SOLVED Jackett issue: could not add losslessclub indexer; SSL connection could not be established

sleeper52

Explorer
Joined
Nov 12, 2018
Messages
91
Running FreeNAS 11.3-U3.2

I have Jackett installed as a jail (mono version 6.8.0.96). For the most part I have not encountered issues except for adding losslessclub as an indexer.
Whenever I add it, I get an error that "The SSL connection could not be established..."


I have tried to add this indexer on a Jackett installed on a Windows machine and it runs completely fine. Afaik, this is only an issue on my FreeNAS jail.

I checked and the OpenSSL version on the jail is 1.0.2s. Do I need to update OpenSSL to resolve this? If so, how do I do that?

Here is the error log when attempting to add losslessclub.com indexer:

Code:
{0} System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
  at /usr/ports/lang/mono/work/mono-6.8.0.96/external/boringssl/ssl/handshake_client.c:1132
  at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00048] in <d349126a5c244a1c9241a40862b79e0a>:0
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000da] in <d349126a5c244a1c9241a40862b79e0a>:0
  at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
  at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00006] in <d349126a5c244a1c9241a40862b79e0a>:0
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000fc] in <d349126a5c244a1c9241a40862b79e0a>:0
   --- End of inner exception stack trace ---
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Boolean runSynchronously, Mono.Net.Security.MonoSslAuthenticationOptions options, System.Threading.CancellationToken cancellationToken) [0x00262] in <d349126a5c244a1c9241a40862b79e0a>:0
  at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore (System.IO.Stream stream, System.Net.Security.SslClientAuthenticationOptions sslOptions, System.Threading.CancellationToken cancellationToken) [0x000c3] in <3163c3a218ad47f0abdb25d4ba342345>:0
   --- End of inner exception stack trace ---
  at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore (System.IO.Stream stream, System.Net.Security.SslClientAuthenticationOptions sslOptions, System.Threading.CancellationToken cancellationToken) [0x00102] in <3163c3a218ad47f0abdb25d4ba342345>:0
  at System.Net.Http.HttpConnectionPool.CreateConnectionAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x00322] in <3163c3a218ad47f0abdb25d4ba342345>:0
  at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync (System.Threading.Tasks.ValueTask`1[TResult] creationTask) [0x000a2] in <3163c3a218ad47f0abdb25d4ba342345>:0
  at System.Net.Http.HttpConnectionPool.SendWithRetryAsync (System.Net.Http.HttpRequestMessage request, System.Boolean doRequestAuth, System.Threading.CancellationToken cancellationToken) [0x00089] in <3163c3a218ad47f0abdb25d4ba342345>:0
  at System.Net.Http.DecompressionHandler.SendAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x000ca] in <3163c3a218ad47f0abdb25d4ba342345>:0
  at CloudflareSolverRe.ClearanceHandler.SendRequestAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x00090] in <d04cd2ac2811440c84416674a9f38b05>:0
  at CloudflareSolverRe.ClearanceHandler.SendAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x000a4] in <d04cd2ac2811440c84416674a9f38b05>:0
  at System.Net.Http.HttpClient.FinishSendAsyncBuffered (System.Threading.Tasks.Task`1[TResult] sendTask, System.Net.Http.HttpRequestMessage request, System.Threading.CancellationTokenSource cts, System.Boolean disposeCts) [0x0017e] in <3163c3a218ad47f0abdb25d4ba342345>:0
  at Jackett.Common.Utils.Clients.HttpWebClient.Run (Jackett.Common.Utils.Clients.WebRequest webRequest) [0x0048a] in <9ed6197a044846538a1cee930676e34f>:0
  at Jackett.Common.Utils.Clients.WebClient.GetString (Jackett.Common.Utils.Clients.WebRequest request) [0x0010b] in <9ed6197a044846538a1cee930676e34f>:0
  at Jackett.Common.Indexers.BaseWebIndexer.RequestLoginAndFollowRedirect (System.String url, System.Collections.Generic.IEnumerable`1[T] data, System.String cookies, System.Boolean returnCookiesFromFirstCall, System.String redirectUrlOverride, System.String referer, System.Boolean accumulateCookies) [0x000cb] in <9ed6197a044846538a1cee930676e34f>:0
  at Jackett.Common.Indexers.CardigannIndexer.DoLogin () [0x00165] in <9ed6197a044846538a1cee930676e34f>:0
  at Jackett.Common.Indexers.CardigannIndexer.ApplyConfiguration (Newtonsoft.Json.Linq.JToken configJson) [0x00079] in <9ed6197a044846538a1cee930676e34f>:0
  at Jackett.Server.Controllers.IndexerApiController.UpdateConfig (Jackett.Common.Models.DTO.ConfigItem[] config) [0x0012d] in <2b6e267ea3cf42e4906d3b7855f56988>:0
  at Microsoft.AspNetCore.Mvc.Internal.ActionMethodExecutor+TaskOfIActionResultExecutor.Execute (Microsoft.AspNetCore.Mvc.Infrastructure.IActionResultTypeMapper mapper, Microsoft.Extensions.Internal.ObjectMethodExecutor executor, System.Object controller, System.Object[] arguments) [0x00071] in <b4ef600f4a594fe2865a8f97f915fb9d>:0
  at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeActionMethodAsync () [0x00131] in <b4ef600f4a594fe2865a8f97f915fb9d>:0
  at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeNextActionFilterAsync () [0x0009e] in <b4ef600f4a594fe2865a8f97f915fb9d>:0
  at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Rethrow (Microsoft.AspNetCore.Mvc.Filters.ActionExecutedContext context) [0x0001b] in <b4ef600f4a594fe2865a8f97f915fb9d>:0
  at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Next (Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker+State& next, Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker+Scope& scope, System.Object& state, System.Boolean& isCompleted) [0x00382] in <b4ef600f4a594fe2865a8f97f915fb9d>:0
  at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeInnerFilterAsync () [0x0002f] in <b4ef600f4a594fe2865a8f97f915fb9d>:0
  at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeNextResourceFilter () [0x0009f] in <b4ef600f4a594fe2865a8f97f915fb9d>:0
  at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Rethrow (Microsoft.AspNetCore.Mvc.Filters.ResourceExecutedContext context) [0x0001b] in <b4ef600f4a594fe2865a8f97f915fb9d>:0
  at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Next (Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker+State& next, Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker+Scope& scope, System.Object& state, System.Boolean& isCompleted) [0x00840] in <b4ef600f4a594fe2865a8f97f915fb9d>:0
  at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeFilterPipelineAsync () [0x0002f] in <b4ef600f4a594fe2865a8f97f915fb9d>:0
  at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAsync () [0x0012e] in <b4ef600f4a594fe2865a8f97f915fb9d>:0
  at Microsoft.AspNetCore.Builder.RouterMiddleware.Invoke (Microsoft.AspNetCore.Http.HttpContext httpContext) [0x001cb] in <6092a16d93814eba828b517a2b132f80>:0
  at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke (Microsoft.AspNetCore.Http.HttpContext context) [0x00384] in <427697fe42b7459ba5302fb76d339d3b>:0
  at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke (Microsoft.AspNetCore.Http.HttpContext context) [0x0043e] in <f352e566abf6421e87eafbcf57a0b237>:0
  at Jackett.Server.Middleware.CustomExceptionHandler.Invoke (Microsoft.AspNetCore.Http.HttpContext httpContext) [0x0008a] in <2b6e267ea3cf42e4906d3b7855f56988>:0
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
The error says CERTIFICATE_VERIFY_FAILED. losslessclub.com's certificate is issued by Sectigo, which isn't in the list of root CAs in the jail's /usr/local/share/certs/ca-root-nss.crt. Try downloading the Sectigo root certs from https://sectigo.com/resource-library/sectigo-root-intermediate-certificate-files. You may need to use OpenSSL to convert these from DER to PEM format needed for the ca-root-nss.crt file.
 

sleeper52

The error says CERTIFICATE_VERIFY_FAILED. losslessclub.com's certificate is issued by Sectigo, which isn't in the list of root CAs in the jail's /usr/local/share/certs/ca-root-nss.crt. Try downloading the Sectigo root certs from https://sectigo.com/resource-library/sectigo-root-intermediate-certificate-files. You may need to use OpenSSL to convert these from DER to PEM format needed for the ca-root-nss.crt file.

Hi Sam. I have downloaded all of the Sectigo root certs and have placed them in the Jackett jail. How do I convert them from CER to PEM using OpenSSL?

EDIT: I found how to do it using the following command:
Code:
openssl x509 -inform der -in certificate.cer -out certificate.pem


I am converting them now. Will try it out.

EDIT2: I have converted them to .pem for each .cer certificate using the code above. I placed them all in the /usr/local/share/certs/ directory. I then restarted jackett. I am still getting the same error. Do I need to do anything else after I convert them to .pem files?
Code:
root@jackett:/usr/local/share/certs # ls
AAACertificateServices.pem              ca-root-nss.crt
AddTrustClass1CARoot.pem                COMODOCertificationAuthority.pem
AddTrustExternalCARoot.pem              SecureCertificateServices.pem
AddTrustPublicCARoot.pem                TrustedCertificateServices.pem
AddTrustQualifiedCARoot.pem
root@jackett:/usr/local/share/certs #
 

Samuel Tai

This is not like Linux, which can tolerate multiple cert files in that folder. All of these have to be appended to the ca-root-nss.crt file.
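
The conversion and append steps discussed in this thread, reproduced offline as an added example (not part of the original posts): a throwaway root CA and leaf certificate are generated locally, and the leaf only verifies once the DER root is converted to PEM and appended to the single bundle file. The names Demo Root CA, demo.example and bundle.crt are constructed placeholders.

```shell
#!/bin/sh
# Added example. Every certificate here is a throwaway generated below
# (constructed, no network). "Demo Root CA", "demo.example" and bundle.crt
# are placeholder names, not values from the thread.

# Create a root CA, a leaf it signs, and a bundle that lacks that root.
make_demo_pki() {   # usage: make_demo_pki DIR
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1 -out "$dir/leaf.pem" 2>/dev/null || return 1
    # Stand-in for the existing bundle: one unrelated self-signed root.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated Root" \
        -keyout "$dir/other.key" -out "$dir/bundle.crt" 2>/dev/null || return 1
    # Emulate a root that is published in DER form (.cer).
    openssl x509 -in "$dir/root.pem" -outform der -out "$dir/root.cer"
}

# Succeeds only if CERT chains to a root inside the single BUNDLE file.
bundle_trusts() {   # usage: bundle_trusts BUNDLE CERT
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# DER -> PEM (same command as in the thread), then append to the bundle.
append_der_root() { # usage: append_der_root BUNDLE DER_FILE
    openssl x509 -inform der -in "$2" -out "$2.pem" || return 1
    cat "$2.pem" >> "$1"
}

# Number of PEM certificates currently in a bundle file.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" || exit 1
if bundle_trusts "$demo_dir/bundle.crt" "$demo_dir/leaf.pem"; then before=trusted; else before=untrusted; fi
append_der_root "$demo_dir/bundle.crt" "$demo_dir/root.cer"
if bundle_trusts "$demo_dir/bundle.crt" "$demo_dir/leaf.pem"; then after=trusted; else after=untrusted; fi
echo "before append: $before, after append: $after, certs in bundle: $(count_certs "$demo_dir/bundle.crt")"
```

In the jail the bundle is /usr/local/share/certs/ca-root-nss.crt, which is installed by the ca_root_nss package, so a later package upgrade replaces the file and any manual appends with it.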
 

sleeper52

This is not like Linux, which can tolerate multiple cert files in that folder. All of these have to be appended to the ca-root-nss.crt file.

I am still getting the same error :(

What I have done so far:

I have appended the .pem files into the ca-root-nss.crt file
Code:
cat AAACertificateServices.pem >> ca-root-nss.crt
cat AddTrustClass1CARoot.pem >> ca-root-nss.crt
...

I then moved all the other .pem files to a backup outside of the cert directory.
The only file left is ca-root-nss.crt
Code:
root@jackett:/usr/local/share/certs # ls
ca-root-nss.crt


If I do a nano ca-root-nss.crt the certificates have been appended at the end of the contents of the original ca-root-nss.crt file.
I did a reboot of the jackett jail as well.

 

Samuel Tai

OK, next thing to check is the networking in the jail. Do you have a default gateway and DNS servers defined in the jail?
 

sleeper52

OK, next thing to check is the networking in the jail. Do you have a default gateway and DNS servers defined in the jail?

I defined the default gateway as 192.168.1.1.



As for a default DNS server, I don't recall that I did. I tried to do an nslookup in the jackett jail, but it outputs nslookup: Command not found

I can, however, do an nslookup at my freenas root, which uses a Pihole DNS sinkhole I made inside a FreeNAS Ubuntu server VM (piggybacks to Cloudflare's 1.1.1.2 DNS server):
Code:
root@Nasgul:~ # nslookup google.com
Server:         192.168.1.239
Address:        192.168.1.239#53

Non-authoritative answer:
Name:   google.com
Address: 172.217.3.206
Name:   google.com
Address: 2607:f8b0:400a:809::200e
 

Samuel Tai

Try cat /etc/resolv.conf inside the jail to see what your DNS settings are.
 

sleeper52

Try cat /etc/resolv.conf inside the jail to see what your DNS settings are.

Yes, the DNS server is set to the Pihole server
Code:
root@jackett:~ # cat /etc/resolv.conf
# Generated by resolvconf
search local Router-R7000
nameserver 192.168.1.239
nameserver 1.1.1.2
nameserver 9.9.9.9
 

Samuel Tai

This may be a bug in the installed OpenSSL library. I tried connecting to losslessclub.com using curl, and curl says the certificate is expired, but it's not.
 

sleeper52

This may be a bug in the installed OpenSSL library. I tried connecting to losslessclub.com using curl, and curl says the certificate is expired, but it's not.

Oh no. Are you using the same version of OpenSSL as me (1.0.2s)? Do you think updating to a newer version of OpenSSL will resolve this?
Is there a reason why it works on Jackett running in Windows?
 

Samuel Tai

Yes, same version. Looks like jails get auto-built with OpenSSL 1.0.2s in /usr/bin/openssl and /usr/lib/libssl.so.8. Pkg installs 1.1.1g in /usr/local/bin/openssl and /usr/local/lib/libssl.so.11.
 

sleeper52

Yes, same version. Looks like jails get auto-built with OpenSSL 1.0.2s in /usr/bin/openssl and /usr/lib/libssl.so.8. Pkg installs 1.1.1g in /usr/local/bin/openssl and /usr/local/lib/libssl.so.11.

Ok. Thanks for your help Sam. I'll keep this thread open then and monitor it until the bug is resolved.
Thanks again.
 

sleeper52

UPDATE: There was an update to the Jackett jail:
Code:
pkg update && pkg upgrade -y

The update to the ca_root_nss to 3.55 seems to have resolved the issue. Losslessclub can now be added as an indexer.
 