
Authentication failure for Transmission behind proxy for SSL #2049

Closed
KireinaHoro opened this issue Jul 16, 2017 · 10 comments

Comments

@KireinaHoro

KireinaHoro commented Jul 16, 2017

The Transmission client is behind nginx for HTTPS. I can access the Transmission web control at https://domain.tld and authenticate properly, yet with domain.tld, port 443, SSL on, Sonarr says that the authentication failed.

I've also tried using curl https://username:password@domain.tld:443, which returned the control panel correctly instead of HTTP 401. If I remove the username and password section, curl simply returns a 401.

@hellfirehd

Is it the https part? All connections to indexers (OZnzb and nzbgeek) have been failing for me due to SChannel errors.

@isadon

isadon commented Jul 17, 2017

I'm currently getting a very similar issue and I believe the issue, at least for me, lies in that I'm using self-signed certificates. How can I tell Sonarr to bypass the certificate checking for connecting to Transmission via TLS (nginx reverse proxy)? I currently get an "unable to connect" message though I'm sure my parameters are configured correctly.

Here is some great log info:

17-7-16 23:55:36.6|Error|Transmission|Unable to connect to Transmission, please check your settings

[v2.0.0.4855] NzbDrone.Core.Download.Clients.DownloadClientUnavailableException: Unable to connect to Transmission, please check your settings ---> System.Net.WebException: Curl Error SslCaCert for Url https://localhost:443/transmission/rpc, issues with your operating system SSL Root Certificate Bundle (ca-bundle).
  at NzbDrone.Common.Http.Dispatchers.CurlHttpDispatcher.GetResponse (NzbDrone.Common.Http.HttpRequest request, System.Net.CookieContainer cookies) [0x001ee] in <953b74031cc24d85bc9f58633f142756>:0 
  at NzbDrone.Common.Http.Dispatchers.FallbackHttpDispatcher.GetResponse (NzbDrone.Common.Http.HttpRequest request, System.Net.CookieContainer cookies) [0x000ae] in <953b74031cc24d85bc9f58633f142756>:0 
  at NzbDrone.Common.Http.HttpClient.Execute (NzbDrone.Common.Http.HttpRequest request) [0x0007e] in <953b74031cc24d85bc9f58633f142756>:0 
  at NzbDrone.Core.Download.Clients.Transmission.TransmissionProxy.AuthenticateClient (NzbDrone.Common.Http.HttpRequestBuilder requestBuilder, NzbDrone.Core.Download.Clients.Transmission.TransmissionSettings settings, System.Boolean reauthenticate) [0x0004f] in <4f38a7d7a714405098278193b9697ec1>:0 
  at NzbDrone.Core.Download.Clients.Transmission.TransmissionProxy.ProcessRequest (System.String action, System.Object arguments, NzbDrone.Core.Download.Clients.Transmission.TransmissionSettings settings) [0x0001f] in <4f38a7d7a714405098278193b9697ec1>:0 
   --- End of inner exception stack trace ---

@KireinaHoro
Author

Well, I'm using a rather radical SSL configuration on my nginx server. Here's what it looks like (if it helps):

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

@markus101
Member

Mono doesn't support TLS 1.1 or 1.2 natively so Sonarr falls back to using libcurl (if it's available).

Curl Error SslCaCert for Url https://localhost:443/transmission/rpc, issues with your operating system SSL Root Certificate Bundle (ca-bundle).

@donileo you possibly need to update the ca-bundle, but open a thread on the forums for support.

@KireinaHoro what do the logs actually show? Is nginx doing the authentication or is transmission? What if you bypass nginx?

@KireinaHoro
Author

KireinaHoro commented Jul 17, 2017

@markus101

Failed to authenticate with Transmission.: Failed to authenticate with Transmission.

NzbDrone.Core.Download.Clients.DownloadClientAuthenticationException: Failed to authenticate with Transmission.
  at NzbDrone.Core.Download.Clients.Transmission.TransmissionProxy.AuthenticateClient (NzbDrone.Common.Http.HttpRequestBuilder requestBuilder, NzbDrone.Core.Download.Clients.Transmission.TransmissionSettings settings, System.Boolean reauthenticate) [0x000c3] in <4f38a7d7a714405098278193b9697ec1>:0 
  at NzbDrone.Core.Download.Clients.Transmission.TransmissionProxy.ProcessRequest (System.String action, System.Object arguments, NzbDrone.Core.Download.Clients.Transmission.TransmissionSettings settings) [0x0001f] in <4f38a7d7a714405098278193b9697ec1>:0 
  at NzbDrone.Core.Download.Clients.Transmission.TransmissionProxy.GetSessionVariables (NzbDrone.Core.Download.Clients.Transmission.TransmissionSettings settings) [0x00000] in <4f38a7d7a714405098278193b9697ec1>:0 
  at NzbDrone.Core.Download.Clients.Transmission.TransmissionProxy.GetConfig (NzbDrone.Core.Download.Clients.Transmission.TransmissionSettings settings) [0x00000] in <4f38a7d7a714405098278193b9697ec1>:0 
  at NzbDrone.Core.Download.Clients.Transmission.TransmissionProxy.GetClientVersion (NzbDrone.Core.Download.Clients.Transmission.TransmissionSettings settings) [0x00000] in <4f38a7d7a714405098278193b9697ec1>:0 
  at NzbDrone.Core.Download.Clients.Transmission.Transmission.ValidateVersion () [0x0000c] in <4f38a7d7a714405098278193b9697ec1>:0 
  at NzbDrone.Core.Download.Clients.Transmission.TransmissionBase.TestConnection () [0x00000] in <4f38a7d7a714405098278193b9697ec1>:0 

Transmission is doing the authentication. Nginx simply does a proxy_pass like this:

    location / {
        proxy_read_timeout 300;
        proxy_pass_header  X-Transmission-Session-Id;
        proxy_set_header   X-Forwarded-Host $host;
        proxy_set_header   X-Forwarded-Server $host;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;

        # if you changed the port number for transmission daemon, then adjust the
        # following line
        proxy_pass         http://127.0.0.1:9091/transmission/web/;
    }

    location /rpc {
        proxy_pass         http://127.0.0.1:9091/transmission/rpc;
    }

    location /upload {
        proxy_pass         http://127.0.0.1:9091/transmission/upload;
    }

Directly adding the client by using port 9091 (thus plain HTTP) works.
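The request that Sonarr's TransmissionProxy.AuthenticateClient (seen in the stack trace above) makes against the proxied RPC endpoint, as an added diagnostic example that is not part of this thread or of Sonarr's code. It follows Transmission's documented RPC behaviour (409 plus an X-Transmission-Session-Id header on first contact, which the client must echo back; 401 on rejected Basic credentials) and classifies each failure mode a reverse proxy can introduce. The `transport` callable, the fake daemon and the session id "cafe1234" are constructed stand-ins so it runs offline.

```python
import base64
import json

SESSION_HEADER = "X-Transmission-Session-Id"

def basic_auth(username, password):
    """RFC 7617 Basic credentials, the scheme Sonarr uses for Transmission."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def header(headers, name):
    """Case-insensitive header lookup; proxies may rewrite header case."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def rpc_session_get(transport, rpc_url, username, password):
    """Run Transmission's 409 -> retry handshake; return (diagnosis, session_id).

    transport(method, url, headers, body) -> (status, headers, body) is a
    hypothetical injection point so the logic runs offline against a fake.
    """
    headers = {"Authorization": basic_auth(username, password),
               "Content-Type": "application/json"}
    body = json.dumps({"method": "session-get"})
    session_id = None
    for attempt in range(2):
        status, rheaders, rbody = transport("POST", rpc_url, dict(headers), body)
        if status == 409:
            session_id = header(rheaders, SESSION_HEADER)
            if session_id is None or attempt == 1:
                return "409 without a usable session id: is the proxy passing the header?", None
            headers[SESSION_HEADER] = session_id  # retry with the id Transmission issued
            continue
        if status == 401:
            return "401: Transmission (or something in front of it) rejected the credentials", None
        if status == 200 and rbody.lstrip().startswith("{"):
            return "ok", session_id
        return f"HTTP {status} with a non-RPC body: check the proxied path reaches /transmission/rpc", None

def fake_transmission(valid_auth, session_id="cafe1234", proxy_keeps_header=True):
    """Constructed stand-in for transmission-daemon behind a proxy; proxy_keeps_header=False models a proxy that drops the session header."""
    def transport(method, url, headers, body):
        if header(headers, "Authorization") != valid_auth:
            return 401, {}, "<h1>401: Unauthorized</h1>"
        if not url.endswith("/transmission/rpc"):
            return 404, {}, "<h1>404: Not Found</h1>"
        if header(headers, SESSION_HEADER) != session_id:
            reply = {SESSION_HEADER: session_id} if proxy_keeps_header else {}
            return 409, reply, "<h1>409: Conflict</h1>"
        return 200, {}, json.dumps({"result": "success"})
    return transport
```

Pointing `rpc_session_get` at a real transport (any function that issues the POST and returns status, headers and body) shows which stage fails before TLS trust even enters the picture: a 404 or HTML body means the proxy routed the RPC path elsewhere, a repeated 409 means the session header did not survive the proxy, and a 401 means the credentials never reached a Transmission that accepts them.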

@KireinaHoro
Author

What's worth noting may be that I'm getting failed Indexers like this as well:

Rarbg  Error: SecureChannelFailure (The authentication or decryption has failed.)
Nyaa.si https://nyaa.si/?page=rss&cats=1_37&filter=1 Error: SecureChannelFailure (The authentication or decryption has failed.)

It would be great if there were instructions on how to install the appropriate libcurl for other distributions (I'm using Debian 9).

@hellfirehd

I rolled mono back to 4.8.1.0 and everything started working again. So something in mono 5.x broke SSL/TLS.

@isadon

isadon commented Jul 17, 2017

I am very very close to getting it working on my FreeBSD 11 system. Here is what I found:

  1. I tried nearly everything going with the self-signed certificate route and none of it worked, so instead I went with creating my own CA (certificate authority) and using that to sign my cert. All that's left after that is adding my CA cert to the list of trusted root CA certs on my system. I think you may be able to self-sign as well and instead add the self-signed cert to the trusted cert store, but I haven't tested this.

  2. Sonarr seems to be using libcurl, and on FreeBSD if you didn't build libcurl/curl from source the list of trusted CA certs libcurl uses for validation of certs is hardcoded to be /usr/local/share/certs/ca-root-nss.crt. Technically, appending my generated CA crt in PEM format to this file should get Sonarr working, but as soon as the security/ca_root_nss port updates (and it does very often) I'm assuming the file will get replaced.

Finding an appropriate/easy solution to this problem is where I'm stuck. If you build curl/libcurl from source you can specify the CA bundle location, which you can then use to link to your own managed CA roots cert file. That way, even when the ca-root-nss.crt changes as it inevitably will, you can simply update your managed CA roots file to match and it should work. This is where I last left off.

@isadon

isadon commented Jul 17, 2017

On another note, looking at the Mono documentation it seems like it's possible to get Mono to independently trust certs. That approach may be way easier than how I'm currently going about it. @markus101 Doing a quick glance I'm reading that Mono does support TLS 1.2 natively in 4.8+, so why is the fallback to libcurl still occurring?

Update: Ok so apparently TLS 1.2 support is built in but not normally enabled. It is supported using BoringSSL (a Google fork of OpenSSL not meant for general use).

@markus101
Member

@KireinaHoro Check the Trace logs to see the response from Transmission. The snippets of errors don't really help much, it looks like you're having some issues with secure connections, but if Transmission is actually sending a response, that part is working (unless the authentication is failing because the response fails).

@donileo Mono 5.0 and BoringSSL are not working 100% of the time, so we still recommend 4.8, or 5.0 with the legacy TLS provider. See #1928 (or the multiple forum threads on the issue).

This issue is fractured with multiple issues and is not the correct location for support. Please open a thread on the forums for support and we can help troubleshoot.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 4, 2021