Jackett indexer test fails

[NasKar]

I'm running TrueNAS-12.0-U5.1, Jackett Version v0.18.875 and mono6.8-6.8.0.123. I've notice that I get an error testing some of the indexers.

Code:

An error occurred while testing this indexer
Exception (1337x): Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED at /wrkdirs/usr/ports/lang/mono6.8/work/mono-6.8.0.123/external/boringssl/ssl/handshake_client.c:1132: The SSL connection could not be established, see inner exception.

I've tried installing openssl and restarting the jail, looked at this thead . But I can't get this fixed.

 

[JohnDigital]

I never really could get Jackett going correctly on BSD I pushed it and Ombi off to a Linux box there always seemed to be some hangup along the way, from the looks of this however, may be it wants the old Mono? Im not sure how often Jackett gets updated. Alot of these sites also have a DDoS bot to protect, could possibly be that, and or VPN issues?

Some indexers are working and not others? Could be blacklisted VPN/IP

 

[Mannekino]

I have the same issue. There is a guide for using Radarr with .NET which I'm using successfully. Perhaps something similar can be done for Jacket.

Radarr v3.2 dotnet5 binary / Radarr v4 dotnet6 binary

---------------------------------------------------- THIS IS NOW IN PORTS/PKG. Please see: https://wiki.servarr.com/radarr/installation#freebsd and https://www.freshports.org/net-p2p/radarr/ THIS GUIDE IS OBSOLETE! YOU CAN USE IT AS AN OUTLINE TO PORTING OTHER DOTNET THINGS TO FREEBSD IF YOU...

www.truenas.com

 

[NasKar]

I pushed it and Ombi off to a Linux box

I have Callabora working in a Linux VM on my TrueNAS I try to see if I can add Jackett from a docker container (not an area of expertise for me).

looks of this however, may be it wants the old Mono

I tried to install with mono 5.10 but can't get Jackett to run. It says it running and service jackett status eventually says it's not running after ~5 seconds.

There is a guide for using Radarr with .NET which I'm using successfully. Perhaps something similar can be done for Jacket.

I was thinking that as well and have Radarr working on .NET but I was unable to get Jackett working with it. Hopefully someone will come up with the steps to accomplish it. Mono has really been a pain in the a..

 

[gt2416]

Using that guide posted above, install prowlarr to replace jacket. Trust me it will make your life so much easier. I’ve had tons of problems with jacket, prowlarr on .net works Really well.

 

[NasKar]

Using that guide posted above, install prowlarr to replace jacket

I didn't know about prowlarr, thanks for pointing it out. Can you share the rcfile you used? What ID and Group ID does it run under?

 

[NasKar]

This is my best attempt at getting it to work. Any thought on what's not correct. prowlarr is running but I can't access the web page. Get the error this site can't be reached.

• Checking the connection
• Checking the proxy and the firewall

Here are my steps.

Code:

echo '{"pkgs":["nano","libunwind","icu","libinotify","openssl","sqlite3","libiconv","mediainfo","curl","ca_root_nss"]}' > /tmp/pkg.json
iocage create --name "prowlarr" -p /tmp/pkg.json -r 12.2-RELEASE ip4_addr="vnet0|192.168.5.252/24" defaultrouter="192.168.5.1" boot="on" host_hostname="prowlarr" vnet="on" allow_raw_sockets=1 allow_mlock=1
rm /tmp/pkg.json
mkdir -p /mnt/v1/apps/prowlarr
#iocage exec prowlarr 'sysrc ifconfig_epair0_name="epair0b"'
iocage exec prowlarr mkdir -p /config
iocage exec prowlarr mkdir -p /mnt/configs
iocage fstab -a prowlarr /mnt/v1/git/freenas-iocage-other/configs /mnt/configs nullfs rw 0 0
iocage fstab -a prowlarr /mnt/v1/apps/prowlarr /config nullfs rw 0 0

iocage exec prowlarr ln -s /usr/local/lib/libsqlite3.so /usr/local/lib/libe_sqlite3
iocage exec prowlarr "fetch https://github.com/Prowlarr/Prowlarr/releases/download/v0.1.1.875/Prowlarr.develop.0.1.1.875.freebsd-core-x64.tar.gz -o /usr/local/share"
iocage exec prowlarr "tar -xzvf /usr/local/share/Prowlarr.develop.0.1.1.875.freebsd-core-x64.tar.gz -C /usr/local/share"
iocage exec prowlarr rm /usr/local/share/Prowlarr.develop.0.1.1.875.freebsd-core-x64.tar.gz
iocage exec prowlarr "pw user add prowlarr -c prowlarr -u 819 -d /nonexistent -s /usr/bin/nologin"
iocage exec prowlarr chown -R prowlarr:prowlarr /usr/local/share/Prowlarr /config
iocage exec prowlarr mkdir /usr/local/etc/rc.d

