Page 1 of 2
"Untrusted certificate" - Just wait or what to do?
Posted: January 21st, 2021, 11:23 am
by iUseNetter
I have read the
WIKI, but I'm not sure if I have to do something:
Currently SABNZBD v3.1.1 [99b5a00] shows this error on my Synology:
Server news.newshosting.com uses an untrusted certificate [Certificate not valid. This is most probably a server issue.]
Should I just wait or do I have to check/change something?
Re: "Untrusted certificate" - Just wait or what to do?
Posted: January 21st, 2021, 2:44 pm
by sander
Indeed
https://www.sslshopper.com/ssl-checker. ... ng.com:563 tells news.newshosting.com is OK.
So that means your Synology is not uptodate. Update it.
(Or it is your ISP / government spying on you ... but let's assume that it is not that)
Re: "Untrusted certificate" - Just wait or what to do?
Posted: January 21st, 2021, 2:52 pm
by iUseNetter
Thanks @sander. Unfortunately, my Synology doesn't show any pending updates.
How exactly could I check if the certificate part ist uptodate?
Re: "Untrusted certificate" - Just wait or what to do?
Posted: January 21st, 2021, 4:21 pm
by safihre
Do you maybe have a Python update waiting on your Synology?
Because they fixed something a few months ago regarding the certificates.
Re: "Untrusted certificate" - Just wait or what to do?
Posted: January 22nd, 2021, 3:49 am
by iUseNetter
@safihre: There is no DSM update or any other package update pending.
How could I check the certificate part on my Synology?
Re: "Untrusted certificate" - Just wait or what to do?
Posted: January 22nd, 2021, 5:02 am
by SABfaninAus
Just a quick "me to" to this post with an almost identical set-up.
For the first time yesterday, I received the "Server [myusenetserver] uses an untrusted certificate [Certificate not valid. This is most probably a server issue.]"
Note my usenet server is a different server to iUseNetter.
However, I'm also running SABnzbd v3.1.1 [99b5a00] on a Synology NAS, so that seems to be the common factor. All of my packages and my Synolgoy DSM are up-to-date.
I appreciate any suggestions on how to fix this.
Re: "Untrusted certificate" - Just wait or what to do?
Posted: January 22nd, 2021, 5:40 am
by sander
FWIW:
I tested on my old Synology, and all well with with SSL / NNTPS to news.newshosting.com: I get "Server requires username and password." which proves NNTPS is working. No certificate error. And sabnzbd.log says:
Code: Select all
2020-12-26 04:42:25,813::INFO::[SABnzbd:1185] SSL version = OpenSSL 1.1.1h 22 Sep 2020
2021-01-22 11:41:12,738::INFO::[happyeyeballs:153] Quickest IP address for news.newshosting.com (port 563, ssl 1, preferipv6 True) is 81.171.92.224
2021-01-22 11:41:12,740::DEBUG::[happyeyeballs:156] Happy Eyeballs lookup and port connect took 108 ms
2021-01-22 11:41:12,742::DEBUG::[downloader:142] news.newshosting.com: Connecting to address 81.171.92.224
2021-01-22 11:41:12,810::INFO::[newswrapper:202] [email protected]: Connected using TLSv1.3 (TLS_AES_256_GCM_SHA384)
From the SAB GUI:
Code: Select all
Python Version: 3.7.7 (default, Oct 13 2020, 16:39:04) [GCC 4.6.4] [UTF-8]
OpenSSL: OpenSSL 1.1.1h 22 Sep 2020
There is a python upgrade available, so I'm doing that right now. Fingers crossed.
@SABfaninAus I really wonder why you say ""Server [myusenetserver] uses ... " ... is your usenetserver secret?
EDIT:
upgraded python, restarted SAB: all well
rebooted Synology ... all well
So I can't reproduce
Re: "Untrusted certificate" - Just wait or what to do?
Posted: January 22nd, 2021, 6:14 am
by iUseNetter
I see this entries in my /volume1/@appstore/sabnzbd/var/logs/sabnzbd.log
2021-01-22 11:56:48,246::INFO::[downloader:515]
[email protected]: Initiating connection
2021-01-22 11:56:48,248::INFO::[downloader:515]
[email protected]: Initiating connection
2021-01-22 11:56:48,251::INFO::[downloader:515]
[email protected]: Initiating connection
...
2021-01-22 11:56:48,333::INFO::[downloader:515]
[email protected]: Initiating connection
2021-01-22 11:56:48,346::INFO::[newswrapper:106]
[email protected]: Connected using TLSv1.3 (TLS_AES_256_GCM_SHA384)
2021-01-22 11:56:48,364::INFO::[newswrapper:232] Certificate error for host news.newshosting.com: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1076)
2021-01-22 11:56:48,365::ERROR::[newswrapper:248] Server news.newshosting.com uses an untrusted certificate [Certificate not valid. This is most probably a server issue.] - Wiki:
https://sabnzbd.org/certificate-errors
2021-01-22 11:56:48,366::INFO::[newswrapper:260] Failed to connect: Server news.newshosting.com uses an untrusted certificate [Certificate not valid. This is most probably a server issue.] - Wiki:
https://sabnzbd.org/certificate-errors [email protected]:563
2021-01-22 11:56:48,367::INFO::[newswrapper:106]
[email protected]: Connected using TLSv1.3 (TLS_AES_256_GCM_SHA384)
2021-01-22 11:56:48,374::INFO::[newswrapper:232] Certificate error for host news.newshosting.com: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1076)
2021-01-22 11:56:48,375::INFO::[newswrapper:260] Failed to connect: Server news.newshosting.com uses an untrusted certificate [Certificate not valid. This is most probably a server issue.] - Wiki:
https://sabnzbd.org/certificate-errors [email protected]:563
2021-01-22 11:56:48,377::INFO::[newswrapper:106]
[email protected]: Connected using TLSv1.3 (TLS_AES_256_GCM_SHA384)
2021-01-22 11:56:48,398::INFO::[notifier:122] Sending notification: Error - Server news.newshosting.com uses an untrusted certificate [Certificate not valid. This is most probably a server issue.] - Wiki:
https://sabnzbd.org/certificate-errors (type=error, job_cat=None)
...
