[SOLVED] Enabling SSL Certs With Windows 7 Service

Sonarr version (exact version): 2.0.0.4230
OS: Windows 7 (running as a service)
Description of issue:

I currently have Sonarr set up as a Windows service on my Windows 7 HTPC. I bought a simple PositiveSSL cert and I’m trying to enable SSL on Sonarr, but am encountering problems.

I followed this guide from Sonarr’s github page, but it still won’t work, outputting these errors into my log:

16-8-7 15:46:44.3|Debug|netsh.exe|Starting netsh.exe http show sslcert ipport=0.0.0.0:9898
16-8-7 15:46:44.3|Debug|netsh.exe|SSL Certificate bindings: 
16-8-7 15:46:44.3|Debug|netsh.exe|------------------------- 
16-8-7 15:46:44.3|Debug|netsh.exe|The system cannot find the file specified.
16-8-7 15:46:44.4|Debug|netsh.exe|Starting netsh.exe http add sslcert ipport=0.0.0.0:9898 certhash=[redacted] appid={redacted}
16-8-7 15:46:44.4|Debug|netsh.exe|SSL Certificate add failed, Error: 1312
16-8-7 15:46:44.4|Debug|netsh.exe|A specified logon session does not exist. It may already have been terminated.
16-8-7 15:46:44.4|Info|OwinHostController|Listening on the following URLs:
16-8-7 15:46:44.4|Info|OwinHostController|  http://*:8989/
16-8-7 15:46:44.4|Info|OwinHostController|  https://*:9898/

I already opened up the ports on my router, but that doesn’t seem to be an issue since I can’t even access it locally with https://192.168.1.33:9898.

Part of this may simply be my ignorance of certs and how they work, so let me explain my understanding and methodology in generating the certs that Sonarr needs. I was given four files from my issuing authority:

  1. AddTrustExternalCARoot.crt
  2. COMODORSAAddTrustCA.crt
  3. COMODORSADomainValidationSecureServerCA.crt
  4. domain_name.key

I’ve since combined numbers 1 and 2 into an “ssl-bundle.crt” for use on my web server, and renamed number 3 to “mydomain_com.crt” for ease of identification, which leaves me with three files:

  • ssl-bundle.crt (I believe this is equivalent to a cert “chain” or “intermediate cert” that I keep reading about)
  • mydomain_com.crt
  • domain_name.key

So having said that, and given these instructions from Sonarr…

Prerequisites:

  1. SSL certificate with Private Key (Create self-signed Certificate or generate your own)

  2. Convert PEM to PKCS#12

  3. Load the certificate in Personal store of the Local System

  4. Copy the Hash/thumbprint of the certificate. Thumbprint will contain spaces. Copy thumbprint to clipboard as is.

…I chose to interpret step two as converting both my “mydomain_com.crt” and my “domain_name.key” PEM files into a single PKCS#12 file for Windows to import. Did I misinterpret any steps there?

I verified that the hashes match, and it successfully loaded into Windows Certificates\Personal directory and has server and client authentication as its “intended purposes.” I restarted the service using my local account (which has administrator privileges–I don’t see a dedicated option for “starting the service as an administrator”), but still no joy.

Any help/troubleshooting steps would be appreciated, thanks.

Looks like this blog post talks about doing the same thing so the author could use it for Azure; perhaps it might help ensure the cert is being converted properly?

There isn’t. Run the executable as administrator (with the service stopped) once, then start the service. Sonarr’s trace logs will also show the start-up process and which URLs (including HTTPS ones) are registered.

I followed the blog you provided just to see if it would produce a different thumbprint/hash. It didn’t. It was still the exact same outcome. Thanks anyway, though; I think that at least confirms that I’m handling the certs correctly.

Here is my trace log: http://pastebin.com/6m0UJGDk

I can see the correct certificate hash being used in there, but other than that, I’m not sure what I’m supposed to be looking for.

16-3-12 19:17:15.7|Debug|FirewallAdapter|Opening Port for NzbDrone: 8989
16-3-12 19:17:15.7|Info|OwinHostController|Listening on the following URLs:
16-3-12 19:17:15.7|Info|OwinHostController|  http://*:8989/

I don’t see anywhere in the logs (which would follow these messages) that Sonarr is even attempting to listen on the SSL port. What do your SSL settings look like in Sonarr?

Sorry, PasteBin is pretty limiting without a Pro account. Here’s a section from the log you may be interested in:

16-8-9 19:11:22.9|Debug|netsh.exe|    Reserved URL            : https://*:9898/ 
16-8-9 19:11:22.9|Debug|netsh.exe|        User: \Everyone
16-8-9 19:11:22.9|Debug|netsh.exe|            Listen: Yes
16-8-9 19:11:22.9|Debug|netsh.exe|            Delegate: No
16-8-9 19:11:22.9|Debug|netsh.exe|            SDDL: D:(A;;GX;;;WD) 
16-8-9 19:11:22.9|Info|Router|Application mode: Interactive
16-8-9 19:11:22.9|Debug|Router|Console selected
16-8-9 19:11:23.0|Debug|FirewallAdapter|Opening Port for NzbDrone: 8989
16-8-9 19:11:23.1|Debug|netsh.exe|Starting netsh.exe http show sslcert ipport=0.0.0.0:9898
16-8-9 19:11:23.1|Debug|netsh.exe|SSL Certificate bindings: 
16-8-9 19:11:23.1|Debug|netsh.exe|------------------------- 
16-8-9 19:11:23.1|Debug|netsh.exe|    IP:port                 : 0.0.0.0:9898 
16-8-9 19:11:23.1|Debug|netsh.exe|    Certificate Hash        : [redacted]
16-8-9 19:11:23.1|Debug|netsh.exe|    Application ID          : {c2172af4-f9a6-4d91-baee-c2e4ee680613} 
16-8-9 19:11:23.1|Debug|netsh.exe|    Certificate Store Name  : (null) 
16-8-9 19:11:23.1|Debug|netsh.exe|    Verify Client Certificate Revocation    : Enabled
16-8-9 19:11:23.1|Debug|netsh.exe|    Verify Revocation Using Cached Client Certificate Only    : Disabled
16-8-9 19:11:23.1|Debug|netsh.exe|    Usage Check    : Enabled
16-8-9 19:11:23.2|Debug|netsh.exe|    Revocation Freshness Time : 0 
16-8-9 19:11:23.2|Debug|netsh.exe|    URL Retrieval Timeout   : 0 
16-8-9 19:11:23.2|Debug|netsh.exe|    Ctl Identifier          : (null) 
16-8-9 19:11:23.2|Debug|netsh.exe|    Ctl Store Name          : (null) 
16-8-9 19:11:23.2|Debug|netsh.exe|    DS Mapper Usage    : Disabled
16-8-9 19:11:23.2|Debug|netsh.exe|    Negotiate Client Certificate    : Disabled
16-8-9 19:11:23.2|Debug|netsh.exe|Starting netsh.exe http delete sslcert ipport=0.0.0.0:9898
16-8-9 19:11:23.8|Debug|netsh.exe|SSL Certificate successfully deleted
16-8-9 19:11:23.8|Debug|netsh.exe|Starting netsh.exe http add sslcert ipport=0.0.0.0:9898 certhash=[redacted] appid={C2172AF4-F9A6-4D91-BAEE-C2E4EE680613}
16-8-9 19:11:23.8|Debug|netsh.exe|SSL Certificate add failed, Error: 1312
16-8-9 19:11:23.8|Debug|netsh.exe|A specified logon session does not exist. It may already have been terminated.
16-8-9 19:11:23.8|Info|OwinHostController|Listening on the following URLs:
16-8-9 19:11:23.9|Info|OwinHostController|  http://*:8989/
16-8-9 19:11:23.9|Info|OwinHostController|  https://*:9898/

I tried re-adding the private key to the bundle/chain, password protecting it, making it exportable from MMC, and then restarting the Sonarr process, and it eventually worked for external access, but internally (https://192.168.1.33:9898) it gives me an “insecure” warning for whatever reason.

I’ll count my blessings, though. Thanks!
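The pre-flight check I would run before letting Sonarr (or anyone) call `netsh http add sslcert`, as an added example that is not from this thread or from the Sonarr project. It assumes the PKCS#12 file was imported into the Local Machine Personal store and that the SSL port and application ID are the ones shown in the logs above; the thumbprint is a placeholder. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not Sonarr's own code. Verifies the binding prerequisites
# that the thread tripped over before touching HTTP.SYS.
param(
    [string]$Thumbprint = 'PASTE-THUMBPRINT-HERE',        # placeholder
    [int]$Port = 9898,                                    # from the thread
    [string]$AppId = '{c2172af4-f9a6-4d91-baee-c2e4ee680613}'  # from the netsh output above
)

# certmgr displays the thumbprint with spaces; netsh wants bare hex.
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()

# 1. The cert must be in LocalMachine\My: a service running as Local System
#    cannot see a user's Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My"
}

# 2. Re-importing the PKCS#12 with its key is what resolved this thread; a
#    cert without a private key cannot terminate TLS, so stop here instead
#    of letting netsh fail.
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key; re-import the .pfx including the key.'
}

# 3. Show which names the cert is valid for. Browsing by IP (192.168.1.33)
#    instead of one of these names is why the "insecure" warning appears.
Write-Host "Subject: $($cert.Subject)"
$san = $cert.Extensions |
       Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if ($san) { Write-Host "SAN:     $($san.Format($false))" }

# 4. Show any existing binding, then add ours and confirm HTTP.SYS took it.
netsh http show sslcert ipport=0.0.0.0:$Port
netsh http add sslcert ipport=0.0.0.0:$Port certhash=$Thumbprint appid=$AppId
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }
netsh http show sslcert ipport=0.0.0.0:$Port
```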

Because you’re accessing it by IP and the cert is valid for the domain name, you’d need to use the same DNS name internally (or another one allowed in the cert).

Glad to hear you got it working.

Ahh, okay. Makes sense.

No real need for encrypting a local connection in my humble abode anyhow, so this will work swimmingly.

On to the rest of the usenet application stack! I have a feeling couchpotato and sabnzbd won’t be nearly as forgiving.

Sonarr is by far and away the most useful, polished usenet app; my sincerest gratitude to all the dev and support team.

