"Untrusted certificate" - Just wait or what to do?

Get help with all aspects of SABnzbd
Forum rules
Help us help you:
  • Are you using the latest stable version of SABnzbd? Downloads page.
  • Tell us what system you run SABnzbd on.
  • Adhere to the forum rules.
  • Do you experience problems during downloading?
    Check your connection in Status and Interface settings window.
    Use Test Server in Config > Servers.
    We will probably ask you to do a test using only basic settings.
  • Do you experience problems during repair or unpacking?
    Enable +Debug logging in the Status and Interface settings window and share the relevant parts of the log here using [ code ] sections.
iUseNetter
Jr. Member
Jr. Member
Posts: 77
Joined: December 1st, 2019, 2:53 pm

"Untrusted certificate" - Just wait or what to do?

Post by iUseNetter »

I have read the WIKI, but I'm not sure if I have to do something:

Currently SABNZBD v3.1.1 [99b5a00] shows this error on my Synology:
Server news.newshosting.com uses an untrusted certificate [Certificate not valid. This is most probably a server issue.]
Should I just wait or do I have to check/change something?

Image

Image
User avatar
sander
Release Testers
Release Testers
Posts: 9062
Joined: January 22nd, 2008, 2:22 pm

Re: "Untrusted certificate" - Just wait or what to do?

Post by sander »

Indeed https://www.sslshopper.com/ssl-checker. ... ng.com:563 tells news.newshosting.com is OK.

So that means your Synology is not uptodate. Update it.

(Or it is your ISP / government spying on you ... but let's assume that it is not that)
iUseNetter
Jr. Member
Jr. Member
Posts: 77
Joined: December 1st, 2019, 2:53 pm

Re: "Untrusted certificate" - Just wait or what to do?

Post by iUseNetter »

Thanks @sander. Unfortunately, my Synology doesn't show any pending updates.
How exactly could I check if the certificate part ist uptodate?
User avatar
safihre
Administrator
Administrator
Posts: 5521
Joined: April 30th, 2015, 7:35 am
Contact:

Re: "Untrusted certificate" - Just wait or what to do?

Post by safihre »

Do you maybe have a Python update waiting on your Synology?
Because they fixed something a few months ago regarding the certificates.
If you like our support, check our special newsserver deal or donate at: https://sabnzbd.org/donate
iUseNetter
Jr. Member
Jr. Member
Posts: 77
Joined: December 1st, 2019, 2:53 pm

Re: "Untrusted certificate" - Just wait or what to do?

Post by iUseNetter »

@safihre: There is no DSM update or any other package update pending.
How could I check the certificate part on my Synology?
SABfaninAus
Newbie
Newbie
Posts: 19
Joined: October 23rd, 2017, 9:08 am

Re: "Untrusted certificate" - Just wait or what to do?

Post by SABfaninAus »

Just a quick "me to" to this post with an almost identical set-up.

For the first time yesterday, I received the "Server [myusenetserver] uses an untrusted certificate [Certificate not valid. This is most probably a server issue.]"

Note my usenet server is a different server to iUseNetter.

However, I'm also running SABnzbd v3.1.1 [99b5a00] on a Synology NAS, so that seems to be the common factor. All of my packages and my Synolgoy DSM are up-to-date.

I appreciate any suggestions on how to fix this.
User avatar
sander
Release Testers
Release Testers
Posts: 9062
Joined: January 22nd, 2008, 2:22 pm

Re: "Untrusted certificate" - Just wait or what to do?

Post by sander »

FWIW:

I tested on my old Synology, and all well with with SSL / NNTPS to news.newshosting.com: I get "Server requires username and password." which proves NNTPS is working. No certificate error. And sabnzbd.log says:

Code: Select all

2020-12-26 04:42:25,813::INFO::[SABnzbd:1185] SSL version = OpenSSL 1.1.1h  22 Sep 2020

2021-01-22 11:41:12,738::INFO::[happyeyeballs:153] Quickest IP address for news.newshosting.com (port 563, ssl 1, preferipv6 True) is 81.171.92.224
2021-01-22 11:41:12,740::DEBUG::[happyeyeballs:156] Happy Eyeballs lookup and port connect took 108 ms
2021-01-22 11:41:12,742::DEBUG::[downloader:142] news.newshosting.com: Connecting to address 81.171.92.224
2021-01-22 11:41:12,810::INFO::[newswrapper:202] [email protected]: Connected using TLSv1.3 (TLS_AES_256_GCM_SHA384)
From the SAB GUI:

Code: Select all

Python Version:	3.7.7 (default, Oct 13 2020, 16:39:04) [GCC 4.6.4] [UTF-8]
OpenSSL:	OpenSSL 1.1.1h 22 Sep 2020
There is a python upgrade available, so I'm doing that right now. Fingers crossed.

