Unable to connect to server (SSL Error)

[fatgeek]

Version: (Ex: 0.5.0 Final): 1.2.1 [d32cf57]
OS: (Ex: Windows XP SP2, OSX Leopard, Ubuntu Gutsy): unRAID (linuxserver Docker container)
Install-type: (Ex: Windows Installer, Windows zip, OSx .app, OSx source, python source, linux repository, NAS package): Docker
Skin (if applicable): (Ex: Default, Plush, Smpl) Default
Firewall Software: (Ex: None, XP SP2 Firewall, Zone Alarm, Norton Internet Security, Kerio): N/A
Are you using IPV6? (yes/no - most likely no): No
Is the issue reproducible? (yes/no): Yes
Python Version: 2.7.12 (default, Nov 19 2016, 06:48:10) [GCC 5.4.0 20160609] [ANSI_X3.4-1968]
OpenSSL: OpenSSL 1.0.2g 1 Mar 2016 [TLS v1.2, TLS v1.1, TLS v1]

Hello,

I'm running into an error connecting to one of my providers. I have 5 other servers that connect without issue. When I test the connection from the server config page I see the following error:

Code: Select all

[Errno 111] ('_ssl.c:574: The handshake operation timed out',)

I do not have any ciphers specified under Config > Switches > SSL Ciphers.

I tested the server using OpenSSL and it supports the following ciphers:

• ECDHE-RSA-AES256-GCM-SHA384
  ECDHE-RSA-AES256-SHA384
  ECDHE-RSA-AES256-SHA
  DHE-RSA-AES256-GCM-SHA384
  DHE-RSA-AES256-SHA256
  DHE-RSA-AES256-SHA
  DHE-RSA-CAMELLIA256-SHA
  ECDHE-RSA-AES128-GCM-SHA256
  ECDHE-RSA-AES128-SHA256
  ECDHE-RSA-AES128-SHA
  DHE-RSA-AES128-GCM-SHA256
  DHE-RSA-AES128-SHA256
  DHE-RSA-AES128-SHA
  DHE-RSA-SEED-SHA
  DHE-RSA-CAMELLIA128-SHA

The issue seems to have started a few days ago. I reached out to my provider and they say they haven't made any SSL changes in months. Could it be that Sab does not support any of the above listed ciphers? I have tried all three of the options under Servers > Advanced > Certificate verification. I have about 4 hours worth of debug logs available if anyone wants to take a look.

[sander]

I'm running into an error connecting to one of my providers.

Which provider / newsserver?

What happens when you fill out that newsserver on https://sabnzbd.org/wiki/advanced/certificate-errors and click on Test Server?

[fatgeek]

I'm running into an error connecting to one of my providers.

Which provider / newsserver?

What happens when you fill out that newsserver on https://sabnzbd.org/wiki/advanced/certificate-errors and click on Test Server?

Altopia (news.altopia.com)

When I use the tester I get:

Code: Select all

Server not found, no SSL on port 563, or other error

Altopia is listed as OK x3 on https://www.appelboor.com/newsservers/n ... h-SSL.html

I tried with NZBGet on WIndows and was able to connect with identical settings.

[safihre]

Did you try actually just downloading?

Altopia is strange in the way that they have very long delays after some unsuccessful login event. They add a delay of 20 seconds or something, what Sab considers too long. But usually the downloading actually works fine.

[sander]

quotes from my sabnzbd.log (Ubuntu 17.04):

Code: Select all

2017-03-07 23:50:46,912::INFO::[sabnzbdplus:1250] SSL version OpenSSL 1.0.2g  1 Mar 2016
2017-03-07 23:50:46,912::INFO::[sabnzbdplus:1251] SSL supported protocols ['TLS v1.2', 'TLS v1.1', 'TLS v1']

2017-03-07 23:51:41,272::INFO::[newswrapper:230] [email protected]: Connected using TLSv1.2 (ECDHE-RSA-AES256-GCM-SHA384)
2017-03-07 23:53:05,240::INFO::[newswrapper:230] [email protected]: Connected using TLSv1.2 (ECDHE-RSA-AES256-GCM-SHA384)
2017-03-07 23:53:36,036::INFO::[newswrapper:230] [email protected]: Connected using TLSv1.2 (ECDHE-RSA-AES256-GCM-SHA384)

So no problem with NNTPS, connecting via ECDHE-RSA-AES256-GCM-SHA384 (which is in your OpenSSL overview)

[fatgeek]

Did you try actually just downloading?

Altopia is strange in the way that they have very long delays after some unsuccessful login event. They add a delay of 20 seconds or something, what Sab considers too long. But usually the downloading actually works fine.

