[1.2.0] Incorrect SSL certificate warning

Report & discuss bugs found in SABnzbd
Forum rules
Help us help you:
  • Are you using the latest stable version of SABnzbd? Downloads page.
  • Tell us what system you run SABnzbd on.
  • Adhere to the forum rules.
  • Do you experience problems during downloading?
    Check your connection in Status and Interface settings window.
    Use Test Server in Config > Servers.
    We will probably ask you to do a test using only basic settings.
  • Do you experience problems during repair or unpacking?
    Enable +Debug logging in the Status and Interface settings window and share the relevant parts of the log here using [ code ] sections.
Post Reply
ErikBrown
Release Testers
Release Testers
Posts: 118
Joined: December 20th, 2009, 1:25 am
Location: Home

[1.2.0] Incorrect SSL certificate warning

Post by ErikBrown »

Windows 10
Smpl
HTTPS certificate verification on

When I configure a RSS feed for https://nzb.is and I click on the "Read feed" button then I get the following warning message: Server https://nzb.is/ uses an untrusted HTTPS certificate

Image

But if I check the site's certificate on for instance https://www.digicert.com/help/ or https://www.ssllabs.com/ssltest/analyze.html?d=nzb.is then the certificate turns out to be OK. Below is a sample summary for it:

Image

Is it maybe possible that the SSL certificate validation of SABnzbd is too critical?
User avatar
safihre
Administrator
Administrator
Posts: 5338
Joined: April 30th, 2015, 7:35 am
Contact:

Re: [1.2.0] Incorrect SSL certificate warning

Post by safihre »

That's weird.. I also have Windows 10 and I do not get a warning.
What happens if you just do Read-Feed again?
What does it show on the first page of the config for OpenSSL version?
If you like our support, check our special newsserver deal or donate at: https://sabnzbd.org/donate
ErikBrown
Release Testers
Release Testers
Posts: 118
Joined: December 20th, 2009, 1:25 am
Location: Home

Re: [1.2.0] Incorrect SSL certificate warning

Post by ErikBrown »

Pressing Read feed consistently results everytime in the warning message. The OpenSSL version info is as follows: OpenSSL 1.0.2j 26 Sep 2016 [TLS v1.2, TLS v1.1, TLS v1, SSL v3]

Maybe the trusted CAs on my download PC are not as standard. I will check how I can verify that.
User avatar
sander
Release Testers
Release Testers
Posts: 8812
Joined: January 22nd, 2008, 2:22 pm

Re: [1.2.0] Incorrect SSL certificate warning

Post by sander »

Some suggestions:

1) Visit https://nzb.is/ with Chrome and IE and Edge and Firefox, and tell us if they all work. Reason: I don't know which CA is used by python on Windows.

2) If you fill out https://www.appelboor.com/ as RSS-feed in SABnzbd, what do you get? Reason: like nzb.is, appelboor.com uses Letsencrypt

3) How quick does https://nzb.is/ respond when you login with your webbrowser. Reason: I get "The nzb.is page isn’t working / nzb.is is currently unable to handle this request. / HTTP ERROR 500", so the Untrusted error message could be a side-effect of a non-functioning nzb.is site
ErikBrown
Release Testers
Release Testers
Posts: 118
Joined: December 20th, 2009, 1:25 am
Location: Home

Re: [1.2.0] Incorrect SSL certificate warning

Post by ErikBrown »

Today I tried the https://nzb.is feed again and now it consistently works fine. I will try the above mentioned points by Sander when I notice the warning again.
ErikBrown
Release Testers
Release Testers
Posts: 118
Joined: December 20th, 2009, 1:25 am
Location: Home

Re: [1.2.0] Incorrect SSL certificate warning

Post by ErikBrown »

For some reason, since yesterday I get an invalid certificate message for another RSS feed. The feed used to work fine before.
See the screenshot below

Image

If I try the feed URL in Firefox, Chrome or Edge then I do not get a certificate warning. See the screen capture below for Firefox

Image

And creating a new RSS feed with https://www.appleboor.com as the URL gives me the following message:

Image

And the log shows the following:

