Sonarr and SSL not functioning

LotLits

I'm having trouble enabling SSL with Sonarr. I followed the steps on Sonarr's wiki to create the cert/key and add the pvk file. Unfortunately, after enabling SSL and restarting, I still can't access the web page over the 9898 SSL port that's configured. I receive a "this webpage is not available" error when accessing https://10.0.0.5:9898/.

From the jail, I can see it's listening on the port:
Code:
tcp4       0      0 127.0.0.1.9898         *.*                    LISTEN
tcp4       0      0 127.0.0.1.8989         *.*                    LISTEN
tcp4       0      0 10.0.0.5.9898         *.*                    LISTEN
tcp4       0      0 10.0.0.5.8989         *.*                    LISTEN
tcp4       0      0 10.0.0.5.12354        *.*                    LISTEN


Additionally, when I run a tcpdump, the traffic is definitely received/acknowledged on the jail:
Code:
09:08:47.269827 IP 10.0.0.110.59061 > 10.0.0.5.9898: Flags [S], seq 3051741438, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 515861234 ecr 0,sackOK,eol], length 0
09:08:47.269839 IP 10.0.0.5.9898 > 10.0.0.110.59061: Flags [S.], seq 3134178924, ack 3051741439, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3391431093 ecr 515861234], length 0
09:08:47.270520 IP 10.0.0.110.59061 > 10.0.0.5.9898: Flags [.], ack 1, win 4117, options [nop,nop,TS val 515861237 ecr 3391431093], length 0
09:08:47.270581 IP 10.0.0.5.9898 > 10.0.0.110.59061: Flags [F.], seq 1, ack 1, win 1023, options [nop,nop,TS val 3391431094 ecr 515861237], length 0
09:08:47.271241 IP 10.0.0.110.59061 > 10.0.0.5.9898: Flags [P.], seq 1:214, ack 1, win 4117, options [nop,nop,TS val 515861237 ecr 3391431093], length 213
09:08:47.271247 IP 10.0.0.5.9898 > 10.0.0.110.59061: Flags [R], seq 3134178925, win 0, length 0
09:08:47.271813 IP 10.0.0.110.59061 > 10.0.0.5.9898: Flags [.], ack 2, win 4117, options [nop,nop,TS val 515861237 ecr 3391431094], length 0
09:08:47.271816 IP 10.0.0.5.9898 > 10.0.0.110.59061: Flags [R], seq 3134178926, win 0, length 0
09:08:47.271817 IP 10.0.0.110.59061 > 10.0.0.5.9898: Flags [F.], seq 214, ack 2, win 4117, options [nop,nop,TS val 515861237 ecr 3391431094], length 0
09:08:47.271819 IP 10.0.0.5.9898 > 10.0.0.110.59061: Flags [R], seq 3134178926, win 0, length 0


Below is the output from httpcfg -list showing it should be on port 9898:
Code:
Port: 9898 Thumbprint: 7E0F1CCF47F1CB813FA99C3077FE78B38154B6C4


I haven't been able to find any helpful logs.

I've attempted recreating the jail/installing the plugin a few times but with the same result. Any thoughts or help would be great.
 
dlavigne
Anything in /var/log/messages or /var/log/auth.log in the jail?
 

LotLits

Unfortunately, I don't think there's anything particularly useful in any of the logs in /var/log/

/var/log/messages
Code:
Apr 10 08:09:43 sonarr_1 newsyslog[87824]: logfile first created
Apr 10 08:09:43 sonarr_1 syslogd: kernel boot file is /boot/kernel/kernel
Apr 10 08:39:07 sonarr_1 pkg: pkg upgraded: 1.3.7 -> 1.4.12
Apr 10 09:12:12 sonarr_1 reboot: rebooted by <user>
Apr 10 09:12:18 sonarr_1 shutdown: reboot by <user>:
Apr 10 09:13:05 sonarr_1 syslogd: exiting on signal 15
Apr 10 09:13:19 sonarr_1 syslogd: kernel boot file is /boot/kernel/kernel


/var/log/auth.log
Code:
Apr 10 08:09:43 sonarr_1 newsyslog[87824]: logfile first created
Apr 10 09:12:18 sonarr_1 shutdown: reboot by <user>: 
 

Joshua Parker Ruehlig

maybe check Sonarr's logs in /var/db/sonarr? maybe the service doesn't have permissions to read the key.

also you could possibly post your key+cert for someone on the sonarr forums to try. if it works you know you created it correctly. you'd then want to make a new key unless you trust the person you sent it to.
 

blahhumbug

I've been having the same issue. At first I was running httpcfg as 'root'. This is wrong since sonarr is not running under the root account, and so the mono settings were being put into /root/.config/.mono/httplistener/ of the plugin jail.

So it looks like the user account that sonarr is run under needs to have an actual home directory instead of /nonexistent as well as a valid shell like /bin/tcsh. After setting that up, I was able to su to the sonarr account from within the jail, and rerun httpcfg and verify that files are now in the sonarr home directory area.

Unfortunately, after making those changes, my situation has not improved and sonarr still shows as listening on port 9898, but no connection can be established. I'm hoping this additional info will be useful in helping figure out what else I am missing. :smile:
 

Joshua Parker Ruehlig

What version of the Sonarr FreeNAS plugin do you have installed? I fixed a similar issue before by setting the XDG_CONFIG_HOME variable.
 

blahhumbug

I'm using sonarr-2.0.0.2850-amd64. I also had sonarr self update itself to its latest code which is newer than what was in the plugin.

I'm also overriding the sonarr user/group in /etc/rc.conf so that sonarr runs under an account UID that is compatible with the CIFS shares I have mounted in /media of the sonarr jail.

I grepped around and see that /usr/pbi/sonarr-amd64/etc/rc.d/sonarr is setting XDG_CONFIG_HOME to point to the sonarr data directory. This is a different directory than the user home directory where httpcfg placed the key/cert for mono.

I tried copying ~/.config/.mono/httplistener/ to /var/db/sonarr/.config/.mono/httplistener to see if Sonarr would pick them up there based on the XDG_CONFIG_HOME override, but no luck yet.
 

Joshua Parker Ruehlig

ok, thanks for the info! I'll look into a way of solving this for the plugin.
 

blahhumbug

Thanks, I really appreciate all the plugin help you provide on these forums! I'm currently looking into mono's httplistener code to see if I can enable any debug logs to see whether the problem really is that it can't find the pvk/cert files, or at least to try and figure out exactly where it's trying to load them from.
 

Joshua Parker Ruehlig

@blahhumbug
Can you try installing the cert to /var/db/sonarr/.mono/httplistener

Thanks
 

NahsiN

Just curious, has anybody got SSL to work in sonarr plugin yet?
 

diedrichg

What are all the FreeNAS GUI Advanced settings for the jail?
 

NahsiN

Sure, I created the var/db/sonarr/.mono/httplistener directory and put in my server.pvk and server.crt files inside. I also changed permissions of the files so that media was the owner. I then enabled the Enable SSL setting in the GUI and restarted the jail. I still can't connect using https. Note I did not use httpcfg for the configuration because the program is not installed in the jail.
Here's an excerpt from the nzbdrone.txt log file:
15-8-9 19:11:19.8|Info|OwinHostController|Listening on the following URLs:
15-8-9 19:11:19.8|Info|OwinHostController| http://*:8989/
15-8-9 19:11:19.8|Info|OwinHostController| https://*:9898/
As far as I can tell httpcfg should just copy the .pvk and .crt files to the .mono/httplistener directory. I am completely unaware of what the -port command accomplishes though.
 

Joshua Parker Ruehlig

I suggest you try the following.
  • create a second test instance of the sonarr plugin
  • in the new sonarr jail...
    • edit /usr/local/etc/rc.d/sonarr to comment out the XDG_CONFIG_HOME line
    • create a home for the media user that it can write to
    • make sure your SSL setup works with that, document the location where you placed the SSL cert, and save your working cert setup
From there we could figure out what if anything needs to be changed about the plugin to make this possible.
 

diedrichg

What is the jail IP? Is NAT checked? Is VIMAGE checked? I'm not in front of a computer; are there any other DHCP settings?
 

NahsiN

The jail IP is 192.168.0.xxx and it's on the same network as my LAN. DHCP is checked. VIMAGE is checked. NAT is unchecked since DHCP is checked.

What's the command for creating a home for the media user? By default it's /nonexistent and the shell is a nologin shell.
 

nimble-goose


Joshua Parker Ruehlig

This worked for me!

I'd followed Sonarr's Linux / OS X SSL instructions and ended up with the httplistener dir in /root/.config/.mono/httplistener; I moved this dir to /var/db/sonarr/.mono/httplistener, chowned it to my Sonarr user (nobody for me, media by default), and restarted the Sonarr service. HTTPS working fine now.
Thanks for testing this out!

Ok, so from my understanding it is possible to enable SSL in the Sonarr plugin on FreeNAS and there's no changes needed at this time.
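
A check for the fix reported above, written here as an added example (it is not from the thread, from Sonarr, or from the FreeNAS plugin): it confirms that the certificate pair for the SSL port sits in the directory the service actually reads and is owned by the service account. It assumes Mono's httpcfg layout of `<port>.cer` and `<port>.pvk` under `<config home>/.mono/httplistener`; the function name `check_httplistener` is hypothetical.

```shell
#!/bin/sh
# Added example: verify the Mono HttpListener certificate store for one port.
# Assumption (not stated in the thread): httpcfg stores the pair as
# <port>.cer and <port>.pvk inside <config home>/.mono/httplistener.

# check_httplistener CONFIG_HOME PORT USER
# Prints one line per finding; returns 0 when the store looks usable.
check_httplistener() {
    dir="$1/.mono/httplistener"; port="$2"; user="$3"; rc=0

    if [ ! -d "$dir" ]; then
        echo "MISSING dir  $dir"
        return 1
    fi
    for ext in cer pvk; do
        f="$dir/$port.$ext"
        if [ ! -f "$f" ]; then
            echo "MISSING file $f"; rc=1; continue
        fi
        # The service account should own the file so it can always read it.
        if [ -z "$(find "$f" -user "$user" 2>/dev/null)" ]; then
            echo "OWNER        $f is not owned by $user"; rc=1
        fi
    done
    # The private key should not be readable by group or other.
    pvk="$dir/$port.pvk"
    if [ -f "$pvk" ] && [ -n "$(find "$pvk" -perm -040 -o -perm -004)" ]; then
        echo "PERMS        $pvk is group/world readable (chmod 600)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK           $dir holds $port.cer and $port.pvk"
    return "$rc"
}

# Usage inside the jail, with the values from this thread:
#   sh check_httplistener.sh /var/db/sonarr 9898 media
if [ "$#" -eq 3 ]; then
    check_httplistener "$@"
fi
```

Run it as root inside the jail so the result does not depend on the caller's own read access.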
 

NahsiN

How are people managing to use httpcfg inside the sonarr jail? For me it's not installed! I have installed a freebsd jail and installing mono (pkg install mono) gives me httpcfg but in the sonarr plugin, there is no httpcfg. Did you upgrade mono yourself inside the jail?
 