2021-01-22 11:56:49,426::INFO::[downloader:733] Connecting
[email protected] finished
2021-01-22 11:56:49,442::INFO::[downloader:733] Connecting
[email protected] finished
2021-01-22 11:56:49,443::INFO::[downloader:733] Connecting
[email protected] finished
SAB GUI config
Version: 3.1.1 [99b5a00]
Python Version: 3.7.7 (default, Oct 13 2020, 16:39:42) [GCC 4.9.3 20150311 (prerelease)] [UTF-8]
OpenSSL: OpenSSL 1.1.1h 22 Sep 2020
Re: "Untrusted certificate" - Just wait or what to do?
Posted: January 22nd, 2021, 6:29 am
by sander
From my log with DEBUG on:
Quickest IP address for news.newshosting.com (port 563, ssl 1, preferipv6 True) is 81.171.92.224
@iUseNetter: can you set SAB's logging to +DEBUG (via the wrench symbol), try again, post the log with DEBUG info.
In your current log I see and random IP address (weird!) ... 185.90.196.97
Quite a different IP address. A whois reveals it belongs to Eweka. Eweka is HighWinds. news.newshosting.com is also Highwinds, but still suspicious.
So @iUseNetter ... set to debug, and we know more.
Oh, and can you this:
$ host news.newshosting.com
news.newshosting.com is an alias for deu.eu.news.geo.newshosting.com.
deu.eu.news.geo.newshosting.com is an alias for news.fr7.newshosting.com.
news.fr7.newshosting.com has address 185.90.196.97
news.fr7.newshosting.com has address 185.90.196.129
news.fr7.newshosting.com has address 185.90.196.65
Hey ... the IP address used by @iUseNetter is different ... that is strange. But where does my SAB get the 81.171.92.224 from, then?
Oh, second run
sander@brixit:~$ host news.newshosting.com
news.newshosting.com is an alias for news.ams.newshosting.com.
news.ams.newshosting.com has address 81.171.92.224
news.ams.newshosting.com has address 81.171.92.238
So DNS is providing different IP addresses ...
Re: "Untrusted certificate" - Just wait or what to do?
Posted: January 22nd, 2021, 6:43 am
by sander
Ah, found it! Problem on server side:
Code: Select all
sander@brixit:~/git/testssl.sh$ ./testssl.sh --ip 185.90.196.97 news.newshosting.com:nntps
...
Chain of trust NOT ok (expired)
EV cert (experimental) no
Certificate Validity (UTC) expired (2020-06-08 23:36 --> 2020-09-06 23:36)
Brrr. So one of the servers of news.newshosting.com is expired since 2020-09-06. SSL and SABnzbd did a good job to detect and not allow that.
But now ... newshosting.com should solve that. But first they have to understand and acknowledge it. That is the hardest part.
Re: "Untrusted certificate" - Just wait or what to do?
Posted: January 22nd, 2021, 6:53 am
by iUseNetter
Thank you for your investigations, @sander!
I'm just curious: I doubt that I am the only customer at news.newshosting.com facing this problem.
What exactly should I report to the support @ newshosting.com?
For the record:
I don't have a command like "HOST", just traceroute showing:
Code: Select all
traceroute news.newshosting.com
traceroute to news.newshosting.com (185.90.196.97),
Re: "Untrusted certificate" - Just wait or what to do?
Posted: January 22nd, 2021, 6:58 am
by sander
Maybe I have something easier for you:
Instead of news.newshosting.com use news.ams.newshosting.com (as all servers for news.ams.newshosting.com are OK).
Problem gone?
Re: "Untrusted certificate" - Just wait or what to do?
Posted: January 22nd, 2021, 7:14 am
by iUseNetter
Yep! Great!
With news.ams.newshosting.com the certificate warning is gone. Thanks for that hint.
A PING to news.ams.newshosting.com returns now 81.171.92.224
Should I forget the report to newshosting support?
Re: "Untrusted certificate" - Just wait or what to do?
Posted: January 22nd, 2021, 8:00 am
by sander
iUseNetter wrote: ↑January 22nd, 2021, 7:14 am
Yep! Great!
With news.
ams.newshosting.com the certificate warning is gone. Thanks for that hint.
If you like our support, check our special newsserver deal or donate at:
https://sabnzbd.org/donate
A PING to news.ams.newshosting.com returns now 81.171.92.224
Yes, that's good.
Should I forget the report to newshosting support?
Worth a try: send them this message
"Certificate expired on 185.90.196.97: Certificate Validity (UTC) expired (2020-06-08 23:36 --> 2020-09-06 23:36)"
That's it. Send it to them, and just wait. A big chance they will go into denial. And a small chance they'll say "Oh, thanks! Solved! A free month of access for you!"
Re: "Untrusted certificate" - Just wait or what to do?
Posted: January 22nd, 2021, 8:37 am
by iUseNetter
sander wrote: ↑
Worth a try: send them this message
"Certificate expired on 185.90.196.97: Certificate Validity (UTC) expired (2020-06-08 23:36 --> 2020-09-06 23:36)"
That's it. Send it to them, and just wait. A big chance they will go into denial. And a small chance they'll say "Oh, thanks! Solved! A free month of access for you!"
Done!
And of course I will donate the free month of access to you.
