[How To] FIX - Sonarr/Mono Certificate Errors (Unable to communicate with SkyHook)

Frog

Hey Everyone,

I encountered an issue recently with my Sonarr plugin presenting the following error: "Unable to communicate with SkyHook"
This is caused by FreeBSD's Mono Package missing its root CA Store. This causes SSL/Certificate errors when attempting to validate certs, and thus prevents connection due to these SSL errors.

A search on the forums shows a few other users have encountered the same issue and I wanted to post the workaround here as a quick, clear reference for anyone else who might experience similar issues.
Code:
# Connect to your Sonarr jail via SSH or via the TrueNAS console
# iocage console <pluginname>
iocage console sonarr
# Install wget
pkg install wget
# Download the latest available root certificates, use cert-sync to synchronize them
wget -O - https://curl.haxx.se/ca/cacert.pem | cert-sync --user /dev/stdin
# Run these commands from the TrueNAS Shell or SSH console outside of your jail
# Copy the certs from your jail to the FreeBSD jail package
# Make sure you change <StoragePoolName> to your storage pool's name.
# cp -R /mnt/<StoragePoolName>/iocage/jails/sonarr/root/root/.config/.mono/ /mnt/<StoragePoolName>/iocage/releases/12.2-RELEASE/root/usr/share/.mono
cp -R /mnt/Main/iocage/jails/sonarr/root/root/.config/.mono/ /mnt/Main/iocage/releases/12.2-RELEASE/root/usr/share/.mono
 

HRS

Thanks @Frog for posting the instructions.
Do I need to repeat this process (of copying root certificates) routinely?
Just to make sure, are they required to be able to enable the "Certificate Validation" setting?
Please explain what is the function of this option ("certificate validation"), and what value do you recommend: "Enabled" or "Disabled for Local Addresses"?

Lastly, when setting the option to "Enabled" (after copying the root certificates) I saw an occasional error in the log (see below). Do you have any insight / advice?
Code:
[v3.0.8.1507] System.Net.WebException: Error: TrustFailure (Authentication failed, see inner exception.): 'https://services.sonarr.tv/v1/time' ---> System.Net.WebException: Error: TrustFailure (Authentication failed, see inner exception.) ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
  at /wrkdirs/usr/ports/lang/mono6.8/work/mono-6.8.0.123/external/boringssl/ssl/handshake_client.c:1132
  at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00048] in <2deb8ccd8f0546038e28d46e7bcc1998>:0
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000da] in <2deb8ccd8f0546038e28d46e7bcc1998>:0
  at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
  at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00006] in <2deb8ccd8f0546038e28d46e7bcc1998>:0
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000fc] in <2deb8ccd8f0546038e28d46e7bcc1998>:0
   --- End of inner exception stack trace ---
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Boolean runSynchronously, Mono.Net.Security.MonoSslAuthenticationOptions options, System.Threading.CancellationToken cancellationToken) [0x00262] in <2deb8ccd8f0546038e28d46e7bcc1998>:0
  at Mono.Net.Security.MonoTlsStream.CreateStream (System.Net.WebConnectionTunnel tunnel, System.Threading.CancellationToken cancellationToken) [0x0016a] in <2deb8ccd8f0546038e28d46e7bcc1998>:0
  at System.Net.WebConnection.CreateStream (System.Net.WebOperation operation, System.Boolean reused, System.Threading.CancellationToken cancellationToken) [0x001ba] in <2deb8ccd8f0546038e28d46e7bcc1998>:0
   --- End of inner exception stack trace ---
  at System.Net.WebConnection.CreateStream (System.Net.WebOperation operation, System.Boolean reused, System.Threading.CancellationToken cancellationToken) [0x0021a] in <2deb8ccd8f0546038e28d46e7bcc1998>:0
  at System.Net.WebConnection.InitConnection (System.Net.WebOperation operation, System.Threading.CancellationToken cancellationToken) [0x00141] in <2deb8ccd8f0546038e28d46e7bcc1998>:0
  at System.Net.WebOperation.Run () [0x0009a] in <2deb8ccd8f0546038e28d46e7bcc1998>:0
  at System.Net.WebCompletionSource`1[T].WaitForCompletion () [0x00094] in <2deb8ccd8f0546038e28d46e7bcc1998>:0
  at System.Net.HttpWebRequest.RunWithTimeoutWorker[T] (System.Threading.Tasks.Task`1[TResult] workerTask, System.Int32 timeout, System.Action abort, System.Func`1[TResult] aborted, System.Threading.CancellationTokenSource cts) [0x000f8] in <2deb8ccd8f0546038e28d46e7bcc1998>:0
  at System.Net.HttpWebRequest.GetResponse () [0x00016] in <2deb8ccd8f0546038e28d46e7bcc1998>:0
  at NzbDrone.Common.Http.Dispatchers.ManagedHttpDispatcher.GetResponse (NzbDrone.Common.Http.HttpRequest request, System.Net.CookieContainer cookies) [0x00123] in <bb4bd9a0099f48de84455bcef8e9c0ae>:0
   --- End of inner exception stack trace ---
  at NzbDrone.Common.Http.Dispatchers.ManagedHttpDispatcher.GetResponse (NzbDrone.Common.Http.HttpRequest request, System.Net.CookieContainer cookies) [0x001ec] in <bb4bd9a0099f48de84455bcef8e9c0ae>:0
  at NzbDrone.Common.Http.HttpClient.ExecuteRequest (NzbDrone.Common.Http.HttpRequest request, System.Net.CookieContainer cookieContainer) [0x00086] in <bb4bd9a0099f48de84455bcef8e9c0ae>:0
  at NzbDrone.Common.Http.HttpClient.Execute (NzbDrone.Common.Http.HttpRequest request) [0x00008] in <bb4bd9a0099f48de84455bcef8e9c0ae>:0
  at NzbDrone.Core.HealthCheck.Checks.SystemTimeCheck.Check () [0x0001b] in <f308258701c9443d9f77fbbaa937a672>:0
  at NzbDrone.Core.HealthCheck.HealthCheckService+<>c.<PerformHealthCheck>b__14_0 (NzbDrone.Core.HealthCheck.IProvideHealthCheck c) [0x00000] in <f308258701c9443d9f77fbbaa937a672>:0
  at System.Linq.Enumerable+SelectArrayIterator`2[TSource,TResult].ToList () [0x00014] in <4e0b4fa81dd04effbc4e22d8fabefb81>:0
  at System.Linq.Enumerable.ToList[TSource] (System.Collections.Generic.IEnumerable`1[T] source) [0x0001f] in <4e0b4fa81dd04effbc4e22d8fabefb81>:0
  at NzbDrone.Core.HealthCheck.HealthCheckService.PerformHealthCheck (NzbDrone.Core.HealthCheck.IProvideHealthCheck[] healthChecks) [0x00025] in <f308258701c9443d9f77fbbaa937a672>:0
  at NzbDrone.Core.HealthCheck.HealthCheckService.HandleAsync (NzbDrone.Core.Lifecycle.ApplicationStartedEvent message) [0x00000] in <f308258701c9443d9f77fbbaa937a672>:0
  at NzbDrone.Core.Messaging.Events.EventAggregator+<>c__DisplayClass6_2`1[TEvent].<PublishEvent>b__2 () [0x00035] in <f308258701c9443d9f77fbbaa937a672>:0
  at System.Threading.Tasks.Task.InnerInvoke () [0x0000f] in <0e6cb1433c7b46f598f86593dd03f528>:0
  at System.Threading.Tasks.Task.Execute () [0x00000] in <0e6cb1433c7b46f598f86593dd03f528>:0
 

Frog

@HRS Apologies for the late reply; I'm not on the forum particularly often. I found myself referencing back to this thread, though, and saw your questions.

No, you shouldn't need to repeat this frequently; I usually only find myself needing to run these commands when I update my Sonarr Plugin / Jail.
Certificate Validation is, as the name implies, to validate the SSL certificate in use. You can read more about the basics of what certificate validation is here: https://www.ssl.com/article/browsers-and-certificate-validation/

Personally, I leave the option set to Enabled.

The error you're displaying appears to be an authentication failure, specifically related to a certificate authentication failing. This can happen for many reasons; unfortunately, I can't provide further insight as to why the error is occurring for you.
 

Mohkhasa

Thank you so much Frog,
This helped me out, and now it's working. I just had to change the release version to match the one I am using and it worked!

# cp -R /mnt/<StoragePoolName>/iocage/jails/sonarr/root/root/.config/.mono/ /mnt/<StoragePoolName>/iocage/releases/13.1-RELEASE/root/usr/share/.mono

 

ShameSpear

Thanks to Mohkhasa for cracking that for me. For anyone who comes next, be sure to change the name of your jail in the path as well! Mine is named Sonarr and turns out it's case sensitive. Dashed my head against that for a while but it works now!

Here's the update with all that I had to change \/
# cp -R /mnt/<StoragePoolName>/iocage/jails/<jail name>/root/root/.config/.mono/ /mnt/<StoragePoolName>/iocage/releases/<release #>-RELEASE/root/usr/share/.mono
 

cjmartiny

I have tried what you have done here, made sure my pool name was the same and made sure the jail was spelled correctly and case sensitive and all, but I still get "no such directory exists". I know I'm not very smart when it comes to this stuff but I think I can change the name of my storage pool and whatnot.

Any idea what might be causing the issue?
 

ShameSpear

I'll need a bigger picture to be able to tell. Can you run the commands (Frog's original and the edited one Mohkhasa figured out) again and paste a screenshot or copy/paste the text? That plus your data like your storage pool name, jail name, and release number.
 

cjmartiny

I have attached the images. Lidarr and Radarr seem to work fine but Sonarr is the one giving me problems. I know the first command "iocage" said it is not a command, so maybe I'm not doing that one correctly.

Thanks for your help.
 


ShameSpear

FWIW I also got that error for iocage on mine, but it ended up fine.

Okay, so if it's not finding the directory, let's find it the old-fashioned way. Go to your TrueNAS shell, and 'cd' your way through it. CD to each step of the command, find the right directory names, and when you get there you'll have the full path command to use.



As you can see in my screenshots, I went through and I found the right folders, ending up with [/mnt/Pool0/iocage/releases/13.1-RELEASE/root/usr/share/.mono]. When you go through that maybe you'll find a directory that was a little off in your original command and you can just go change that.

One thing my old school IT brain is thinking is that typically shell commands haven't liked empty spaces. So your pool name being "Storage Pool" could be the culprit. If the file path commands don't find any oddities, I'd change your pool name. Even just putting an underscore instead of a space would fix that if it's the problem.

Let me know if either of those work!
 

cjmartiny

ShameSpear, I really appreciate your help with all of this and it seems to be fixed now. I did end up changing the name of the pool to help with any future projects. I believe the space in the name was an issue.

After renaming the pool, reinstalling the ARR stack I'm using, everything seems to be working great. Getting Sonarr set up now.

Thanks again.
 

HughT

Apologies for resurrecting this thread but I'm a little stuck on this, as none of my Releases (of which I have 12.3 through to 13.2) appear to contain a ".mono" directory in them (I've also searched for the "certs" directory too).


Any thoughts on what I might be missing?
 

ShameSpear

HughT, it is odd to me that it's missing, but the folder not existing in that directory doesn't really matter at the end of the day. The reason we have to do this whole thing is because that folder doesn't even have the correct data! As long as your Sonarr path (/mnt/<StoragePoolName>/iocage/jails/sonarr/root/root/.config/.mono/) has the mono folder, you can just create the .mono folder in your RELEASE folder path and copy over the data you need!

Hope that does it for you
 

HughT

Ah, that makes sense thank you for the explanation. I manually created the dir, copied across and it all works, many thanks!
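
Added example, not code from any poster in this thread: a POSIX sh function that performs the copy step discussed above with every path quoted, so a pool name containing a space, a case-sensitive jail name, a different release number and a missing destination .mono directory are all handled. The function name sync_mono_store and its three arguments are hypothetical; the directory layout is the one quoted in the posts.

```shell
#!/bin/sh
# Added example: copy a jail's Mono trust store into an iocage release tree.
# sync_mono_store is a hypothetical helper, not part of iocage or Mono.
#
# sync_mono_store POOL_ROOT JAIL RELEASE
#   POOL_ROOT  pool mount point, e.g. "/mnt/Main" (may contain spaces)
#   JAIL       jail name, case sensitive, e.g. "Sonarr"
#   RELEASE    release directory name, e.g. "13.1-RELEASE"
sync_mono_store() {
    pool_root=$1
    jail=$2
    release=$3
    src="$pool_root/iocage/jails/$jail/root/root/.config/.mono"
    rel="$pool_root/iocage/releases/$release/root"
    dst="$rel/usr/share/.mono"

    # Walk the path and report the first component that does not exist,
    # instead of letting cp fail with a bare "No such file or directory".
    for p in "$pool_root" "$pool_root/iocage/jails/$jail" "$src" "$rel/usr/share"; do
        if [ ! -d "$p" ]; then
            echo "missing directory: $p" >&2
            return 2
        fi
    done

    # Refuse to copy an empty store (cert-sync has not been run in the jail).
    if [ -z "$(find "$src" -type f | head -n 1)" ]; then
        echo "no certificate files under: $src" >&2
        return 3
    fi

    # Create the destination if the release has no .mono directory yet.
    mkdir -p "$dst" || return 1
    # "src/." copies the contents of src whether or not dst already existed.
    cp -R "$src/." "$dst/" || return 1
    echo "copied $(find "$dst" -type f | wc -l | tr -d ' ') file(s) to $dst"
}

# Usage (values are placeholders):
#   sync_mono_store "/mnt/Storage Pool" Sonarr 13.1-RELEASE
```

Return code 2 names the first path component that is wrong, which is the same check as walking the tree with cd by hand.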
 