Jackett frequently fails with OPENSSL_internal:CERTIFICATE_VERIFY_FAILED

[epheterson]

Environment

OS: Synology DSM 6.2.2-24922 Update 4

.Net Runtime: Mono

.Net Version: 5.18.0.240-12

Jackett Version: 0.13.127.0

Are you using a proxy or VPN? No

Description

Usually Jackett works great, e.g. after a fresh boot, but often it'll go into this state where everything fails. Checking for updates fails, and testing every indexer fails. When in this state I've found no solution other than relaunching Jackett, which always works. The other variants I've seen of this on Github are either permanent, i.e. reproduce after a fresh boot, or affect only one indexer.

Logged Error Messages

jackett.log

jackettRelaunched.log

Example while testing indexer:

Jackett.Common.IndexerException: Exception (torrentz2): Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
  at /spksrc/spk/mono/work-x64-6.1/mono-5.18.0.240/external/boringssl/ssl/handshake_client.c:1132 ---> System.Net.Http.HttpRequestException: An error occurred while sending the request ---> System.Net.WebException: Error: TrustFailure (Authentication failed, see inner exception.) ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
  at /spksrc/spk/mono/work-x64-6.1/mono-5.18.0.240/external/boringssl/ssl/handshake_client.c:1132
  at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00038] in <63552ca6ec3f4cb28de3f8c0aa59b164>:0 
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000a1] in <63552ca6ec3f4cb28de3f8c0aa59b164>:0 
  at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
  at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00006] in <63552ca6ec3f4cb28de3f8c0aa59b164>:0 
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000ff] in <63552ca6ec3f4cb28de3f8c0aa59b164>:0 
  at Mono.Net.Security.AsyncProtocolRequest.StartOperation (System.Threading.CancellationToken cancellationToken) [0x0008b] in <63552ca6ec3f4cb28de3f8c0aa59b164>:0 
   --- End of inner exception stack trace ---
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Boolean runSynchronously, Mono.Net.Security.MonoSslAuthenticationOptions options, System.Threading.CancellationToken cancellationToken) [0x00252] in <63552ca6ec3f4cb28de3f8c0aa59b164>:0 
  at Mono.Net.Security.MonoTlsStream.CreateStream (System.Net.WebConnectionTunnel tunnel, System.Threading.CancellationToken cancellationToken) [0x00126] in <63552ca6ec3f4cb28de3f8c0aa59b164>:0 
  at System.Net.WebConnection.CreateStream (System.Net.WebOperation operation, System.Boolean reused, System.Threading.CancellationToken cancellationToken) [0x001ba] in <63552ca6ec3f4cb28de3f8c0aa59b164>:0 
   --- End of inner exception stack trace ---
  at System.Net.WebConnection.CreateStream (System.Net.WebOperation operation, System.Boolean reused, System.Threading.CancellationToken cancellationToken) [0x0021a] in <63552ca6ec3f4cb28de3f8c0aa59b164>:0 
  at System.Net.WebConnection.InitConnection (System.Net.WebOperation operation, System.Threading.CancellationToken cancellationToken) [0x00141] in <63552ca6ec3f4cb28de3f8c0aa59b164>:0 
  at System.Net.WebOperation.Run () [0x0009a] in <63552ca6ec3f4cb28de3f8c0aa59b164>:0 
  at System.Net.WebCompletionSource`1[T].WaitForCompletion () [0x00094] in <63552ca6ec3f4cb28de3f8c0aa59b164>:0 
  at System.Net.HttpWebRequest.RunWithTimeoutWorker[T] (System.Threading.Tasks.Task`1[TResult] workerTask, System.Int32 timeout, System.Action abort, System.Func`1[TResult] aborted, System.Threading.CancellationTokenSource cts) [0x000f8] in <63552ca6ec3f4cb28de3f8c0aa59b164>:0 
  at System.Net.HttpWebRequest.EndGetResponse (System.IAsyncResult asyncResult) [0x00020] in <63552ca6ec3f4cb28de3f8c0aa59b164>:0 
  at System.Threading.Tasks.TaskFactory`1[TResult].FromAsyncCoreLogic (System.IAsyncResult iar, System.Func`2[T,TResult] endFunction, System.Action`1[T] endAction, System.Threading.Tasks.Task`1[TResult] promise, System.Boolean requiresSynchronization) [0x0000f] in <30c1a991558c4064acefa7cee0fc6779>:0 
--- End of stack trace from previous location where exception was thrown ---

