certificate errors after switching to VPN

Posted: May 20th, 2017, 9:32 pm
by Dewdman42
I'm getting certificate errors in sabnzbd, even though it seems to successfully download stuff. This started happening ever since I started using a VPN on the machine where sabnzbd is running. Any ideas what I need to do to avoid getting these errors?

Re: certificate errors after switching to VPN

Posted: May 21st, 2017, 1:44 am
by sander
Too vague ... When, where, what?

Re: certificate errors after switching to VPN

Posted: May 21st, 2017, 12:27 pm
by Dewdman42
Version: 2.0.0 [55c4bef]
Platform: ReadyNas 6.6.1 (debian Jessie)

When an NZB is sent to sabnzbd from sickbeard, the sabnzbd screen displays that the file has been downloaded; however, an ERROR is displayed on the sabnzbd main screen which says:
Server news.frugalusenet.com uses an untrusted certificate [_ssl.c:489: The handshake operation timed out] - https://sabnzbd.org/certificate-errors
I also notice in the configuration screen the following warning:
Warning Secure (SSL) connections from SABnzbd to newsservers and HTTPS websites will be encrypted, however, validating a server's identity using its certificates is not possible. Python 2.7.9 or above, OpenSSL 1.0.2 or above and up-to-date local CA certificates are required.
The version of python I have is 2.7.11 but the openssl I have is 1.0.1t, so maybe that is the issue, but I am not sure if I can update openssl on my readynas, since it's running debian jessie. I took an initial attempt at installing backported 1.0.2 openssl, but ran into headaches and gave up. I don't want to break my machine otherwise.

Is this the reason for the ERROR? It looks to me like the only thing that is happening is that it's not verifying the server before downloading, but it's annoying to have to clean up the error messages. Is there any way to just disable checking of the certificates? I think possibly this only started happening after I started running an openssl VPN client on the same box, so that makes me wonder if this is fixable with configuration, but I'm not sure.

Re: certificate errors after switching to VPN

Posted: May 21st, 2017, 12:54 pm
by safihre
Timeout in this case is not caused by the certificate validation, although the error seems to suggest that.
I am not sure why the certificate validation test is failing, but it can also be an outdated root certificate on your device.
But the download still continues fine from the server, it doesn't switch to possible backup servers? Then it could just be a timeout, nothing to worry about.

Re: certificate errors after switching to VPN

Posted: May 21st, 2017, 1:00 pm
by Dewdman42
Well, it's working so I'm not that worried, but I'm getting tired of having to close the error messages that show up every day. If there is a way to fix something so that there are no more error messages, I would really appreciate any help for doing that.

The root certificate you mentioned, what is that, where is it and how can I update it? Would that have changed somehow when I started using the VPN client?

Re: certificate errors after switching to VPN

Posted: May 21st, 2017, 2:08 pm
by safihre
Yes it is possible that the VPN client changed the certificate storage of the system, by adding/replacing to the standard storage.

I wouldn't know exactly where it is located, since it is very OS dependent on Linux. But you can maybe Google or ask the ReadyNas forums?
The server is 3x OK, so its certificates are fine: https://www.appelboor.com/cgi-bin/check ... usenet.com

Re: certificate errors after switching to VPN

Posted: May 21st, 2017, 2:30 pm
by Dewdman42
So you don't think I need to worry about the openssl 1.0.2 warning in sabnzbd?

The readynas forum is not likely to be able to help but I will ask, where does sabnzbd expect the root certificates to be?

In case I can't figure that out, is it possible to configure sabnzbd to not bother checking the certificate?

I'm just running openvpn as the vpn client on this box.

Re: certificate errors after switching to VPN

Posted: May 21st, 2017, 2:48 pm
by sander
Hi Dewdman42,

When do you get the message "Server news.frugalusenet.com uses an untrusted certificate"? Always thus also with the VPN not active, or only if the VPN is on/activated?

The problem could be in your OS root store (first case), or the VPN could be the Man-in-the-Middle (second case).
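Added example (not code from SABnzbd or from any poster in this thread): a Python sketch that reports which OpenSSL build and CA locations the running interpreter uses, and checks them against the minimums quoted in the SABnzbd warning. It assumes it is run with the same Python binary that runs SABnzbd, since the `openssl` command-line tool and the library linked into Python can be different versions; the function names are hypothetical.

```python
import os
import ssl
import sys

# Minimums quoted in the SABnzbd warning earlier in the thread.
MIN_PYTHON = (2, 7, 9)
MIN_OPENSSL = (1, 0, 2)


def meets_minimums(python_version, openssl_version):
    """True when both versions satisfy the minimums from the warning."""
    return (tuple(python_version[:3]) >= MIN_PYTHON
            and tuple(openssl_version[:3]) >= MIN_OPENSSL)


def trust_store_report():
    """Describe the OpenSSL build and CA locations this interpreter uses."""
    paths = ssl.get_default_verify_paths()
    ctx = ssl.create_default_context()  # loads the default CA locations
    capath_ok = bool(paths.capath and os.path.isdir(paths.capath))
    return {
        "python": tuple(sys.version_info[:3]),
        "openssl": ssl.OPENSSL_VERSION,  # library linked into this Python
        "cafile": paths.cafile,          # None when the bundle file is missing
        "capath": paths.capath,          # None when the directory is missing
        "capath_entries": len(os.listdir(paths.capath)) if capath_ok else 0,
        # Environment variables that override the compiled-in locations.
        "env_overrides": {
            name: os.environ.get(name)
            for name in (paths.openssl_cafile_env, paths.openssl_capath_env)
        },
        # Certificates in a capath directory are loaded on demand, so this
        # count can be 0 even when the directory is populated.
        "ca_certs_loaded": ctx.cert_store_stats()["x509_ca"],
        "meets_minimums": meets_minimums(sys.version_info,
                                         ssl.OPENSSL_VERSION_INFO),
    }


if __name__ == "__main__":
    for key, value in sorted(trust_store_report().items()):
        print("%-16s %s" % (key, value))
```

Running it once with the VPN off and once with it on shows whether the CA file, CA directory or override variables changed between the two states.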

Re: certificate errors after switching to VPN

Posted: May 21st, 2017, 3:20 pm
by Dewdman42
I will have to turn off VPN and wait a while to see what happens. I am not sure exactly when the message happens, I presume when sabnzbd first gets the nzb request from sickbeard and attempts to connect to my usenet provider.

Can you explain a little bit more about the OS root store you mentioned?

Re: certificate errors after switching to VPN

Posted: May 21st, 2017, 3:49 pm
by Dewdman42
I will say this for now... if I go into sabnzbd server config and "test server", then it works with my VPN client turned off. If I am running the VPN client then "test server" returns an error after trying for a while.

Re: certificate errors after switching to VPN

Posted: May 21st, 2017, 3:58 pm
by sander
Dewdman42 wrote:
I will say this for now... if I go into sabnzbd server config and "test server", then it works with my VPN client turned off. If I am running the VPN client then "test server" returns an error after trying for a while.

Bingo! That means your VPN is the cause, and maybe the Man in the Middle. The SSL warning is exactly against Man in the Middle problems: SSL/TLS is there to guarantee that
1) you're talking to the host you think you're talking to
2) someone in between cannot eavesdrop what you're communicating.

So .. the VPN breaks 1 and/or 2, and SAB/Python is warning for that.

Which VPN-service do you use?

Re: certificate errors after switching to VPN

Posted: May 21st, 2017, 4:05 pm
by Dewdman42
I'm using IPVanish as a service....but I'm not using their client, I'm just using openvpn as the client on my side.

Re: certificate errors after switching to VPN

Posted: May 21st, 2017, 5:00 pm
by sander
IPVanish ... they have no free test-account, so I can't test that for you.

This is a long shot, but let's try it:

With the VPN off, execute this command on your ReadyNas:

Code:

echo "\n" | openssl s_client  -connect news.frugalusenet.com:nntps  | head -10

and post the output here.

Do the same with the VPN on.

Here's the output on my Ubuntu 17.04:

Code:

sander@Stream-13:~$ echo "\n" | openssl s_client  -connect news.frugalusenet.com:nntps  | head -10
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = GeoTrust SSL CA - G3
verify return:1
depth=0 C = US, ST = Maine, L = Alfred, O = BITS TO BYTES COMPUTING, CN = usnews.blocknews.net
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=Maine/L=Alfred/O=BITS TO BYTES COMPUTING/CN=usnews.blocknews.net
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----

If you see different results in the certificate chain, we have something interesting.
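Added example (not part of the original post): a Python sketch of the comparison suggested above. It parses the "Certificate chain" section of two saved `openssl s_client` outputs and lists where they differ. The first sample is the chain posted above; the other two samples are constructed, and the function names are hypothetical.

```python
import re

# Chain section as posted above (VPN off, Ubuntu 17.04).
VPN_OFF = """\
Certificate chain
 0 s:/C=US/ST=Maine/L=Alfred/O=BITS TO BYTES COMPUTING/CN=usnews.blocknews.net
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
"""
# Constructed sample: a capture whose leaf was issued by a different CA.
VPN_ON_CONSTRUCTED = """\
Certificate chain
 0 s:/CN=usnews.blocknews.net
   i:/O=Example Org/CN=Example Inspection CA
---
"""
# Constructed sample: the handshake never completed, so there is no chain.
NO_HANDSHAKE_CONSTRUCTED = "CONNECTED(00000003)\n"

SUBJECT = re.compile(r"^\s*(\d+) s:(.*)$")
ISSUER = re.compile(r"^\s+i:(.*)$")


def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from s_client output."""
    chain, inside = [], False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            inside = True
        elif inside and line.startswith("---"):
            break
        elif inside and SUBJECT.match(line):
            m = SUBJECT.match(line)
            chain.append([int(m.group(1)), m.group(2).strip(), None])
        elif inside and chain and ISSUER.match(line):
            chain[-1][2] = ISSUER.match(line).group(1).strip()
    return [tuple(entry) for entry in chain]


def compare_captures(a_text, b_text):
    """Return a list of findings; an empty list means the chains match."""
    a, b = parse_chain(a_text), parse_chain(b_text)
    if not a or not b:
        return ["no chain captured: the handshake did not complete"]
    findings = []
    if len(a) != len(b):
        findings.append("chain length differs: %d vs %d" % (len(a), len(b)))
    for (depth, subj_a, iss_a), (_, subj_b, iss_b) in zip(a, b):
        if subj_a != subj_b:
            findings.append("depth %d subject differs" % depth)
        if iss_a != iss_b:
            findings.append("depth %d issuer differs" % depth)
    return findings
```

A capture with no chain section points at connectivity (the handshake timeout reported earlier in the thread) rather than at a substituted certificate; a changed issuer at depth 0 is the result that would be "something interesting".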

Re: certificate errors after switching to VPN

Posted: May 21st, 2017, 5:17 pm
by Dewdman42
Well.. I updated the firmware on my readynas, hoping that would update openssl. It did not. That also installed an older version of python into /usr/bin which messed up things. I have 2.7.11 installed under /usr/local/bin and somehow that was working before with that version of python, but after the firmware update it didn't work anymore.

When I upgraded that /usr/bin/python to 2.7.9, the problem seems to have gone away with or without the VPN. It's all kind of confusing, I have no idea why it's fixed now since it didn't work before with 2.7.11 either.

It's remotely possible that openvpn needs to be started before starting sabnzbd, so I'm not sure what happens on the next reboot...

I'm curious about your test so I will try that in a bit..

Re: certificate errors after switching to VPN

Posted: May 23rd, 2017, 6:27 am
by sander
Dewdman42 wrote:
I'm curious about your test so I will try that in a bit..

I'm curious too ... so did you do the openssl-cli-test?