@SABfaninAus I really wonder why you say ""Server [myusenetserver] uses ... " ... is your usenetserver secret?

EDIT:

upgraded python, restarted SAB: all well
rebooted Synology ... all well

So I can't reproduce
iUseNetter
Jr. Member
Jr. Member
Posts: 77
Joined: December 1st, 2019, 2:53 pm

Re: "Untrusted certificate" - Just wait or what to do?

Post by iUseNetter »

I see this entries in my /volume1/@appstore/sabnzbd/var/logs/sabnzbd.log
2021-01-22 11:56:48,246::INFO::[downloader:515] [email protected]: Initiating connection
2021-01-22 11:56:48,248::INFO::[downloader:515] [email protected]: Initiating connection
2021-01-22 11:56:48,251::INFO::[downloader:515] [email protected]: Initiating connection
...
2021-01-22 11:56:48,333::INFO::[downloader:515] [email protected]: Initiating connection
2021-01-22 11:56:48,346::INFO::[newswrapper:106] [email protected]: Connected using TLSv1.3 (TLS_AES_256_GCM_SHA384)
2021-01-22 11:56:48,364::INFO::[newswrapper:232] Certificate error for host news.newshosting.com: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1076)
2021-01-22 11:56:48,365::ERROR::[newswrapper:248] Server news.newshosting.com uses an untrusted certificate [Certificate not valid. This is most probably a server issue.] - Wiki: https://sabnzbd.org/certificate-errors
2021-01-22 11:56:48,366::INFO::[newswrapper:260] Failed to connect: Server news.newshosting.com uses an untrusted certificate [Certificate not valid. This is most probably a server issue.] - Wiki: https://sabnzbd.org/certificate-errors [email protected]:563
2021-01-22 11:56:48,367::INFO::[newswrapper:106] [email protected]: Connected using TLSv1.3 (TLS_AES_256_GCM_SHA384)
2021-01-22 11:56:48,374::INFO::[newswrapper:232] Certificate error for host news.newshosting.com: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1076)
2021-01-22 11:56:48,375::INFO::[newswrapper:260] Failed to connect: Server news.newshosting.com uses an untrusted certificate [Certificate not valid. This is most probably a server issue.] - Wiki: https://sabnzbd.org/certificate-errors [email protected]:563
2021-01-22 11:56:48,377::INFO::[newswrapper:106] [email protected]: Connected using TLSv1.3 (TLS_AES_256_GCM_SHA384)
2021-01-22 11:56:48,398::INFO::[notifier:122] Sending notification: Error - Server news.newshosting.com uses an untrusted certificate [Certificate not valid. This is most probably a server issue.] - Wiki: https://sabnzbd.org/certificate-errors (type=error, job_cat=None)
...
2021-01-22 11:56:49,426::INFO::[downloader:733] Connecting [email protected] finished
2021-01-22 11:56:49,442::INFO::[downloader:733] Connecting [email protected] finished
2021-01-22 11:56:49,443::INFO::[downloader:733] Connecting [email protected] finished
SAB GUI config
Version: 3.1.1 [99b5a00]
Python Version: 3.7.7 (default, Oct 13 2020, 16:39:42) [GCC 4.9.3 20150311 (prerelease)] [UTF-8]
OpenSSL: OpenSSL 1.1.1h 22 Sep 2020
User avatar
sander
Release Testers
Release Testers
Posts: 9062
Joined: January 22nd, 2008, 2:22 pm

Re: "Untrusted certificate" - Just wait or what to do?

Post by sander »

From my log with DEBUG on:

Quickest IP address for news.newshosting.com (port 563, ssl 1, preferipv6 True) is 81.171.92.224

@iUseNetter: can you set SAB's logging to +DEBUG (via the wrench symbol), try again, post the log with DEBUG info.

In your current log I see and random IP address (weird!) ... 185.90.196.97
Quite a different IP address. A whois reveals it belongs to Eweka. Eweka is HighWinds. news.newshosting.com is also Highwinds, but still suspicious.

So @iUseNetter ... set to debug, and we know more.

