Plugin Update Fails

I received an update notice in Octoprint saying the "Firmware Updater" plugin had an update. But the update fails each time I try to run it.

Running Octoprint 1.3.10 on Octopi 0.15.1. Ran apt-get/update and apt-get/dist-upgrade, so everything is current.

Looks like some kind of Certificate error, but is it at Github end or my Octopi?

Blockquote
Updating...
Updating, please wait.
++++++++++++++++++++++++++++++++++++++
Now updating Firmware Updater to 1.3.1
++++++++++++++++++++++++++++++++++++++
/home/pi/oprint/bin/python2 -m pip install https://github.com/OctoPrint/OctoPrint-FirmwareUpdater/archive/1.3.1.zip --no-cache-dir
Collecting https://github.com/OctoPrint/OctoPrint-FirmwareUpdater/archive/1.3.1.zip
Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)'),)': /OctoPrint/OctoPrint-FirmwareUpdater/zip/1.3.1
Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)'),)': /OctoPrint/OctoPrint-FirmwareUpdater/zip/1.3.1
Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)'),)': /OctoPrint/OctoPrint-FirmwareUpdater/zip/1.3.1
Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)'),)': /OctoPrint/OctoPrint-FirmwareUpdater/zip/1.3.1
Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)'),)': /OctoPrint/OctoPrint-FirmwareUpdater/zip/1.3.1
Exception:
Traceback (most recent call last):
File "/home/pi/oprint/local/lib/python2.7/site-packages/pip/basecommand.py", line 215, in main
status = self.run(options, args)
File "/home/pi/oprint/local/lib/python2.7/site-packages/pip/commands/install.py", line 324, in run
requirement_set.prepare_files(finder)
File "/home/pi/oprint/local/lib/python2.7/site-packages/pip/req/req_set.py", line 380, in prepare_files
ignore_dependencies=self.ignore_dependencies))
File "/home/pi/oprint/local/lib/python2.7/site-packages/pip/req/req_set.py", line 620, in _prepare_file
session=self.session, hashes=hashes)
File "/home/pi/oprint/local/lib/python2.7/site-packages/pip/download.py", line 821, in unpack_url
hashes=hashes
File "/home/pi/oprint/local/lib/python2.7/site-packages/pip/download.py", line 659, in unpack_http_url
hashes)
File "/home/pi/oprint/local/lib/python2.7/site-packages/pip/download.py", line 853, in _download_http_url
stream=True,
File "/home/pi/oprint/local/lib/python2.7/site-packages/pip/_vendor/requests/sessions.py", line 521, in get
return self.request('GET', url, **kwargs)
File "/home/pi/oprint/local/lib/python2.7/site-packages/pip/download.py", line 386, in request
return super(PipSession, self).request(method, url, *args, **kwargs)
File "/home/pi/oprint/local/lib/python2.7/site-packages/pip/_vendor/requests/sessions.py", line 508, in request
resp = self.send(prep, **send_kwargs)
File "/home/pi/oprint/local/lib/python2.7/site-packages/pip/_vendor/requests/sessions.py", line 640, in send
history = [resp for resp in gen] if allow_redirects else []
File "/home/pi/oprint/local/lib/python2.7/site-packages/pip/_vendor/requests/sessions.py", line 218, in resolve_redirects
**adapter_kwargs
File "/home/pi/oprint/local/lib/python2.7/site-packages/pip/_vendor/requests/sessions.py", line 618, in send
r = adapter.send(request, **kwargs)
File "/home/pi/oprint/local/lib/python2.7/site-packages/pip/_vendor/requests/adapters.py", line 506, in send
raise SSLError(e, request=request)
SSLError: HTTPSConnectionPool(host='codeload.github.com', port=443): Max retries exceeded with url: /OctoPrint/OctoPrint-FirmwareUpdater/zip/1.3.1 (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)'),))
You are using pip version 9.0.3, however version 19.1.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
The update did not finish successfully. Please consult octoprint.log and plugin_softwareupdate_console.log for details.

SOLVED.

The problem was a DNS-based ad-blocker running on my router. One of the blocking lists contained an entry for "codeload.github.com", so the ad-blocker was sending Octoprint's https queries for that domain to a local server (pixelserv-tls). So instead of a simple domain-not-found situation, the result was instead an invalid certificate.

Added codeload.github.com to the ad-blocker's whitelist, and then Octoprint was able to successfully install plugins again!

I've just discovered that i had the exact same issue (using Diversion on my ASUS router). I don't understand how it's possible for this URL from github to be blacklisted by lists used by Diversion ...

@SR-G
Yeah, odd that it got blocked. But not Diversion's fault.... Diversion uses commonly available third-party blocking lists, and it was one of those that blacklisted codeload.github.com.

Someone in charge of one of those lists likely saw SOMETHING that looked like adverts being loaded from a url at codeload.github.com, and decided to add it to their blacklist. The next time your install of Diversion updated its lists (typically weekly) -- it got the codeload.github.com entry.

The Diversion author DOES maintain a hard-coded whitelist for high-priority "never block these" domains, and he has added codeload.github.com to that list. If you update to the latest Diversion (v4.1.0, just released a couple days ago), the whitelisting of codeload.github.com should now be built-in. But it won't hurt to have it whitelisted in your custom list as well (I left it in mine as well).