I enabled debug logging but nothing is logged when I connect to Sonarr to check the certificate. See the bottom quote for the connection log. Sonarr is running with SSL enabled on port 9898 and sans-SSL on 8989.
I get a cert.pem, fullchain.pem, key.pem, and ca.pem from an OPNsense box running an ACME client. (The fullchain.pem works correctly in Radarr when converted to pkcs12, but that has a different mechanism for loading the certificate.) After conversion, loading with mono’s httpcfg, and a Sonarr restart, I still do not see the full chain loaded:
$ openssl version
OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)
$ openssl pkcs12 -export -in fullchain.pem -inkey key.pem -out keystore.p12 -passout pass:
$ httpcfg -add -port 9898 -p12 keystore.p12
or
$ openssl rsa -in key.pem -outform PVK -pvk-none -out key.pvk
$ httpcfg -add -port 9898 -pvk key.pvk -cert fullchain.pem
Either way, when I connect, I see:
$ openssl s_client -connect sonarr.my-redacted-but-real.domain:9898 -verify 10 -verify_return_error
verify depth is 10
CONNECTED(00000005)
depth=0 CN = sonarr.my-redacted-but-real.domain
verify error:num=20:unable to get local issuer certificate
C07D470A01000000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file
C07D470A01000000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:269:calling stat(/usr/local/etc/openssl@3/certs)
C07D470A01000000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file
C07D470A01000000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:269:calling stat(/usr/local/etc/openssl@3/certs)
C07D470A01000000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1883:
Certificate chain
0 s:CN = sonarr.my-redacted-but-real.domain
i:C = US, O = Let’s Encrypt, CN = R3
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 29 19:59:19 2021 GMT; NotAfter: Dec 28 19:59:18 2021 GMT
no peer certificate available
No client certificate CA names sent
SSL handshake has read 1708 bytes and written 330 bytes
Verification error: unable to get local issuer certificate
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID: 147DF0CF78F0865297931E5859E019C14F74D430A2099DA7500990BE7E94C206
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1633575742
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
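
Added example, not part of the original post: the `Certificate chain` section above lists only depth 0, so one way to check for this condition is to classify that section of `openssl s_client` output. The function name `chain_status`, the `sample_*` helpers, and the host `sonarr.example.test` are assumptions, and the sample outputs are constructed.

```shell
#!/bin/sh
# Classify the "Certificate chain" section printed by `openssl s_client`.
# Live use: openssl s_client -connect HOST:9898 </dev/null 2>/dev/null | chain_status

chain_status() {
  awk '
    /Certificate chain/ { in_chain = 1; next }
    in_chain && /^---/  { in_chain = 0 }
    !in_chain           { next }
    { sub(/^[ \t]+/, "") }                      # pasted output often loses indentation
    /^[0-9]+ s:/ { n++; sub(/^[0-9]+ s:/, ""); subj[n] = $0; next }
    /^i:/        { sub(/^i:/, ""); iss[n] = $0; next }
    END {
      if (n == 0) { print "no-chain"; exit }
      for (k = 1; k < n; k++)                   # each issuer must be the next subject
        if (iss[k] != subj[k + 1]) { print "out-of-order"; exit }
      if (n == 1 && iss[1] == subj[1]) { print "self-signed"; exit }
      if (n == 1) { print "leaf-only"; exit }   # server sent no intermediate
      print "chain-sent"
    }'
}

# Constructed sample: leaf only, as in the output quoted in the post.
sample_leaf_only() {
  cat <<'EOF'
Certificate chain
 0 s:CN = sonarr.example.test
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
---
EOF
}

# Constructed sample: leaf plus intermediate, root omitted.
sample_full_chain() {
  cat <<'EOF'
Certificate chain
 0 s:CN = sonarr.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
EOF
}

echo "leaf sample: $(sample_leaf_only | chain_status)"
echo "full sample: $(sample_full_chain | chain_status)"
```

A `leaf-only` result means clients that hold only root certificates cannot build a path to the leaf, which matches the `unable to get local issuer certificate` error in the log.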