certificate errors after switching to VPN
Forum rules
Help us help you:
Help us help you:
- Are you using the latest stable version of SABnzbd? Downloads page.
- Tell us what system you run SABnzbd on.
- Adhere to the forum rules.
- Do you experience problems during downloading?
Check your connection in Status and Interface settings window.
Use Test Server in Config > Servers.
We will probably ask you to do a test using only basic settings. - Do you experience problems during repair or unpacking?
Enable +Debug logging in the Status and Interface settings window and share the relevant parts of the log here using [ code ] sections.
certificate errors after switching to VPN
I'm getting certificate errors in sabnzbd, even though it seems to successfully download stuff. This started happening ever since I started using a VPN on the machine where sabnzbd is running. Any ideas what I need to do to avoid getting these errors?
Re: certificate errors after switching to VPN
Too vague ... When, where, what?
Re: certificate errors after switching to VPN
Version: 2.0.0 [55c4bef]
Platform: ReadyNas 6.6.1 (debian Jessie)
when an NZB is sent to sabnzbd from sickbeard, the sabnzbd screen displays that the file has been downloaded, however an ERROR is displayed on the sabnzbd main screen which says:
Is this the reason for the ERROR? It looks to me like the only thing that is happening is that its not verifying the server before downloading, but its annoying to have to clean up the error messages. Is there any way to just disable checking of the certificates? I think possibly this only started happening after I started running an openssl VPN client on the same box...so that makes me wonder if this is fixable with configuration, but I'm not sure.
Platform: ReadyNas 6.6.1 (debian Jessie)
when an NZB is sent to sabnzbd from sickbeard, the sabnzbd screen displays that the file has been downloaded, however an ERROR is displayed on the sabnzbd main screen which says:
I also notice in the configuration screen the following warning:Server news.frugalusenet.com uses an untrusted certificate [_ssl.c:489: The handshake operation timed out] - https://sabnzbd.org/certificate-errors
The version of python I have is 2.7.11 but the openssl I have is 1.0.1t, so maybe that is the issue, but I am not sure if I can update openssl on my readynas..since its running debian jessie. I took an initial attempt and installing backported 1.0.2 openssl, but ran into headaches and gave up. I don't want to break my machine otherwise.Warning Secure (SSL) connections from SABnzbd to newsservers and HTTPS websites will be encrypted, however, validating a server's identity using its certificates is not possible. Python 2.7.9 or above, OpenSSL 1.0.2 or above and up-to-date local CA certificates are required.
Is this the reason for the ERROR? It looks to me like the only thing that is happening is that its not verifying the server before downloading, but its annoying to have to clean up the error messages. Is there any way to just disable checking of the certificates? I think possibly this only started happening after I started running an openssl VPN client on the same box...so that makes me wonder if this is fixable with configuration, but I'm not sure.
Re: certificate errors after switching to VPN
Timeout in this case is not caused by the certificate validation, although the error seems to suggest that.
I am not sure why the certificate validation test is failing, but it can also be outdated root certificate on your device.
But the download still continues fine from the server, it doesn't switch to possible backup servers? Then it could just be a timeout, nothing to worry.
I am not sure why the certificate validation test is failing, but it can also be outdated root certificate on your device.
But the download still continues fine from the server, it doesn't switch to possible backup servers? Then it could just be a timeout, nothing to worry.
If you like our support, check our special newsserver deal or donate at: https://sabnzbd.org/donate
Re: certificate errors after switching to VPN
well its working so I'm not that worried, but I'm getting tired of having to close the error messages that show up every day. If there is a way to fix something so that no more error messages I would really appreciate any help for doing that.
The root certificate you mentioned, what is that, where is it and how can I update it? Would that have changed somehow when I started using the VPN client?
The root certificate you mentioned, what is that, where is it and how can I update it? Would that have changed somehow when I started using the VPN client?
Re: certificate errors after switching to VPN
Yes it is possible that the VPN client changed the certificate storage of the system, by adding/replacing to the standard storage.
I wouldn't know exactly where it is located, since it is very OS dependent on Linux. But you can maybe Google or ask the ReadyNas forums?
The server is 3x OK, so it's certificates are fine: https://www.appelboor.com/cgi-bin/check ... usenet.com
I wouldn't know exactly where it is located, since it is very OS dependent on Linux. But you can maybe Google or ask the ReadyNas forums?
The server is 3x OK, so it's certificates are fine: https://www.appelboor.com/cgi-bin/check ... usenet.com
If you like our support, check our special newsserver deal or donate at: https://sabnzbd.org/donate
Re: certificate errors after switching to VPN
so you don't think I need to worry about the openssl 1.0.2 warning in sabnzbd?
