Doesn't start after enabling SSL with letsencrypt

Posted: April 10th, 2020, 2:13 pm
by krakah293
Using a crt/key from LetsEncrypt, when I add them to the config sabnzbd no longer starts. I have to go into the config file and disable HTTPS to get it to start again. Here's the log:

2020-04-10 15:04:28,742::INFO::[SABnzbd:1164] --------------------------------
2020-04-10 15:04:28,742::INFO::[SABnzbd:1165] SABnzbd.exe-2.3.9 (rev=03c10dce91e13918bc2e6f8ca9c309196b90be11)
2020-04-10 15:04:28,742::INFO::[SABnzbd:1166] Full executable path = C:\DOWNLOADERS\SABnzbd\SABnzbd.exe
2020-04-10 15:04:28,742::INFO::[SABnzbd:1172] Platform = Windows-2012ServerR2-6.3.9600 (win64)
2020-04-10 15:04:28,742::INFO::[SABnzbd:1177] Python-version = 2.7.16 (v2.7.16:413a49145e, Mar 4 2019, 01:37:19) [MSC v.1500 64 bit (AMD64)]
2020-04-10 15:04:28,742::INFO::[SABnzbd:1178] Arguments = C:\DOWNLOADERS\SABnzbd\SABnzbd.exe
2020-04-10 15:04:28,742::INFO::[SABnzbd:1183] Preferred encoding = cp1252
2020-04-10 15:04:28,742::INFO::[SABnzbd:1193] SSL version = OpenSSL 1.0.2q 20 Nov 2018
2020-04-10 15:04:28,742::INFO::[SABnzbd:1200] Loaded additional certificates from C:\DOWNLOADERS\SABnzbd\cacert.pem
2020-04-10 15:04:29,242::DEBUG::[SABnzbd:1207] Available certificates: {'x509': 146, 'x509_ca': 144, 'crl': 0}
2020-04-10 15:04:29,242::DEBUG::[SABnzbd:1214] My local IPv4 address = 192.168.1.4
2020-04-10 15:04:29,349::DEBUG::[SABnzbd:1220] My public IPv4 address = 100.11.56.85
2020-04-10 15:04:29,349::DEBUG::[SABnzbd:1228] Could not determine my IPv6 address
2020-04-10 15:04:29,558::DEBUG::[SABnzbd:1234] CPU Pystone available performance = 181094
2020-04-10 15:04:29,558::DEBUG::[SABnzbd:1239] CPU model = Intel(R) Xeon(R) CPU E5-2667 v3 @ 3.20GHz
2020-04-10 15:04:29,558::INFO::[SABnzbd:1241] Read INI file C:\Users\lan\AppData\Local\sabnzbd\sabnzbd.ini
2020-04-10 15:04:29,558::DEBUG::[__init__:982] [sabnzbd\rss.pyo.__init__] Loading data for rss_data.sab from C:\Users\lan\AppData\Local\sabnzbd\admin\rss_data.sab
2020-04-10 15:04:29,558::DEBUG::[__init__:982] [sabnzbd\bpsmeter.pyo.read] Loading data for totals10.sab from C:\Users\lan\AppData\Local\sabnzbd\admin\totals10.sab
2020-04-10 15:04:29,558::DEBUG::[bpsmeter:180] Read quota q=0.0 l=0.0 reset=0
2020-04-10 15:04:29,558::DEBUG::[downloader:164] Initializing downloader/decoder
2020-04-10 15:04:29,558::INFO::[postproc:100] Loading postproc queue
2020-04-10 15:04:29,558::DEBUG::[__init__:982] [sabnzbd\postproc.pyo.load] Loading data for postproc2.sab from C:\Users\lan\AppData\Local\sabnzbd\admin\postproc2.sab
2020-04-10 15:04:29,558::DEBUG::[__init__:982] [sabnzbd\nzbqueue.pyo.read_queue] Loading data for queue10.sab from C:\Users\lan\AppData\Local\sabnzbd\admin\queue10.sab
2020-04-10 15:04:29,572::DEBUG::[__init__:982] [sabnzbd\dirscanner.pyo.__init__] Loading data for watched_data2.sab from C:\Users\lan\AppData\Local\sabnzbd\admin\watched_data2.sab
2020-04-10 15:04:29,572::DEBUG::[__init__:982] [sabnzbd\rating.pyo.__init__] Loading data for Rating.sab from C:\Users\lan\AppData\Local\sabnzbd\admin\Rating.sab
2020-04-10 15:04:29,572::INFO::[__init__:985] [sabnzbd\rating.pyo.__init__] C:\Users\lan\AppData\Local\sabnzbd\admin\Rating.sab missing
2020-04-10 15:04:29,572::DEBUG::[scheduler:180] Scheduling RSS interval task every 60 min (delay=40)
2020-04-10 15:04:29,572::DEBUG::[scheduler:192] Scheduling VersionCheck on day 4 at 21:27
2020-04-10 15:04:29,572::INFO::[scheduler:207] Setting schedule for midnight BPS reset
2020-04-10 15:04:29,572::DEBUG::[__init__:598] PAUSED_ALL inactive
2020-04-10 15:04:29,572::INFO::[__init__:349] All processes started
2020-04-10 15:04:29,572::INFO::[SABnzbd:285] Web dir is C:\DOWNLOADERS\SABnzbd\interfaces\Plush
2020-04-10 15:04:29,572::INFO::[SABnzbd:285] Web dir is C:\DOWNLOADERS\SABnzbd\interfaces\Config
2020-04-10 15:04:29,572::INFO::[config:853] Writing settings to INI file C:\Users\lan\AppData\Local\sabnzbd\sabnzbd.ini
2020-04-10 15:04:29,572::DEBUG::[sabtray:187] SysTray uses codepage 1252
2020-04-10 15:04:29,572::INFO::[SABnzbd:409] SABYenc module (v3.3.5)... found!
2020-04-10 15:04:29,572::INFO::[SABnzbd:426] Cryptography module (v2.6.1)... found!
2020-04-10 15:04:29,572::INFO::[SABnzbd:431] par2 binary... found (C:\DOWNLOADERS\SABnzbd\win\par2\par2.exe)
2020-04-10 15:04:29,572::INFO::[SABnzbd:436] MultiPar binary... found (C:\DOWNLOADERS\SABnzbd\win\par2\multipar\par2j64.exe)
2020-04-10 15:04:29,572::INFO::[SABnzbd:441] UNRAR binary... found (C:\DOWNLOADERS\SABnzbd\win\unrar\x64\UnRAR.exe)
2020-04-10 15:04:29,572::INFO::[SABnzbd:456] unzip binary... NOT found!
2020-04-10 15:04:29,572::INFO::[SABnzbd:459] 7za binary... found (C:\DOWNLOADERS\SABnzbd\win\7zip\7za.exe)
2020-04-10 15:04:29,572::INFO::[SABnzbd:1397] Starting web-interface on 192.168.1.4:9090
2020-04-10 15:04:29,572::INFO::[_cplogging:219] [10/Apr/2020:15:04:29] ENGINE Bus STARTING
2020-04-10 15:04:29,917::INFO::[_cplogging:219] [10/Apr/2020:15:04:29] ENGINE Serving on http://192.168.1.4:8080
2020-04-10 15:04:29,917::ERROR::[_cplogging:219] [10/Apr/2020:15:04:29] ENGINE Error in 'start' listener <bound method Server.start of <cherrypy._cpserver.Server object at 0x0000000002C0CBA8>>
Traceback (most recent call last):
File "cherrypy\process\wspbus.pyo", line 207, in publish
File "cherrypy\_cpserver.pyo", line 167, in start
File "cherrypy\_cpserver.pyo", line 158, in httpserver_from_self
File "cherrypy\_cpwsgi_server.pyo", line 64, in __init__
File "cherrypy\wsgiserver\ssl_builtin.pyo", line 56, in __init__
IOError: [Errno 9] Bad file descriptor

2020-04-10 15:04:29,917::ERROR::[_cplogging:219] [10/Apr/2020:15:04:29] ENGINE Shutting down due to error in start listener:
Traceback (most recent call last):
File "cherrypy\process\wspbus.pyo", line 245, in start
File "cherrypy\process\wspbus.pyo", line 225, in publish
ChannelFailures: IOError(9, 'Bad file descriptor')

2020-04-10 15:04:29,917::INFO::[_cplogging:219] [10/Apr/2020:15:04:29] ENGINE Bus STOPPING
2020-04-10 15:04:29,917::INFO::[_cplogging:219] [10/Apr/2020:15:04:29] ENGINE HTTP Server None already shut down
2020-04-10 15:04:30,036::INFO::[_cplogging:219] [10/Apr/2020:15:04:30] ENGINE HTTP Server cherrypy._cpwsgi_server.CPWSGIServer(('192.168.1.4', 8080)) shut down
2020-04-10 15:04:30,036::INFO::[_cplogging:219] [10/Apr/2020:15:04:30] ENGINE Bus STOPPED
2020-04-10 15:04:30,036::INFO::[_cplogging:219] [10/Apr/2020:15:04:30] ENGINE Bus EXITING
2020-04-10 15:04:30,036::INFO::[_cplogging:219] [10/Apr/2020:15:04:30] ENGINE Bus EXITED

Re: Doesn't start after enabling SSL with letsencrypt

Posted: April 11th, 2020, 12:33 am
by sander
I've made your subject more specific.

Read viewtopic.php?t=19684

This is the mapping:
letsencrypt---cert.pem onto server.cert
letsencrypt---privkey.pem onto server.key

Re: Doesn't start after enabling SSL with letsencrypt

Posted: April 11th, 2020, 7:16 pm
by krakah293
Hi, thanks for the reply. I'm on Windows so this is a bit different for me. I followed the flow and it doesn't seem like you've done anything to the certificate/key other than rename them, move them, and change their permission levels.

I've copied my crt/key to the correct folder and renamed them to server.cert and server.key in the c:\users\<user>\appdata\roaming\sabnzbd\admin folder.

I was hoping the above was the issue as the error in the log is "bad file descriptor". It's not a very descriptive message to begin with.

I think the only thing left for me to test from that thread is different supported cipher suites. I can use certutil in Windows, but I also used OpenSSL to extract the cert/key from the pfx supplied by LetsEncrypt. I'll report back.

EDIT: for what it's worth, using the default generated cert/key I can get sab to load. Though that certificate isn't trusted and we want to use a known CA, not a self-signed one. So I at least know the issue is Sab not liking my cert/key. Just have to figure out what it is.

Re: Doesn't start after enabling SSL with letsencrypt

Posted: April 11th, 2020, 11:09 pm
by sander
And what is inside the two letsencrypt files you 'give' to SABnzbd? The first line should say

-----BEGIN PRIVATE KEY-----

resp

-----BEGIN CERTIFICATE-----

and the rest should be numbers and letters.

Compare high-level with the SAB generated files.

Re: Doesn't start after enabling SSL with letsencrypt

Posted: April 12th, 2020, 2:09 am
by sander
BTW: do you have python3 installed on your Windows system, or can you install it? If so, we can do an extra test of the certificates; I've written a small python3 program to check.

Re: Doesn't start after enabling SSL with letsencrypt

Posted: April 13th, 2020, 8:18 am
by krakah293
Hey there. I can certainly install python no problem. I'm hoping to get to this in the coming days. Had a busy weekend and now back at work. I dumped the details for the certificate and I think the cryptographic provider might be something that sab doesn't like:


Provider = Microsoft Enhanced Cryptographic Provider v1.0

I'm a software engineer at work and the software we support allows for 100% secure communication between all components by binding certificates to the ports that the applications use. I'm talking a lot more than just your basic HTTP/HTTPS traffic. The software though requires the certificates used to have specific attributes, one of which is the cryptographic provider. It wants Microsoft RSA. I've used OpenSSL in the past to change that cryptographic provider when customers supply certificates that don't quite meet all those requirements.

This is something that's piqued my curiosity and I want to get working. Hope you can bear with me this week as I find the time. I'll get python installed ASAP. I think that may give a better understanding of what the message in the log means, rather than shooting in the dark at certificate attributes.

Re: Doesn't start after enabling SSL with letsencrypt

Posted: April 13th, 2020, 8:34 am
by krakah293
I've installed python; if you want to link me to that program you wrote, I'll give it a run.

Re: Doesn't start after enabling SSL with letsencrypt

Posted: April 13th, 2020, 9:02 am
by sander
Wait ... you said Let's Encrypt ... so what is the "Provider = Microsoft Enhanced Cryptographic Provider v1.0"?

And can you answer my questions in viewtopic.php?p=120595&sid=d2ee5e8e0a67 ... 34#p120584 ?

Re: Doesn't start after enabling SSL with letsencrypt

Posted: April 13th, 2020, 9:52 am
by krakah293
The certificates are issued by LetsEncrypt. The cryptographic service provider is one attribute of the certificate:

https://en.wikipedia.org/wiki/Cryptogra ... e_Provider

Re: Doesn't start after enabling SSL with letsencrypt

Posted: April 13th, 2020, 9:58 am
by krakah293
Also to answer your question about what the cert/key starts with. There was some additional text before -----BEGIN PRIVATE KEY-----

Bag Attributes
Microsoft Local Key set: <No Values>
localKeyID: 01 00 00 00
friendlyName: {10F82ECD-F5A1-4E3F-83B5-78599EC183B7}
Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
Key Attributes
X509v3 Key Usage: 10

I've removed that text from both the certificate and the key, but the issue remains.

It's worth noting at work I support another Windows-based Apache instance on our software that requires a cert/key. We use LetsEncrypt cert/keys and I dump them into the appropriate folder without removing those lines. I'm unsure if this is a Sabnzbd requirement to have those lines removed. If so I'll have to keep that in mind when developing scripts to automate this.

Re: Doesn't start after enabling SSL with letsencrypt

Posted: April 13th, 2020, 10:02 am
by sander
When you get the cert/key from Letsencrypt it's plain (start line, base64 encoded, end line). Right? So what happens when you put those two files directly to sabnzbd's admin directory, with the correct names (which are described in the other thread)?

Re: Doesn't start after enabling SSL with letsencrypt

Posted: April 13th, 2020, 10:18 am
by krakah293
No, this is all Windows so my Windows LetsEncrypt program supplies a .pfx (PKCS #12) which is an archive format that contains a private key and an X.509 certificate. It's typically only used in Microsoft based environments, but is not exclusive to it. Using OpenSSL the key and certificate can be extracted from the .pfx which is what I've done. This is the technique I've used for other software that cannot natively access the archive to extract the cert/key. Just think of it as a password protected zip file that contains the cert/key.

I don't seem to have the original key/certificate. But there has to be something about the certificate that Sabnzbd isn't liking. Just need to figure out what it is.

Re: Doesn't start after enabling SSL with letsencrypt

Posted: April 13th, 2020, 10:23 am
by krakah293
When I place them in the Admin folder:

https://imgur.com/a/BpzJcmL

I get the above error in the OP.

Re: Doesn't start after enabling SSL with letsencrypt

Posted: April 13th, 2020, 12:12 pm
by krakah293
Ok so as mentioned, I lost the original server.cert and server.key so I installed sab on another PC to retrieve them. I used what was available on the website as latest. Both appear to be version 2.3.9 [03c10dc], same version of OpenSSL 1.0.2q 20 Nov 2018 and same version of python 2.7.16 (v2.7.16:413a49145e, Mar 4 2019, 01:37:19) [MSC v.1500 64 bit (AMD64)] [cp1252].

However, the one I just installed behaves differently than my production when I apply my LetsEncrypt certificates. It gives a different error message, and doesn't crash, but rather continues to load without the HTTPS.


The error message this time:

WARNING a few seconds ago [13/Apr/2020:13:03:16] ENGINE socket.error 1
Traceback (most recent call last):
File "cherrypy\wsgiserver\__init__.pyo", line 1402, in communicate
File "cherrypy\wsgiserver\__init__.pyo", line 602, in parse_request
File "cherrypy\wsgiserver\__init__.pyo", line 635, in read_request_line
File "cherrypy\wsgiserver\__init__.pyo", line 304, in readline
File "cherrypy\wsgiserver\__init__.pyo", line 1219, in readline
File "cherrypy\wsgiserver\__init__.pyo", line 1070, in recv
File "ssl.pyo", line 754, in recv
File "ssl.pyo", line 641, in read
SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:1946)


So it definitely doesn't like the certificates. Just have to figure out what about them it is, and then can possibly either modify them.

Re: Doesn't start after enabling SSL with letsencrypt

Posted: April 13th, 2020, 12:16 pm
by krakah293
Ok... so after some additional screwing around with extracting the cert/key out of the pfx I was able to get it to work. I did have to manually remove the text before BEGIN CERTIFICATE. There has to be something else because I have another copy of the cert/key from when I was extracting before and those don't work.

I'd like to get a brand new .pfx from LetsEncrypt but apparently I've reached my limit for the week so I will not be able to continue this until next week.
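
Added example (not part of any post above, and not sander's program or SABnzbd code): a Python 3 structural check for the two files discussed in the thread, covering the "first line is a BEGIN line, body is base64" test and the removal of the "Bag Attributes" preamble that OpenSSL writes when extracting from a .pfx. The function names and the sample key are constructed for illustration; the check looks only at file structure and does not verify that the certificate and key belong together.

```python
import base64
import re

# Anything outside BEGIN/END blocks (e.g. "Bag Attributes") is not PEM data.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)
LABELS = {"cert": {"CERTIFICATE"},
          "key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}}

# Constructed sample: preamble lines as quoted in the thread, followed by a
# placeholder body (base64 of dummy bytes, not a real key).
SAMPLE_KEY = (
    "Bag Attributes\r\n"
    "    Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0\r\n"
    "Key Attributes\r\n"
    "    X509v3 Key Usage: 10\r\n"
    "-----BEGIN PRIVATE KEY-----\r\n"
    + base64.b64encode(b"constructed placeholder, not a real key").decode()
    + "\r\n-----END PRIVATE KEY-----\r\n"
)


def pem_blocks(text):
    """Return [(label, base64_body)] for every PEM block in text."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def check_pem(text, kind):
    """List structural problems in a file meant to be a 'cert' or a 'key'."""
    problems = []
    blocks = pem_blocks(text)
    if not text.lstrip().startswith("-----BEGIN "):
        problems.append("text before the first BEGIN line")
    if not any(label in LABELS[kind] for label, _ in blocks):
        problems.append("no %s block found" % kind)
    for label, body in blocks:
        if label == "ENCRYPTED PRIVATE KEY":
            problems.append("private key is passphrase-protected")
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append("%s body is not valid base64" % label)
    return problems


def strip_to_pem(text, kind):
    """Rebuild the file from only the wanted PEM blocks, with LF line endings."""
    return "".join(
        "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(body.split()), label)
        for label, body in pem_blocks(text) if label in LABELS[kind])
```

Run `check_pem` on the contents of server.cert with kind `"cert"` and of server.key with kind `"key"`; an empty list means the file has the plain layout sander describes.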