SSL no longer works after mono update

I’m running sonarr on a CentOS 7 system, using mono 3.10.0 and had SSL enabled. After I updated mono to version 4.0.2 SSL stopped working. I get an SSL connection error page. I checked my certificate is still in mono httpcfg, it was and reinstalled it anyway. I could not see anything in the logs about SSL. I removed mono 4.0.2 and reinstalled 3.10.0 and SSL is working again.

Is there any reason to upgrade my mono version if 3.10.0 has been working perfectly as far as i can see?

At the moment, no. mono 4 might be required in a future Sonarr version, but I’m not aware of anything in mono 4 that Sonarr requires.

I have the exact same issue, but on Raspbian. I recently updated Raspbian from Wheezy to Jessie and decided to strip all manually installed packages in favor of packages from repositories. This included mono 3.10, which I downloaded according to a tutorial on This version of mono was designed to run on a Banana Pi but also worked on my Raspberry Pi 2. To provide my Pi 2 with the “best fitting” mono I decided to use the official mono repo as described on their install page. This unfortunately caused my SSL to be broken. I have followed both methods described in this topic, but neither worked. I am using a certificate chain of three nodes, which I created by following this guide. It has worked well in the past, for Sonarr but also for NZBget and CouchPotato. After the upgrade to mono 4, specifically Stable, this chain appears to be causing problems, but only for Sonarr. Both NZBget and CouchPotato still work just fine. I have tried various browsers and tools, but all report an SSL_HANDSHAKE_ERROR. Example output of openssl is below. The same output is produced when forcing either -ssl3 or -tls1.

C:\Users\Geert>openssl s_client -ssl3 -connect ip_address:8081
Loading 'screen' into random state - done
depth=0 /C=NL/ST=Gelderland/L=Nijmegen/O=Hidden/CN=ip_address/
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=NL/ST=Gelderland/L=Nijmegen/O=Hidden/CN=ip_address/
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=NL/ST=Gelderland/L=Nijmegen/O=Hidden/CN=ip_address/
verify error:num=21:unable to verify the first certificate
verify return:1
9656:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1146:SSL alert number 40
9656:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:.\ssl\s3_pkt.c:572:

Below here is the output that chrome://net-internals shows.

47340: SOCKET
Start Time: 2015-07-16 13:00:05.933

t=2812 [st=   0] +SOCKET_ALIVE  [dt=1437]
                  --> source_dependency = 47339 (CONNECT_JOB)
t=2812 [st=   0]   +TCP_CONNECT  [dt=2]
                    --> address_list = ["ip_address:8081"]
t=2812 [st=   0]      TCP_CONNECT_ATTEMPT  [dt=2]
                      --> address = "ip_address:8081"
t=2814 [st=   2]   -TCP_CONNECT
                    --> source_address = ""
t=2814 [st=   2]   +SOCKET_IN_USE  [dt=1435]
                    --> source_dependency = 47338 (CONNECT_JOB)
t=2814 [st=   2]     +SSL_CONNECT  [dt=1435]
t=2814 [st=   2]        SOCKET_BYTES_SENT
                        --> byte_count = 164
t=2819 [st=   7]        SOCKET_BYTES_RECEIVED
                        --> byte_count = 47
t=2819 [st=   7]        SOCKET_BYTES_RECEIVED
                        --> byte_count = 1460
t=2820 [st=   8]        SOCKET_BYTES_RECEIVED
                        --> byte_count = 78
t=2820 [st=   8]        SSL_CLIENT_CERT_REQUESTED
t=2820 [st=   8]        SSL_CLIENT_CERT_PROVIDED
                        --> cert_count = 0
t=2820 [st=   8]        SOCKET_BYTES_SENT
                        --> byte_count = 338
t=4249 [st=1437]        SOCKET_BYTES_RECEIVED
                        --> byte_count = 7
t=4249 [st=1437]        SSL_HANDSHAKE_ERROR
                        --> error_lib = 16
                        --> error_reason = 1040
                        --> file = "c:\\b\\build\\slave\\win\\build\\src\\third_party\\boringssl\\src\\ssl\\s3_pkt.c"
                        --> line = 998
                        --> net_error = -107 (ERR_SSL_PROTOCOL_ERROR)
                        --> ssl_error = 1
t=4249 [st=1437]     -SSL_CONNECT
                      --> net_error = -107 (ERR_SSL_PROTOCOL_ERROR)
t=4249 [st=1437]      SOCKET_CLOSED
t=4249 [st=1437]   -SOCKET_IN_USE
t=4249 [st=1437] -SOCKET_ALIVE

Any help with this? Does this require a bugfix for Sonarr or perhaps Mono?

I continue to try different things to get SSL working, all with no success. However the message I get using chrome “Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don’t have.” has got me thinking about how SSL worked before I updated. I’m wondering if my setup was every working properly. Before when i would access https://sonarr.local:9898 a window would open allowing my to select a user certificate. I would always press cancel and then sonarr would open. Was this normal behavior? I get the same window now, but if I cancel I get the SSL connection error.

I got SSL working by importing my user certificate into the personal store on the client computer. I was able to use my OpenVPN certificate that I already had. I’m still curious if everyone else using SSL are seeing the pop-up window to select a certificate? I use a smart cart for work and have those certificates installed, may be that is why I get the pop-up.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.