Server xxxx.xxxxxxxx.xx uses an untrusted certificate

[MacLeod]

Hi,

Hope that someone still reads this post. Have updated to version 1.2.0 on my Synology NAS
I also receive the: Server xxxx.xxxxxxxx.xx uses an untrusted certificate [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)] error

However I cannot find the option to disable https verification.

Hope someone can help me with this.

Best regards,

MacLeod

[sander]

Have updated to version 1.2.0 on my Synology NAS
I also receive the: Server xxxx.xxxxxxxx.xx uses an untrusted certificate [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)] error

On the xxx ... that is the name of the newsserver, right? Not a webserver?

Why did you leave out the server name? Now we can't determine if the problem is on the server side, or on your Synology NAS

[safihre]

Click 'Advanced' in the Servers settings to see the Certificate Validation settings.

But indeed, which server is it? We need to name-and-shame them

[MacLeod]

Hi Sander,

You are correct, the xxx is the name of the news server. I have already contacted my (news) provider, and they use a self signed certificate.

[sander]

Hi Sander,

You are correct, the xxx is the name of the news server. I have already contacted my (news) provider, and they use a self signed certificate.

- Still no server name? Is it a secret server? I have compiled a list of good and bad newsserver (see https://github.com/sabnzbd/sabnzbd/issu ... -246098127) ... and each new newsserver is welcome
- is your news provider going to get a real certificate? That's the idea of SSL/TLS: the right security.
- with a self-signed certificate you don't know if the connection is secure. So, apart from what Safihre said, you can also use a plain NNTP connection.

[MacLeod]

Hi Sander,

No it's not a secret ;-) news.tweak.nl and news.tweakdsl.nl
My provider (they provide both my internet and news) state that because the servers are only available in their own network, a self-signed cert should be sufficient.

I use these servers for almost a decade now. Haven't had any problems connecting in the past that I know of. Has there been in change in sabnzbd that causes the connection to fail?

I prefer to encrypt my connection to the provider (for both security and privacy reasons), that's why I enabled SSL.

[MacLeod]

Click 'Advanced' in the Servers settings to see the Certificate Validation settings.

But indeed, which server is it? We need to name-and-shame them

This did the trick, and as you can see in my previous post, I have made the naming and shaming possible!

Thanks guys for your assistance!

[sander]

No it's not a secret ;-) news.tweak.nl and news.tweakdsl.nl

news.tweaknews.nl is also is also unsecure as in self-signed. Is that the same company?

My provider (they provide both my internet and news) state that because the servers are only available in their own network, a self-signed cert should be sufficient.

Because there is only 100 km between you and the newsserver, including routers, switches and intercept hardware, so who possibly could listen to your traffic, check what you're downloading, harvest your newsserver password and be a man-in-the-middle ...

I use these servers for almost a decade now. Haven't had any problems connecting in the past that I know of. Has there been in change in sabnzbd that causes the connection to fail?

Because of the all hacks and eavesdroppers, security is getting more and more strict. Google Chrome is moving towards "everything encrypted", refusing insecure HTTPS connections, warning you when you fill out passwors over a non-secure connection. SABnzbd and Python (on which it's built) are going that way too. And you selected SSL/TLS at your newsserver settings, so SABnzbd refused insecure connections. Unless you overrule that, as you did.

I prefer to encrypt my connection to the provider (for both security and privacy reasons), that's why I enabled SSL.

Yeah, but now you have fake security. Your system told you it's unsecure, and you have overruled that ... :-(

[sander]

Ongoing rant:

A valid certificate used to cost 10 or 100 Euro per year. Now it costs ... 0 Euro; via Let's Encrypt. See https://letsencrypt.org/

So I see no reason why tweak would use a self-signed certificate.

For Google and Naming & Shaming:

Code: Select all

[Errno 111] Failed to connect: Server news.tweak.nl uses an untrusted certificate [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)] [email protected]:563

Code: Select all

[Errno 111] Failed to connect: Server news.tweakdsl.nl uses an untrusted certificate [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)] [email protected]:563

Code: Select all

[Errno 111] Failed to connect: Server news.tweaknews.nl uses an untrusted certificate [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)] [email protected]:563

Only news.tweaknews.EU is correct.

Shame on Tweak.

[MacLeod]

Hi Sander,

I get your points (I use a valid free certificate on my own server for that reason). Will try to convince the provider to purchase a (free) certificate for the reasons you mention in your accurate rant!

[sander]

Hi Sander,

I get your points (I use a valid free certificate on my own server for that reason). Will try to convince the provider to purchase a (free) certificate for the reasons you mention in your accurate rant!

Good!

I've created a new overview of SSL/TLS newsservers: https://docs.google.com/spreadsheets/d/ ... sp=sharing

[MacLeod]

Hi Sander,

I checked the webserver for tweak.nl and that server uses a valid certicate (even a wildcard certificate) so I suggested that they use this cert on their news server as well, along with the points you mentioned. I will let you know how they react to this.

[sander]

Hi Sander,

I checked the webserver for tweak.nl and that server uses a valid certicate (even a wildcard certificate)

Oh, indeed: https://www.tweak.nl/ has a certificate for *.tweak.nl, so they can use that certificate for news.tweaks.nl