I have. Your question actually answers a huge issue I've been having lately though. I get some downloads that enter the queue and stay on checking forever. They never get to failed, they just stick in checking forever. I had Altopia set in my server list as priority 1 with another set to 0. I just went in and disabled Altopia and tried a few of the nzbs that I know spun forever and they downloaded fine. So, if Altopia is doing something that is causing my downloads to do this, I'll probably end up canceling with them and finding another backup.

[sander]

I tried with NZBGet on WIndows and was able to connect with identical settings.

What if you try SABnzbd on Windows? Does altopia work then?

Two more things:

- on your unRaid, if you set the connection the plain NNTP (port 199, no SSL), can you make a connection?
- on your unrRaid, can you set the connection to NTTPS, but with no checking (under Advanced)?

[safihre]

It should've been fixed indeed in 1.2.1, worked with Altopia to fix it.. But seems wasn't enough.

Their servers have quite a lot of timeout!

[fatgeek]

I tried with NZBGet on WIndows and was able to connect with identical settings.

What if you try SABnzbd on Windows? Does altopia work then?

Two more things:

- on your unRaid, if you set the connection the plain NNTP (port 199, no SSL), can you make a connection?
- on your unrRaid, can you set the connection to NTTPS, but with no checking (under Advanced)?

I just installed Sab on Windows and it worked fine. I did notice some different versions. Maybe that's the issue:

Sab: 1.2.2 [555d841]
Python: 2.7.13 (v2.7.13:a06454b1afa1, Dec 17 2016, 20:42:59) [MSC v.1500 32 bit (Intel)] [cp1252]
OpenSSL: OpenSSL 1.0.2j 26 Sep 2016 [TLS v1.2, TLS v1.1, TLS v1, SSL v3]

On unRAID, it does work on 119, no SSL. By "no checking" do you mean the certificate verification? If so, I've tried all three options and none worked.

[safihre]

1.2.2=1.2.1,was only a fix for a Windows problem
So it is platform specific? Hmmm that's weird.
I can't really explain that.. Sander maybe?

[sander]

I can only think of one thing: incorrect / incomplete CA Root store. That does not explain everything, but I have no other hypotheses.

@fatgeek: which container image do you use? And how do you start it? I can't find it ... unless you mean "linuxserver/sabnzbd"

Code: Select all

$ sudo docker run -it linuxserver/unraid /bin/bash
Unable to find image 'linuxserver/unraid:latest' locally
Pulling repository docker.io/linuxserver/unraid
docker: Error: image linuxserver/unraid:latest not found.

Code: Select all

$ sudo docker run -it linuxserver:unraid /bin/bash
Unable to find image 'linuxserver:unraid' locally
Pulling repository docker.io/library/linuxserver
docker: Error: image library/linuxserver:unraid not found.

Code: Select all

$ sudo docker search unraid
NAME                                  DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
tyler43636/unraid-plexpass            Ubuntu Linux Docker with Plex Media Server...   2                    [OK]
manubocquet/unraid-squid              Unraid squid                                    1                    [OK]
manubocquet/unraid-mosquitto          mosquitto for unraid server                     0                    [OK]
topdockercat/minio-unraid             Minio is an Amazon S3 compatible object st...   0                    [OK]
airbillion/youtube-dl-unraid          Youtube-dl container for Unraid                 0                    [OK]
manubocquet/unraid-netdata            Unraid net data                                 0                    [OK]
tyler43636/unraid-plex                Ubuntu Linux Docker with Plex Media Server...   0                    [OK]
tyler43636/unraid-plexpy              Ubuntu Linux Docker with PlexPy installed       0                    [OK]
tyler43636/unraid-jackett             Jackett install on top of the official mon...   0                    [OK]
tyler43636/unraid-sonarr              Sonarr install on top of the official mono...   0                    [OK]
htpcguides/unraid-nzbget              unRAID NZBGet                                   0                    [OK]
notsteve/sagetv-unraid                For unraid                                      0                    [OK]
smirgel/unraid                        Unraid docker images                            0                    [OK]
codechimporg/unraid-dockers-elk       ELK stack for docker on unraid                  0                    [OK]
htpcguides/unraid-plex                unRAID Plex Docker                              0                    [OK]
roninkenji/unraid-dev-docker          Docker for development under Slackware use...   0                    [OK]
savestheday/docker-ventrilo-unraid    Ventrilo for unRAID                             0                    [OK]
leonowski/unraid-ha-bridge            unraid ha bridge                                0                    [OK]
adamrbell/unraid-udpt                 Build and run udpt tracker on unRAID            0                    [OK]
manubocquet/unraid-telegraf           Telegraf dockerfile                             0                    [OK]
hernandito/sonos-api-unraid           Sonos API Docker to be used in unRAID.          0                    [OK]
drewster727/glances-unraid            Glances for unRAID                              0                    [OK]
codechimporg/unraid-dockers-haproxy   HAProxy for docker on unraid                    0                    [OK]
adamrbell/unraid-qbittorrent          **TESTING** This is a playground for my pe...   0                    [OK]
airbillion/unraid-borgjs              borgjs docker                                   0                    [OK]

