Hi All,
I recently upgraded to the current version of Sonarr. I’ve found that Im getting a TrustFailure error in the log:
-- : Unable to connect to indexer, check the log for more details
22-1-24 09:09:48.8|Error|X509CertificateValidationService|Certificate validation for https://api.nzb.su/api?t=caps&apikey=(removed) failed. RemoteCertificateChainErrors
22-1-24 09:09:48.8|Warn|Newznab|Unable to connect to indexer
[v3.0.6.1196] System.Net.WebException: Error: TrustFailure (Authentication failed, see inner exception.): 'https://api.nzb.su/api?t=caps&apikey=(removed) ---> System.Net.WebException: Error: TrustFailure (Authentication failed, see inner exception.) ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
at /build/mono-6.12.0.122/external/boringssl/ssl/handshake_client.c:1132
I uninstalled Sonarr and reinstalled via dietpi-software which all went well and the app is running. Indexer is down due to the above issue though. Is there some way to update the SSL certs for the OS or is there another knows fix for this?
System info below
DietPi version
G_DIETPI_VERSION_CORE=6
G_DIETPI_VERSION_SUB=34
G_DIETPI_VERSION_RC=0
G_GITBRANCH='master'
G_GITOWNER='MichaIng'
Distro version | buster 1
Kernel version | Linux DietPi 5.10.63-v7l+ #1459 SMP Wed Oct 6 16:41:57 BST 2021 armv7l GNU/Linux
SBC model | RPi 4 Model B (armv7l)
Cheers,
clarky
your DietPi version is pretty old (more than a year), can you try to updated to latest version first
to update certificates
sudo apt install --reinstall ca-certificates
sudo update-ca-certificates --fresh
Ive updated to DietPi v8.0.2 and run the commands you provided and restarted but no dice - still the same error in the log.
well you could try to verify the certificate for api.nzb.su
openssl s_client -showcerts -connect api.nzb.su:443
Here’s the output:
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = api.nzb.su
verify return:1
---
Certificate chain
0 s:CN = api.nzb.su
i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIFGjCCBAKgAwIBAgISA9pm6hn2wUPIu8W2qZoygKFBMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTEyMTkxNDAzMDhaFw0yMjAzMTkxNDAzMDdaMBUxEzARBgNVBAMT
CmFwaS5uemIuc3UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgvCKz
vejkKgTGq2iMJL7fPM32iC3wENbNM7ROPxflhucnrkJTPVwsNjPPTtjI8GrrS5lZ
WZEooqKEEoOmLE0Kyi3Kazin3oHLny8BOTGD/oja5RwW++HYikhaZvJKUKaotONl
GY1642PLSZbkM1eLJOwROxor9HRpLdSvIdVZzPl0+cwy0tC2h8/Q++ffCHRv2vfX
FTWdE+nTsxTh9mEXkgfwPrVvjNzSeWwR8ZuD/Brzxlh7Xxy6yrZxIVerTQPzIqh7
hwbwlzMy1jsn8kUCZjuyMMpaWl1fcdJQW5Dnp5ihqfEQQjg0cKhiBsyjmgC9CKlo
MVp9OWTTZSm0PevXAgMBAAGjggJFMIICQTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYE
FEIPiLqJv9lXftWtTl2UTfTNofNxMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJQOYf
r52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3IzLm8u
bGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcvMBUG
A1UdEQQOMAyCCmFwaS5uemIuc3UwTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYB
BAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5v
cmcwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgBGpVXrdfqRIDC1oolp9PN9ESxB
