SABnzbd

Wiki

User Manual FAQ Contact Introduction Installation Configuration Scripts Advanced Topics Extensions for SABnzbd

Incorrect or missing information? SABnzbd and SSL/TLS security

Usenet (aka News servers) offers SSL/TLS security. It’s called NNTPS, or NNTP with SSL. Just like HTTPS, it has two functions:

  1. Confirm you really are talking to the server you want to talk to.
  2. Encrypts communications between client and server so others can’t see information like your login credentials and what you are downloading.

When you add a new server and enable SSL its Certificate verification setting will be set to Strict by default which enforces both functions described above.

You can completely turn off SABnzbd’s security checks and encryption, but you won’t have the security described above.


Online news server SSL/TLS check

Verify the SSL/TLS security of your news server using the tool provided by sanderjo.


News server problems

Q: I get this error message “untrusted certificate”. What can I do?

Failed to connect: Server news.someserver.com uses an untrusted certificate [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)]

A: SABnzbd cannot verify the server’s identity using the provided certificates. The reason is one of these:

  1. The certificates provided by the server are not valid and cannot be verified by a trusted authority.
  2. Your system has an invalid certificate validation-setup (see below how to check).
  3. The certificates provided by the server are malicious.

Solutions:

  1. Easy but not secure: Don’t use SSL (untick SSL).
  2. Easy but less secure: Tell SABnzbd to ignore the problem: in SABnzbd’s Server-settings, under Advanced, set Certificate verification to Disabled.
    WARNING Disabling this check allows anyone to redirect and intercept your traffic using any certificate! It is comparable to not using SSL at all.
  3. Hard but secure: Test the status of your news server online (above) or check out the News servers with SSL/TLS overview.

    1. If the test (or overview) shows an error message such as OK NOK NOK or NOK NOK NOK, the problem is on the side of the news server. You can ask the news server provider to fix this. But, they could deny there is a problem.
    2. If the test says OK OK OK or OK OK NOK, then the problem is local (i.e. your computer/NAS): incorrect (root) certificates, a virusscanner doing strange things, or something else. This is not something SABnzbd can solve for you. And the solutions are OS-dependent.

Q: I get this error message “hostname … doesn’t match”

Failed to connect: Server news.someserver.com uses an untrusted certificate [hostname 'news.someserver.com' doesn't match either of '*.othersite.com', 'othersite.com']

A: Your news server provider has some level of SSL, but their setup is not correct: they are using certificates that do not belong to the hostname you’re using.

Solutions:

  1. Easy and half/half-secure: in SABnzbd’s Server-settings, under Advanced, set Certificate verification to Default/Minimal. Then try again.
    WARNING Disabling this check allows anyone to redirect and intercept your traffic using any valid certificate! It is comparable to not using SSL at all.
  2. You can ask the news server provider to fix this. But, they could deny there is a problem.

Q: Which News server provider should I choose?

A: Choose one with OK OK OK on our News servers with SSL/TLS overview


Q: I am a news server provider, what can I do?

A: That depends on your circumstances:

  • If you are a (Omicron, Xennanews, etc) reseller, contact your wholesale provider (Omicron, Xennanews, etc) to solve this. You will most likely need to provide a certificate to your provider.
  • If you are hosting your own news server, contact your administrator.

NZB / RSS Index site problems

NZB / RSS Index sites are HTTPS sites. HTTPS/SSL/TLS problems on the server side are (in 2017) uncommon because web browsers have been rejecting incorrect SSL/TLS setups for some time.

Q: I get a certificate error trying to read a RSS or NZB

Failed to retrieve RSS from https://nzbindex.nl/rss/?q=bla&sort=agedesc&max=25: hostname u'nzbindex.nl' doesn't match either of 'www.nzbindex.com', 'nzbindex.com'

A: Open the same URL in your Chrome web browser on the same machine, and on another machine. If Chrome complains too, you know the problem is on the server side.

Solutions:

  1. Check if there is another URL that is secure. For example: nzbindex.COM is secure.
  2. Contact the site owner and inform them of the problem.
  3. Turn off HTTPS certificate verification in SABnzbd.

If Chrome does not complain, the problem might be on your side. This is not something SABnzbd can solve for you. And the solutions are OS-dependent.


Tools to test SSL/TLS news servers and websites