Intermediate certificate

Posted: December 10th, 2011, 1:34 pm
by cookiedelu
Hi,

I've read an old topic mentioning the usage of intermediate certificates.
I've not found any other information.
Is it supported and how can we use it?

Thanks

Re: Intermediate certificate

Posted: December 10th, 2011, 1:35 pm
by shypike
It's not supported.

Re: Intermediate certificate

Posted: December 25th, 2011, 8:40 pm
by cookiedelu
Hi,

Can the team think about making it supported?
I guess a lot of people like me have an opportunity to use one provided by their DNS for free or at a cheap cost.
It would be really appreciated.

Re: Intermediate certificate

Posted: December 25th, 2011, 11:32 pm
by hrast
I did something similar, where I created a server certificate for use with sabnzbd and FreeNAS. I have an existing OpenVPN install, so I used the CA created for that to sign a cert, imported the OpenVPN CA as trusted into my web browsers to stop errors from popping up. It wasn't terribly complicated, but I'm not sure I'd recommend it to someone who isn't familiar with SSL.

Re: Intermediate certificate

Posted: January 23rd, 2012, 10:48 am
by Jonfen
It works for me.

I don't know if something was updated to make this work since this thread was started but it works if you place the CA and intermediate certs in the same file.

Create a new file and paste the two certs after each other like this:

-----BEGIN CERTIFICATE-----
The CA certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
The Intermediate certificate
-----END CERTIFICATE-----

Re: Intermediate certificate

Posted: January 23rd, 2012, 11:01 am
by shypike
If someone can explain how any support for this can be implemented in SABnzbd, I would welcome it.
As it is now, I have no idea how this "intermediate" CA stuff is supposed to work
and frankly I don't have the time to study the matter.

Re: Intermediate certificate

Posted: January 24th, 2012, 3:34 am
by Jonfen
I don't know if this might help.

When you have a chained certificate you have three files instead of two: key, CA certificate and the intermediate certificate.

The CherryPy class pyOpenSSLAdapter can take a third argument, certificate_chain. That is the intermediate certificate.
http://docs.cherrypy.org/stable/refman/ ... enssl.html

Edit: I noticed that my first post about putting the certs in the same file isn't true. Firefox wants it to be chained correctly as described in this post. Chrome and IE don't seem to care about the intermediate certificate (that's why I thought it worked).

Re: Intermediate certificate

Posted: January 24th, 2012, 11:01 am
by shypike
Is there any way to avoid adding a CA to the browser(s)?
Is this something that can be "fixed" on the server (SABnzbd) side only?

Re: Intermediate certificate

Posted: January 24th, 2012, 12:49 pm
by Jonfen
If I understand your question correctly, the answer is that it depends on the certificate. The certificate must be issued by a company like Comodo, Verisign or Thawte etc., who verify that the domain belongs to you. (I bought mine cheap from Alpha SSL)

I don't know how sabnzbd loads the certificates today but I assumed it was with that CherryPy library I mentioned in my previous post. In any case, single-file certificates should work well already.

For chained certificates to work we must be able to specify one more file in the sabnzbd HTTPS settings (the intermediate certificate). Then sabnzbd could use pyOpenSSL to load key+cert if intermediate isn't specified or else to load all three files. If the certificate is good, nothing will have to be added to the browser and you will get the nice green padlock. :)

A self-signed certificate that is created with openssl on the server will always give certificate warnings, and it needs to be added to the browser to get rid of those warnings.
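
The two-file versus three-file loading described in the post above, as an added example that is not part of the thread or of SABnzbd's code. It uses Python's standard `ssl` module instead of the pyOpenSSL adapter mentioned in the thread, and the function names and paths are assumptions. The server certificate is written first and the intermediate after it, which is the order `load_cert_chain()` expects.

```python
import os
import re
import ssl
import tempfile

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def pem_certs(text):
    """Return every PEM certificate block in text, in file order."""
    return PEM_CERT.findall(text or "")


def build_chain_pem(server_pem, intermediate_pem=None):
    """Bundle for the TLS handshake: server certificate first, then issuers."""
    chain = pem_certs(server_pem)
    if not chain:
        raise ValueError("no certificate found in the server certificate file")
    seen = {"".join(block.split()) for block in chain}
    for block in pem_certs(intermediate_pem):
        key = "".join(block.split())
        if key not in seen:  # skip certs the first file already carries
            seen.add(key)
            chain.append(block)
    return "\n".join(chain) + "\n"


def make_server_context(cert_path, key_path, chain_path=None):
    """Hypothetical helper: two files when chain_path is None, else three."""
    with open(cert_path) as fh:
        server_pem = fh.read()
    intermediate_pem = None
    if chain_path:
        with open(chain_path) as fh:
            intermediate_pem = fh.read()
    bundle = build_chain_pem(server_pem, intermediate_pem)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # load_cert_chain() reads one PEM file: server cert, then its issuer(s).
    fd, bundle_path = tempfile.mkstemp(suffix=".pem")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(bundle)
        ctx.load_cert_chain(certfile=bundle_path, keyfile=key_path)
    finally:
        os.remove(bundle_path)
    return ctx
```

The root CA certificate does not need to be in the bundle, because browsers already hold it in their trust store.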