  at System.Net.Http.HttpClientHandler.SendAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x0041d] in <d79bb9faee264b669b8825270136bfaa>:0 
   --- End of inner exception stack trace ---
  at System.Net.Http.HttpClientHandler.SendAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x00478] in <d79bb9faee264b669b8825270136bfaa>:0 
  at CloudflareSolverRe.ClearanceHandler.SendRequestAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x00090] in <9640d5c3ce934e55be2d347202d4fc66>:0 
  at CloudflareSolverRe.ClearanceHandler.SendAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x000a4] in <9640d5c3ce934e55be2d347202d4fc66>:0 
  at System.Net.Http.HttpClient.SendAsyncWorker (System.Net.Http.HttpRequestMessage request, System.Net.Http.HttpCompletionOption completionOption, System.Threading.CancellationToken cancellationToken) [0x000ca] in <d79bb9faee264b669b8825270136bfaa>:0 
  at Jackett.Common.Utils.Clients.HttpWebClient.Run (Jackett.Common.Utils.Clients.WebRequest webRequest) [0x00497] in <585d4cf8f55a4064831d15198aca2ced>:0 
  at Jackett.Common.Utils.Clients.WebClient.GetString (Jackett.Common.Utils.Clients.WebRequest request) [0x0010b] in <585d4cf8f55a4064831d15198aca2ced>:0 
  at Jackett.Common.Indexers.BaseWebIndexer.RequestStringWithCookies (System.String url, System.String cookieOverride, System.String referer, System.Collections.Generic.Dictionary`2[TKey,TValue] headers) [0x000cb] in <585d4cf8f55a4064831d15198aca2ced>:0 
  at Jackett.Common.Indexers.CardigannIndexer.PerformQuery (Jackett.Common.Models.TorznabQuery query) [0x0086a] in <585d4cf8f55a4064831d15198aca2ced>:0 
  at Jackett.Common.Indexers.BaseIndexer.ResultsForQuery (Jackett.Common.Models.TorznabQuery query) [0x00091] in <585d4cf8f55a4064831d15198aca2ced>:0 
   --- End of inner exception stack trace ---
  at Jackett.Common.Indexers.BaseIndexer.ResultsForQuery (Jackett.Common.Models.TorznabQuery query) [0x000ee] in <585d4cf8f55a4064831d15198aca2ced>:0 
  at Jackett.Common.Indexers.BaseWebIndexer.ResultsForQuery (Jackett.Common.Models.TorznabQuery query) [0x0006b] in <585d4cf8f55a4064831d15198aca2ced>:0 
  at Jackett.Common.Services.IndexerManagerService.TestIndexer (System.String name) [0x000a3] in <585d4cf8f55a4064831d15198aca2ced>:0 
  at Jackett.Server.Controllers.IndexerApiController.Test () [0x000e1] in <fd58646eded74189a57d95a15b1c4db1>:0 
  at Microsoft.AspNetCore.Mvc.Internal.ActionMethodExecutor+TaskOfIActionResultExecutor.Execute (Microsoft.AspNetCore.Mvc.Infrastructure.IActionResultTypeMapper mapper, Microsoft.Extensions.Internal.ObjectMethodExecutor executor, System.Object controller, System.Object[] arguments) [0x00071] in <b4ef600f4a594fe2865a8f97f915fb9d>:0 
  at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeActionMethodAsync () [0x00131] in <b4ef600f4a594fe2865a8f97f915fb9d>:0 
  at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeNextActionFilterAsync () [0x0009e] in <b4ef600f4a594fe2865a8f97f915fb9d>:0 
  at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Rethrow (Microsoft.AspNetCore.Mvc.Filters.ActionExecutedContext context) [0x0001b] in <b4ef600f4a594fe2865a8f97f915fb9d>:0 
  at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.Next (Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker+State& next, Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker+Scope& scope, System.Object& state, System.Boolean& isCompleted) [0x00382] in <b4ef600f4a594fe2865a8f97f915fb9d>:0 
  at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.InvokeInnerFilterAsync () [0x0002f] in <b4ef600f4a594fe2865a8f97f915fb9d>:0 
  at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeNextResourceFilter () [0x0009f] in <b4ef600f4a594fe2865a8f97f915fb9d>:0 
  at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Rethrow (Microsoft.AspNetCore.Mvc.Filters.ResourceExecutedContext context) [0x0001b] in <b4ef600f4a594fe2865a8f97f915fb9d>:0 
  at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.Next (Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker+State& next, Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker+Scope& scope, System.Object& state, System.Boolean& isCompleted) [0x00840] in <b4ef600f4a594fe2865a8f97f915fb9d>:0 
  at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeFilterPipelineAsync () [0x0002f] in <b4ef600f4a594fe2865a8f97f915fb9d>:0 
  at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAsync () [0x0012e] in <b4ef600f4a594fe2865a8f97f915fb9d>:0 
  at Microsoft.AspNetCore.Builder.RouterMiddleware.Invoke (Microsoft.AspNetCore.Http.HttpContext httpContext) [0x001cb] in <6092a16d93814eba828b517a2b132f80>:0 
  at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke (Microsoft.AspNetCore.Http.HttpContext context) [0x00384] in <427697fe42b7459ba5302fb76d339d3b>:0 
  at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke (Microsoft.AspNetCore.Http.HttpContext context) [0x0043e] in <f352e566abf6421e87eafbcf57a0b237>:0 
  at Jackett.Server.Middleware.CustomExceptionHandler.Invoke (Microsoft.AspNetCore.Http.HttpContext httpContext) [0x0008a] in <fd58646eded74189a57d95a15b1c4db1>:0 ```