dL79SbiFq/L8cP5tRwAAAX3TN8nuAAAEAwBHMEUCIQCjwiJZBG7Cv8j4NZiYt8b4
FDYt7yXNtTpB4GIMRq+F+QIgG/glRYY8AB066j1jG21gJXBHav28V4pZUk21DPru
8wsAdgBvU3asMfAxGdiZAKRRFf93FRwR2QLBACkGjbIImjfZEwAAAX3TN8t6AAAE
AwBHMEUCID/78/sUwA45kQkr6lSVczkruPQo5hPSaE9v4xHKOpkcAiEA/xl7v512
InsGHJCenMSIcDT/9OQGF3PlpQWkoPvV3k4wDQYJKoZIhvcNAQELBQADggEBAGDQ
MfzxsAJPuBVkYZVAXLwH0xRgl3xuThpQecA8tMrHQb/kjw37lVKp3/rN7ONlAzj9
LSZXFqKZV+0lfbetQe/VFxRzWEa+984uXkNmaZJnmUGj4JkZQrOwk0J4qLgdISAj
dvsAT/k3l5a64s/LV9UOr1zYNYMeTk0yIfJndpVWifQZCV7uTPwRdTzpxMNYtuZ3
72q+nt/s3nNFQbBvsH2v4AiMerUZWtJXeAwbr6ZiB6czh1LIRmOrjLAFkyPmWzdj
cciYtMrimNjcONyVBnUc60pZ5s9hKgcaENRFTYQ1SC6TAod/1aZ2k7TXtTzGKyww
lLpfpP2Tjt1awMSGwwo=
-----END CERTIFICATE-----
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----
---
Server certificate
subject=CN = api.nzb.su
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4566 bytes and written 382 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 4560AA4D7523EA5C8D05267931644DA61C36335C33E017EE8D9B0536A068C2D7
Session-ID-ctx:
Resumption PSK: BAF94A33FB6E8604FE58BC14AB964F1D8AA0E5112002D121DD5A270958801A7FCC12CA2D0A03B92725D6F44874C3D015
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 9e 18 08 7f f2 c5 ff 96-50 49 cd 0f 9f 7c 1d 59 ........PI...|.Y
0010 - ca f0 75 24 f3 2e ab b3-09 5e 62 6e d9 e8 1a 89 ..u$.....^bn....
Start Time: 1643080010
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 902F6970D1FF4AC630E88EC99BE741C5BB8A966A8136050BD32CDBF61B8AAC3D
Session-ID-ctx:
Resumption PSK: 4170BC4A7CF603F9DFCFAA52CFFB69AD689B1E41B8D3EC02AC353CB9E905FADC97DE64F81BF2A47678130796C9833295
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - b9 55 ba 20 ba 87 0a 53-00 36 56 e2 d3 25 48 33 .U. ...S.6V..%H3
0010 - 1d ce 4d 3e b5 cb 55 af-8b 56 b6 17 74 23 0b e7 ..M>..U..V..t#..
Start Time: 1643080010
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
closed
hmm certificate looks fine. Not sure what the issue might be. What you could do in parallel is to ask on a Sonarr specialised board what the issue could be.
I asked on a Sonarr forum about upgrading to the latest version of Sonarr to fix the issue and this is the response I got:
Updating sonarr will not fix your certificate errors
Updating mono and syncing/updating mono’s certs will
So I guess the question is - how do I update mono to the latest version?
Also wondering if it’s possible to update to the latest version of Sonarr but that is a side issue.
Im running
Sonarr
3.0.6.1196
Mono Version
6.12.0.122
Thread here if you are interested: https://www.reddit.com/r/sonarr/comments/sf87px/how_to_update_sonarr_on_dietpi/
Mono is installed directly from official Mono repository https://download.mono-project.com/repo/debian/
Similar applies for Sonarr https://apt.sonarr.tv/debian/
Both are automatically updated via
apt update && apt upgrade
Latest Mono version is 6.12.0.122
https://www.mono-project.com/docs/about-mono/releases/
I ran that and got:
E: Release file for http://raspbian.raspberrypi.org/raspbian/dists/buster/InRelease is not valid yet (invalid for another 11h 3min 13s). Updates for this repository will not be applied.
