Untrusted Certificate thundernews.com

[jcfp]

Note that the dns record for "news-us.usenetserver.com" is a CNAME with a 5 minute TTL. Could well have pointed to different servers over time, which might explain the intermittent nature of the error.

[airguy]

So it's an intermittent error, that's very strange. Sander, do you have a clue how that could be?
We need to read out the certificate, can you run this command:

openssl s_client -connect news-us.usenetserver.com:563

Here is the results of that command:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Program Files (x86)\F-Secure\Web User Interface\bin>openssl s_client -connect
news-us.usenetserver.com:563
Loading 'screen' into random state - done
CONNECTED(000001C8)
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/CN=news.usenetserver.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIJADCCB+igAwIBAgISBBkCKzF6RbQud9kqMlvPz1X+MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA2MjAxNjU1MDBaFw0x
NzA5MTgxNjU1MDBaMCAxHjAcBgNVBAMTFW5ld3MudXNlbmV0c2VydmVyLmNvbTCC
AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANXuHY7jp++ptpNPBxP072xB
3RhQXAsFN0ZrcgNMJZw5gfh7t0gzZ2cZr+w3e7LgiOHToXaPV8zKx/M9YriNq472
xO7AHJU5WU75gehd1r/68ZIdS++x4D/bwhy56aGIZgrxfMoNnwtG0s4DWTV0tVlR
TB3gWV50Al8xzYVg9K1QSZBKRdTj7/+qjs7l/Zk4ULki+/xtVyksh4ll34F5WWkK
vWTMNsmSobT8ZafB6hIjDj6gLwEB+KPD8kWTegiaTNKCnRPEV8G28IZI9K3jQWrK
gbTvgQjqzxxjjxuEB8padM6mEQP/goosI49BH6eqYcDYiG6wZNILfW+rADWIyZpZ
KVR0dT0K80hFcL+B7l/hw/iJbBhFw8iOqTARdiYOVKHxMo7DchQHW0ivp3FC/V/H
98jnUQ3EUlRSrOKgFr0duNaX4vt3hirTlzxvluvW2NVS6Vfki+Yf3bPAGZN1Cyuy
LJ4lCN3nWvwGR0RthA58h4I1OZStKfA6EjRT/rQw+GdM3CPaNBA9qhXLpBlSAek3
GWZs5QX3p39JxM6WovCfpuY+pU0omkrEaB40tznmeLs0tVBpgLBCLA1JoILFw6Ce
xCACNe91B0ONQrkhasqBWT9s+4/564PVmKEF2DFBcmvlWbs2k4yyPewQ9ZFO8sKg
nTB9zsC6ZsuknZrD7L+JAgMBAAGjggUIMIIFBDAOBgNVHQ8BAf8EBAMCBaAwHQYD
VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0O
BBYEFDC5I71EOfIbbnOHEH2s2cFnA0gxMB8GA1UdIwQYMBaAFKhKamMEfd265tE5
t6ZFZe/zqOyhMG8GCCsGAQUFBwEBBGMwYTAuBggrBgEFBQcwAYYiaHR0cDovL29j
c3AuaW50LXgzLmxldHNlbmNyeXB0Lm9yZzAvBggrBgEFBQcwAoYjaHR0cDovL2Nl
cnQuaW50LXgzLmxldHNlbmNyeXB0Lm9yZy8wggMRBgNVHREEggMIMIIDBIIVYmV0
YS51c2VuZXRzZXJ2ZXIuY29tghhjaGljYWdvLnVzZW5ldHNlcnZlci5jb22CFWVh
c3QudXNlbmV0c2VydmVyLmNvbYIXaHNwbHVzLnVzZW5ldHNlcnZlci5jb22CGmhz
cHNlY3VyZS51c2VuZXRzZXJ2ZXIuY29tghNteS51c2VuZXRzZXJ2ZXIuY29tghhu
ZXdzLWV1LnVzZW5ldHNlcnZlci5jb22CGW5ld3MtZXU2LnVzZW5ldHNlcnZlci5j
b22CGG5ld3MtdXMudXNlbmV0c2VydmVyLmNvbYIZbmV3cy11czYudXNlbmV0c2Vy
dmVyLmNvbYIZbmV3cy5hbXMudXNlbmV0c2VydmVyLmNvbYIYbmV3cy5ldS51c2Vu
ZXRzZXJ2ZXIuY29tghluZXdzLmZyNy51c2VuZXRzZXJ2ZXIuY29tghluZXdzLmlh
ZC51c2VuZXRzZXJ2ZXIuY29tghhuZXdzLnVzLnVzZW5ldHNlcnZlci5jb22CFW5l
d3MudXNlbmV0c2VydmVyLmNvbYIWbmV3czYudXNlbmV0c2VydmVyLmNvbYIVbm50
cC51c2VuZXRzZXJ2ZXIuY29tghZubnRwMS51c2VuZXRzZXJ2ZXIuY29tghdubnRw
MTAudXNlbmV0c2VydmVyLmNvbYIWbm50cDIudXNlbmV0c2VydmVyLmNvbYIWbm50
cDMudXNlbmV0c2VydmVyLmNvbYIWbm50cDQudXNlbmV0c2VydmVyLmNvbYIWbm50
cDYudXNlbmV0c2VydmVyLmNvbYIWbm50cDcudXNlbmV0c2VydmVyLmNvbYIWbm50
cDgudXNlbmV0c2VydmVyLmNvbYIWbm50cDkudXNlbmV0c2VydmVyLmNvbYIXc2Vj
dXJlLnVzZW5ldHNlcnZlci5jb22CG3NlY3VyZWJldGEudXNlbmV0c2VydmVyLmNv
bYIVdGVzdC51c2VuZXRzZXJ2ZXIuY29tghV3ZXN0LnVzZW5ldHNlcnZlci5jb20w
gf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsG
AQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIw
gZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5
IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhl
IENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0
Lm9yZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEASzUDIw+ehZGITrhs
/MDkjlvFeCrnC+tpn32FA4Ypnu+50kuuEg6zkNNx//ntgrW/PMdtD31JfKeUkPmQ
p3MZN6gCAI7ssdurHDrm953ZcvK21S2bGS55MZ2wf/KdfdVtJWLkBd8xJXUn0UdQ
X57uf0D4DajDuh8tU2cmOxDBCqr6qrXXJEWCzFMDxB1612HP3fRk8KNhTiWwXMRp
i01Igmzk5FmF/MHPJTD5KoxWeUIFrlknzUA6r0IUDh02hH1P/fpQrMeGGHYS/PjG
cHKHpCxJi96ah17nVNMikXIthL+K0Pfk5G+e0GiXlrOceeiR4ivh68BUBiZfA2x7
k97UUw==
-----END CERTIFICATE-----
subject=/CN=news.usenetserver.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 3647 bytes and written 706 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 4096 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 27FB570371C0E25817F506271D1FBA406FB78B975A09A8DEBAFFE40017831DFA