[garfield69]

Hmm, from what I can see in the log, it would appear that the problem started after the auto update finished updating from 0.12.1815 to 0.13.127 and the Jackett service was started back up.
So to eliminate the update cycle as a suspect, I would like you to access your Jackett dashboard and set the disable auto update switch on, followed by clicking the apply server settings button.
Then reboot the platform to get a good fresh start.

Then monitor Jackett over the 5 days or so, and see if you get a repeat of the problem as regularly as you used to get.

[epheterson]

Thanks I’ll try that, FWIW when I try manual updates it usually succeeds and when I checked just now it updated to 0.13.135 without issues.

[ngosang]

I can reproduce the issue in Mono build. Manual search for "" on shokweb with 0 results.

02-21 21:59:20 Info Starting Jackett v0.13.160.0 
02-21 21:59:21 Info Environment version: 4.0.30319.42000 (/usr/lib/mono/4.5) 
02-21 21:59:21 Info OS version: Unix 5.4.13.1 (64bit OS) (64bit process) 
02-21 21:59:21 Info Jackett variant: Mono 
02-21 21:59:21 Info ThreadPool MaxThreads: 400 workerThreads, 200 completionPortThreads 
02-21 21:59:21 Info App config/log directory: /home/xxx/.config/Jackett 
02-21 21:59:21 Info issue: Arch Linux \r (\l) 
02-21 21:59:21 Info mono version: 6.4.0 (makepkg/fe64a4765e6 Sat 16 Nov 2019 04:59:42 PM UTC) 
02-21 21:59:21 Info Using HTTP Client: HttpWebClient

....

