XPEnology Community

Let's Encrypt intermediate certificate expired, affects Sabnzbd


stereoguy

Question

 

 

So I am encountering an issue with Sabnzbd not connecting to my news servers (Eweka, Thecubenet) with an "untrusted certificate from eweka" error. I found the following post on the Sabnzbd site, which seems to translate to an OS issue with incorrect certificates due to an intermediate signing cert from Let's Encrypt that expired Sept 30 2021. Easy enough to fix on Windows, but how about on XPE?

 

https://www.sslshopper.com/ssl-checker. ... news.eweka.nl shows the certificate chain of eweka is correct.

So problem is client side - which in my case is XPE 

https://scotthelme.co.uk/lets-encrypt-o  ... xpiration/ is a very long story, with this sentence "The certificate in here that is going to cause a problem is this one, the IdenTrust DST Root CA X3." ... "expiration date of 30th Sep 2021" ... which is today.

Any ideas on how to fix this? I built a bunch of xpe servers for friends, and the calls are about to start!

 

 

  • Like 3
Link to comment
4 hours ago, elmuziko said:

 

So I'm going to show my complete novice at life.

Two things.

sudo cat ${CERT_DIR}/*.crt >> /etc/ssl/certs/ca-certificates.crt
Is giving me :

 


elmuziko@DSM:~$ sudo cat ${CERT_DIR}/*.crt >> /etc/ssl/certs/ca-certificates.crt
-sh: /etc/ssl/certs/ca-certificates.crt: Permission denied



am I doing something wrong?

And secondly, how do I run the for ; do loop from a PUTTY command loop. Will it not take each line as a single command? 

 

Thank you
 

 

@elmuziko No worries, gotta start somewhere!

 

Obviously, all actions are done at your own risk, but this should work unless you stuff something up.

 

What I'd recommend for you is to save the raw script within a text file on one of your shared folders as something like CA_Update.sh

#SSH into your server

#Change directory to where you saved that script:
cd /volume1/SharedFolder/

 

#Confirm you're where the script is:

ls -la *.sh

#Should spit out a line with CA_Update.sh

 

#Make it executable and fix any potential permissions issues

chmod 755 CA_Update.sh

chmod +x CA_Update.sh


#Execute the script

sudo sh ./CA_Update.sh

 

Probably best to reboot DSM to ensure all services restart, or you can try restarting individual services with synoservice and/or service commands.

 

Hope that helps

Link to comment

@humancaviar

 

Thank you for the update.

 

This has worked for me with regards to getting Sab to work with strict certificates. Really appreciate it. Synocommunity isn't working but that's small fry. I can live without updates until RedPill is up and ready.

 

Thank you again. 

 

For anyone else with this, I'm on DSM 6.2.3-25426 Update 3

Link to comment

My problem is I can't connect to the Let's Encrypt server and https://packages.synocommunity.com. And here is my fix. Hope it will help you. I referenced it here: https://github.com/SynoCommunity/spksrc/issues/4897#issuecomment-937376994

------

Type this command into SSH then Enter

sudo mv /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.bak && sudo curl -Lko /etc/ssl/certs/ca-certificates.crt https://curl.se/ca/cacert.pem

  • Like 1
  • Thanks 3
Link to comment
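
An added example, not part of the post above: the same bundle replacement done so that a failed or tampered download cannot leave DSM without a trust store. Because the file is fetched with `curl -k`, the function pins a SHA-256 checksum obtained out of band (for instance on a machine whose trust store still works); the name `replace_bundle`, its return codes and the staged-file naming are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Run as root, e.g. `sudo sh ./swap_bundle.sh`.

# replace_bundle NEW DEST EXPECTED_SHA256
#   0 = replaced, 1 = checksum mismatch, 2 = not a PEM bundle,
#   3 = backup or swap failed
replace_bundle() {
    new=$1 dest=$2
    want=$(printf '%s' "$3" | tr 'A-F' 'a-f')

    # Integrity: the download used `curl -k`, so TLS proved nothing about it.
    got=$(sha256sum "$new" | cut -d' ' -f1)
    [ "$got" = "$want" ] || { echo "checksum mismatch: $got" >&2; return 1; }

    # Sanity: at least one certificate and balanced BEGIN/END markers,
    # which catches truncated downloads and HTML error pages.
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$new" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$new" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] ||
        { echo "not a PEM bundle ($begins BEGIN, $ends END)" >&2; return 2; }

    # Timestamped backup, so a second run never overwrites the first one.
    cp -p "$dest" "$dest.bak.$(date +%Y%m%d%H%M%S)" || return 3

    # Stage next to the destination, then rename: the rename is atomic on one
    # filesystem, so there is never a moment without a trust store.
    tmp="$dest.new.$$"
    cp "$new" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dest" ||
        { rm -f "$tmp"; return 3; }
}
```

Download to a temporary path first (for example `curl -Lko /tmp/cacert.pem https://curl.se/ca/cacert.pem`), then call `replace_bundle /tmp/cacert.pem /etc/ssl/certs/ca-certificates.crt <checksum>`.
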
10 hours ago, Chinh Tran said:

My problem is I can't connect to the Let's Encrypt server and https://packages.synocommunity.com. And here is my fix. Hope it will help you. I referenced it here: https://github.com/SynoCommunity/spksrc/issues/4897#issuecomment-937376994

------

Type this command into SSH then Enter

sudo mv /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.bak && sudo curl -Lko /etc/ssl/certs/ca-certificates.crt https://curl.se/ca/cacert.pem

This does in fact fix my issue as well. I have also migrated to Docker as a workaround, as I am unable to update to a new enough Synology version to fix it properly.

 

Thanks!!

Link to comment

I don't have this issue, I have a paid wildcard systemwide cert, but have seen similar behavior on Linux web servers.

Try to take out the systemwide Let's Encrypt from Control Panel --> Security --> Certificates.

Then Download Station should work normally again from its setup custom link.

Sabnzbd is another case; one of the reasons I stopped using it was that it's picky at best with HTTPS and certificates.

Try to install nzbget; it does exactly the same things as Sabnzbd but is less picky on certificates and SSL settings.

 

Link to comment
On 11/29/2021 at 10:21 PM, jeannotmer said:

I do this command and it's solved for me; this will reboot your DSM

 


sudo -i && cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.ORIG && curl -k "https://letsencrypt.org/certs/isrgrootx1.pem" >> /etc/ssl/certs/ca-certificates.crt && reboot

 

Indeed! After doing that command and rebooting I was able to update my Let's Encrypt cert! Thanks.

Link to comment

CubeNet is still erroring out in NZBGET after running the script.

 

It says

 

"TLS certificate verification failed for secure.europe.thecubenet.com: certificate has expired. For more info visit http://nzbget.net/certificate-verification"

 

Did the steps they mention and even manually added the chain files to cacert.pem in the NZBGet "bin" folder, but no luck

 

`openssl s_client -showcerts -connect secure.news.thecubenet.com:80`

 

This command works perfect on the DSM and says "Verify return code: 0 (ok)". Not sure what nzbget is getting hung up on
 

Edited by Jseinfeld
Link to comment
On 10/19/2021 at 5:33 PM, humancaviar said:

@elmuziko No worries, gotta start somewhere!

 

Obviously, all actions are done at your own risk, but this should work unless you stuff something up.

 

What I'd recommend for you is to save the raw script within a text file on one of your shared folders as something like CA_Update.sh

#SSH into your server

#Change directory to where you saved that script:
cd /volume1/SharedFolder/

 

#Confirm you're where the script is:

ls -la *.sh

#Should spit out a line with CA_Update.sh

 

#Make it executable and fix any potential permissions issues

chmod 755 CA_Update.sh

chmod +x CA_Update.sh


#Execute the script

sudo sh ./CA_Update.sh

 

Probably best to reboot DSM to ensure all services restart, or you can try restarting individual services with synoservice and/or service commands.

 

Hope that helps

 

I am getting errors when I try and run this

 

./CA_Update.sh: line 3: $'\r': command not found

./CA_Update.sh: line 7: $'\r': command not found
 

 

Link to comment
On 11/30/2021 at 4:21 AM, jeannotmer said:

I do this command and it's solved for me; this will reboot your DSM

 

sudo -i && cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.ORIG && curl -k "https://letsencrypt.org/certs/isrgrootx1.pem" >> /etc/ssl/certs/ca-certificates.crt && reboot

 

 

from this post 

 

Awesome! It's worked for me.  😍🥰🍑

Link to comment
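
An added example, not part of any post in this thread: appending a single root such as `isrgrootx1.pem` to the bundle only after its SHA-256 fingerprint matches a value obtained out of band, since a file fetched with `curl -k` is otherwise unauthenticated. The function names, return codes and backup naming are assumptions of this example; it also tolerates the Windows line endings that produced the `$'\r'` errors above and skips certificates already in the bundle.

```shell
#!/bin/sh
# Added example (not from the thread). Run the script as root, e.g.
# `sudo sh ./add_root.sh`: in `sudo cat x >> bundle` the redirect is opened by
# the unprivileged shell, which is the "Permission denied" seen above.

# SHA-256 fingerprint of the first certificate in a PEM file, as bare hex.
# Carriage returns from a Windows-edited file are stripped first.
cert_fp() {
    tr -d '\r' < "$1" | openssl x509 -noout -fingerprint -sha256 2>/dev/null |
        sed 's/^.*=//' | tr -d ':'
}

# Fingerprints of every certificate already in a bundle, one per line.
bundle_fps() {
    tr -d '\r' < "$1" |
        awk -v cmd='openssl x509 -noout -fingerprint -sha256 2>/dev/null' '
            /-----BEGIN CERTIFICATE-----/ { inside = 1 }
            inside { print | cmd }
            /-----END CERTIFICATE-----/ { inside = 0; close(cmd) }' |
        sed 's/^.*=//' | tr -d ':'
}

# add_root_ca BUNDLE CERT EXPECTED_FP
#   0 = appended, 1 = not a certificate or fingerprint mismatch,
#   2 = certificate expired, 3 = already in the bundle, 4 = backup failed
add_root_ca() {
    bundle=$1 cert=$2
    want=$(printf '%s' "$3" | tr -d ': ' | tr 'a-f' 'A-F')
    got=$(cert_fp "$cert")
    [ -n "$got" ] && [ "$got" = "$want" ] ||
        { echo "fingerprint mismatch: got '$got'" >&2; return 1; }
    tr -d '\r' < "$cert" | openssl x509 -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 2; }
    if bundle_fps "$bundle" | grep -qx "$got"; then
        echo "already in $bundle, nothing to do"; return 3
    fi
    cp -p "$bundle" "$bundle.ORIG.$(date +%Y%m%d%H%M%S)" || return 4
    # Re-encode through openssl so only the certificate itself is appended.
    { echo; tr -d '\r' < "$cert" | openssl x509; } >> "$bundle"
}
```
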