SSL certificate problem ("too weak") after Ubuntu OS upgrade

Support for the Debian/Ubuntu package, created by JCFP.

Post by Dilligaf » October 1st, 2018, 11:41 pm

Hi all -

New here. Have been running SABnzbd for a couple of years now, but just ran into a problem.
Running 2.3.5. No problems on Ubuntu 16.04 LTS. Just upgraded to 18.04 LTS, and now the server won't start as a service or from my user CLI. With the latter, I get this (everything above this line was OK):

Code:

2018-10-01 21:23:17,469::INFO::[_cplogging:219] [01/Oct/2018:21:23:17] ENGINE Bus STARTING
2018-10-01 21:23:17,533::ERROR::[_cplogging:219] [01/Oct/2018:21:23:17] ENGINE Error in 'start' listener <bound method Server.start of <cherrypy._cpserver.Server object at 0x7f2f3f9a9690>>

(tried to include traceback error messages, but the forum thought I was trying to post a link and refused to post)

Code:

SSLError: [SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:2779)
.
.
ChannelFailures: SSLError(336245134, u'[SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:2779)')

2018-10-01 21:23:17,735::INFO::[_cplogging:219] [01/Oct/2018:21:23:17] ENGINE Bus STOPPING
2018-10-01 21:23:17,738::INFO::[_cplogging:219] [01/Oct/2018:21:23:17] ENGINE HTTP Server cherrypy._cpwsgi_server.CPWSGIServer(('0.0.0.0', 8088)) shut down
2018-10-01 21:23:17,738::INFO::[_cplogging:219] [01/Oct/2018:21:23:17] ENGINE HTTP Server None already shut down
2018-10-01 21:23:17,738::INFO::[_cplogging:219] [01/Oct/2018:21:23:17] ENGINE Bus STOPPED
2018-10-01 21:23:17,739::INFO::[_cplogging:219] [01/Oct/2018:21:23:17] ENGINE Bus EXITING
2018-10-01 21:23:17,739::INFO::[_cplogging:219] [01/Oct/2018:21:23:17] ENGINE Bus EXITED

The certs in the admin directory are 7 years old. Do I need new ones? Or do I need to tweak an OpenSSL setting?

Thanks in advance!

Post by safihre » October 2nd, 2018, 1:24 am

You can just delete the certificate files in your admin folder. Then sabnzbd will create new, stronger ones, on startup.

Post by Dilligaf » October 2nd, 2018, 3:35 am

Thanks! That did it. Running fine now. Guess I should have thought of that! Much appreciated.

Post by sander » October 2nd, 2018, 7:18 am

@Safihre:

Is it possible to create a try/except-catch for this, and give a clear warning/instruction?
And if so, is it worth it?

Post by safihre » October 2nd, 2018, 7:25 am

I tried, but because it's deep inside cherrypy it's not possible to catch without modifying cherrypy.

Post by sander » October 2nd, 2018, 8:08 am

A note / HOWTO check your certificate:

On my old Ubuntu 14.04.5:

Code:

$ openssl x509 -in ~/.sabnzbd/admin/server.cert -text -noout | grep -e Signature -e Not -e bit
    Signature Algorithm: md5WithRSAEncryption
            Not Before: Apr 21 09:50:32 2016 GMT
            Not After : Apr 19 09:50:32 2026 GMT
                Public-Key: (1024 bit)
    Signature Algorithm: md5WithRSAEncryption

I think the "md5" is the problem when upgrading to a modern Ubuntu; a new Ubuntu / openssl probably requires some sha, or even sha256.

With a more recent cert, the output is:

Code:

$ openssl x509 -in ~/.sabnzbd/admin/blabla -text -noout | grep -e "Signature Alg"  -e bit | sort -u
                Public-Key: (2048 bit)
    Signature Algorithm: sha256WithRSAEncryption

I'll check if python can do the same.
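
Added example (not part of any forum post and not SABnzbd code): the certificate check from the post above, turned into a pass/fail classifier over `openssl x509 -text -noout` output. The function name `classify_cert_text`, the verdict strings and the 2048-bit minimum are assumptions of this example; the two sample inputs are constructed from the outputs quoted in the thread.

```shell
#!/bin/sh
# Added example: pass/fail check over `openssl x509 -text -noout` output.
# Real use: openssl x509 -in ~/.sabnzbd/admin/server.cert -text -noout | classify_cert_text
MIN_RSA_BITS=2048   # assumption of this example, not a value from the thread

# Prints "<verdict> <signature algorithm> <key bits>"; returns 0 only for OK.
classify_cert_text() {
  awk -v min="$MIN_RSA_BITS" '
    # The first "Signature Algorithm:" line is the one in the signed body.
    /Signature Algorithm:/ && sig == "" { sig = $NF }
    # Handles "Public-Key: (1024 bit)" and "RSA Public-Key: (2048 bit)".
    /Public-Key:/ && match($0, /\([0-9]+ bit\)/) {
      bits = substr($0, RSTART + 1, RLENGTH - 6)
    }
    END {
      if (sig == "") { print "UNKNOWN - ?"; exit 2 }
      verdict = "OK"
      # An MD5-signed certificate is the case reported as CA_MD_TOO_WEAK.
      if (tolower(sig) ~ /^md5with/) verdict = "WEAK_DIGEST"
      # Extra hygiene check (assumption of this example): short keys.
      else if (bits != "" && bits + 0 < min) verdict = "SHORT_KEY"
      print verdict, sig, (bits == "" ? "?" : bits)
      exit (verdict == "OK" ? 0 : 1)
    }'
}

# Constructed sample inputs: the two outputs quoted in the thread.
old_cert_text() { cat <<'EOF'
    Signature Algorithm: md5WithRSAEncryption
            Not Before: Apr 21 09:50:32 2016 GMT
            Not After : Apr 19 09:50:32 2026 GMT
                Public-Key: (1024 bit)
    Signature Algorithm: md5WithRSAEncryption
EOF
}
new_cert_text() { cat <<'EOF'
                Public-Key: (2048 bit)
    Signature Algorithm: sha256WithRSAEncryption
EOF
}

old_cert_text | classify_cert_text || true   # WEAK_DIGEST md5WithRSAEncryption 1024
new_cert_text | classify_cert_text || true   # OK sha256WithRSAEncryption 2048
```

Run against the real certificate before an OS upgrade, a non-zero exit status means the file should be deleted so that a new one is generated on startup, as described earlier in the thread.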

Post by jcfp » October 3rd, 2018, 2:37 pm

sander wrote (October 2nd, 2018, 8:08 am):
> I think the "md5" is the problem

It is indeed. Support for md5 message digests was removed from openssl some time ago, because it's too weak (too easy to generate hash collisions).