Create rcfile at /usr/local/etc/rc.d/prowlarr

Code:

#!/bin/sh

# $FreeBSD$
#
# PROVIDE: prowlarr
# REQUIRE: LOGIN
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
# to enable this service:
#
# prowlarr_enable:    Set to YES to enable prowlarr
#            Default: NO
# prowlarr_user:    The user account used to run the prowlarr daemon.
#            This is optional, however do not specifically set this to an
#            empty string as this will cause the daemon to run as root.
#            Default: prowlarr
# prowlarr_group:    The group account used to run the prowlarr daemon.
#            This is optional, however do not specifically set this to an
#            empty string as this will cause the daemon to run with group wheel.
#            Default: prowlarr
# prowlarr_data_dir:    Directory where prowlarr configuration
#            data is stored.
#            Default: /var/db/prowlarr

. /etc/rc.subr
name=prowlarr
rcvar=${name}_enable
load_rc_config $name

: ${prowlarr_enable:="NO"}
: ${prowlarr_user:="prowlarr"}
: ${prowlarr_group:="prowlarr"}
: ${prowlarr_data_dir:="/config"}

pidfile="${prowlarr_data_dir}/${name}prowlarr.pid"
pidfile_child="${prowlarr_data_dir}/${name}_child.pid"
command="/usr/sbin/daemon"

start_precmd=${name}_precmd
prowlarr_precmd() {
    if [ ! -d ${prowlarr_data_dir} ]; then
    install -d -o ${prowlarr_user} -g ${prowlarr_group} ${prowlarr_data_dir}
    fi

    export XDG_CONFIG_HOME=${prowlarr_data_dir}
    rc_flags="-r -f -p ${pidfile_child} -P ${pidfile} /usr/local/share/prowlarr/prowlarr --data=${prowlarr_data_dir} --nobrowser >> /dev/null 2>&1 ${rc_flags}"

}

run_rc_command "$1"

Then run these commands

Code:

iocage exec prowlarr chmod u+x /usr/local/etc/rc.d/prowlarr
iocage exec prowlarr sysrc "prowlarr_enable=YES"
iocage exec prowlarr service prowlarr start
iocage restart prowlarr

echo "prowlarr should be available at http://192.168.5.252:9696"

 

[gt2416]

Ok first off, If you really want jackett to work try this, in the jackett jail run
cert-sync /usr/local/share/certs/ca-root-nss.crt

Restart jail / jackett and use SHIFT + F5 to reload the webpage if using chrome

Now about prowlarr, I don't know how to install in from scratch like what you have tried, but there's a way easier automated way. Follow this guide:
freebsd-port-sooners/Prowlarr_Installation_TrueNAS_GUI.md at main · Thefrank/freebsd-port-sooners · GitHub

 

[NasKar]

Ok first off, If you really want jackett to work try this, in the jackett jail run
cert-sync /usr/local/share/certs/ca-root-nss.crt

Get the same error after that command.

Thanks for the link I got it installed. The link was broken on his page but this one worked LINK

 

[NasKar]

Got Prowlarr working but it's still blocking 1337x and a few others. Turns out Cloudflare DDOS is blocking me. Any ideas on a solution? The Prowlarr Discord support says TrueNAS is a niche OS so no support for it.