After a restart I tried again andthe output was:
root@DietPi:~# apt update && apt upgrade
Hit:1 https://download.mono-project.com/repo/debian raspbianbuster InRelease
Hit:2 https://download.mono-project.com/repo/debian stable-buster InRelease
Hit:3 http://raspbian.raspberrypi.org/raspbian buster InRelease
Hit:4 https://mediaarea.net/repo/deb/raspbian buster InRelease
Hit:5 https://archive.raspberrypi.org/debian buster InRelease
Hit:6 https://apt.sonarr.tv/debian buster InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Looking at Sonarr now the version info doesnt appear to have changed:
Version
3.0.6.1196
Package Version
3.0.6 by Team Sonarr
Mono Version
6.12.0.122
first you system time was not correct. This has been solved by the reboot.
There are no other versions available than the one installed. You are up-to-date. As stated above, Mono 6.12.0.122 is the latest one. Check the Mono release version I shared.
Theoretically you could try to reinstall Mono
apt install --reinstall mono
It’s being suggested on the other thread I should sync mono’s certificates. Can you tell me how to do that? Same as the command above?
OK tried apt install --reinstall mono
E: Unable to locate package mono
Also ran cert-sync /etc/ssl/certs/ca-certificates.crt successfully but no change.
sorry my fault as the package name was incorrect
apt install --reinstall mono-devel ca-certificates-mono
https://www.mono-project.com/download/stable/#download-lin-debian
hmm thats completed succsfully but still the same issue
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 2 reinstalled, 0 to remove and 0 not upgraded.
Need to get 24.0 MB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 https://download.mono-project.com/repo/debian raspbianbuster/main armhf ca-certificates-mono all 6.12.0.122-0xamarin1+raspbian10b1 [36.6 kB]
Get:2 https://download.mono-project.com/repo/debian raspbianbuster/main armhf mono-devel all 6.12.0.122-0xamarin1+raspbian10b1 [24.0 MB]
Fetched 24.0 MB in 5s (4610 kB/s)
(Reading database ... 44716 files and directories currently installed.)
Preparing to unpack .../ca-certificates-mono_6.12.0.122-0xamarin1+raspbian10b1_all.deb ...
Unpacking ca-certificates-mono (6.12.0.122-0xamarin1+raspbian10b1) over (6.12.0.122-0xamarin1+raspbian10b1) ...
Preparing to unpack .../mono-devel_6.12.0.122-0xamarin1+raspbian10b1_all.deb ...
Unpacking mono-devel (6.12.0.122-0xamarin1+raspbian10b1) over (6.12.0.122-0xamarin1+raspbian10b1) ...
Setting up ca-certificates-mono (6.12.0.122-0xamarin1+raspbian10b1) ...
Processing triggers for ca-certificates (20200601~deb10u2) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
Updating Mono key store
Mono Certificate Store Sync - version 6.12.0.122
Populate Mono certificate store from a concatenated list of certificates.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.
Importing into legacy system store:
I already trust 126, your new list has 126
Import process completed.
Importing into BTLS system store:
I already trust 126, your new list has 126
Import process completed.
Done
done.
Setting up mono-devel (6.12.0.122-0xamarin1+raspbian10b1) ...
honestly I don’t know what the issue is. I mean you could try to upgrade you installation to Debian Bullseye but I doubt it will change anything. Because Sonarr as well as Mono did not offer any other packages on Bullseye as the one already installed.
https://dietpi.com/blog/?p=811
That indexer updated its Let’s Encrypt certificate on December 19th. Did this work before the Sonarr upgrade but after this date?
There are known issues with the new Let’s Encrypt root certificate where in some cases clients still pull the old (now invalid) certification path, or servers still ship that one, e.g. see this issue on Webmin: https://github.com/webmin/webmin/issues/1533
This however was solved by upgrading OpenSSL to latest version. In your case it seems to check and fail within Mono, so probably Mono, or its ca-certificates-mono still suffer from the same issue 
.