[bt4g] Exception (bt4g): certificate validation failed: [Subject] CN=[mypersonaldomain] [Issuer] CN=R3, O=Let's Encrypt, C=US[Serial Number] [removed for privacy] [Not Before] 10/19/2021 7:23:13 PM[Not After] 1/17/2022 6:23:12 PM[Thumbprint] [removed for privacy] : The SSL connection could not be established, see inner exception. (Test) #12595

Closed
3 tasks done
LeVraiRoiDHyrule opened this issue Nov 22, 2021 · 12 comments

@LeVraiRoiDHyrule

Have you checked our Troubleshooting page for your issue?

  • I have checked the Troubleshooting page

Is there already an issue for your problem?

  • I have checked older issues, open and closed

Have you read our Contributing Guidelines?

  • I have read the Contributing Guidelines

Environment

2021-11-22 09:21:18  Info  Using HTTP Client: HttpWebClient2
2021-11-22 09:21:18  Info  Using FlareSolverr: http://localhost:8191/
2021-11-22 09:21:18  Info  Using proxy: Disabled
2021-11-22 09:21:18  Info  App config/log directory: /opt/jackett/Jackett
2021-11-22 09:21:18  Info  ThreadPool MaxThreads: 1023 workerThreads, 1000 completionPortThreads
2021-11-22 09:21:18  Info  Running in Docker: No
2021-11-22 09:21:18  Info  File /etc/issue: Raspbian GNU/Linux 11 \n \l
2021-11-22 09:21:18  Info  Jackett variant: CoreLinuxArm32
2021-11-22 09:21:18  Info  OS version: Unix 5.10.63.7
2021-11-22 09:21:18  Info  Environment version: 6.0.0 (/opt/jackett/)
2021-11-22 09:21:16  Info  Starting Jackett v0.20.43

Description

I have this issue with multiple trackers, like RARBG, Torrent Funk, BT4G. I found some issues with the same message, but what is strange is that the domain in "CN" is not the domain of the tracker like in all issues I found, but my personal domain where my Jackett is used (behind an nginx reverse proxy). I had to remove it for privacy in the title of course.

So I don't understand what this error is and can't find any info about it in the previous issues and docs. Could someone help me? Don't hesitate if you need more info.

Logged Error Messages

Jackett.Common.IndexerException: Exception (bt4g): certificate validation failed: [Subject]
CN=[mypersonaldomain]

[Issuer]
CN=R3, O=Let's Encrypt, C=US

[Serial Number]

[removed for privacy]

[Not Before]
10/19/2021 7:23:13 PM

[Not After]
1/17/2022 6:23:12 PM

[Thumbprint]

[removed for privacy]

---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Exception: certificate validation failed: [Subject]
CN=[mypersonaldomain]

[Issuer]
CN=R3, O=Let's Encrypt, C=US

[Serial Number]

[removed for privacy]

[Not Before]
10/19/2021 7:23:13 PM

[Not After]
1/17/2022 6:23:12 PM

[Thumbprint]

[removed for privacy]

at Jackett.Common.Utils.Clients.HttpWebClient2.ValidateCertificate(HttpRequestMessage request, X509Certificate2 certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) in /home/vsts/work/1/s/src/Jackett.Common/Utils/Clients/HttpWebClient2.cs:line 50
at System.Net.Http.ConnectHelper.<>c__DisplayClass1_0.b__0(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
at System.Net.Security.SecureChannel.VerifyRemoteCertificate(RemoteCertificateValidationCallback remoteCertValidationCallback, SslCertificateTrust trust, ProtocolToken& alertToken, SslPolicyErrors& sslPolicyErrors, X509ChainStatusFlags& chainStatus)
at System.Net.Security.SslStream.CompleteHandshake(ProtocolToken& alertToken, SslPolicyErrors& sslPolicyErrors, X509ChainStatusFlags& chainStatus)
at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage request)
at System.Threading.Tasks.TaskCompletionSourceWithCancellation1.WaitWithCancellationAsync(CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
at System.Net.Http.DiagnosticsHandler.SendAsyncCore(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at System.Net.Http.DecompressionHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
at FlareSolverrSharp.ClearanceHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
at Jackett.Common.Utils.Clients.HttpWebClient2.Run(WebRequest webRequest) in /home/vsts/work/1/s/src/Jackett.Common/Utils/Clients/HttpWebClient2.cs:line 170
at Jackett.Common.Utils.Clients.WebClient.GetResultAsync(WebRequest request) in /home/vsts/work/1/s/src/Jackett.Common/Utils/Clients/WebClient.cs:line 185
at Jackett.Common.Indexers.BaseWebIndexer.RequestWithCookiesAsync(String url, String cookieOverride, RequestType method, String referer, IEnumerable1 data, Dictionary2 headers, String rawbody, Nullable1 emulateBrowser) in /home/vsts/work/1/s/src/Jackett.Common/Indexers/BaseIndexer.cs:line 590
at Jackett.Common.Indexers.CardigannIndexer.PerformQuery(TorznabQuery query) in /home/vsts/work/1/s/src/Jackett.Common/Indexers/CardigannIndexer.cs:line 1374
at Jackett.Common.Indexers.BaseIndexer.ResultsForQuery(TorznabQuery query, Boolean isMetaIndexer) in /home/vsts/work/1/s/src/Jackett.Common/Indexers/BaseIndexer.cs:line 401
--- End of inner exception stack trace ---
at Jackett.Common.Indexers.BaseIndexer.ResultsForQuery(TorznabQuery query, Boolean isMetaIndexer) in /home/vsts/work/1/s/src/Jackett.Common/Indexers/BaseIndexer.cs:line 413
at Jackett.Common.Indexers.BaseWebIndexer.ResultsForQuery(TorznabQuery query, Boolean isMetaIndexer) in /home/vsts/work/1/s/src/Jackett.Common/Indexers/BaseIndexer.cs:line 755
at Jackett.Common.Services.IndexerManagerService.TestIndexer(String name) in /home/vsts/work/1/s/src/Jackett.Common/Services/IndexerManagerService.cs:line 306
at Jackett.Server.Controllers.IndexerApiController.Test() in /home/vsts/work/1/s/src/Jackett.Server/Controllers/IndexerApiController.cs:line 132
at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfIActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Awaited|20_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
at Microsoft.AspNetCore.Routing.EndpointMiddleware.g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Builder.Extensions.UsePathBaseMiddleware.InvokeCore(HttpContext context, String matchedPath, String remainingPath)
at Jackett.Server.Middleware.CustomExceptionHandler.Invoke(HttpContext httpContext) in /home/vsts/work/1/s/src/Jackett.Server/Middleware/CustomExceptionHandler.cs:line 61

Screenshots

No response

@ilike2burnthing
Contributor

ilike2burnthing commented Nov 22, 2021

Please see #12591 for suggested fixes (they're for a Docker install, but should translate across). Also check if the certificate in browser is correct.

@LeVraiRoiDHyrule
Author

LeVraiRoiDHyrule commented Nov 22, 2021

> Please see #12591 for suggested fixes (they're for a Docker install, but should translate across). Also check if the certificate in browser is correct.

Thanks for your answer. But I have only 1 certificate for my whole domain, not 2 like the other who had this error. I tried reinstalling the certificate with certbot, restarted everything, but still the same error on those trackers (some trackers, like YGGtorrent, Nyaa and Sharewood work though, but RARBG, BT4G and Torrent Funk fail with this error). And I can't set volume mappings as I'm not in Docker. I'm not sure it's the same issue.

@ilike2burnthing
Contributor

Well we have certbot as a common thread here, could be the cause. Unfortunately I have no experience with it though.

Could you try adding a Docker install to see if you can replicate the issue, then see if volume mapping resolves it?

@ilike2burnthing
Contributor

Please check #12591 again, as the issue came down to being a DNS issue. See if setting the DNS to Google or Cloudflare on your device resolves things.

@LeVraiRoiDHyrule
Author

> Please check #12591 again, as the issue came down to being a DNS issue. See if setting the DNS to Google or Cloudflare on your device resolves things.

Hi,

I made further tests. My DNS is already set to Cloudflare, so I don't think it's the issue.
I tried installing in a Docker container instead of natively on my Pi, but the issue stays the same.

What is very strange is that I also tried completely disconnecting Jackett from my reverse proxy. I deleted its profile in Nginx, and I am accessing it directly through port 9117 (not 443). But it still gives this error related to my personal domain. I don't see how this could be happening, as Jackett should be completely unaware that I even have a domain. How could it throw me an error with my domain when it is completely unrelated to it?

I would like to provide more information but I don't know where to search.

@ilike2burnthing
Contributor

Do you have any kind of anti-malware, firewall, ad blocker or pi-hole set on your device? Is Jackett's traffic passing through an external VPN or proxy?

If you run curl -v https://bt4g.org/ on your device, what is the output?

@LeVraiRoiDHyrule
Author

> Do you have any kind of anti-malware, firewall, ad blocker or pi-hole set on your device? Is Jackett's traffic passing through an external VPN or proxy?
>
> If you run curl -v https://bt4g.org/ on your device, what is the output?

Thanks for your answer.

No pi-hole, no anti-malware, no firewall (except the one integrated in my router, but it shouldn't cause any issue as I can access bt4g or any other website that has issues with Jackett perfectly on other devices. And I never had any problems with it so I don't think that's the problem).

No VPN or proxy. Jackett is directly on my Pi, either accessed directly through port 9117 or through port 443 using an Nginx reverse proxy (Jackett behaviour is the same in both cases).

Here is the output of curl -v https://bt4g.org/:

root@DietPi:~# curl -v https://bt4g.org/
*   Trying ::1:443...
* Connected to bt4g.org (::1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=[mypersonaldomain]
*  start date: Oct 19 18:23:13 2021 GMT
*  expire date: Jan 17 18:23:12 2022 GMT
*  subjectAltName does not match bt4g.org
* SSL: no alternative certificate subject name matches target host name 'bt4g.org'
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'bt4g.org'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

At line * subject: CN=[mypersonaldomain], it still is my personal domain for my Nginx server reverse proxy. Same error as in Jackett. So I may have an issue with certificates, but I don't understand why it is here the same way it is in Jackett.

@ilike2burnthing
Contributor

Try curl -4 -v https://bt4g.org/ to force IPv4. If that works, you'll need to try disabling IPv6 on your Pi.

If you don't want to disable it system wide, you can run Jackett through Docker and disable IPv6 just for the container.

@LeVraiRoiDHyrule
Author

> Try curl -4 -v https://bt4g.org/ to force IPv4. If that works, you'll need to try disabling IPv6 on your Pi.
>
> If you don't want to disable it system wide, you can run Jackett through Docker and disable IPv6 just for the container.

Thanks for your answer.

I get a similar error with curl -4 -v https://bt4g.org/, here it is:

root@DietPi:~# curl -4 -v https://bt4g.org/
*   Trying 127.0.0.1:443...
* Connected to bt4g.org (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=[mydomain]
*  start date: Oct 19 18:23:13 2021 GMT
*  expire date: Jan 17 18:23:12 2022 GMT
*  subjectAltName does not match bt4g.org
* SSL: no alternative certificate subject name matches target host name 'bt4g.org'
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'bt4g.org'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

@ilike2burnthing
Contributor

I'm at a bit of a loss as to what else could cause this. Might be worth looking at https://github.com/MichaIng/DietPi/issues for some more specific help.

Given that we've determined this is a system wide issue for you, I think this issue can be closed. I'll leave it open for a few days in case someone else can help you.

If you do find a solution though, please let us know.

@Joulinar

Joulinar commented Dec 6, 2021

Issue solved. There was a dhcpd running, overwriting STATIC IP/DNS settings. dhcpd5 package has been purged and DNS resolution is done correctly via Cloudflare now https://dietpi.com/phpbb/viewtopic.php?p=40564#p40564

@ilike2burnthing
Contributor

Glad to hear it, and thanks for letting us know.
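
Both curl runs in this thread connected to a loopback address (::1, then 127.0.0.1), which is why the local nginx certificate came back for bt4g.org. The script below is an added example, not part of the original thread or of Jackett: it reads `curl -v` output and separates "hostname resolved to this machine" from a certificate mismatch on a remote server. The function name, the verdict labels and the sample hostnames (home.example, tracker.example) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify `curl -v` output (read on stdin) by where the
# connection actually went and whether the certificate name matched.
classify_curl_verbose() {
  awk '
    /^\* Connected to / {        # "* Connected to HOST (ADDR) port 443 (#0)"
      host = $4; addr = $5
      gsub(/[()]/, "", addr)
    }
    /^\* +subject: / {           # subject of the certificate the peer presented
      subject = $0
      sub(/^\* +subject: /, "", subject)
    }
    /subjectAltName does not match/ { mismatch = 1 }
    END {
      if (addr == "") { print "NO_CONNECTION"; exit }
      scope = "public"
      if (addr ~ /^127\./ || addr == "::1") scope = "loopback"
      else if (addr ~ /^10\./ || addr ~ /^192\.168\./ ||
               addr ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) scope = "private"
      # A public hostname landing on a local address points at name
      # resolution on this machine, not at the certificate itself.
      if (scope != "public") verdict = "LOCAL_REDIRECT"
      else if (mismatch)     verdict = "NAME_MISMATCH"
      else                   verdict = "OK"
      printf "%s scope=%s host=%s addr=%s subject=%s\n",
             verdict, scope, host, addr, subject
    }
  '
}

# Constructed samples; home.example and tracker.example are placeholders.
sample_loopback() {
cat <<'EOF'
*   Trying 127.0.0.1:443...
* Connected to bt4g.org (127.0.0.1) port 443 (#0)
* Server certificate:
*  subject: CN=home.example
*  subjectAltName does not match bt4g.org
EOF
}
sample_public_ok() {
cat <<'EOF'
*   Trying 203.0.113.10:443...
* Connected to tracker.example (203.0.113.10) port 443 (#0)
* Server certificate:
*  subject: CN=tracker.example
EOF
}

# Live use: curl -v https://bt4g.org/ 2>&1 | classify_curl_verbose
sample_loopback | classify_curl_verbose
sample_public_ok | classify_curl_verbose
```

A LOCAL_REDIRECT verdict means the next thing to inspect is the resolver configuration (for example `getent hosts bt4g.org` and /etc/resolv.conf), not the certificate.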
