
Sonos Error - GetPicture called for Zone - CERTIFICATE_VERIFY_FAILED - Pandora


    Hello,

    When using Pandora, the album art isn't showing and I'm getting the following error. Maybe 10% of the time the error doesn't happen and the album art is displayed. Sonos controllers show the album art 100% of the time. Apple Music doesn't have this issue either. Please help!!!

    Sonos Error GetPicture called for Zone - Dallas’ Office url= https://mediaserver-cont-dc6-2-v4v6...._500W_500H.jpg caused error: Error: TrustFailure (Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED at /tmp/buildd/mono-5.0.1.1/external/boringssl/ssl/handshake_client.c:1132)

    Current Date/Time: 4/30/2019 2:00:37 PM
    HomeSeer Version: HS3 Standard Edition 3.0.0.531
    Linux version: Linux hometrollerSEL 3.16.0-031600-generic #201408031935 SMP Sun Aug 3 23:56:17 UTC 2014 i686 i686 i686 GNU/Linux System Uptime: 0 Days 1 Hour 41 Minutes 35 Seconds
    IP Address: 10.6.1.4
    Number of Devices: 390
    Number of Events: 219
    Available Threads: 199
    HSTouch Enabled: True
    Event Threads: 0
    Event Trigger Eval Queue: 0
    Event Trigger Priority Eval Queue: 0
    Device Exec Queue: 0
    HSTouch Event Queue: 0
    Email Send Queue: 0

    Enabled Plug-Ins
    1.28.0.0: Big5
    1.2019.211.1740: MyQ
    3.0.0.31: Nest
    3.1.0.28: Sonos
    3.0.1.252: Z-Wave

    Thanks,

    Dallas

    #2
    I would have absolutely no idea where to start and why there is an error referring to OpenSSL. Is there anything special about this setup, i.e. VMs, remotely run or anything that smells "SSL-ish"? I see also references to MONO, perhaps an issue with the version of Mono you are using?
    I do see that the URL that was provided by Sonos to the PI is HTTPS based, so the only thing the PI can do is use it, but if that causes intermittent authentication issues, not sure how I can even work around those. Think of it this way: Sonos is the only party that is in a relationship with the music provider, in this case Pandora. The PI has a relationship with the Sonos player but not with Pandora. Album art, in most cases (in the past) was provided by Sonos as a resource to retrieve from Sonos but over the years, a lot of the art gets retrieved straight from the music service so Sonos provides a URL and that's it.
    Dirk

    Comment


      #3
      No VMs, or anything special. It seems to have started to happen ever since I upgraded to 3.0.0.531. I should have known better...everything was working just fine before...and no, I don't have a backup.

      If you click on the link, there is no cert issue. It seems like the PI thinks there is. Is there a way to update the certs? How do I update the MONO version and what should I be running?

      I would assume it is failing because of something at this location...CERTIFICATE_VERIFY_FAILED at /tmp/buildd/mono-5.0.1.1/external/boringssl/ssl/handshake_client.c:1132. Would I be correct in thinking it is validating the cert to this file on the PI? I have not changed anything that didn't come with this PI.

      Dallas

      Comment


        #4
        This is where someone with Linux experience needs to chime in. The Pi just uses standard (.NET) functions to do an HTTPS get, I doubt this is an HS issue, would suspect .NET->MONO or just a real certification issue but then I would expect to see it fail all the time, unless some art requires just simple HTTP instead of HTTPS. If you turn the PI's debug flag on and you filter on GetPicture, you should see which URLs work and which don't.

        Comment


          #5
          Filtered, all are HTTPS and they all work when I click on them. Hopefully someone can help me on how to upgrade the MONO, or figure out why this started happening. I understand it probably isn't an HS issue, but I have to think it corrupted it somehow with the upgrade.

          Comment


            #6
            Hi Dirk,

            I found the problem and thought I would update you, since you may see it from other Sonos/Pandora users. Pandora is signed by Digicert and there is a bug with Ubuntu.

            Ubuntu - ca-certificates package - Digicert certificate is not included.

            The "DigiCert SHA2 Secure Server" certificate is missing, which means that the system does not trust web sites that are using SSL certificates signed by that root. An example is a popular website in the Netherlands https://marktplaats.nl. The result is that no resources other than the text-only homepage are loaded.

            Installing the Digicert root certificate manually from Digicert solves the problem:

            https://bugs.launchpad.net/ubuntu/+s...s/+bug/1795242

            I installed the Digicert root certificate manually and it resolved the issue.

            Thanks,

            Dallas

            Comment


              #7
              Update!!!

              I'm still having the same problem, however not as bad. I'm wondering if it could have something to do with the plugin. Here is why. Within homeseer, I'm getting the following error...
              Sonos Error GetPicture called for Zone - Dallas’ Office url= https://mediaserver-cont-ch1-1-v4v6...._500W_500H.jpg caused error: Error: TrustFailure (Authentication failed, see inner exception.)
              However, when I check it from the terminal it works...

              homeseer@hometrollerSEL:~$ curl -v https://mediaserver-cont-ch1-1-v4v6...._500W_500H.jpg
              * Hostname was NOT found in DNS cache
              * Trying 208.85.44.31...
              * Connected to mediaserver-cont-ch1-1-v4v6.pandora.com (208.85.44.31) port 443 (#0)
              * successfully set certificate verify locations:
              * CAfile: none
              CApath: /etc/ssl/certs
              * SSLv3, TLS handshake, Client hello (1):
              * SSLv3, TLS handshake, Server hello (2):
              * SSLv3, TLS handshake, CERT (11):
              * SSLv3, TLS handshake, Server key exchange (12):
              * SSLv3, TLS handshake, Server finished (14):
              * SSLv3, TLS handshake, Client key exchange (16):
              * SSLv3, TLS change cipher, Client hello (1):
              * SSLv3, TLS handshake, Finished (20):
              * SSLv3, TLS change cipher, Client hello (1):
              * SSLv3, TLS handshake, Finished (20):
              * SSL connection using ECDHE-RSA-AES128-GCM-SHA256
              * Server certificate:
              * subject: C=US; ST=California; L=Oakland; O=Pandora Media, Inc.; OU=operations; CN=*.pandora.com
              * start date: 2019-03-14 00:00:00 GMT
              * expire date: 2021-06-12 12:00:00 GMT
              * subjectAltName: mediaserver-cont-ch1-1-v4v6.pandora.com matched
              * issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust TLS RSA CA G1
              * SSL certificate verify ok.
              > GET /images/public/int/0/2/4/9/075992659420_500W_500H.jpg HTTP/1.1
              > User-Agent: curl/7.35.0
              > Host: mediaserver-cont-ch1-1-v4v6.pandora.com
              > Accept: */*
              >
              < HTTP/1.1 200 OK
              < Date: Thu, 02 May 2019 17:16:13 GMT
              * Server Apache is not blacklisted
              < Server: Apache
              < Last-Modified: Sat, 07 Jul 2018 04:38:17 GMT
              < ETag: "10988-57061595e48f3"
              < Accept-Ranges: bytes
              < Content-Length: 67976
              < Connection: close
              < Content-Type: image/jpeg

              Any suggestions?

              Thanks,

              Dallas


              Comment


                #8
                Originally posted by dalwilli
                Update!!!

                I'm still having the same problem, however not as bad. I'm wondering if it could have something to do with the plugin. Here is why. Within homeseer, I'm getting the following error...
                Sonos Error GetPicture called for Zone - Dallas’ Office url= https://mediaserver-cont-ch1-1-v4v6...._500W_500H.jpg caused error: Error: TrustFailure (Authentication failed, see inner exception.)
                However, when I check it from the terminal it works...

                homeseer@hometrollerSEL:~$ curl -v https://mediaserver-cont-ch1-1-v4v6...._500W_500H.jpg
                * Hostname was NOT found in DNS cache
                * Trying 208.85.44.31...
                * Connected to mediaserver-cont-ch1-1-v4v6.pandora.com (208.85.44.31) port 443 (#0)
                * successfully set certificate verify locations:
                * CAfile: none
                CApath: /etc/ssl/certs
                * SSLv3, TLS handshake, Client hello (1):
                * SSLv3, TLS handshake, Server hello (2):
                * SSLv3, TLS handshake, CERT (11):
                * SSLv3, TLS handshake, Server key exchange (12):
                * SSLv3, TLS handshake, Server finished (14):
                * SSLv3, TLS handshake, Client key exchange (16):
                * SSLv3, TLS change cipher, Client hello (1):
                * SSLv3, TLS handshake, Finished (20):
                * SSLv3, TLS change cipher, Client hello (1):
                * SSLv3, TLS handshake, Finished (20):
                * SSL connection using ECDHE-RSA-AES128-GCM-SHA256
                * Server certificate:
                * subject: C=US; ST=California; L=Oakland; O=Pandora Media, Inc.; OU=operations; CN=*.pandora.com
                * start date: 2019-03-14 00:00:00 GMT
                * expire date: 2021-06-12 12:00:00 GMT
                * subjectAltName: mediaserver-cont-ch1-1-v4v6.pandora.com matched
                * issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust TLS RSA CA G1
                * SSL certificate verify ok.
                > GET /images/public/int/0/2/4/9/075992659420_500W_500H.jpg HTTP/1.1
                > User-Agent: curl/7.35.0
                > Host: mediaserver-cont-ch1-1-v4v6.pandora.com
                > Accept: */*
                >
                < HTTP/1.1 200 OK
                < Date: Thu, 02 May 2019 17:16:13 GMT
                * Server Apache is not blacklisted
                < Server: Apache
                < Last-Modified: Sat, 07 Jul 2018 04:38:17 GMT
                < ETag: "10988-57061595e48f3"
                < Accept-Ranges: bytes
                < Content-Length: 67976
                < Connection: close
                < Content-Type: image/jpeg

                Any suggestions?

                Thanks,

                Dallas

                Only suggestion I have is to google MONO SSL issues and maybe upgrade to latest (official) Linux and Mono components .....

                Comment


                  #9
                  See the note at the end of the page (https://www.mono-project.com/downloa.../#download-lin) about "make sure the ca-certificates-mono package is installed."

                  Comment


                    #10
                    Mono is fully updated and I checked the ca-certificates-mono, but still having intermittent failures. Is there any way to turn off the security check within the plugin? Like I stated before, it always works when checked in Linux.

                    On a side note, I am building a new Linux server on a VM right now. I will try and test it when finished to see if I see the same problem.

                    Thanks for your help!!!

                    Dallas

                    Comment


                      #11
                      Originally posted by dalwilli
                      Mono is fully updated and I checked the ca-certificates-mono, but still having intermittent failures. Is there any way to turn off the security check within the plugin? Like I stated before, it always works when checked in Linux.

                      On a side note, I am building a new Linux server on a VM right now. I will try and test it when finished to see if I see the same problem.

                      Thanks for your help!!!

                      Dallas
                      I see two properties on the .NET WebClient component. One is UseDefaultCredentials and the other sets the credentials.
                      Is there a way for you to test something if I post a test version here?

                      Comment


                        #12
                        Sure! Just FYI...I loaded a new install on Ubuntu 18.04 and only enabled the Sonos plugin. It works perfectly. So I think my HomeTrollerSEL is screwed up somehow.

                        Comment
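
The pattern in posts #6 to #12, where curl verifies the chain against /etc/ssl/certs while the Mono-hosted plugin reports TrustFailure for the same URL, is what two trust stores with different contents look like. The following is an added example, not code from the thread or the plugin: it reproduces that split offline with constructed throwaway certificates, using two bundle files, `system.pem` and `app.pem`, as hypothetical stand-ins for the system store and the runtime's own store.

```shell
#!/usr/bin/env bash
# Added example. Every certificate and name here is constructed throwaway test
# material; system.pem / app.pem are stand-ins for two independent trust stores.
WORK=$(mktemp -d)

# Create a constructed root CA and a leaf certificate issued by it.
make_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=media.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -days 1 \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# system.pem trusts the issuing root; app.pem only trusts an unrelated root,
# like a runtime store that was never given the CA the server chains to.
make_stores() {
    cp "$WORK/root.pem" "$WORK/system.pem"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Unrelated Root CA" \
        -keyout "$WORK/other.key" -out "$WORK/app.pem" 2>/dev/null
}

# Verify the leaf with the given bundle as trust anchors: prints "ok" or "fail".
# The constructed root is in no system directory, so defaults cannot interfere.
check_against() {
    out=$(openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>&1) || true
    case "$out" in
        *": OK"*) echo ok ;;
        *) echo fail; echo "$out" >&2 ;;   # OpenSSL's reason goes to stderr
    esac
}

# The repair: give the lagging store the missing root; verification stays on.
sync_store() {
    cat "$WORK/root.pem" >> "$WORK/app.pem"
}

make_chain && make_stores
echo "system store: $(check_against "$WORK/system.pem")"
echo "app store:    $(check_against "$WORK/app.pem")"
sync_store
echo "app store after adding the root: $(check_against "$WORK/app.pem")"
```

For Mono, the counterpart of `sync_store` is importing the system bundle into Mono's own store with `cert-sync`, which is what the `ca-certificates-mono` package mentioned in post #9 does when it is installed.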