Jackett.Common.IndexerException: Exception (shokweb): Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
  at /build/mono/src/mono/external/boringssl/ssl/handshake_client.c:1132 ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
  at /build/mono/src/mono/external/boringssl/ssl/handshake_client.c:1132
  at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00048] in <9bd67acb7e9448b0ae17ea9ad68db84f>:0 
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000da] in <9bd67acb7e9448b0ae17ea9ad68db84f>:0 
  at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
  at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00006] in <9bd67acb7e9448b0ae17ea9ad68db84f>:0 
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000fc] in <9bd67acb7e9448b0ae17ea9ad68db84f>:0 
   --- End of inner exception stack trace ---
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Boolean runSynchronously, Mono.Net.Security.MonoSslAuthenticationOptions options, System.Threading.CancellationToken cancellationToken) [0x00262] in <9bd67acb7e9448b0ae17ea9ad68db84f>:0 
  at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore (System.IO.Stream stream, System.Net.Security.SslClientAuthenticationOptions sslOptions, System.Threading.CancellationToken cancellationToken) [0x000c3] in <dfcbfc91f2224480a512506bc7a7dd22>:0 
   --- End of inner exception stack trace ---
  at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore (System.IO.Stream stream, System.Net.Security.SslClientAuthenticationOptions sslOptions, System.Threading.CancellationToken cancellationToken) [0x00102] in <dfcbfc91f2224480a512506bc7a7dd22>:0 
  at System.Net.Http.HttpConnectionPool.CreateConnectionAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x00322] in <dfcbfc91f2224480a512506bc7a7dd22>:0 
  at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync (System.Threading.Tasks.ValueTask`1[TResult] creationTask) [0x000a2] in <dfcbfc91f2224480a512506bc7a7dd22>:0 
  at System.Net.Http.HttpConnectionPool.SendWithRetryAsync (System.Net.Http.HttpRequestMessage request, System.Boolean doRequestAuth, System.Threading.CancellationToken cancellationToken) [0x00089] in <dfcbfc91f2224480a512506bc7a7dd22>:0 
  at System.Net.Http.DecompressionHandler.SendAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x000ca] in <dfcbfc91f2224480a512506bc7a7dd22>:0 
  at CloudflareSolverRe.ClearanceHandler.SendRequestAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x00090] in <9640d5c3ce934e55be2d347202d4fc66>:0 
  at CloudflareSolverRe.ClearanceHandler.SendAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x000a4] in <9640d5c3ce934e55be2d347202d4fc66>:0 
  at System.Net.Http.HttpClient.FinishSendAsyncBuffered (System.Threading.Tasks.Task`1[TResult] sendTask, System.Net.Http.HttpRequestMessage request, System.Threading.CancellationTokenSource cts, System.Boolean disposeCts) [0x0017e] in <dfcbfc91f2224480a512506bc7a7dd22>:0 
  at Jackett.Common.Utils.Clients.HttpWebClient.Run (Jackett.Common.Utils.Clients.WebRequest webRequest) [0x00497] in <de7ea32dc9e5426da7e33652c177e0fa>:0 
  at Jackett.Common.Utils.Clients.WebClient.GetString (Jackett.Common.Utils.Clients.WebRequest request) [0x0010b] in <de7ea32dc9e5426da7e33652c177e0fa>:0 
  at Jackett.Common.Indexers.BaseWebIndexer.RequestStringWithCookies (System.String url, System.String cookieOverride, System.String referer, System.Collections.Generic.Dictionary`2[TKey,TValue] headers) [0x000cb] in <de7ea32dc9e5426da7e33652c177e0fa>:0 
  at Jackett.Common.Indexers.CardigannIndexer.PerformQuery (Jackett.Common.Models.TorznabQuery query) [0x0086a] in <de7ea32dc9e5426da7e33652c177e0fa>:0 
  at Jackett.Common.Indexers.BaseIndexer.ResultsForQuery (Jackett.Common.Models.TorznabQuery query) [0x00091] in <de7ea32dc9e5426da7e33652c177e0fa>:0 
   --- End of inner exception stack trace ---
  at Jackett.Common.Indexers.BaseIndexer.ResultsForQuery (Jackett.Common.Models.TorznabQuery query) [0x000ee] in <de7ea32dc9e5426da7e33652c177e0fa>:0 
  at Jackett.Common.Indexers.BaseWebIndexer.ResultsForQuery (Jackett.Common.Models.TorznabQuery query) [0x0006b] in <de7ea32dc9e5426da7e33652c177e0fa>:0 
  at Jackett.Server.Controllers.ResultsController.Results (Jackett.Common.Models.DTO.ApiSearch requestt) [0x00287] in <7aba1958e4c345398336df0e5c8a4a13>:0 

