https access issues after renewing SSL cert [QNAP]

[OneCD]

Hmm, I'm not sure what else to check.

@sander: any thoughts on this?

[sander]

My thoughts:
- I suspect a QNAP / package thing, not SABnzbd
- OP should each time check sabnzbd.log, and especially Traceback

[OneCD]

My understanding from @GTunney on the QNAP forum is that this only started when they upgraded to SAB 3.2.0. There were no problems prior to that with HTTPS.

This didn't require an updated QPKG to be released - just a 'git pull' from within the existing package is sufficient.

But, I guess a refresh couldn't hurt. @GTunney, can you please run a 'clean' operation on that package?

Code: Select all

/etc/init.d/sabnzbd3.sh clean

This will ensure your local git clone of SAB is completely removed and refreshed from GitHub. Your settings will be retained.

[sander]

My understanding from @GTunney on the QNAP forum is that this only started when they upgraded to SAB 3.2.0. There were no problems prior to that with HTTPS.

If so, that is important information which he/she did not share here. Pity.

If so: go back to SAB 3.1.1 and verify.

[GTunney]

My understanding from @GTunney on the QNAP forum is that this only started when they upgraded to SAB 3.2.0. There were no problems prior to that with HTTPS.

This didn't require an updated QPKG to be released - just a 'git pull' from within the existing package is sufficient.

But, I guess a refresh couldn't hurt. @GTunney, can you please run a 'clean' operation on that package?

Code: Select all

/etc/init.d/sabnzbd3.sh clean

This will ensure your local git clone of SAB is completely removed and refreshed from GitHub. Your settings will be retained.

I've run a clean and it's still doing the same issue. OneCD I'm happy to speak privately on the QNAP forums if you want to do some testing?

If so, that is important information which he/she did not share here. Pity.

If so: go back to SAB 3.1.1 and verify.

I'm sorry, I was trying to narrow down whether it was the renewal of my SSL cert or the upgrade to 3.2.0, I thought I'd mentioned it but must have been on QNAP forums and not here.

[OneCD]

I've run a clean and it's still doing the same issue. OneCD I'm happy to speak privately on the QNAP forums if you want to do some testing?

No, let's keep the discussion here for now - it's easier to track the issue if everything is in one place.

If so: go back to SAB 3.1.1 and verify.

Good idea.

@GTunney, if you don't mind downgrading to SAB 3.1.1 for testing purposes, here's how to do it:

1. Edit the SAB3 QPKG service script file:

   Code: Select all

   nano $(getcfg SABnzbd Install_Path -f /etc/config/qpkg.conf)/sabnzbd3.sh

2. Near the start of the script, there's a line that says:

   Code: Select all

       readonly SOURCE_GIT_BRANCH=master

   Please change this to:

   Code: Select all

       readonly SOURCE_GIT_BRANCH=3.1.1

   ... then exit the editor and save the changed script file.
3. Now, restart SAB with:

   Code: Select all

   /etc/init.d/sabnzbd3.sh restart

   ... and the script will automatically downgrade your SAB instance.
4. Then test for HTTPS operability.

[GTunney]

I've run a clean and it's still doing the same issue. OneCD I'm happy to speak privately on the QNAP forums if you want to do some testing?

No, let's keep the discussion here for now - it's easier to track the issue if everything is in one place.

No probs, thought I'd just update with some extra info for help.

I also installed Stephanes qnapclub sab 3.2.0 version and copied over my config etc. Although not a direct comparison as his is running python 3.7.8 this one has currently been up and running now for over 18 hours and I can still access via https.

I shall follow your steps tomorrow to rollback your version to 3.1.1 but it does seem now this issue is pointing towards the sherpa upgrade to 3.2.0

[OneCD]

Including this from the QNAP forum in-case it's relevant:

Not sure if this is something that might help with my SSL issue, just saw this in the logs from today.

Code: Select all

2021-03-01 16:07:01,625::INFO::[notifier:122] Sending notification: Error - [01/Mar/2021:16:07:01] ENGINE Error in HTTPServer.serve
Traceback (most recent call last):
  File "/opt/lib/python3.9/site-packages/cheroot/server.py", line 1810, in serve
    self._connections.run(self.expiration_interval)
  File "/opt/lib/python3.9/site-packages/cheroot/connections.py", line 201, in run
    self._run(expiration_interval)
  File "/opt/lib/python3.9/site-packages/cheroot/connections.py", line 218, in _run
    new_conn = self._from_server_socket(self.server.socket)
  File "/opt/lib/python3.9/site-packages/cheroot/connections.py", line 271, in _from_server_socket
    s, ssl_env = self.server.ssl_adapter.wrap(s)
  File "/opt/lib/python3.9/site-packages/cheroot/ssl/builtin.py", line 277, in wrap
    s = self.context.wrap_socket(
  File "/opt/lib/python3.9/ssl.py", line 500, in wrap_socket
  File "/opt/lib/python3.9/ssl.py", line 1040, in _create
  File "/opt/lib/python3.9/ssl.py", line 1309, in do_handshake
ssl.SSLError: [SSL: BAD_KEY_SHARE] bad key share (_ssl.c:1122)
 (type=error, job_cat=None)
2021-03-01 16:07:01,625::ERROR::[_cplogging:213] [01/Mar/2021:16:07:01] ENGINE Error in HTTPServer.serve
Traceback (most recent call last):
  File "/opt/lib/python3.9/site-packages/cheroot/server.py", line 1810, in serve
    self._connections.run(self.expiration_interval)
  File "/opt/lib/python3.9/site-packages/cheroot/connections.py", line 201, in run
    self._run(expiration_interval)
  File "/opt/lib/python3.9/site-packages/cheroot/connections.py", line 218, in _run
    new_conn = self._from_server_socket(self.server.socket)
  File "/opt/lib/python3.9/site-packages/cheroot/connections.py", line 271, in _from_server_socket
    s, ssl_env = self.server.ssl_adapter.wrap(s)
  File "/opt/lib/python3.9/site-packages/cheroot/ssl/builtin.py", line 277, in wrap
    s = self.context.wrap_socket(
  File "/opt/lib/python3.9/ssl.py", line 500, in wrap_socket
  File "/opt/lib/python3.9/ssl.py", line 1040, in _create
  File "/opt/lib/python3.9/ssl.py", line 1309, in do_handshake
ssl.SSLError: [SSL: BAD_KEY_SHARE] bad key share (_ssl.c:1122)