2017-01-25 15:54:29,905::ERROR::[rss:330] Server https://api.oznzb.com/ uses an untrusted HTTPS certificate
2017-01-25 15:54:45,421::ERROR::[rss:330] Server https://api.oznzb.com/ uses an untrusted HTTPS certificate
2017-01-25 16:55:28,460::ERROR::[rss:330] Server https://api.oznzb.com/ uses an untrusted HTTPS certificate
2017-01-25 16:55:46,288::ERROR::[rss:330] Server https://api.oznzb.com/ uses an untrusted HTTPS certificate
2017-01-25 16:56:04,474::ERROR::[rss:330] Server https://api.oznzb.com/ uses an untrusted HTTPS certificate
2017-01-25 16:56:20,006::ERROR::[rss:330] Server https://api.oznzb.com/ uses an untrusted HTTPS certificate
2017-01-25 17:57:02,920::ERROR::[rss:330] Server https://api.oznzb.com/ uses an untrusted HTTPS certificate
2017-01-25 17:57:20,747::ERROR::[rss:330] Server https://api.oznzb.com/ uses an untrusted HTTPS certificate
2017-01-25 17:57:39,217::ERROR::[rss:330] Server https://api.oznzb.com/ uses an untrusted HTTPS certificate
2017-01-25 17:57:54,904::ERROR::[rss:330] Server https://api.oznzb.com/ uses an untrusted HTTPS certificate

EDIT:

https://www.digicert.com/help/ gives besides messages that the certificate is valid also the below message:

SSL Certificate is not trusted

The certificate is not signed by a trusted authority (checking against Mozilla's root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.

https://www.ssllabs.com/ssltest/analyze ... .oznzb.com shows that the certificate is fine.

On the forum of oznzb.com more persons reported to have an issue with SABnzbd and the RSS feed of https://api.oznzb.com. See the link:
https://www.oznzb.com/forums/viewtopic.php?f=8&t=5534
User avatar
sander
Release Testers
Release Testers
Posts: 8812
Joined: January 22nd, 2008, 2:22 pm

Re: [1.2.0] Incorrect SSL certificate warning

Post by sander »

Summary:
All tests below proof api.oznzb.com's HTTPS is incorrect and thus insecure. OZNZB should solve that.
Or you take the "blue pill", turn off "HTTPS certificate verification" in SABnzbd, and continue working with OZNZB's insecure HTTPS.

Long:

(That oznzb forum link is unreachable for me, so I can't read that.)

1) My SAB too says https://api.oznzb.com/ is untrusted:

Code: Select all

2017-01-25 19:18:26,923::INFO::[rss:534] Starting scheduled RSS read-out for "oznzb testing"
2017-01-25 19:18:26,925::DEBUG::[rss:307] Running feedparser on https://api.oznzb.com/
2017-01-25 19:18:27,035::DEBUG::[rss:309] Done parsing https://api.oznzb.com/
2017-01-25 19:18:27,036::ERROR::[rss:330] Server https://api.oznzb.com/ uses an untrusted HTTPS certificate
2017-01-25 19:18:27,036::INFO::[rss:333] Server https://api.oznzb.com/ uses an untrusted HTTPS certificate
2) A python one-liner confirms problems with api.oznzb.com's certificate, and thus confirms what SAB is reporting:

Code: Select all

$ python -c "import urllib2; response = urllib2.urlopen('https://api.oznzb.com/') "
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 429, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 447, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1241, in https_open
    context=self._context)
  File "/usr/lib/python2.7/urllib2.py", line 1198, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>
3) gnutls-cli confirms problems with api.oznzb.com's certificate:

Code: Select all

$ gnutls-cli api.oznzb.com -p 443
Processed 173 CA certificate(s).
Resolving 'api.oznzb.com:443'...
Connecting to '179.43.170.227:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=*.oznzb.com', issuer `C=US,O=GeoTrust Inc.,CN=RapidSSL SHA256 CA', serial 0x328826d8c96dcc3261e02eaa33771e55, RSA key 2048 bits, signed using RSA-SHA256, activated `2017-01-22 00:00:00 UTC', expires `2018-02-21 23:59:59 UTC', SHA-1 fingerprint `6b067c9c1b5350cd859cc983c21e150793327705'
	Public Key ID:
		d3e0f357fe3087dc3a3ab057a133e84c878ab4a5
	Public key's random art:
		+--[ RSA 2048]----+
		|                 |
		|                 |
		|        .        |
		|       . o    .  |
		|        S .o ... |
		|      . .+= =+.o |
		|     . = =.+.+* o|
		|      E . +.o .* |
		|           ..o...|
		+-----------------+

