Issue connecting to download clients via Nginx reverse proxy

Sonarr version (exact version): 2.0.0.4855
Mono version (if Sonarr is not running on Windows): 4.8.1
OS: FreeBSD 11.0
Debug logs: https://pastebin.com/BfLCmXY5
Description of issue:

Sonarr fails to work with self-signed certificates and seems to be using libcurl instead of mono for TLS, though mono seems to be configured correctly with the env var MONO_TLS_PROVIDER=legacy.

If I could somehow get Sonarr to use mono for the TLS, I could add my self-signed certificate or my own certificate authority via mono’s certmgr instead of having to manually add the certificate to my OS root CA certificate store. I have verified that adding the custom CA cert I used to sign my certificate to my OS cert store allows libcurl/curl (and therefore Sonarr) to successfully connect via my nginx reverse proxy, so my proxy setup is good.

The legacy TLS provider in mono doesn’t support TLS 1.1/1.2, which is standard nowadays. That is why Sonarr uses libcurl as a fallback in the first place. btls was supposed to bring mono TLS support up to standard, but it’s been very unreliable on certain platforms.

Ok. Currently I need to set an environment variable so that libcurl can pick up my custom ca certificate, SSL_CERT_DIR="…". With this variable curl/libcurl is able to successfully connect via https. I am passing it in via env and also in the script that runs sonarr via “export” but sonarr still has issues connecting via libcurl. Would the mono environment nzbdrone.exe is running in prevent it from seeing my exported variable when sonarr makes the libcurl calls? Trying to see what viable option I have without having to add my ca to my os trusted ca store.

I don’t know if that export is specific to curl or also used in libcurl. But what’s your objection against adding your ca to the trust store? That’s usually how you’re supposed to do it.

Yea, you can feel free to close this thread. My initial objection arose due to how annoying it was having to add my custom CA to the OS CA store when the OS would overwrite the file on updates. You can imagine how annoying it’d be having to manually append the CA every time to that file, let alone detecting when the OS actually updated the file. I think I have a good solution now where I have a script that is run on root’s crontab every 24hrs that generates a new OS CA store based on the original CA store appended with my new custom CA. After that I recompiled curl to use my new CA store instead of the one actually updated by the OS. Thanks!
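The kind of rebuild script the post above describes, as an added example that is not code from the thread or from Sonarr: it copies the OS bundle, appends only the custom certificates the bundle does not already contain, and swaps the result in atomically so a cron run never leaves a half-written store. The file paths are whatever the caller passes (on FreeBSD 11 the OS bundle is /usr/local/share/certs/ca-root-nss.crt); the certificate blocks used in testing are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not code from the thread. Rebuilds a CA bundle as the OS
# bundle plus any custom CA certificates it does not already contain, and
# replaces the output atomically so a reader never sees a half-written file.
# On FreeBSD 11 the OS bundle is /usr/local/share/certs/ca-root-nss.crt; the
# paths passed in below are whatever the caller chooses (hypothetical).

# pem_blocks FILE: print each PEM certificate in FILE on a single line, with
# the original newlines replaced by '|', so blocks can be compared as strings.
pem_blocks() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { inblk = 1; blk = "" }
        inblk == 1 { blk = blk $0 "|" }
        /^-----END CERTIFICATE-----/ { if (inblk == 1) print blk; inblk = 0 }
    ' "$1"
}

# count_certs FILE: number of certificates in FILE.
count_certs() {
    pem_blocks "$1" | wc -l | tr -d ' '
}

# merge_ca_bundle BASE CUSTOM OUT: copy BASE to OUT and append every
# certificate from CUSTOM that BASE lacks. Prints the number appended, so a
# cron job can log "0" on days when nothing changed (the merge is idempotent).
merge_ca_bundle() {
    base=$1; custom=$2; out=$3
    tmp="$out.tmp.$$"
    cp "$base" "$tmp" || return 1
    # Make sure the copy ends with a newline before appending more blocks.
    [ -n "$(tail -c 1 "$tmp")" ] && echo >> "$tmp"
    pem_blocks "$base"   > "$tmp.have"
    pem_blocks "$custom" > "$tmp.want"
    added=0
    while IFS= read -r blk; do
        # Skip anything already present in the base bundle (exact block match).
        if grep -qxF -- "$blk" "$tmp.have"; then
            continue
        fi
        printf '%s' "$blk" | tr '|' '\n' >> "$tmp"
        added=$((added + 1))
    done < "$tmp.want"
    rm -f "$tmp.have" "$tmp.want"
    # Bundle stays world-readable for curl/mono but not writable; then swap in.
    chmod 0644 "$tmp" && mv -f "$tmp" "$out" || return 1
    echo "$added"
}
```

Pointing curl at the merged file with --cacert, or libcurl built against OpenSSL via SSL_CERT_FILE, uses it without recompiling curl.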

Euh… I think you’ve been adding the ca to the wrong file.

http://manpages.ubuntu.com/manpages/precise/man8/update-ca-certificates.8.html

Furthermore all certificates found below /usr/local/share/ca-certificates are also included as implicitly trusted.

I’m on FreeBSD 11.0, which uses the security/ca-root-nss port and the CA store /usr/local/share/certs/ca-root-nss.crt. The design is different in that the entire directory is not monitored, just that file.

Right, good to know FreeBSD is different. tnx.
