certificate errors after switching to VPN

Post by Dewdman42 »

I'm getting certificate errors in sabnzbd, even though it seems to successfully download stuff. This started happening ever since I started using a VPN on the machine where sabnzbd is running. Any ideas what I need to do to avoid getting these errors?

Post by sander »

Too vague ... When, where, what?

Post by Dewdman42 »

Version: 2.0.0 [55c4bef]
Platform: ReadyNas 6.6.1 (debian Jessie)

When an NZB is sent to sabnzbd from sickbeard, the sabnzbd screen displays that the file has been downloaded; however, an ERROR is displayed on the sabnzbd main screen which says:
Server news.frugalusenet.com uses an untrusted certificate [_ssl.c:489: The handshake operation timed out] - https://sabnzbd.org/certificate-errors
I also notice in the configuration screen the following warning:
Warning Secure (SSL) connections from SABnzbd to newsservers and HTTPS websites will be encrypted, however, validating a server's identity using its certificates is not possible. Python 2.7.9 or above, OpenSSL 1.0.2 or above and up-to-date local CA certificates are required.
The version of python I have is 2.7.11 but the openssl I have is 1.0.1t, so maybe that is the issue, but I am not sure if I can update openssl on my readynas, since it's running debian jessie. I made an initial attempt at installing backported 1.0.2 openssl, but ran into headaches and gave up. I don't want to break my machine otherwise.

Is this the reason for the ERROR? It looks to me like the only thing that is happening is that it's not verifying the server before downloading, but it's annoying to have to clean up the error messages. Is there any way to just disable checking of the certificates? I think possibly this only started happening after I started running an openssl VPN client on the same box, so that makes me wonder if this is fixable with configuration, but I'm not sure.

Post by safihre »

Timeout in this case is not caused by the certificate validation, although the error seems to suggest that.
I am not sure why the certificate validation test is failing, but it can also be an outdated root certificate on your device.
But the download still continues fine from the server, it doesn't switch to possible backup servers? Then it could just be a timeout, nothing to worry about.
If you like our support, check our special newsserver deal or donate at: https://sabnzbd.org/donate

Post by Dewdman42 »

Well, it's working so I'm not that worried, but I'm getting tired of having to close the error messages that show up every day. If there is a way to fix something so that there are no more error messages, I would really appreciate any help with doing that.

The root certificate you mentioned, what is that, where is it and how can I update it? Would that have changed somehow when I started using the VPN client?

Post by safihre »

Yes it is possible that the VPN client changed the certificate storage of the system, by adding/replacing to the standard storage.

I wouldn't know exactly where it is located, since it is very OS dependent on Linux. But you can maybe Google or ask the ReadyNas forums?
The server is 3x OK, so its certificates are fine: https://www.appelboor.com/cgi-bin/check ... usenet.com

Post by Dewdman42 »

So you don't think I need to worry about the openssl 1.0.2 warning in sabnzbd?

The readynas forum is not likely to be able to help but I will ask. Where does sabnzbd expect the root certificates to be?

In case I can't figure that out, is it possible to configure sabnzbd to not bother checking the certificate?

I'm just running openvpn as the vpn client on this box.

Post by sander »

Hi Dewdman42,

When do you get the message "Server news.frugalusenet.com uses an untrusted certificate"? Always, so also with the VPN not active, or only if the VPN is on/activated?

The problem could be in your OS root store (first case), or the VPN could be the Man-in-the-Middle (second case).

Post by Dewdman42 »

I will have to turn off VPN and wait a while to see what happens. I am not sure exactly when the message happens, I presume when sabnzbd first gets the nzb request from sickbeard and attempts to connect to my usenet provider.

Can you explain a little bit more about the OS root store you mentioned?

Post by Dewdman42 »

I will say this for now... if I go into sabnzbd server config and "test server", then it works with my VPN client turned off. If I am running the VPN client then "test server" returns an error after trying for a while.

Post by sander »

Dewdman42 wrote:
I will say this for now... if I go into sabnzbd server config and "test server", then it works with my VPN client turned off. If I am running the VPN client then "test server" returns an error after trying for a while.

Bingo! That means your VPN is the cause, and maybe the Man in the Middle. The SSL warning is exactly against Man in the Middle problems: SSL/TLS is there to guarantee that
1) you're talking to the host you think you're talking to
2) someone in between cannot eavesdrop on what you're communicating.

So .. the VPN breaks 1 and/or 2, and SAB/Python is warning about that.

Which VPN-service do you use?

Post by Dewdman42 »

I'm using IPVanish as a service... but I'm not using their client, I'm just using openvpn as the client on my side.

Post by sander »

IPVanish ... they have no free test-account, so I can't test that for you.

This is a long shot, but let's try it:

With the VPN off, execute this command on your ReadyNas:

Code: Select all

echo "\n" | openssl s_client  -connect news.frugalusenet.com:nntps  | head -10

and post the output here.

Do the same with the VPN on.

Here's the output on my Ubuntu 17.04:

Code: Select all

sander@Stream-13:~$ echo "\n" | openssl s_client  -connect news.frugalusenet.com:nntps  | head -10
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = GeoTrust SSL CA - G3
verify return:1
depth=0 C = US, ST = Maine, L = Alfred, O = BITS TO BYTES COMPUTING, CN = usnews.blocknews.net
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=Maine/L=Alfred/O=BITS TO BYTES COMPUTING/CN=usnews.blocknews.net
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----

If you see different results in the certificate chain, we have something interesting.
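
The comparison asked for in the post above, as an added example that is not part of the original thread: a shell helper that pulls the "Certificate chain" section out of two saved `openssl s_client` captures (VPN off, VPN on) and reports whether they match. The function names, file names and the sample data in `demo` are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Capture the handshake twice, based on
# the command in the post (stderr included), then compare the chains:
#   echo | openssl s_client -connect news.frugalusenet.com:nntps > vpn-off.txt 2>&1
#   echo | openssl s_client -connect news.frugalusenet.com:nntps > vpn-on.txt 2>&1
#   compare_chains vpn-off.txt vpn-on.txt

# Print the subject/issuer lines of the "Certificate chain" section of
# saved s_client output read from stdin.
chain_of() {
    awk '/^Certificate chain/  { in_chain = 1; next }
         in_chain && /^---/    { exit }
         in_chain              { sub(/^[ \t]+/, ""); print }'
}

# compare_chains FILE_VPN_OFF FILE_VPN_ON
# Returns 0 if both captures show the same chain, 1 if they differ,
# 2 if a capture has no chain at all (handshake never completed).
compare_chains() {
    off=$(chain_of < "$1")
    on=$(chain_of < "$2")
    if [ -z "$off" ] || [ -z "$on" ]; then
        echo "no certificate chain in at least one capture (handshake failed or timed out)"
        return 2
    fi
    if [ "$off" = "$on" ]; then
        echo "same certificate chain with VPN off and on"
        return 0
    fi
    echo "certificate chain differs:"
    printf '%s\n' "$off" | sed 's/^/  vpn off: /'
    printf '%s\n' "$on"  | sed 's/^/  vpn on:  /'
    return 1
}

# Constructed sample: the leaf entry from the post versus a capture where
# the TCP connection opened but no certificate ever arrived.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'CONNECTED(00000003)' '---' 'Certificate chain' \
        ' 0 s:/C=US/ST=Maine/L=Alfred/O=BITS TO BYTES COMPUTING/CN=usnews.blocknews.net' \
        '   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3' '---' > "$d/off.txt"
    printf '%s\n' 'CONNECTED(00000003)' > "$d/on.txt"
    compare_chains "$d/off.txt" "$d/on.txt"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || echo "demo exit status: $?"
```

Exit status 2 separates a handshake that never delivered a certificate from status 1, where a certificate arrived but its chain is not the one seen without the VPN.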

Post by Dewdman42 »

Well... I updated the firmware on my readynas, hoping that would update openssl. It did not. That also installed an older version of python into /usr/bin which messed up things. I have 2.7.11 installed under /usr/local/bin and somehow that was working before with that version of python, but after the firmware update it didn't work anymore.

When I upgraded that /usr/bin/python to 2.7.9, the problem seems to have gone away with or without the VPN. It's all kind of confusing, I have no idea why it's fixed now since it didn't work before with 2.7.11 either.

It's remotely possible that openvpn needs to be started before starting sabnzbd, so I'm not sure what happens on the next reboot...

I'm curious about your test so I will try that in a bit..

Post by sander »

Dewdman42 wrote:
I'm curious about your test so I will try that in a bit..

I'm curious too ... so did you do the openssl-cli-test?