SSL on Windows with an Intermediate CA

Sonarr version (exact version): 2.0.0.5228
Mono version (if Sonarr is not running on Windows):
OS: Windows Server 2016
Debug logs:
(Make sure debug logging is enabled in settings and post the full log to hastebin/pastebin/dropbox/google drive or something similar, do not post them directly here. Post in .txt not .doc, .rtf or some other formatted document)
Description of issue: Unable to get SSL working without certificate warnings when using an SSL issued from an intermediate CA.

Details:

I just redid my PKI. Previously I had an internal CA that issued a certificate which was used by several web services running on my system including Sonarr. All certs were imported into the Windows local cert store and the thumbprint was added to the Sonarr config. Everything worked great.

In my new infrastructure I have introduced an intermediate CA for signing client requests. I have issued a similar certificate which is in use by CouchPotato, sabNZBd, Plex, and also Sonarr.
Sonarr is the only app that continues to give me certificate warnings.

When examining the certificate on the Sonarr server itself (in the Windows certificate store) I can see the full path from the cert up through the intermediate to the root CA (all 3 certs are installed on the server). However, when I examine the certificate warnings on the client it only shows me the name of the certificate itself in the certification path. It does not list the intermediate (or the root).

If I install the intermediate certificate on my client system, everything works. However this should not be necessary. Only root certificates should need to be installed and it is the job of the server application to let the client know about the certificate chain.

As additional proof/demonstration that you shouldn’t need the intermediate CA installed simply visit https://www.microsoft.com.
If you examine their cert you will see it is signed by the intermediate CA “Microsoft IT TLS CA 4”, but you will not find that CA trusted anywhere on your system. You will however find the “Baltimore CyberTrust Root” stored within your trusted root certs.

I found this article which discusses issues with using intermediate certificates with Mono on OSX/Linux, but I don’t think these should apply to Windows.

I’m pretty sure that the issue is with Sonarr, since my configuration looks ok.

Is this a known limitation of Sonarr on Windows as well? If so, what is the hope of a fix?

Correct, but if a server is using SSL that has an intermediate certificate, that certificate needs to be installed as well. From DigiCert’s page:

RapidSSL uses an Intermediate CA to enhance the security of SSL certificates. When installing a RapidSSL SSL certificate, it is essential to install the correct Intermediate CA at the same time as the SSL certificate. This ensures that the SSL certificate is fully trusted by all browsers and client computers, which prevents errors from appearing when users visit a secure website.

That’s right, the server requires that all intermediate certificates are installed so that it can provide that information to the client, so the client may validate it against the correct root CA. I think I stated in my OP that I have installed all certs on the server side - that isn’t in question.

But - you absolutely should not need to install the intermediate cert on your clients, which is what I am finding I need to do to validate the chain.

What I need to know is:

  1. Is there a known issue with intermediate certs on Windows like there is on Mono?
  2. Is anyone aware of a properly working install of Sonarr using an intermediate cert signing authority, functioning properly with only the root cert distributed to clients?

If I can get confirmation on 1 & 2 I can put more work into figuring it out on my end. I just really would like to know if I am barking up the wrong tree, because I just discovered Deluge has an issue that can’t be worked around until the patch makes it into the next release.

thanks!
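The point made in the original post and repeated above (only the root should need to be on the client; the server must send the intermediate) can be reproduced offline with OpenSSL, which is also what the certs in this thread were generated with. The script below is an added example, not code from this thread or from Sonarr: it builds a throwaway root, intermediate and server certificate with made-up names (`Lab Root CA`, `Lab Intermediate CA`, `sonarr.lab.internal`), then verifies the server cert against the root alone (what a client with only the root installed does when the server sends just its own cert) and again with the intermediate supplied (what the client does when the server sends the full chain). It assumes `openssl` 1.1.1 or later on the PATH and writes everything into a temporary directory.

```shell
#!/bin/sh
# Added example (not from the forum thread or Sonarr): a three-level lab PKI
# built with OpenSSL, used to show why a client that trusts only the root
# fails to validate the server cert unless the server also sends the
# intermediate. All names below are made up for the demo.
set -eu

LAB="${LAB_DIR:-$(mktemp -d)}"

# Minimal OpenSSL config: one CA profile (root and intermediate) and one
# server-certificate profile. Subjects are passed on the command line.
cat > "$LAB/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no

[dn]
CN = placeholder

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:sonarr.lab.internal
subjectKeyIdentifier = hash
EOF

KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

make_lab_pki() {
    # Self-signed root: the only certificate a client should have to trust.
    openssl req -x509 -new $KEYOPTS -keyout "$LAB/root.key" -out "$LAB/root.pem" \
        -days 2 -subj "/CN=Lab Root CA" -config "$LAB/lab.cnf" -extensions v3_ca >/dev/null 2>&1
    # Intermediate CA, signed by the root.
    openssl req -new $KEYOPTS -keyout "$LAB/inter.key" -out "$LAB/inter.csr" \
        -subj "/CN=Lab Intermediate CA" -config "$LAB/lab.cnf" >/dev/null 2>&1
    openssl x509 -req -in "$LAB/inter.csr" -CA "$LAB/root.pem" -CAkey "$LAB/root.key" \
        -CAcreateserial -out "$LAB/inter.pem" -days 2 \
        -extfile "$LAB/lab.cnf" -extensions v3_ca >/dev/null 2>&1
    # Server (leaf) certificate, signed by the intermediate, never by the root.
    openssl req -new $KEYOPTS -keyout "$LAB/leaf.key" -out "$LAB/leaf.csr" \
        -subj "/CN=sonarr.lab.internal" -config "$LAB/lab.cnf" >/dev/null 2>&1
    openssl x509 -req -in "$LAB/leaf.csr" -CA "$LAB/inter.pem" -CAkey "$LAB/inter.key" \
        -CAcreateserial -out "$LAB/leaf.pem" -days 2 \
        -extfile "$LAB/lab.cnf" -extensions v3_leaf >/dev/null 2>&1
}

# What a correctly configured server presents during the handshake:
# its own certificate followed by the intermediate (never the root).
build_server_bundle() {
    cat "$LAB/leaf.pem" "$LAB/inter.pem" > "$LAB/fullchain.pem"
}

# Validate the leaf the way a client that trusts only the root would.
#   $1 = "root-only"          server sent just its own cert
#   $1 = "with-intermediate"  server sent leaf + intermediate
# Prints OK or FAIL and always returns 0 so callers can compare the output.
verify_leaf() {
    if [ "$1" = "with-intermediate" ]; then
        extra="-untrusted $LAB/fullchain.pem"
    else
        extra=""
    fi
    if openssl verify -CAfile "$LAB/root.pem" $extra "$LAB/leaf.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL   # "unable to get local issuer certificate"
    fi
}

make_lab_pki
build_server_bundle
printf 'client trusts root only, server sends leaf only:         %s\n' "$(verify_leaf root-only)"
printf 'client trusts root only, server sends leaf+intermediate: %s\n' "$(verify_leaf with-intermediate)"
```

The same check against a live server is `openssl s_client -connect <host>:<port> -showcerts`, which lists every certificate the server actually sends. If only the leaf appears there, the server is not presenting the intermediate; on Windows that usually means the intermediate is not in the Local Computer certificate store, and installing it on each client merely masks the problem.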

  1. Not that I’ve seen
  2. I just installed a Let’s Encrypt certificate and it’s working properly from other computers on my network

Make sure you’re adding the certificate (and its chain) to the Local Computer’s certificate store, not for a specific user.

Ok thanks. I’m not sure what happened, but all is working now.
I triple checked last time, but I removed all the certificates from the server while troubleshooting something else and when I added them all back (presumably like I did before…but maybe not?), things seem to work now.

I might have had some sort of caching issue but knowing that there wasn’t a known issue I played some more.

Thanks for the confirmation, and I can just add another confirmation that this is working on my Windows 2016 server running Sonarr to my clients (Windows and Android).

All certs generated with OpenSSL.

