Transmission 3.0 causes all tracker to fail to connect #4101

Closed
yegle opened this issue Aug 3, 2020 · 14 comments

yegle commented Aug 3, 2020

For new Package Requests, see the guidelines

Setup

Package Name: Transmission
Package Version: 3.0

NAS Model: DS1515+
NAS Architecture: x86_64 (?)
DSM version: DSM 6.2.3-25426 Update 2

Expected behavior

Tracker should connect successfully, as it was with the old 2.9.X version.

Actual behavior

The status of tracker is just "Could not connect to tracker" without other additional information.

Steps to reproduce

1. Update to 3.0

Package log

Check Package Center or /usr/local/{package}/var/

[2020-08-03 14:31:32.093] XXXXX Could not connect to tracker (announcer.c:1085)
[2020-08-03 14:31:32.093] XXXXX Retrying announce in 3604 seconds. (announcer.c:1094)

Other logs

E.g. /var/log/messages or /var/log/synopkg.log

Note: running a curl on the NAS to the tracker announce address returns expected result:

$ curl -v https://tracker.xxxxx/announce.php                                           
...
< HTTP/2 200 

yegle commented Aug 3, 2020

Hmm, if I modify the tracker from https:// to http://, then it was able to connect to the server and get list of peers.

Looks like this is due to SSL certificate issue?

yegle commented Aug 3, 2020

Yes, this is indeed likely caused by a certificate issue (lack of bundled certificate?)

/volume1/@appstore/transmission/bin
$ ./curl -v https://tracker.XXXXX/announce.php
*   Trying XXXXX:443...
* Connected to tracker.XXXXX (XXXXX) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

yegle commented Aug 3, 2020

I noticed the changelog of git (also from SynoCommunity repo) contains the following:

Fixed configuration of CA certificates (use DSM ca-certificates that hopefully will be updated by Synology

Does this mean Transmission also needs some special configuration?

yegle commented Aug 3, 2020

@hgy59 to raise awareness :-)

yegle commented Aug 3, 2020

Workaround:

Edit /var/packages/transmission/scripts/service-setup and add the following line anywhere in this file:

export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

This file will likely be overwritten the next time this package is updated; hopefully by that time the SSL issue is fixed.
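
An added example, not part of the comment above and not SynoCommunity code: one way to apply that workaround idempotently, checking first that the CA bundle exists and actually contains certificates, so TLS verification stays on instead of being bypassed. The function names `is_pem_bundle` and `apply_ca_workaround` are hypothetical; the two paths in the usage comment are the ones given in the comment.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the package).

# Succeeds if $1 is a readable file holding at least one PEM certificate.
# Pointing CURL_CA_BUNDLE at a missing or empty file would leave curl
# failing with the same "unable to get local issuer certificate" error.
is_pem_bundle() {
    [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# apply_ca_workaround SCRIPT BUNDLE
# Appends "export CURL_CA_BUNDLE=BUNDLE" to SCRIPT unless SCRIPT already
# exports CURL_CA_BUNDLE. A copy of SCRIPT is kept as SCRIPT.bak.
# Return codes:
#   0 = line added
#   1 = already present, nothing changed
#   2 = bundle missing or not a PEM bundle
#   3 = script missing, not writable, or backup failed
apply_ca_workaround() {
    script=$1
    bundle=$2
    is_pem_bundle "$bundle" || return 2
    [ -f "$script" ] && [ -w "$script" ] || return 3
    if grep -Eq '^[[:space:]]*export[[:space:]]+CURL_CA_BUNDLE=' "$script"; then
        return 1
    fi
    cp -p "$script" "$script.bak" || return 3
    printf '\nexport CURL_CA_BUNDLE=%s\n' "$bundle" >> "$script"
}

# Usage on the NAS, as root, with the paths from the comment above:
#   sh this-file.sh /var/packages/transmission/scripts/service-setup \
#       /etc/ssl/certs/ca-certificates.crt
if [ "$#" -eq 2 ]; then
    apply_ca_workaround "$1" "$2"
fi
```

Because the package update overwrites `service-setup`, a return code of 0 after an update means the workaround had been lost and was re-applied.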

listenfree commented Aug 4, 2020

Updated to Transmission v3.00-18; it still cannot support TLS 1.3, only under TLS 1.2.

vjayer commented Aug 4, 2020

I've updated to v3.00-17 (the latest available to me) and aside from the tracker connection issue, which I also get and see in the log, I cannot add torrents via URLs anymore. Opening via URL always returns:

Error adding "https://....": gotMetadataFromURL: http error 0: No Response

Is this the same issue?

Update:
So it appears to be caused by the same cert issue. I added yegle's workaround and it now works.

@ymartin59
Contributor

@hgy59 May you please help about it?

yegle commented Aug 4, 2020

@vjayer yes likely the same issue. The workaround in #4101 (comment) should work.

@ymartin59 it would be faster to just use the same workaround.

@przemek808

I have this issue, too.
Unfortunately the workaround did not work for me.
Any further ideas? Could you @yegle help me to find the issue?

yegle commented Sep 29, 2020

@przemek808 can you verify using the command in #4101 (comment) that this is the same issue? AFAICT this bug should've been fixed.

@przemek808

@yegle indeed it is not exactly the same:

* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.

przemek808 commented Oct 2, 2020

@yegle if you confirm that this is another issue I would open a new ticket if it's not related to a cert issue from the tracker.

yegle commented Oct 2, 2020

Yes I think it's a different issue.

yegle closed this as completed Oct 2, 2020