Let's Encrypt Certificate Chain

Sonarr version (exact version): 3.0.6.1342
Mono version (if Sonarr is not running on Windows): 6.12.0.157 (preview) or 6.12.0.122
OS: Mac OS Big Sur (11.6)
Debug logs: N/A
Description of issue:

Since the Let’s Encrypt X3 certificate expiration, I’ve been unable to get clients to validate the SSL chain when connecting to Sonarr. Looking at https://github.com/mono/mono/issues/20505, it appeared that mono didn’t support sending intermediate certificates until that issue’s PR was merged. I updated mono from 6.12.0.122 to the preview release 6.12.0.157, but I’m still having the same problem: only the certificate for my Sonarr host is being used and none of the intermediate certificates are sent. My clients generally seem to fall back to the showing expired chain and fail.

How can I get Sonarr to send the full chain over SSL without manually installing the unexpired intermediates on all of my clients?

Why do you believe debug logs are N/A?

If you’re talking Sonarr -> External clients then this /should/ be fixed and the mono-workaround used if you are indeed on 3.0.6.1342

I enabled debug logging but nothing is logged when I connect to Sonarr to check the certificate. See the bottom quote for the connection log. Sonarr is running with SSL enabled on port 9898 and sans-SSL on 8989.

I get a cert.pem, fullchain.pem, key.pem, and ca.pem from a opnsense box running an ACME client. (The fullchain.pem works correctly in radarr when converted to pkcs12, but that has a different mechanism for loading the certificate). After conversion, load using mono’s httpcfg, and a Sonarr restart, I still do not see the full chain loaded:

$ openssl version
OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)

$ openssl pkcs12 -export -in fullchain.pem -inkey key.pem -out keystore.p12 -passout pass:
$ httpcfg -add -port 9898 -p12 keystore.p12

or

$ openssl rsa -in key.pem -outform PVK -pvk-none -out key.pvk
$ httpcfg -add -port 9898 -pvk key.pvk -cert fullchain.pem

Either way, when I connect, I see:

$ openssl s_client -connect sonarr.my-redacted-but-real.domain:9898 -verify 10 -verify_return_error
verify depth is 10
CONNECTED(00000005)
depth=0 CN = sonarr.my-redacted-but-real.domain
verify error:num=20:unable to get local issuer certificate
C07D470A01000000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file
C07D470A01000000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:269:calling stat(/usr/local/etc/openssl@3/certs)
C07D470A01000000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file
C07D470A01000000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:269:calling stat(/usr/local/etc/openssl@3/certs)
C07D470A01000000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1883:

Certificate chain
0 s:CN = sonarr.my-redacted-but-real.domain
i:C = US, O = Let’s Encrypt, CN = R3
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 29 19:59:19 2021 GMT; NotAfter: Dec 28 19:59:18 2021 GMT

no peer certificate available

No client certificate CA names sent

SSL handshake has read 1708 bytes and written 330 bytes
Verification error: unable to get local issuer certificate

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID: 147DF0CF78F0865297931E5859E019C14F74D430A2099DA7500990BE7E94C206
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1633575742
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes

This is absolutely correct and why we don’t support HTTPS on Sonarr when running under mono (non-Windows).

Is this actually fixed in the preview release? The error you’re getting appears to indicate it’s not.

Sonarr doesn’t have nay control over this, it’s all handled by mono’s http.sys implementation.

Drat. Considering the mono PR was closed a long time ago, I was assuming it would be fixed in the preview release. I guess I was just hoping someone knew something I didn’t about how to make it work.

Thanks for looking.