
Sonarr is a PVR for Usenet and BitTorrent users. It can monitor multiple RSS feeds for new episodes of your favorite shows and will interface with clients and indexers to grab, sort, and rename them. It can also be configured to automatically upgrade the quality of files already downloaded when a better quality format becomes available. You can find us on discord at https://discord.sonarr.tv/
Enabling SSL confusion
Hi,
I'm trying to enable SSL on Sonarr using a certificate signed by my local CA. (Before everyone tells me to reverse proxy/Let's Encrypt... I want SSL enabled on my local network.)
I have SSL working with local certs on radarr, which has a GUI option for uploading a cert.
Sonarr doesn't have this option. When I click "Enable SSL" I don't see any option to upload my certificate. Reading the wiki (https://github.com/Sonarr/Sonarr/wiki/SSL) I see I have to use a cert hash. So I generated a cert hash from my .crt using
openssl x509 -noout -fingerprint -sha256 -inform pem -in sonarr.crt
and manually edited the config.xml <SslCertHash> field with this value.
This doesn't work. I tried the cert hash separated by ":" (the default output from openssl), separated by " " (the default on Windows apparently), and with no separation. Nothing works.
Sonarr is binding to the port, but the browser reports that Sonarr unexpectedly closed the connection.
I have tried enabling log level debug and trace but it makes zero difference to the Sonarr log output. I don't think it even works?
Edit: my bad, I see debug/trace log to different files. When I run with trace I see nothing in the logs when I try to connect.
I'm trying to connect with curl from within the jail (to make sure there aren't firewall/whatever issues):
curl -k localhost:9898
curl: (52) Empty reply from server
Has anyone actually got this working?
Sonarr is running on FreeBSD in a jail, if that makes any difference.
Version 3.0.9.1549
Package Version 3.0.9.1549 by [email protected]
Mono Version 6.8.0.123
Using a LetsEncrypt cert doesn't prevent this; this is how I'm set up. You just need to enable hairpin NAT at your router, so that the request for your own public IP coming from behind the firewall is directed properly. It's a better setup too, because then you don't have to dink around with certificate validity from outside your local network, assuming you ever connect that way.
I think they are trying to secure their internal network communications to prevent bad actors intercepting traffic if someone were to gain access somehow.
I’m going to still recommend a reverse proxy. Even if you only plan on connecting locally, one of the huge benefits of a reverse proxy is simplifying and automating certificate provisioning and renewals. It will work just great on your local network if you set up some local DNS provider like unbound, pihole, Adguard etc. as well as being great for managing traffic from the internet.
Hi u/Lunarghini -
There are many resources available to help you troubleshoot and help the community help you. Please review this comment and you can likely have your problem solved without needing to wait for a human.
Most troubleshooting questions require debug or trace logs. In all instances where you are providing logs please ensure you followed the Gathering Logs wiki article to ensure your logs are what are needed for troubleshooting.
Logs should be provided via the methods prescribed in the wiki article. Note that Info logs are rarely helpful for troubleshooting.
Dozens of common questions & issues and their answers can be found on our FAQ.
Please review our troubleshooting guides that lead you through how to troubleshoot and note various common problems.
Searches, Indexers, and Trackers - For if something cannot be found
Downloading & Importing - For when download clients have issues or files cannot be imported
If you're still stuck you'll have useful debug or trace logs and screenshots to share with the humans who will arrive soon. Those humans will likely ask you for the exact same thing this comment is asking.
Once your question/problem is solved, please comment anywhere in the thread saying '!solved' to change the flair to solved.
I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.