 

[alexr]

I'm having similar certificate problems with a non-Jackett indexer on an 11.4-RELEASE-p13 jail. As a test:

Code:

root@radarr:~ # openssl s_client -connect x.labs.apnic.net:443
CONNECTED(00000004)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
---
Certificate chain
0 s:/CN=y.labs.apnic.net
   i:/C=US/O=Let's Encrypt/CN=R3
1 s:/CN=y.labs.apnic.net
   i:/C=US/O=Let's Encrypt/CN=R3
2 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
3 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFOjCCBCKgAwIBAgISA9p1cz/WcqRrEupLhC3eqd7rMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTA5MjgyMzMyNDlaFw0yMTEyMjcyMzMyNDhaMBsxGTAXBgNVBAMT
EHkubGFicy5hcG5pYy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDJYqicb4MYpy5nwyTIJzRXM0d2h7G3ok74pHkELgVg0idjWRPx85xp2T0NVXel
nIKSWN4utJOt8RDvSZIjGfHSkKjU/9uEll53x3Hiio/WL7zBjBNy1U38Cdx886PB
MEuwkuU9jvIQnm2MD5QGsSzEPfi7UKs/FsM8jX2ha79kH6sYLJdRX9l1Dwgh/M7j
E3+Ju0AMuI3gLjZ18RsiXbEjcgu9j0HpYAmYZuLX2EWrIW4TbYcyt6gcBO/vby8J
q9lyXMSrQqu16ROvhHwk+OdlTVeYYva0k8msctN5QfTxShBWomC8knShqHKsCOrQ
cHpXY7L6juixraUA4jwGXbYTAgMBAAGjggJfMIICWzAOBgNVHQ8BAf8EBAMCBaAw
HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYD
VR0OBBYEFHHoIkfOPfLq2d/vQdXbDwERLaLOMB8GA1UdIwQYMBaAFBQusxe3WFbL
rlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDov
L3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5v
cmcvMC8GA1UdEQQoMCaCEioueS5sYWJzLmFwbmljLm5ldIIQeS5sYWJzLmFwbmlj
Lm5ldDBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsG
AQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQQGCisGAQQB1nkC
BAIEgfUEgfIA8AB2AJQgvB6O1Y1siHMfgosiLA3R2k1ebE+UPWHbTi9YTaLCAAAB
fC734KwAAAQDAEcwRQIgMmT4IFzthr2/EXPuR/PMBtRrjco3q+XU0b3qcg52vxUC
IQCI3XCsyKkoRG0rXxmKS7aGxC1D44CqhbkvbQXz8o0vQQB2APZclC/RdzAiFFQY
CDCUVo7jTRMZM7/fDC8gC8xO8WTjAAABfC734KEAAAQDAEcwRQIhAPVV62nNQjDv
Cw4e50xbMrbf5C1Xu8QFeVvPvi/w+nU6AiBGrqD+RVJf+7e4M0IAiqLumWiVFQyu
0F9bFDdkO6cL/DANBgkqhkiG9w0BAQsFAAOCAQEAGeCx0D2HbxT+rLssMy0ZwjNX
ILi2z3Gjk8xxxD6bfuhzwnPw9bwLhez1TX0YGo8Khpt2z3ey3+jia+M8t7KSkGNH
oMOEtSYKlp15WawMb5Iwh+MnLiEh7FF0FOSPnADls/gejFDeMHx7MJhebm2WR/pH
UlGH6o3y9fbWtpA/mcQYXMActFWaUskUsWyRjHiBfCEyJQ4OqImjdcf2I8rE3acu
Bzvqt7RKoNDWSJdH7D/JPHewqcZU8w4jVCVEGeFrUcqe/RvWZKovSBbHVIbuF7fK
vDxrhqk6/bs3rEBFlVLfJDUMcy5Q3hoa2BcNpGN5uHU1esiYhWu9M+vikXntiw==
-----END CERTIFICATE-----
subject=/CN=y.labs.apnic.net
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5886 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 4A3FF16C00DD884122299452EB49D5EB5399E16CFD9817850CE6CB7AEF299515
    Session-ID-ctx:
    Master-Key: 54C9985F0FF084BD902C33D210A1773822FB7CBB712D2D87143FBA6340A2EF3550186F79DA86DE4D00DF34801C818B51
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1633582618
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)
---
closed
root@radarr:~ # cert-sync /usr/local/share/certs/ca-root-nss.crt
Mono Certificate Store Sync - version 6.8.0.123
Populate Mono certificate store from a concatenated list of certificates.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

Importing into legacy system store:
I already trust 128, your new list has 127
Import process completed.

Importing into BTLS system store:
I already trust 128, your new list has 127
Import process completed.
root@radarr:~ #

I've also tried pkg install openssl and that also doesn't help. Clearly some old certificates are in use somewhere in the system and mono is relying on them.