Oh, and can you this:

$ host news.newshosting.com
news.newshosting.com is an alias for deu.eu.news.geo.newshosting.com.
deu.eu.news.geo.newshosting.com is an alias for news.fr7.newshosting.com.
news.fr7.newshosting.com has address 185.90.196.97
news.fr7.newshosting.com has address 185.90.196.129
news.fr7.newshosting.com has address 185.90.196.65

Hey ... the IP address used by @iUseNetter is different ... that is strange. But where does my SAB get the 81.171.92.224 from, then?

Oh, second run

sander@brixit:~$ host news.newshosting.com
news.newshosting.com is an alias for news.ams.newshosting.com.
news.ams.newshosting.com has address 81.171.92.224
news.ams.newshosting.com has address 81.171.92.238

So DNS is providing different IP addresses ...
User avatar
sander
Release Testers
Release Testers
Posts: 9062
Joined: January 22nd, 2008, 2:22 pm

Re: "Untrusted certificate" - Just wait or what to do?

Post by sander »

Ah, found it! Problem on server side:

Code: Select all

sander@brixit:~/git/testssl.sh$ ./testssl.sh --ip 185.90.196.97 news.newshosting.com:nntps

...
   Chain of trust               NOT ok (expired)
   EV cert (experimental)       no
   Certificate Validity (UTC)   expired (2020-06-08 23:36 --> 2020-09-06 23:36)

Brrr. So one of the servers of news.newshosting.com is expired since 2020-09-06. SSL and SABnzbd did a good job to detect and not allow that.

But now ... newshosting.com should solve that. But first they have to understand and acknowledge it. That is the hardest part.
iUseNetter
Jr. Member
Jr. Member
Posts: 77
Joined: December 1st, 2019, 2:53 pm

Re: "Untrusted certificate" - Just wait or what to do?

Post by iUseNetter »

Thank you for your investigations, @sander!

I'm just curious: I doubt that I am the only customer at news.newshosting.com facing this problem. ;)
What exactly should I report to the support @ newshosting.com?

For the record:
I don't have a command like "HOST", just traceroute showing:

Code: Select all

traceroute news.newshosting.com
traceroute to news.newshosting.com (185.90.196.97),
User avatar
sander
Release Testers
Release Testers
Posts: 9062
Joined: January 22nd, 2008, 2:22 pm

Re: "Untrusted certificate" - Just wait or what to do?

Post by sander »

Maybe I have something easier for you:

Instead of news.newshosting.com use news.ams.newshosting.com (as all servers for news.ams.newshosting.com are OK).

Problem gone?
iUseNetter
Jr. Member
Jr. Member
Posts: 77
Joined: December 1st, 2019, 2:53 pm

Re: "Untrusted certificate" - Just wait or what to do?

Post by iUseNetter »

Yep! Great!
With news.ams.newshosting.com the certificate warning is gone. Thanks for that hint.

A PING to news.ams.newshosting.com returns now 81.171.92.224

Should I forget the report to newshosting support?
User avatar
sander
Release Testers
Release Testers
Posts: 9062
Joined: January 22nd, 2008, 2:22 pm

Re: "Untrusted certificate" - Just wait or what to do?

Post by sander »

iUseNetter wrote: January 22nd, 2021, 7:14 am Yep! Great!
With news.ams.newshosting.com the certificate warning is gone. Thanks for that hint.
If you like our support, check our special newsserver deal or donate at: https://sabnzbd.org/donate
A PING to news.ams.newshosting.com returns now 81.171.92.224
Yes, that's good.
Should I forget the report to newshosting support?
Worth a try: send them this message

"Certificate expired on 185.90.196.97: Certificate Validity (UTC) expired (2020-06-08 23:36 --> 2020-09-06 23:36)"

That's it. Send it to them, and just wait. A big chance they will go into denial. And a small chance they'll say "Oh, thanks! Solved! A free month of access for you!"
iUseNetter
Jr. Member
Jr. Member
Posts: 77
Joined: December 1st, 2019, 2:53 pm

Re: "Untrusted certificate" - Just wait or what to do?

Post by iUseNetter »

sander wrote: Worth a try: send them this message

"Certificate expired on 185.90.196.97: Certificate Validity (UTC) expired (2020-06-08 23:36 --> 2020-09-06 23:36)"

That's it. Send it to them, and just wait. A big chance they will go into denial. And a small chance they'll say "Oh, thanks! Solved! A free month of access for you!"
Done!
And of course I will donate the free month of access to you. O0
Post Reply