The readynas forum is not likely to be able to help but I will ask, where does sabnzbd expect the root certificates to be?
In case I can't figure that out, is it possible to configure sabnzbd to not bother checking the certificate?
I'm just running openvpn as the vpn client on this box.
The readynas forum is not likely to be able to help but I will ask, where does sabnzbd expect the root certificates to be?
In case I can't figure that out, is it possible to configure sabnzbd to not bother checking the certificate?
I'm just running openvpn as the vpn client on this box.
Re: certificate errors after switching to VPN
Hi Dewdman42,
When do you get the message "Server news.frugalusenet.com uses an untrusted certificate"? Always thus also with the VPN not active, or only if the VPN is on/activated?
The problem could be in your OS root store (first case), or the VPN could be the Man-in-the-Middle (second case).
When do you get the message "Server news.frugalusenet.com uses an untrusted certificate"? Always thus also with the VPN not active, or only if the VPN is on/activated?
The problem could be in your OS root store (first case), or the VPN could be the Man-in-the-Middle (second case).
Re: certificate errors after switching to VPN
I will have to turn off VPN and wait a while to see what happens. I am not sure exactly when the message happens, I presume when sabnzbd first gets the nzb request from sickbeard and attempts to connect to my usenet provider.
can you explain a little bit more abou tthe OS root store you mentioned?
can you explain a little bit more abou tthe OS root store you mentioned?
Re: certificate errors after switching to VPN
I will say this for now... if I go into sabnzbd server config and "test server", then it works with my VPN client turned off. If I am running the VPN client then "test server" returns an error after trying for a while.
Re: certificate errors after switching to VPN
Bingo! That means your VPN is the cause, and maybe the Man in the Middle. The SSL warning is exactly against Man in the Middle problems: SSL/TLS is there to guarantee thatDewdman42 wrote:I will say this for now... if I go into sabnzbd server config and "test server", then it works with my VPN client turned off. If I am running the VPN client then "test server" returns an error after trying for a while.
1) you're talking to the host you think you're talking to
2) someone in between cannot eavesdrop what you're communicating.
So .. the VPN breaks 1 and/or 2, and SAB/Python is warning for that.
Which VPN-service do you use?
Re: certificate errors after switching to VPN
I'm using IPVanish as a service....but I'm not using their client, I'm just using openvpn as the client on my side.
Re: certificate errors after switching to VPN
IPVanish ... they have no free test-account, so I can't test that for you.
This is a long shot, but let's try it:
With the VPN off, execute this command on your ReadyNas:
and post the output here.
Do the same with the VPN on.
Here's the output on my Ubuntu 17.04:
If you see different results in the certificate chain, we have something interesting.
This is a long shot, but let's try it:
With the VPN off, execute this command on your ReadyNas:
Code: Select all
echo "\n" | openssl s_client -connect news.frugalusenet.com:nntps | head -10
Do the same with the VPN on.
Here's the output on my Ubuntu 17.04:
Code: Select all
sander@Stream-13:~$ echo "\n" | openssl s_client -connect news.frugalusenet.com:nntps | head -10
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = GeoTrust SSL CA - G3
verify return:1
depth=0 C = US, ST = Maine, L = Alfred, O = BITS TO BYTES COMPUTING, CN = usnews.blocknews.net
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:/C=US/ST=Maine/L=Alfred/O=BITS TO BYTES COMPUTING/CN=usnews.blocknews.net
i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
Re: certificate errors after switching to VPN
well.. I updated the firmware on my readynas, hoping that would update openssl. It did not. That also installed an older version of python into /usr/bin which messed up things. I have 2.7.11 installed under /usr/local/bin and somehow that was working before with that version of python, but after the firmeware update it didn't work anymore.
When I upgraded that /usr/bin/python to 2.7.9, the problem seems to have gone away with or without the VPN. its all kind of confusing, I have no idea why its fixed now since it didn't work before with 2.7.11 either.
Its remotely possible that openvpn needs to be started before starting sabnzbd, so I'm not sure what happens on the next reboot...
I'm curious about your test so I will try that in a bit..
When I upgraded that /usr/bin/python to 2.7.9, the problem seems to have gone away with or without the VPN. its all kind of confusing, I have no idea why its fixed now since it didn't work before with 2.7.11 either.
Its remotely possible that openvpn needs to be started before starting sabnzbd, so I'm not sure what happens on the next reboot...
I'm curious about your test so I will try that in a bit..
Re: certificate errors after switching to VPN
Dewdman42 wrote:
I'm curious about your test so I will try that in a bit..
I'm curious too ... so did you do the openssl-cli-test?