Session-ID-ctx:
Master-Key: 01B3520FEAA3166A20B5AD45AC9A7931166E17E76CCEA452FF3EA70D880D24D9
A2D34888BCA4F1CC81953597B0525BFC
Key-Arg : None
Start Time: 1498732902
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
200 news.usenetserver.com Welcome! (fx16.iad)

The problem is not intermittent. It started out that way. Now I can no longer connect to this server without the untrusted certificate error.

[sander]

Possible DNS Hijack?

Check your sabnzbd.log for lines with "news-us.usenetserver.com" in it, and post them here.

This is from my sabnzbd.log:

Code: Select all

2017-06-29 14:21:55,004::INFO::[downloader:484] 1@news-us.usenetserver.com: Initiating connection
2017-06-29 14:21:55,996::INFO::[happyeyeballs:138] Quickest IP address for news-us.usenetserver.com (port 563, ssl 1, preferipv6 True) is 69.16.179.26
2017-06-29 14:21:56,294::INFO::[newswrapper:122] 1@news-us.usenetserver.com: Connected using TLSv1/SSLv3 (AES128-SHA)

That reveals:
- IP address
- protocol and cipher used

[airguy]

Possible DNS Hijack?

Check your sabnzbd.log for lines with "news-us.usenetserver.com" in it, and post them here.

