki/tls/certs/ca-bundle.crt\n CApath: none')
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/motioneye/handlers/config.py", line 730, in test
sendtelegram.send_message(
File "/usr/local/lib/python3.11/dist-packages/motioneye/sendtelegram.py", line 41, in send_message
c.perform()
pycurl.error: (77, 'error setting certificate verify locations:\n CAfile: /etc/pki/tls/certs/ca-bundle.crt\n CApath: none')
Looks like the path doesn't exist in the container:
root@1586d314a079:/# ls -l /etc/pki
ls: cannot access '/etc/pki': No such file or directory
root@1586d314a079:/#
Same here (clean install) on a Pi with Debian GNU/Linux 12 (bookworm)
motionEye Version | 0.43.1b1
Motion Version | 4.6.0
Looks like the default path has been changed?
I created the folder/path /etc/pki/tls/certs and copied the ca-certificate.crt from /etc/ssl/certs/ca-certificates.crt and renamed it to ca-bundle.crt.
That helped for me as a workaround.
Yeah, copying /etc/ssl/certs/ca-certificates.crt to /etc/pki/tls/certs/ca-bundle.crt solved it for me.
I wonder if this is the cause: https://github.com/pycurl/pycurl/issues/834
I've got this issue too; manually copying the file over and changing its name to ca-bundle.crt didn't work. Edit: never mind, I realised I named the file correctly but accidentally put it inside a folder of the same name. Taking it out and putting it where it should be fixed it.
Jep. This is the pycurl bug @zagrim linked. We do not define the CA cert path; it is (falsely) auto-detected by pycurl.
To verify and work around it for now:
sudo python3 -m pip install pycurl==7.45.2
Creating the symlink works as well, of course, but I am no fan of telling others to create new files/symlinks and dirs as a workaround, which will be forgotten and rot on the filesystem forever 😉.
I ended up having the same issue. I looked for the file needed. It looks like the location/path of the actual file existing on the system differs from the path provided. Unfortunately there is no crontab available, so I was not able to fix this, and every time you start the container you need to do so manually. Fix: if we give a symlink for /etc/ssl/certs/ca-certificates.crt at /etc/pki/tls/certs/ca-bundle.crt then that should probably fix this issue. Keeping certificates at a redundant location is not my preference tbh, hence the symlink. The other option is that the author who creates the container can fix the path in the Dockerfile, if this is something updated by the SSL packages' certs for their default paths.
Could you add exporting a proxy for Telegram notifications?
Hi everyone, has anyone found a "final" solution to that?
Yes, please check above threads/messages. Probably you missed some of them. In short copy or create shortcut. More details above.
Ok, but when I update the image and restart the container I have to re-apply the change 😑
yes, always.
I solved in this way:
volumes:
- /etc/localtime:/etc/localtime:ro
- /etc/ssl/certs/ca-certificates.crt:/etc/pki/tls/certs/ca-bundle.crt:ro
Bye
My fix looks like this, which takes care of copying the cert every time. I add/mount a custom entrypoint.sh script in the volumes section of the docker compose file.
volumes:
- ./scripts/certfix2.sh:/entrypoint.sh #certificate fix path
and my certfix2.sh file inside script directory looks like
#!/bin/bash
# Certificate fix: put the Debian CA bundle at the path pycurl expects.
if [ "$HOSTNAME" = motioneye ]; then
    printf '\n%s\n\n%s\n\n' "On the right host." "Executing scripts to fix certificate error for telegram bot notifications integration. "
    mkdir -p /etc/pki/tls/certs && cp /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt
    printf '\n\n%s\n' "Scripts Execution Completed! Telegram notifications should work now. Go Test it! "
else
    printf '\n%s\n%s\n' "Uh-oh, not on motioneye. " "Cannot execute this command as it was designed for motioneye docker container for its certificate fix and not to be run on other systems or host system."
fi
# We need to chown at startup time since volumes are mounted as root. This is fugly.
mkdir -p /run/motioneye
chown motion:motion /run/motioneye
[ -f '/etc/motioneye/motioneye.conf' ] || cp -a /etc/motioneye.conf.sample /etc/motioneye/motioneye.conf
exec su -g motion motion -s /bin/dash -c "LANGUAGE=en exec /usr/local/bin/meyectl startserver -c /etc/motioneye/motioneye.conf "
# mkdir -p /etc/pki/tls/certs && cp /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt
Note/Explanation: The latter part mentioning chown is default code. I simply added the if part at the start. It checks for the hostname to be motioneye (that is how I have it set up at my place; you can remove this and simply keep the mkdir and copy commands there), then it creates the directory if not already present, ignores it if already present, and copies the files.
Rest of the things can be adjusted as per your need.
TLDR : You need to add mkdir and cp commands.
All of this unless maintainer themselves add the fix or pycurl fixes it from their side. So welcome to pointing the finger part of open source.
Good luck.
Looking back at the pycurl issue, it seems that it got resolved at the end of last year, and the fix should have been included in 7.45.4 of pycurl.
This should now be resolved with the 7.45.4 wheels. There is now runtime autodetection of the CA bundle path.
So, in case there are no dependency version conflicts that would prevent that and that version is available for you, a possible workaround (inverting the idea of pycurl downgrade MichaIng mentioned earlier) might be to upgrade pycurl to version 7.45.4.
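A check for the failure modes reported in this thread, to run inside the container before retesting the notification. This is an added example, not code from motionEye or pycurl; the function name `ca_bundle_status` and its status strings are made up here, and the two paths are the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): classify a CA bundle path the way
# libcurl needs it, i.e. a readable regular file holding PEM certificates.
# ca_bundle_status and its status strings are hypothetical names.

ca_bundle_status() {
    path=$1
    if [ -L "$path" ] && [ ! -e "$path" ]; then
        # Symlink workaround whose target is absent in this image.
        echo "dangling-symlink"; return 1
    fi
    if [ ! -e "$path" ]; then
        echo "missing"; return 1
    fi
    if [ -d "$path" ]; then
        # The file was placed inside a folder of the same name, or a
        # short-syntax bind mount pointed at a host file that does not
        # exist, in which case Docker creates a directory instead.
        echo "directory"; return 1
    fi
    if [ ! -r "$path" ]; then
        # The server runs as user "motion"; a root-only copy fails here.
        echo "unreadable"; return 1
    fi
    # grep -c exits non-zero on zero matches but still prints the count.
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$path" || true)
    if [ "${count:-0}" -eq 0 ]; then
        echo "no-pem-certificates"; return 1
    fi
    echo "ok:$count"
}

# The path from the pycurl error and the Debian bundle it should mirror.
for p in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
    printf '%s: %s\n' "$p" "$(ca_bundle_status "$p" || true)"
done
```

Run it as the user the server runs as, since a bundle readable only by root passes the check for root but still fails for the application.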