https access issues after renewing SSL cert [QNAP]

GTunney
Newbie
Posts: 31
Joined: September 19th, 2011, 5:42 am

https access issues after renewing SSL cert [QNAP]

Post by GTunney »

Hi All,

I'm running into some issues trying to access sab over https. I've been running sab over https for years with my purchased Sectigo SSL cert for my home domain.

Lately sab seems to be really unstable over SSL, it starts up and I can access the web interface over https but then after about 20 seconds I can't access anymore. Access via http still works absolutely fine. No errors reported in any of the logs from what I can see, it just spins on loading when trying to access over https.

SSL cert has been renewed like I do every year and is working fine for all my other apps: Watcher, Plex, Sickchill, Tautulli and the actual NAS itself.
Last edited by GTunney on February 28th, 2021, 10:16 am, edited 1 time in total.
sander
Release Testers
Posts: 8829
Joined: January 22nd, 2008, 2:22 pm

Re: https access issues after renewing SSL cert

Post by sander »

pastebin + DEBUG on ... good!

FWIW: you have also posted your public IPv4 address.

Now to your problem:

You don't specify from where and how you try to access SAB. So: can you access SAB via

https://127.0.0.1:5012 from the device itself?
https://192.168.0.2:5012 from another device on your LAN?

Please post pastebin SAB logging with web access

BTW: What kind of device is it? A NAS / QNAP / embedded thing?

Re: https access issues after renewing SSL cert

Post by sander »

Oh, and to rule out a cause in the Sectigo SSL certificates:

Can you remove those Sectigo SSL certificates, and then let SAB itself create the self-signed certificates?

If that works, the problem is in the Sectigo SSL certificates.
If that doesn't work either, the problem is in your plain SAB setup / network.

Re: https access issues after renewing SSL cert

Post by GTunney »

I'm running sab on a QNAP NAS.

I can't access https from the device itself or from my LAN over https.

I've tried to let sab create its own cert as well but get the error. When I hover over the refresh button it's greyed out.

Popped my old cert on which had expired and got exactly the same issue with that which had worked fine for a year.

2021-02-28 14:23:41,612::INFO::[notifier:122] Sending notification: Error - Error creating SSL key and certificate (type=error, job_cat=None)
2021-02-28 14:23:41,611::ERROR::[misc:763] Error creating SSL key and certificate
2021-02-28 14:23:41,612::INFO::[misc:764] Traceback: 
Traceback (most recent call last):
  File "/share/CACHEDEV1_DATA/.qpkg/SABnzbd/SABnzbd/sabnzbd/misc.py", line 759, in create_https_certificates
    private_key = generate_key(key_size=2048, output_file=ssl_key)
  File "/share/CACHEDEV1_DATA/.qpkg/SABnzbd/SABnzbd/sabnzbd/utils/certgen.py", line 27, in generate_key
    with open(output_file, "wb") as f:
FileNotFoundError: [Errno 2] No such file or directory: ''
2021-02-28 14:23:41,639::INFO::[notifier:122] Sending notification: Warning - Disabled HTTPS because of missing CERT and KEY files (type=warning, job_cat=None)
2021-02-28 14:23:41,639::WARNING::[SABnzbd:1295] Disabled HTTPS because of missing CERT and KEY files
2021-02-28 14:23:41,640::INFO::[notifier:122] Sending notification: Warning - Disabled HTTPS because of invalid CERT and KEY files (type=warning, job_cat=None)
2021-02-28 14:23:41,640::WARNING::[SABnzbd:1305] Disabled HTTPS because of invalid CERT and KEY files
2021-02-28 14:23:41,640::INFO::[SABnzbd:1306] Traceback: 
Traceback (most recent call last):
  File "/share/CACHEDEV1_DATA/.qpkg/SABnzbd/SABnzbd/SABnzbd.py", line 1302, in main
    trialcontext.load_cert_chain(https_cert, https_key)
FileNotFoundError: [Errno 2] No such file or directory

Re: https access issues after renewing SSL cert

Post by sander »

That is bad. That means SABnzbd has no writing rights to ~/.sabnzbd/admin/, where it wants to create server.cert and server.key.

You have to solve that. SABnzbd can't do that for you.

Re: https access issues after renewing SSL cert

Post by GTunney »

sander wrote: February 28th, 2021, 9:58 am That is bad. That means SABnzbd has no writing rights to ~/.sabnzbd/admin/ where it wants to create server.cert and server.key

You have to solve that. SABnzbd can't do that for you.
That actually looks like it's done the trick. Sab is now working with my Sectigo cert after changing CHMOD on the admin dir.

I'll get onto the developer for the QNAP app and let them know what the issue was, must have been done when 3.2.0 was packaged.

Re: https access issues after renewing SSL cert

Post by GTunney »

I tell a lie, it’s still doing it 😫

Really annoying now that it doesn’t list anything in the logs and just randomly happens after a certain amount of time.
OneCD
Hero Member
Posts: 557
Joined: March 4th, 2017, 3:47 pm

Re: https access issues after renewing SSL cert [QNAP]

Post by OneCD »

GTunney wrote: February 28th, 2021, 1:38 pm ... and just randomly happens after a certain amount of time.
@GTunney, are you running Qboost by any chance?
Stuff I like: Apache bash cron DD-WRT Debian DNSMasq Entware FireFox GitHub ImageMagick Kate KDE LibreELEC Netrunner NFS NVIDIA OpenVPN Orvibo-S20 pfSense Python Raspberry-Pi RAID SABnzbd Transmission Usenet VirtualBox Watcher3 XFCE

Re: https access issues after renewing SSL cert [QNAP]

Post by GTunney »

OneCD wrote: February 28th, 2021, 3:09 pm
GTunney wrote: February 28th, 2021, 1:38 pm ... and just randomly happens after a certain amount of time.
@GTunney, are you running Qboost by any chance?
No I’ve had it turned off since they first released it.

Re: https access issues after renewing SSL cert [QNAP]

Post by OneCD »

Good. ;)

When this problem occurs, are the permissions for the [.qpkg/SABnzbd/config] directory reset? Or is it only the [.qpkg/SABnzbd/config/admin] directory? What permissions are being assigned?

Re: https access issues after renewing SSL cert [QNAP]

Post by GTunney »

OneCD wrote: February 28th, 2021, 3:38 pm Good. ;)

When this problem occurs, are the permissions for the [.qpkg/SABnzbd/config] directory reset? Or is it only the [.qpkg/SABnzbd/config/admin] directory? What permissions are being assigned?
Not from what I can see. I gave it full access 777.

Re: https access issues after renewing SSL cert [QNAP]

Post by OneCD »

So, after you set 777 on [.qpkg/SABnzbd/config/admin], that setting is applied. Are you applying a recursive change to admin and all files or just the admin directory?

You then restart SAB to generate new certs, everything works fine for a while, then you're unable to login via HTTPS, and the permissions for [.qpkg/SABnzbd/config/admin] are still 777?

What are the permissions for [.qpkg/SABnzbd/config]?

Are permissions for the certificate files being changed instead?

Re: https access issues after renewing SSL cert [QNAP]

Post by GTunney »

OneCD wrote: February 28th, 2021, 4:39 pm So, after you set 777 on [.qpkg/SABnzbd/config/admin], that setting is applied. Are you applying a recursive change to admin and all files or just the admin directory?

You then restart SAB to generate new certs, everything works fine for a while, then you're unable to login via HTTPS, and the permissions for [.qpkg/SABnzbd/config/admin] are still 777?

What are the permissions for [.qpkg/SABnzbd/config]?

Are permissions for the certificate files being changed instead?
I’ve set 777 for the entire Sab directory just now and all sub files so will see if this automatically changes. It may not even be the permissions changing.

I don’t generate new certs as I’m using my own certs which are stored in a different directory to sab and this is how I’ve run sab for years.

It’s also totally random when it eventually stops https access. It could be 2 mins, it could be 10 mins.

Like right now sab has been up for 22 mins and I can still access over https.

Re: https access issues after renewing SSL cert [QNAP]

Post by OneCD »

Yup, really need to know if any permissions change when the problem occurs.

BTW: if you're only accessing SAB via your LAN (or via your local VPN server instance when outside your LAN), there's no need for HTTPS. Any reason you're using it? ;)

I don't know if the SAB login UI is safe to expose to the Internet. Maybe the guys here can advise?

Re: https access issues after renewing SSL cert [QNAP]

Post by GTunney »

OneCD wrote: February 28th, 2021, 5:02 pm Yup, really need to know if any permissions change when the problem occurs.

BTW: if you're only accessing SAB via your LAN (or via your local VPN server instance when outside your LAN), there's no need for HTTPS. Any reason you're using it? ;)

I don't know if the SAB login UI is safe to expose to the Internet. Maybe the guys here can advise?
Ok this morning access over https lasted just over an hour and now it’s gone off again.

Checked Sab, config and admin folders all still have 777.

I know I probably shouldn’t but I access anywhere, which is why I use https so I check when I’m out and about. I’ve done this for years and never had any issues up until now.
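
Added example (not part of the thread and not SABnzbd's own code): a permission audit for the directory and the `server.cert` / `server.key` files discussed above. It reports the empty-path case seen in the traceback, a directory the process cannot write to, and the over-broad modes that a blanket 777 leaves on a private key. The function name and the finding strings are assumptions made for this example.

```python
import os
import stat
import sys


def audit_tls_paths(admin_dir, cert_name="server.cert", key_name="server.key"):
    """Return a list of findings for the TLS directory and files; empty means OK."""
    if not admin_dir:
        # Same condition as the traceback: open('') raises FileNotFoundError.
        return ["path is empty: no directory configured for key/cert"]
    if not os.path.isdir(admin_dir):
        return [f"{admin_dir}: directory does not exist"]

    findings = []
    dir_mode = stat.S_IMODE(os.stat(admin_dir).st_mode)
    # Creating files needs write + search permission for the running user.
    if not os.access(admin_dir, os.W_OK | os.X_OK):
        findings.append(f"{admin_dir}: not writable by uid {os.geteuid()}")
    # World-writable lets any local account replace the key or certificate.
    if dir_mode & stat.S_IWOTH:
        findings.append(f"{admin_dir}: world-writable ({dir_mode:04o})")

    # Certificate: public, but only the owner should be able to modify it.
    # Private key: no access at all for group or others.
    checks = (
        (cert_name, stat.S_IWGRP | stat.S_IWOTH),
        (key_name, stat.S_IRWXG | stat.S_IRWXO),
    )
    for name, forbidden in checks:
        path = os.path.join(admin_dir, name)
        if not os.path.isfile(path):
            findings.append(f"{path}: missing")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & forbidden:
            findings.append(f"{path}: mode {mode:04o} is too permissive")
    return findings


if __name__ == "__main__":
    # Default is the location named in the thread; pass another path as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.sabnzbd/admin")
    for line in audit_tls_paths(target) or ["no findings"]:
        print(line)
```

Run it as the account SABnzbd runs under, since the writability check applies to the current user.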