- Certificate[1] info:
 - subject `C=US,O=GeoTrust Inc.,CN=RapidSSL SHA256 CA - G3', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', serial 0x023a77, RSA key 2048 bits, signed using RSA-SHA256, activated `2014-08-29 21:39:32 UTC', expires `2022-05-20 21:39:32 UTC', SHA-1 fingerprint `0e34141846e7423d37f20dc0ab06c9bbd843dc24'
- Status: The certificate is NOT trusted. The certificate issuer is unknown. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.
So:

Code: Select all

- Status: The certificate is NOT trusted. The certificate issuer is unknown. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.
4) wget tell it's unsecure:

Code: Select all

$ wget https://api.oznzb.com/ 
--2017-01-26 19:24:19--  https://api.oznzb.com/
Resolving api.oznzb.com (api.oznzb.com)... 179.43.170.227
Connecting to api.oznzb.com (api.oznzb.com)|179.43.170.227|:443... connected.
ERROR: cannot verify api.oznzb.com's certificate, issued by ‘CN=RapidSSL SHA256 CA,O=GeoTrust Inc.,C=US’:
  Unable to locally verify the issuer's authority.
To connect to api.oznzb.com insecurely, use `--no-check-certificate'.

5) https://www.sslshopper.com/ssl-checker. ... zb.com:443 says "The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error."

6) testssl.sh says:

Code: Select all

$ ./testssl.sh --ip one api.oznzb.com | grep -i "not ok" 
 Chain of trust               NOT ok (chain incomplete)
7) SSLlabs:
https://www.ssllabs.com/ssltest/analyze ... .oznzb.com shows that the certificate is fine.
No, https://www.ssllabs.com/ssltest/analyze ... .oznzb.com says "This server's certificate chain is incomplete."

Conclusion

So 7 independent tools show OZNZB has HTTPS certificate problems and they should solve that. SABnzbd is correctly reporting that.

You could instruct SABnzbd to not verify HTTPS certificate (thereby ignoring the goal of HTTPS) via http://127.0.0.1:8080/config/general/#e ... rification

Does this answer your question?
User avatar
sander
Release Testers
Release Testers
Posts: 8812
Joined: January 22nd, 2008, 2:22 pm

Re: [1.2.0] Incorrect SSL certificate warning

Post by sander »

Hi ErikBrown,

Could you please follow up to my elaborate post?

Thank you.
User avatar
safihre
Administrator
Administrator
Posts: 5338
Joined: April 30th, 2015, 7:35 am
Contact:

Re: [1.2.0] Incorrect SSL certificate warning

Post by safihre »

I think the oznb issue resolved itself, if I know click the test links they don't report failures anymore.
If you like our support, check our special newsserver deal or donate at: https://sabnzbd.org/donate
User avatar
sander
Release Testers
Release Testers
Posts: 8812
Joined: January 22nd, 2008, 2:22 pm

Re: [1.2.0] Incorrect SSL certificate warning

Post by sander »

safihre wrote:I think the oznb issue resolved itself, if I know click the test links they don't report failures anymore.
Both wget and testssl.sh are indeed happy now.

Pity ErikBrown didn't come back ...
ErikBrown
Release Testers
Release Testers
Posts: 118
Joined: December 20th, 2009, 1:25 am
Location: Home

Re: [1.2.0] Incorrect SSL certificate warning

Post by ErikBrown »

Hi Sander, thanks for letting us know that it was the certificate and not SABnzbd that was at fault. I have temporarily disabled certificate checking.

The issue brought up another point. I have a few RSS rulesets that have two URLs linked to them. One of them is the URL of oznzb.com that has the certificate issue. Due to that, the rulesets did not return any RSS matches while the other URL of the ruleset should have returned matches. So it appears that if a RSS ruleset has multiple URLs and one of them has an error, that the ruleset ignores the other URL(s).
Last edited by ErikBrown on January 27th, 2017, 1:45 pm, edited 1 time in total.
User avatar
sander
Release Testers
Release Testers
Posts: 8812
Joined: January 22nd, 2008, 2:22 pm

Re: [1.2.0] Incorrect SSL certificate warning

Post by sander »

ErikBrown wrote:Hi Sander, thanks for letting us know that it was the certificate and not SABnzbd that was at fault. I have temporarily disabled certificate checking.
You can turn it on again: OZNZB has solved its HTTPS problems ... :)
Post Reply