Failed to connect - untrusted certificate - Windows with non-Microsoft virusscaner and SABnzbd 4.4.0

[Temujin]

Failed to connect: Server news.newshosting.com uses an untrusted certificate [Certificate not valid. This is most probably a server issue.] - Wiki: https://sabnzbd.org/certificate-errors [email protected]:563 (news.iad.newshosting.com)

Prevents downloads.

I accessed the site to Check SSL of Newsserver news.newshosting.com and they passed.

Newshosting's site has a link with steps to check some stuff, but i don't show the same items they list to check
https://support.newshosting.com/kb/arti ... on-failed/

Windows users may be able to resolve the issue by following these steps:

Open Run and type mmc.exe
Select <File>, <Add/Remove Snap-In>
Choose <Certificates>
Select <My User Account>, and click<OK>
Expand <Certificates - Current User>
Expand <Intermediate Certificate Authorities>, and Click <Certificates>
Find and delete the expired DST Root CA X3 and/or Let's Encrypt R3 certificates. <-- not on my PC

SABnzbd version: 4.4.0
Windows 11
No crazy VPN or firewalls running

[safihre]

What virusscanner do you use?
See https://github.com/sabnzbd/sabnzbd/issues/2993

[Temujin]

Using Avast. I disabled cert verification for now, I'm not going turn off HTTPS scanning in Avast for the whole PC, that seems extreme.
Hope a better solution is found eventually.
Thanks for the links and quick reply, I'm able to download again.

[safihre]

If you disable certificate validation, your SSL becomes basically useless and anyone could perform a man-in-the-middle attack.

[sander]

If you disable certificate validation, your SSL becomes basically useless and anyone could perform a man-in-the-middle attack.

The OP already has a man-in-the-middle attack going on. It's called his virusscanner.

With his/her "I disabled cert verification for now", any (other) MitM can now happen.

[blackbat]

Hmm - I also started getting the exact same issue yesterday, but with a different news host. I haven't been able to resolve it yet and also don't have the certificates which it is suggested may have expired. Also using Avast.

[OJBakker]

It is a problem of the latest sabnzbd version 4.4.0
I had the same problem, started early this morning after updating sabnzbd yesterday evening.
When sabnzbd failed I have tried another program using the same server and this worked without errors, so it is not a server problem.
I have reinstalled version 4.3.3 and the certificate problem is gone.

My system is Windows 10 x64, sabnzbd installed with the installer for windows.

[sander]

Guys, before inventing the wheel again ... please join this thread: https://github.com/sabnzbd/sabnzbd/issu ... 2541553589

EDIT: create a github account to join, to retrieve the binary, and to share your feedback

Use the Sabnzbd Windows binary provided there, and provide feedback there.

Your help is needed!

[blackbat]

Use the Sabnzbd Windows binary provided there, and provide feedback there.

Your help is needed!

I don't see any binary to test?

[sander]

You need a github account for that. So if you can create that, then we can get your experience and solve it.

[sander]

OK, guys: summary from the github progress: test work to do for you:

With the plain SABnzbd 4.4.0:

Go to server settings http://127.0.0.1:8080/config/server/
In the upper right corner: turn Advanced Settings on
Then, at server Show Details: change Port from 563 to 443.
Click Test Server ... does it work, and without errors? Good! Click Save Changes.

And please report back the result:
- which newsserver
- which virusscanner
- does this workaround work for you?

For example
- news.newshosting.com
- AVG Free
- Yes, works with port 443 set

[sander]

... or just use the binary just released: https://github.com/sabnzbd/sabnzbd/issu ... 2543341811 ... github account needed.

[Temujin]

Switching ports from 563 to 443 has worked for me.

Sabnzb: 4.4.0
Newshost: newshosting
AV: Avast

[hdhock3y]

I am also receiving the error, workaround seems to have fixed it.

AV: AVG Free
Sabnzb: 4.4.1

news.newsgroupdirect switched from 563 to 80 - Fixed it
super.newsgroupdirect switched from 563 to 443 - Fixed it
reader.usenight switched from 563 to 443 - Fixed it
news.vipernews switched from 563 to 443 - Fixed it

[sander]

I am also receiving the error, workaround seems to have fixed it.

AV: AVG Free
Sabnzb: 4.4.1

news.newsgroupdirect switched from 563 to 80 - Fixed it
super.newsgroupdirect switched from 563 to 443 - Fixed it
reader.usenight switched from 563 to 443 - Fixed it
news.vipernews switched from 563 to 443 - Fixed it

Good to hear. I myself prefer your method: change port to 443 (=standard HTTPS).

But I inform you and others about the other method: as of SABnzbd 4.4.1, per defined news server, with advanced options checked on, at "Certificate verification" you can select "Medium" and then keep using port 563.

From the SABnzbd's Server page https://127.0.0.1:8080/config/server/ :

Certificate verification

When SSL is enabled:
- Strict: enforce full certificate verification. This is the most secure setting.
- Medium: verify that the certificate is valid and matches the server address, but allow certificates locally injected (for example by firewall or virus scanner).
- Minimal: verify that the certificate is valid. This is not secure, any valid certificate could be used.
- Disabled: no certification verification. This is not secure at all, anyone could intercept your connection.