Untrusted certificate [Eweka, newshosting, Let's encrypt R3]

[brimstn]

Does anyone have any idea how to fix this in FreeBSD?

[theskeptic]

Same issue reported here, Win 10, started today.

Followed chrblack's solution, worked like a charm. Fantastic work!

[Gr33nsn]

I originally contacts Eweka and got some really duff advice "You can solve the problem by turning off the SSL or by using another news client."

Thanks to a great post from Chrblack, I ignored this obviously incorrect support advice from eweka

I have a really old Windows 7 machine and I decided to update all the effected certificates. Not sure if this was overkill.

1. Open Run and type mmc.exe
2. Select <File>, <Add/Remove Snap-In..>
3. Choose <Certificates>
4. Select <My User Account>, and click<OK>
5. Expand <Certificates - Current User>
6. Expand <Intermediate Certificate Authorities>, and Click <Certificates>
7. Find any R3's and delete them.
8. Expand <Trusted Root Certificate Authorities>, and Click <Certificates>
9. Find the ISRG Root X1 and delete it.
10. Go to h t t p s : / / l e t s e n c r y p t . o r g / c e r t i f i c a t e s /
11. Scroll down to Root Certificates, Active, SRG Root X1, Self-signed and download the 'der' certificate
12. Scroll down to Intermediate Certificates, Active, Let’s Encrypt R3, Signed by ISRG Root X1 and download the 'der' certificate
13. Double click the downloaded der file from 11. > Click open > Click Install Certificate > next > click Place certificates in selected store > browse > Trusted Root Certification Authorities > OK > Next.
14. Double click the downloaded der file from 12. > Click open > Click Install Certificate > next > click Place certificates in selected store > browse > Intermediate Certificates Authorities > OK > Next.

[elmuziko]

Anyone know how to resolve this on a Synology?

Thank you

[tranb3r]

Anyone know how to resolve this on a Synology?

Thank you

Same question for QNAP.

[alfred_j_kwack]

Anyone know how to resolve this on a Synology?

Checked all the ".pem" files I could for the offending "DST Root CA X3" cert and removed it from essentially all the python versions. No dice though. At least you can scrap that off your list.

[chrblack]

Anyone know how to resolve this on a Synology?

Checked all the ".pem" files I could for the offending "DST Root CA X3" cert and removed it from essentially all the python versions. No dice though. At least you can scrap that off your list.

For me it was an expired intermediate certificate "R3", not root. Did you check that?

[alfred_j_kwack]

Anyone know how to resolve this on a Synology?

Checked all the ".pem" files I could for the offending "DST Root CA X3" cert and removed it from essentially all the python versions. No dice though. At least you can scrap that off your list.

For me it was an expired intermediate certificate "R3", not root. Did you check that?

Here's a search:

Code: Select all

user@system# openssl crl2pkcs7 -nocrl -certfile ./@appstore/sabnzbd/env/lib/python3.8/site-packages/pip/_vendor/certifi/cacert.pem  | openssl pkcs7 -print_certs -text -noout | grep -A 1 2021
            Not After : Dec 15 08:00:00 2021 GMT
        Subject: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
--
            Not After : Mar 17 18:33:33 2021 GMT
        Subject: C=BM, O=QuoVadis Limited, OU=Root Certification Authority, CN=QuoVadis Root Certification Authority
--
            Not After : Apr  6 07:29:40 2021 GMT
        Subject: C=FI, O=Sonera, CN=Sonera Class2 CA
--
            Not After : Dec 15 08:00:00 2021 GMT
        Subject: O=Cybertrust, Inc, CN=Cybertrust Global Root

I'll try and remove the two old ones and see what happens.

-- Update. No dice. No change
-- Update2. SOLVED Ugrading to the latest DSM on Synology, reloading the SAB packages from community fixed the issue for me

[dreamk21]

I am on QNAP, also getting errors due to the Let's Encrypt CA Certificate problem.
Would it be possible for someone to please list step-by-step instructions on how to delete the expired CA or intermediate certificate(s)?
I can SSH into the QNAP as admin, but I'm not able to work out what to do from there.
thanks in advance!

SABNZBD version 3.4.0
Config File: /share/CE_CACHEDEV1_DATA/.qpkg/QSabNZBd3/SAB_CONFIG/config.ini
OpenSSL: OpenSSL 1.1.1
Python Version: 3.7.8

QNAP Firmware version 4.5.4.1800 (up to date as of 1 October 2021)

[OneCD]

For the QNAP NAS users: which QPKG are you using please? Are you using Stephane's QSabNZBdPlus, or the one installed via sherpa?

I've checked the sherpa one with Newshosting and SSL - works fine.

[dreamk21]

I am using the qnapclub store version SabNZBPlus 3 from https://www.qnapclub.eu/en/qpkg/1012

For the QNAP NAS users: which QPKG are you using please? Are you using Stephane's QSabNZBdPlus or the one installed via sherpa?

I've checked the sherpa one with Newshosting and SSL - works fine.

[elmuziko]

Anyone know how to resolve this on a Synology?

Checked all the ".pem" files I could for the offending "DST Root CA X3" cert and removed it from essentially all the python versions. No dice though. At least you can scrap that off your list.

For me it was an expired intermediate certificate "R3", not root. Did you check that?

Where is this hiding at?

I can confirm simply removing sab and re-installing on Synology does not work.
Sadly, I'm using Xpenology (Synology on non-branded hardware) and cannot update DSM any further than 6.2.3-25426 at present.

[dreamk21]

I installed the Sherpa version. Working fine now.

Perhaps it is related to one of the following differences that I can find:

Python version 3.9.6 (3.7.8 with Qoolbox SabNZBPlus 3)
OpenSSL version 1.1.1k (1.1.1 with Qoolbox SabNZBPlus 3)

If not, I am out of ideas.

I will stick with the Sherpa version now anyway.

I am using the qnapclub store version SabNZBPlus 3 from https://www.qnapclub.eu/en/qpkg/1012

For the QNAP NAS users: which QPKG are you using please? Are you using Stephane's QSabNZBdPlus or the one installed via sherpa?

I've checked the sherpa one with Newshosting and SSL - works fine.

[OneCD]

I will stick with the Sherpa version now anyway.

[dreamk21]

thanks for creating and maintaining it!

I will stick with the Sherpa version now anyway.