[Puzzled]

A Google search for that error line gives this suggestion: https://stackoverflow.com/questions/654 ... -key-share

[GTunney]

Uptime with the QNAPclub 3.2.0 was over 24 hours and could still access via https.

I've now downgraded the sherpa package to 3.1.1 and will monitor.

[GTunney]

Including this from the QNAP forum in-case it's relevant:

Not sure if this is something that might help with my SSL issue, just saw this in the logs from today.

Code: Select all

2021-03-01 16:07:01,625::INFO::[notifier:122] Sending notification: Error - [01/Mar/2021:16:07:01] ENGINE Error in HTTPServer.serve
Traceback (most recent call last):
  File "/opt/lib/python3.9/site-packages/cheroot/server.py", line 1810, in serve
    self._connections.run(self.expiration_interval)
  File "/opt/lib/python3.9/site-packages/cheroot/connections.py", line 201, in run
    self._run(expiration_interval)
  File "/opt/lib/python3.9/site-packages/cheroot/connections.py", line 218, in _run
    new_conn = self._from_server_socket(self.server.socket)
  File "/opt/lib/python3.9/site-packages/cheroot/connections.py", line 271, in _from_server_socket
    s, ssl_env = self.server.ssl_adapter.wrap(s)
  File "/opt/lib/python3.9/site-packages/cheroot/ssl/builtin.py", line 277, in wrap
    s = self.context.wrap_socket(
  File "/opt/lib/python3.9/ssl.py", line 500, in wrap_socket
  File "/opt/lib/python3.9/ssl.py", line 1040, in _create
  File "/opt/lib/python3.9/ssl.py", line 1309, in do_handshake
ssl.SSLError: [SSL: BAD_KEY_SHARE] bad key share (_ssl.c:1122)
 (type=error, job_cat=None)
2021-03-01 16:07:01,625::ERROR::[_cplogging:213] [01/Mar/2021:16:07:01] ENGINE Error in HTTPServer.serve
Traceback (most recent call last):
  File "/opt/lib/python3.9/site-packages/cheroot/server.py", line 1810, in serve
    self._connections.run(self.expiration_interval)
  File "/opt/lib/python3.9/site-packages/cheroot/connections.py", line 201, in run
    self._run(expiration_interval)
  File "/opt/lib/python3.9/site-packages/cheroot/connections.py", line 218, in _run
    new_conn = self._from_server_socket(self.server.socket)
  File "/opt/lib/python3.9/site-packages/cheroot/connections.py", line 271, in _from_server_socket
    s, ssl_env = self.server.ssl_adapter.wrap(s)
  File "/opt/lib/python3.9/site-packages/cheroot/ssl/builtin.py", line 277, in wrap
    s = self.context.wrap_socket(
  File "/opt/lib/python3.9/ssl.py", line 500, in wrap_socket
  File "/opt/lib/python3.9/ssl.py", line 1040, in _create
  File "/opt/lib/python3.9/ssl.py", line 1309, in do_handshake
ssl.SSLError: [SSL: BAD_KEY_SHARE] bad key share (_ssl.c:1122)

Https access with Sherpa 3.1.1 has just gone off. Checked the logs and same error as above in the logs so doesn’t seem linked to 3.2.0 but deffo linked to Sherpa.

[OneCD]

A Google search for that error line gives this suggestion: https://stackoverflow.com/questions/654 ... -key-share

Nice find @Puzzled.

I've just modified sherpa to use the PIP 'pyopenssl' package instead of the IPKG 'python3-pyopenssl' package provided by Entware. Let's see if it solves the problem.

@GTunney, can you please run the following to switch the Python SSL modules?

Code: Select all

sherpa clean
sherpa reinstall sab

This will put you back on SAB 3.2.0.

[safihre]

We don't use pyOpenSSL in SABnzbd! So that won't change anything.

[GTunney]

A Google search for that error line gives this suggestion: https://stackoverflow.com/questions/654 ... -key-share

Nice find @Puzzled.

I've just modified sherpa to use the PIP 'pyopenssl' package instead of the IPKG 'python3-pyopenssl' package provided by Entware. Let's see if it solves the problem.

@GTunney, can you please run the following to switch the Python SSL modules?

Code: Select all

sherpa clean
sherpa reinstall sab

This will put you back on SAB 3.2.0.

That hasn’t worked. If anything it’s worse. Only access on https for a few mins

[OneCD]

That hasn’t worked. If anything it’s worse. Only access on https for a few mins

Bah!

We don't use pyOpenSSL in SABnzbd! So that won't change anything.

Ah, no worries. Thank you.

@GTunney, are you able to post your entire SABnzbd log, and indicate the timestamps for each of your HTTPS access attempts?