[epheterson]

@garfield69 I've disabled auto updates and Jackett is currently in the bug state:

Jackett.Common.IndexerException: Exception (yts): Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
  at /spksrc/spk/mono/work-x64-6.1/mono-5.18.0.240/external/boringssl/ssl/handshake_client.c:1132 ---> System.Net.Http.HttpRequestException: An error occurred while sending the request ---> System.Net.WebException: Error: TrustFailure (Authentication failed, see inner exception.) ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
  at /spksrc/spk/mono/work-x64-6.1/mono-5.18.0.240/external/boringssl/ssl/handshake_client.c:1132
  at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00038] in <63552ca6ec3f4cb28de3f8c0aa59b164>:0 
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000a1] in <63552ca6ec3f4cb28de3f8c0aa59b164>:0 
  at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)

[ngosang]

@epheterson Try this (and restart Jackett) => https://www.mono-project.com/docs/about-mono/releases/3.12.0/#cert-sync
Related: mono/mono#12406

[epheterson]

Thanks, I tried the cert-sync command and will keep an eye on it now to see if this resolves it:

user@computer:/volume2/@appstore/mono/bin$ ./cert-sync /etc/ssl/certs/ca-certificates.crt
Mono Certificate Store Sync - version 5.18.0.240
Populate Mono certificate store from a concatenated list of certificates.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

Importing into legacy system store:
I already trust 173, your new list has 173
Import process completed.

Importing into BTLS system store:
I already trust 171, your new list has 173
Certificate added: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
Certificate added: C=US, O="VeriSign, Inc.", OU=Class 3 Public Primary Certification Authority
2 new root certificates were added to your trust store.
Import process completed.

[epheterson]

Unfortunately that didn’t work, it’s still hitting the same errors.

[ngosang]

I can't help you more because it is a Mono issue, not Jackett. You can try to update your system and then execute sudo cert-sync again.
We are recommending users to install the .NetCore version instead of Mono because this kind of problems. I don't know if they can run in Synologic but you can try and share your results.

[garfield69]

some syno users have had success with the .net core builds from docker https://hub.docker.com/r/linuxserver/jackett/

[dpons039]

I'm using a Synology and I was getting the same annoying messages... after investigating, I have set a daily task that performs the following (My Nas is set to reboot every day also):

wget -q https://curl.haxx.se/ca/cacert.pem -O /volume1/MyFiles/cacert.pem
/var/packages/mono/target/bin/cert-sync /volume1/MyFiles/cacert.pem
cp /volume1/MyFiles/cacert.pem /volume1/\@appstore/jackett/cert.pem

Edit the paths as needed, if you do not reboot the nas you might need to restart jackett using synoservicectl

This way I have manage to reduce the times that the issue appears.

In those rare cases that it appears (can't remember when was the last time), I just need to re-run those commands and restart Jackett.

Hope this helps!

[ngosang]

https://github.com/Jackett/Jackett/wiki/Synology-installation