This is from my sabnzbd.log:

Code: Select all

2017-06-29 14:21:55,004::INFO::[downloader:484] 1@news-us.usenetserver.com: Initiating connection
2017-06-29 14:21:55,996::INFO::[happyeyeballs:138] Quickest IP address for news-us.usenetserver.com (port 563, ssl 1, preferipv6 True) is 69.16.179.26
2017-06-29 14:21:56,294::INFO::[newswrapper:122] 1@news-us.usenetserver.com: Connected using TLSv1/SSLv3 (AES128-SHA)

That reveals:
- IP address
- protocol and cipher used

Here are some lines from my log with news-us.usenetserver.com. Might be a little lengthy:

2017-06-29 10:26:14,239::INFO::[downloader:489] 1@news.usenetserver.com:563: Initiating connection
2017-06-29 10:26:14,663::INFO::[happyeyeballs:138] Quickest IP address for news-us.usenetserver.com (port 563, ssl 1, preferipv6 True) is 69.16.179.27
2017-06-29 10:26:14,663::DEBUG::[happyeyeballs:140] Happy Eyeballs lookup and port connect took 423 ms
2017-06-29 10:26:14,663::DEBUG::[downloader:132] news-us.usenetserver.com: Connecting to address 69.16.179.27
2017-06-29 10:26:14,667::INFO::[downloader:489] 2@news.usenetserver.com:563: Initiating connection
2017-06-29 10:26:14,667::DEBUG::[downloader:113] news-us.usenetserver.com: Re-using address 69.16.179.27
2017-06-29 10:26:14,668::INFO::[downloader:489] 3@news.usenetserver.com:563: Initiating connection
2017-06-29 10:26:14,670::DEBUG::[downloader:113] news-us.usenetserver.com: Re-using address 69.16.179.27
2017-06-29 10:26:14,671::INFO::[downloader:489] 4@news.usenetserver.com:563: Initiating connection
2017-06-29 10:26:14,671::DEBUG::[downloader:113] news-us.usenetserver.com: Re-using address 69.16.179.27
2017-06-29 10:26:14,696::INFO::[downloader:489] 5@news.usenetserver.com:563: Initiating connection
2017-06-29 10:26:14,696::DEBUG::[downloader:113] news-us.usenetserver.com: Re-using address 69.16.179.27
2017-06-29 10:26:14,698::INFO::[downloader:489] 6@news.usenetserver.com:563: Initiating connection
2017-06-29 10:26:14,698::DEBUG::[downloader:113] news-us.usenetserver.com: Re-using address 69.16.179.27
2017-06-29 10:26:14,700::INFO::[downloader:489] 7@news.usenetserver.com:563: Initiating connection
2017-06-29 10:26:14,700::DEBUG::[downloader:113] news-us.usenetserver.com: Re-using address 69.16.179.27
2017-06-29 10:26:14,703::INFO::[downloader:489] 8@news.usenetserver.com:563: Initiating connection
2017-06-29 10:26:14,703::DEBUG::[downloader:113] news-us.usenetserver.com: Re-using address 69.16.179.27
2017-06-29 10:26:14,706::INFO::[downloader:489] 9@news.usenetserver.com:563: Initiating connection
2017-06-29 10:26:14,707::DEBUG::[downloader:113] news-us.usenetserver.com: Re-using address 69.16.179.27
2017-06-29 10:26:14,709::INFO::[downloader:489] 10@news.usenetserver.com:563: Initiating connection
2017-06-29 10:26:14,709::DEBUG::[downloader:113] news-us.usenetserver.com: Re-using address 69.16.179.27
2017-06-29 10:26:14,862::ERROR::[newswrapper:260] Server news-us.usenetserver.com uses an untrusted certificate [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)] - https://sabnzbd.org/certificate-errors
2017-06-29 10:26:14,862::ERROR::[newswrapper:260] Server news-us.usenetserver.com uses an untrusted certificate [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)] - https://sabnzbd.org/certificate-errors
2017-06-29 10:26:14,862::ERROR::[newswrapper:260] Server news-us.usenetserver.com uses an untrusted certificate [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)] - https://sabnzbd.org/certificate-errors
2017-06-29 10:26:14,862::INFO::[newswrapper:269] Failed to connect: Server news-us.usenetserver.com uses an untrusted certificate [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)] - https://sabnzbd.org/certificate-errors 1@69.16.179.27:563
2017-06-29 10:26:14,862::INFO::[newswrapper:269] Failed to connect: Server news-us.usenetserver.com uses an untrusted certificate [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)] - https://sabnzbd.org/certificate-errors 2@69.16.179.27:563
2017-06-29 10:26:14,864::INFO::[newswrapper:269] Failed to connect: Server news-us.usenetserver.com uses an untrusted certificate [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)] - https://sabnzbd.org/certificate-errors 3@69.16.179.27:563
2017-06-29 10:26:14,874::INFO::[newswrapper:269] Failed to connect: Server news-us.usenetserver.com uses an untrusted certificate [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)] - https://sabnzbd.org/certificate-errors 6@69.16.179.27:563
2017-06-29 10:26:14,878::INFO::[newswrapper:269] Failed to connect: Server news-us.usenetserver.com uses an untrusted certificate [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)] - https://sabnzbd.org/certificate-errors 4@69.16.179.27:563
2017-06-29 10:26:14,878::INFO::[newswrapper:269] Failed to connect: Server news-us.usenetserver.com uses an untrusted certificate [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)] - https://sabnzbd.org/certificate-errors 8@69.16.179.27:563
2017-06-29 10:26:14,878::INFO::[newswrapper:269] Failed to connect: Server news-us.usenetserver.com uses an untrusted certificate [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)] - https://sabnzbd.org/certificate-errors 5@69.16.179.27:563
2017-06-29 10:26:14,888::INFO::[newswrapper:269] Failed to connect: Server news-us.usenetserver.com uses an untrusted certificate [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)] - https://sabnzbd.org/certificate-errors 7@69.16.179.27:563
2017-06-29 10:26:14,898::INFO::[newswrapper:269] Failed to connect: Server news-us.usenetserver.com uses an untrusted certificate [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)] - https://sabnzbd.org/certificate-errors 9@69.16.179.27:563
2017-06-29 10:26:14,911::INFO::[newswrapper:269] Failed to connect: Server news-us.usenetserver.com uses an untrusted certificate [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)] - https://sabnzbd.org/certificate-errors 10@69.16.179.27:563