 

[tumpanaios]

Useful link for people who want to use .NET ,but a bit outdated versions of jackett and similar software . To solve the issue with expired old root LetsEncypt certificate the mono certificate trust store has to be updated without that root certificate. See issue . So edit a copy of the file /usr/local/share/certs/ca-root-nss.crt ,search and remove the 'DST Root CA X3'. Then run rm -rf /usr/share/.mono/ and then run again cert-sync copied_file.crt

 

[jgreco]

We're currently discussing this over at https://www.truenas.com/community/threads/system-update-not-working.95703/ ... it would be great to unify the multiple discussion threads about the DST Root X3 certificate in one spot, hint hint ;-)

 

[alexr]

We're currently discussing this over at https://www.truenas.com/community/threads/system-update-not-working.95703/ ... it would be great to unify the multiple discussion threads about the DST Root X3 certificate in one spot, hint hint ;-)

Yes. For anyone who ends up in this thread, I can confirm that the fix in that thread applied in the jail, followed by a cert-sync /usr/local/share/certs/ca-root-nss.crt resolves the issue. (And the mono folks need to be taken out back and dispatched for having their own trust store that needs syncing like this.)

 

[jgreco]

Yes. For anyone who ends up in this thread, I can confirm that the fix in that thread applied in the jail, followed by a cert-sync /usr/local/share/certs/ca-root-nss.crt resolves the issue. (And the mono folks need to be taken out back and dispatched for having their own trust store that needs syncing like this.)

Perhaps. Ten or twenty years ago, I thought like that, but the problem is more complex.

What do you do on a system without an existing trust store?

What do you do when you've sourced your system trust store from a web browser (Mozilla)?

Do you trust Mozilla, whose primary goal is going to be to make sure that web client to web site SSL is protected (a relatively low bar)?

What about code signing or client identity services?

What about enterprise (private) CA's? Ditto, for specific purposes?

All of these lean towards private per-application trust stores. On one hand, it's virtually required. On the other hand, keeping these updated is incredibly difficult in practice. I don't see a happy solution, but agree it is super frustrating.

 

[NasKar]

Deleted the DST Root CA from ca-root-nss.crt but when I run cert-sync /usr/local/share/certs/ca-root-nss.crt I get command not found.

 

[SweetAndLow]

nvm

 

[Grinas]

Useful link for people who want to use .NET ,but a bit outdated versions of jackett and similar software . To solve the issue with expired old root LetsEncypt certificate the mono certificate trust store has to be updated without that root certificate. See issue . So edit a copy of the file /usr/local/share/certs/ca-root-nss.crt ,search and remove the 'DST Root CA X3'. Then run rm -rf /usr/share/.mono/ and then run again cert-sync copied_file.crt

this worked for me thank you.

for those who need the commands.

Code:

# copy the crt
cp /usr/local/share/certs/ca-root-nss.crt copied_file.crt
# find and remove the crt that contains DST Root CA X3 using vi or what ever text editor you like
vi copied_file.crt
# remove mono directory
rm -rf /usr/share/.mono/
#  sync certs
cert-sync copied_file.crt
# go to jackett and test to see if the indexers that were previously giving you the error still are.

 

[paradoxiom]

this worked for me thank you.

for those who need the commands.

Code:

# copy the crt
cp /usr/local/share/certs/ca-root-nss.crt copied_file.crt
# find and remove the crt that contains DST Root CA X3 using vi or what ever text editor you like
vi copied_file.crt
# remove mono directory
rm -rf /usr/share/.mono/
#  sync certs
cert-sync copied_file.crt
# go to jackett and test to see if the indexers that were previously giving you the error still are.

Could you say where in the file this DST Root CA X3 to be removed is? I'm scrolling through it slowly in nano and I don't really see where that would be.
Edit: just opened it in notepad++ and searched it.
Is this still how to get flaresolverr running fine in a jacket jail?

Edit: I didn't remove the mono directory because I wasn't sure if Jackett was using it (I think it is), but I restarted Jackett with just syncing the certificates and now it can fetch the feed from nyaa.si fine that I was having problems with.

I still need to finish setting up flaresolverr so I can use 133x though.

 

[zamana]

(...)

I still need to finish setting up flaresolverr so I can use 133x though.

Hi!

Take a look here, please.

I just upload it.

I hope this helps you and others.