Code: Select all

$ sudo docker search linuxserver
NAME                       DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
linuxserver/plex           A Plex Media Server container, brought to ...   257                  [OK]
linuxserver/sonarr         A Sonarr container, brought to you by Linu...   187                  [OK]
linuxserver/couchpotato    A CouchPotato container, brought to you by...   182                  [OK]
linuxserver/sabnzbd        A Sabnzbd container, brought to you by Lin...   80                   [OK]
linuxserver/plexpy         A PlexPy container, brought to you by Linu...   80                   [OK]
linuxserver/nzbget         An Nzbget container, brought to you by Lin...   80                   [OK]
linuxserver/deluge         A Deluge container, brought to you by Linu...   69                   
linuxserver/sickrage       A SickRage container, brought to you by Li...   61                   
linuxserver/transmission   A Transmission container, brought to you b...   57                   
linuxserver/headphones     A Headphones container, brought to you by ...   56                   [OK]
linuxserver/unifi          A Unifi container, brought to you by Linux...   40                   
linuxserver/syncthing      A Syncthing container, brought to you by L...   35                   
linuxserver/radarr         A Radarr container, brought to you by Linu...   31                   
linuxserver/hydra          An NzbHydra container, brought to you by L...   28                   
linuxserver/smokeping      A Smokeping container, brought to you by L...   27                   [OK]
linuxserver/muximux        A Muximux container, brought to you by Lin...   27                   
linuxserver/jackett        A Jackett container, brought to you by Lin...   25                   
linuxserver/htpcmanager    An HTPCManager container, brought to you b...   22                   
linuxserver/plexrequests   A PlexRequests container, brought to you b...   22                   
linuxserver/beets          A Beets container, brought to you by Linux...   20                   
linuxserver/rutorrent      A Rutorrent container, brought to you by L...   18                   
linuxserver/pydio          A Pydio container, brought to you by Linux...   16                   
linuxserver/nginx          An Nginx container, brought to you by Linu...   14                   
linuxserver/quassel-core   A Quassel core container, brought to you b...   12                   [OK]
linuxserver/mariadb        A Mariadb container, brought to you by Lin...   11                   

[fatgeek]

I can only think of one thing: incorrect / incomplete CA Root store. That does not explain everything, but I have no other hypotheses.

@fatgeek: which container image do you use? And how do you start it? I can't find it ... unless you mean "linuxserver/sabnzbd"

Code: Select all

$ sudo docker run -it linuxserver/unraid /bin/bash
Unable to find image 'linuxserver/unraid:latest' locally
Pulling repository docker.io/linuxserver/unraid
docker: Error: image linuxserver/unraid:latest not found.

Code: Select all

$ sudo docker run -it linuxserver:unraid /bin/bash
Unable to find image 'linuxserver:unraid' locally
Pulling repository docker.io/library/linuxserver
docker: Error: image library/linuxserver:unraid not found.

Code: Select all

$ sudo docker search unraid
NAME                                  DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
tyler43636/unraid-plexpass            Ubuntu Linux Docker with Plex Media Server...   2                    [OK]
manubocquet/unraid-squid              Unraid squid                                    1                    [OK]
manubocquet/unraid-mosquitto          mosquitto for unraid server                     0                    [OK]
topdockercat/minio-unraid             Minio is an Amazon S3 compatible object st...   0                    [OK]
airbillion/youtube-dl-unraid          Youtube-dl container for Unraid                 0                    [OK]
manubocquet/unraid-netdata            Unraid net data                                 0                    [OK]
tyler43636/unraid-plex                Ubuntu Linux Docker with Plex Media Server...   0                    [OK]
tyler43636/unraid-plexpy              Ubuntu Linux Docker with PlexPy installed       0                    [OK]
tyler43636/unraid-jackett             Jackett install on top of the official mon...   0                    [OK]
tyler43636/unraid-sonarr              Sonarr install on top of the official mono...   0                    [OK]
htpcguides/unraid-nzbget              unRAID NZBGet                                   0                    [OK]
notsteve/sagetv-unraid                For unraid                                      0                    [OK]
smirgel/unraid                        Unraid docker images                            0                    [OK]
codechimporg/unraid-dockers-elk       ELK stack for docker on unraid                  0                    [OK]
htpcguides/unraid-plex                unRAID Plex Docker                              0                    [OK]
roninkenji/unraid-dev-docker          Docker for development under Slackware use...   0                    [OK]
savestheday/docker-ventrilo-unraid    Ventrilo for unRAID                             0                    [OK]
leonowski/unraid-ha-bridge            unraid ha bridge                                0                    [OK]
adamrbell/unraid-udpt                 Build and run udpt tracker on unRAID            0                    [OK]
manubocquet/unraid-telegraf           Telegraf dockerfile                             0                    [OK]
hernandito/sonos-api-unraid           Sonos API Docker to be used in unRAID.          0                    [OK]
drewster727/glances-unraid            Glances for unRAID                              0                    [OK]
codechimporg/unraid-dockers-haproxy   HAProxy for docker on unraid                    0                    [OK]
adamrbell/unraid-qbittorrent          **TESTING** This is a playground for my pe...   0                    [OK]
airbillion/unraid-borgjs              borgjs docker                                   0                    [OK]