[airguy]

I wanted to note that I have changed my DNS servers that my network uses, just in case it's a possible DNS Hijack.

[sander]

news-eu.usenetserver.com and news-us.usenetserver.com use different certificate issuers:

EU uses GoDaddy, see:
https://www.sslshopper.com/ssl-checker. ... er.com:563

US uses Let's Encrypt Authority X3 / DST Root CA X3, see:
https://www.sslshopper.com/ssl-checker. ... er.com:563

So as your system does not trust the US server, I think your DST Root CA X3 root certificate is missing in your system.
As you are running SAB on Windows (right?), you should
- update your Windows, update again, update, reboot ... in other words: the usual Windows sequence
- you can check your root certificate. EDIT: you need to start a Powershell session, and then type "Get-ChildItem -Recurse Cert:", and in the output search for "Root CA X3".

[sander]

To verify my hypothesis about the root certificate for Let's Encrypt Authority X3 / DST Root CA X3 missing on your Windows: Can you run these two commands and post the output here:

Code: Select all

python -c "import urllib2; print urllib2.urlopen('https://www.appelboor.com/').read()[:80] 

Code: Select all

python -c "import urllib2; print urllib2.urlopen('https://self-signed.badssl.com/').read()[:80] "

PS: Oh, you're on Windows. So I'm not sure if you have / can run Python ...

[airguy]

news-eu.usenetserver.com and news-us.usenetserver.com use different certificate issuers:

EU uses GoDaddy, see:
https://www.sslshopper.com/ssl-checker. ... er.com:563

US uses Let's Encrypt Authority X3 / DST Root CA X3, see:
https://www.sslshopper.com/ssl-checker. ... er.com:563

So as your system does not trust the US server, I think your DST Root CA X3 root certificate is missing in your system.
As you are running SAB on Windows (right?), you should
- update your Windows, update again, update, reboot ... in other words: the usual Windows sequence
- you can check your root certificate. EDIT: you need to start a Powershell session, and then type "Get-ChildItem -Recurse Cert:", and in the output search for "Root CA X3".

Well, managed to fix it! Thanks to your help, I found that the "Root CA X3" certificate was not present on my WHS 2011 Server. So, I found it on my Win7 machine, exported it to a usb thumb drive, then imported it into my WHS 2011 server. Works fine now!

Not sure why the certificate got deleted or lost.

Thanks so much for showing me how to work with certificates.