SSL certificate problem ("too weak") after Ubuntu OS upgrade

Posted: October 1st, 2018, 11:41 pm
by Dilligaf
Hi all -

New here. Have been running SABnzbd for a couple of years now, but just ran into a problem.
Running 2.3.5. No problems on Ubuntu 16.04 LTS. Just upgraded to 18.04 LTS, and now the server won't start as a service or from my user CLI. With the latter, I get this (everything above this line was OK):

Code:

2018-10-01 21:23:17,469::INFO::[_cplogging:219] [01/Oct/2018:21:23:17] ENGINE Bus STARTING
2018-10-01 21:23:17,533::ERROR::[_cplogging:219] [01/Oct/2018:21:23:17] ENGINE Error in 'start' listener <bound method Server.start of <cherrypy._cpserver.Server object at 0x7f2f3f9a9690>>

(tried to include traceback error messages, but the forum thought I was trying to post a link and refused to post)

Code:

SSLError: [SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:2779)
.
.
ChannelFailures: SSLError(336245134, u'[SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:2779)')

2018-10-01 21:23:17,735::INFO::[_cplogging:219] [01/Oct/2018:21:23:17] ENGINE Bus STOPPING
2018-10-01 21:23:17,738::INFO::[_cplogging:219] [01/Oct/2018:21:23:17] ENGINE HTTP Server cherrypy._cpwsgi_server.CPWSGIServer(('0.0.0.0', 8088)) shut down
2018-10-01 21:23:17,738::INFO::[_cplogging:219] [01/Oct/2018:21:23:17] ENGINE HTTP Server None already shut down
2018-10-01 21:23:17,738::INFO::[_cplogging:219] [01/Oct/2018:21:23:17] ENGINE Bus STOPPED
2018-10-01 21:23:17,739::INFO::[_cplogging:219] [01/Oct/2018:21:23:17] ENGINE Bus EXITING
2018-10-01 21:23:17,739::INFO::[_cplogging:219] [01/Oct/2018:21:23:17] ENGINE Bus EXITED

The certs in the admin directory are 7 years old. Do I need new ones? Or do I need to tweak an OpenSSL setting?

Thanks in advance!

Re: SSL certificate problem ("too weak") after Ubuntu OS upgrade

Posted: October 2nd, 2018, 1:24 am
by safihre
You can just delete the certificate files in your admin folder. Then sabnzbd will create new, stronger ones, on startup.

Re: SSL certificate problem ("too weak") after Ubuntu OS upgrade

Posted: October 2nd, 2018, 3:35 am
by Dilligaf
Thanks! That did it. Running fine now. Guess I should have thought of that! Much appreciated.

Re: SSL certificate problem ("too weak") after Ubuntu OS upgrade

Posted: October 2nd, 2018, 7:18 am
by sander
@Safihre:

Is it possible to create a try/except-catch for this, and give a clear warning/instruction?
And if so, is it worth it?

Re: SSL certificate problem ("too weak") after Ubuntu OS upgrade

Posted: October 2nd, 2018, 7:25 am
by safihre
I tried, but because it's deep inside cherrypy it's not possible to catch without modifying cherrypy.

Re: SSL certificate problem ("too weak") after Ubuntu OS upgrade

Posted: October 2nd, 2018, 8:08 am
by sander
A note / HOWTO check your certificate:

On my old Ubuntu 14.04.5:

Code:

$ openssl x509 -in ~/.sabnzbd/admin/server.cert -text -noout | grep -e Signature -e Not -e bit
    Signature Algorithm: md5WithRSAEncryption
            Not Before: Apr 21 09:50:32 2016 GMT
            Not After : Apr 19 09:50:32 2026 GMT
                Public-Key: (1024 bit)
    Signature Algorithm: md5WithRSAEncryption

I think the "md5" is the problem when upgrading to a modern Ubuntu; a new Ubuntu / openssl probably requires some sha, or even sha256.

With a more recent cert, the output is:

Code:

$ openssl x509 -in ~/.sabnzbd/admin/blabla -text -noout | grep -e "Signature Alg"  -e bit | sort -u
                Public-Key: (2048 bit)
    Signature Algorithm: sha256WithRSAEncryption

I'll check if python can do the same.

Re: SSL certificate problem ("too weak") after Ubuntu OS upgrade

Posted: October 3rd, 2018, 2:37 pm
by jcfp
sander wrote: October 2nd, 2018, 8:08 am
"I think the "md5" is the problem"

It is indeed. Support for md5 message digests was removed from openssl some time ago, because it's too weak (too easy to generate hash collisions).