Code: Select all

$ sudo docker search linuxserver
NAME                       DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
linuxserver/plex           A Plex Media Server container, brought to ...   257                  [OK]
linuxserver/sonarr         A Sonarr container, brought to you by Linu...   187                  [OK]
linuxserver/couchpotato    A CouchPotato container, brought to you by...   182                  [OK]
linuxserver/sabnzbd        A Sabnzbd container, brought to you by Lin...   80                   [OK]
linuxserver/plexpy         A PlexPy container, brought to you by Linu...   80                   [OK]
linuxserver/nzbget         An Nzbget container, brought to you by Lin...   80                   [OK]
linuxserver/deluge         A Deluge container, brought to you by Linu...   69                   
linuxserver/sickrage       A SickRage container, brought to you by Li...   61                   
linuxserver/transmission   A Transmission container, brought to you b...   57                   
linuxserver/headphones     A Headphones container, brought to you by ...   56                   [OK]
linuxserver/unifi          A Unifi container, brought to you by Linux...   40                   
linuxserver/syncthing      A Syncthing container, brought to you by L...   35                   
linuxserver/radarr         A Radarr container, brought to you by Linu...   31                   
linuxserver/hydra          An NzbHydra container, brought to you by L...   28                   
linuxserver/smokeping      A Smokeping container, brought to you by L...   27                   [OK]
linuxserver/muximux        A Muximux container, brought to you by Lin...   27                   
linuxserver/jackett        A Jackett container, brought to you by Lin...   25                   
linuxserver/htpcmanager    An HTPCManager container, brought to you b...   22                   
linuxserver/plexrequests   A PlexRequests container, brought to you b...   22                   
linuxserver/beets          A Beets container, brought to you by Linux...   20                   
linuxserver/rutorrent      A Rutorrent container, brought to you by L...   18                   
linuxserver/pydio          A Pydio container, brought to you by Linux...   16                   
linuxserver/nginx          An Nginx container, brought to you by Linu...   14                   
linuxserver/quassel-core   A Quassel core container, brought to you b...   12                   [OK]
linuxserver/mariadb        A Mariadb container, brought to you by Lin...   11                   

unRAID is the OS, Docker runs on top of unRAID. The container I'm using is linuxserver/sabnzbd: https://hub.docker.com/r/linuxserver/sabnzbd/

unRAID has a GUI that allows for administering Docker containers. Under the GUI, my run line ends up looking like this:

Code: Select all

docker run -d --name="sabnzbd" --net="bridge" -e TZ="America/New York" -e HOST_OS="unRAID" -e "PUID"="99" -e "PGID"="100" -p 8080:8080/tcp -p 9090:9090/tcp -v "/mnt/user/downloads/":"/downloads":rw -v "/mnt/user/downloads/sab-temp/":"/incomplete-downloads":rw -v "/mnt/user/appdata/sabnzbd":"/config":rw linuxserver/sabnzbd

[fatgeek]

I just tried running update-ca-certificates:

Code: Select all

root@tower:~# docker exec -it sabnzbd /bin/bash
root@0bb56fa6e4f7:/# update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@0bb56fa6e4f7:/#

[sander]

I ran linuxserver/sabnzbd (docker image) on my Ubuntu, and I can successfully connect to Altopia:

Code: Select all

2017-03-08 19:24:48,277::INFO::[newswrapper:250] [email protected]: Connected using TLSv1.2 (ECDHE-RSA-AES256-GCM-SHA384)

So I can't reproduce. :-(

[fatgeek]

I've been doing some more troubleshooting on this and this is what I have so far:

I tried another docker container on unRAID, needo/sabnzbd and it also was unable to connect to Altopia.

I then installed sab on an Ubuntu 16.04 VM from jfcp/nobetas and it was able to connect fine. I then ran the linuxserver/sabnzbd docker container on that same VM and it also connected fine.

So, I'm starting to think that the issue lies with unRAID, but have no idea how.