Enabling https gives error

[pven]

I created a host.key and a host.cert, after this I restart sabnzbd.

Unfortunately enabling https fails:

Code: Select all

2018-07-24 13:20:53,158::ERROR::[misc:1454] Error creating SSL key and certificate
2018-07-24 13:20:53,159::INFO::[misc:1455] Traceback:
Traceback (most recent call last):
  File "/volume1/@appstore/sabnzbd/share/SABnzbd/sabnzbd/misc.py", line 1450, in create_https_certificates
    private_key = generate_key(key_size=2048, output_file=ssl_key)
  File "/volume1/@appstore/sabnzbd/share/SABnzbd/sabnzbd/utils/certgen.py", line 39, in generate_key
    backend=default_backend()
  File "/var/packages/python/target/lib/python2.7/site-packages/cryptography/hazmat/backends/__init__.py", line 15, in default_backend
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/var/packages/python/target/lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/var/packages/python/target/lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 23, in <module>
    from cryptography.hazmat.backends.openssl import aead
ImportError: cannot import name aead
2018-07-24 13:20:53,167::WARNING::[SABnzbd:1293] Disabled HTTPS because of missing CERT and KEY files

The options below are grepped from config.ini:

Code: Select all

https_port = 9090
https_key = host.key
https_chain = /usr/local/sabnzbd/var/admin/cert
enable_https = 1
https_cert = host.cert
enable_https_verification = 0

Both files are stored in /usr/local/sabnzbd/var/admin/cert/. Privileges are set to 755, and ownership is set to sc-sabnzbd for the user, and sabnzbd for the group (synology). But it fails ...

How can I fix this? I am out of options.

[sander]

Fill out path and extensions correctly

[pven]

Please be more specific. The mentioned path and filenames are, as far as I know, correct.

[safihre]

This function is called when it cannot find the paths to the certificates, so it tries to make new ones. Double check that the paths are correct, like Sander said.
It seems to be a Synology package problem.
How did you create these host.key and host.cert files?

[pven]

Thanks for the answers off course!

I placed both files in /usr/local/sabnzbd/var/admin/cert (since that path is mentioned). Is that ok? Or am I doing something wrong? (I am not good at this https-stuff. ;-) )

I followed https://sabnzbd.org/wiki/advanced/https to create the keys:

Code: Select all

openssl genrsa 1024 > host.key
openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.cert

[sander]

Why would you want to manually create a self-signed certificate? Sabnzbd can do that for you automagically.

[pven]

I really don't care how it is created, so if SABnzbd can do it: fine :-)

I removed both files, restarted SABnzb and it looks like the issue is still there:

Code: Select all

2018-07-25 10:07:20,227::ERROR::[misc:1454] Error creating SSL key and certificate
2018-07-25 10:07:20,228::INFO::[misc:1455] Traceback:
Traceback (most recent call last):
  File "/volume1/@appstore/sabnzbd/share/SABnzbd/sabnzbd/misc.py", line 1450, in create_https_certificates
    private_key = generate_key(key_size=2048, output_file=ssl_key)
  File "/volume1/@appstore/sabnzbd/share/SABnzbd/sabnzbd/utils/certgen.py", line 39, in generate_key
    backend=default_backend()
  File "/var/packages/python/target/lib/python2.7/site-packages/cryptography/hazmat/backends/__init__.py", line 15, in default_backend
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/var/packages/python/target/lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/var/packages/python/target/lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 23, in <module>
    from cryptography.hazmat.backends.openssl import aead
ImportError: cannot import name aead
2018-07-25 10:07:20,271::WARNING::[SABnzbd:1293] Disabled HTTPS because of missing CERT and KEY files

When I try as user sc-sabnzbd to create a file in /usr/local/sabnzbd/var/admin/cert that works

It feels like it tries to write to a different path?

[pven]

I just changed everything in my sabnzb-folder to full privileges for everyone (777). The result is still the same ...

[jcfp]

The ImportError cannot import name aead is a failure in the cryptography module install on your device. That code isn't part of sab nor typically supplied with it in a single package. So if you want that traceback fixed, file a bug with whoever supplies that module for your system.

[sander]

Before we try to solve this, I have a few questions for you:

1) Why are you trying to enable HTTPS? What is your goal?
2) With which browser do you want to access SABnzbd over HTTPS?
3) Did you trying enabling HTTPS in SABnzbd: Config -> General -> "Enable HTTPS"
4) What happens when you that now, so in SABnzbd: Config -> General -> "Enable HTTPS"

[pven]

Thanks! I will look at that.

To answer this questions:
1) Why are you trying to enable HTTPS? What is your goal?
I want to be able to open SABnzbd over the big bad internet without VPN or so.

2) With which browser do you want to access SABnzbd over HTTPS?
Chrome on Windows (latest stable release)

3) Did you trying enabling HTTPS in SABnzbd: Config -> General -> "Enable HTTPS"
Yes

4) What happens when you that now, so in SABnzbd: Config -> General -> "Enable HTTPS"
I will get the error shown above

[safihre]

@sanderjo: This is the SynoCommunity package that I help create.
It clearly is something missing the the python-cryptography module building.
pven is using SAB's build-in ceterificate generating, but because the missing part it is failing.
He's doing the right thing, just the package of SynoCommunity is somehow broken.

[safihre]

@pven It should, however, be possible to use your own certificates as long as you specify the paths correctly.
Since the SABnzbd package is running as sc-sabnzbd (part of sc-download group) you also need to make sure that that user or group can reach every part of the path to the certificate.
That doesn't seem to be the case, otherwise it wouldn't be trying to generate it's own certificates. So check permissions

[sander]

@sanderjo: This is the SynoCommunity package that I help create.
It clearly is something missing the the python-cryptography module building.
pven is using SAB's build-in ceterificate generating, but because the missing part it is failing.
He's doing the right thing, just the package of SynoCommunity is somehow broken.

Triggered by @jcfp : That line "from cryptography.hazmat.backends.openssl import aead"
1) does not exist on my Ubuntu set (and SAB works great)
2) does exist in the github version of cryptography https://github.com/pyca/cryptography/bl ... end.py#L23

[pven]

@pven It should, however, be possible to use your own certificates as long as you specify the paths correctly.
Since the SABnzbd package is running as sc-sabnzbd (part of sc-download group) you also need to make sure that that user or group can reach every part of the path to the certificate.
That doesn't seem to be the case, otherwise it wouldn't be trying to generate it's own certificates. So check permissions

I played around, and am able to start SABnzbd with https ENabled!

What I did was using the full path and filename for the key and certificate, and leave the chain-directory empty. Doing this, it will load the certificate I generated with openssl.

However: when I load the generated certificate in chrome, it still tells me SABnzbd is not safe, I need to look at that further. But my SABnzbd-issue is solved! But not the way I expected. :-)