animetosho / Nyuu

Flexible usenet binary posting tool

Issue with "ignore-cert" on latest Windows prebuilt 0.4.0 #86

Closed cavalia88 closed 2 years ago

cavalia88 commented 3 years ago

I recently updated to the latest Windows prebuilt 0.4.0. Have been encountering the following error: "[WARN] NNTP connection failed: self signed certificate in certificate chain, reconnecting after 15 second(s)". The only way to overcome this error is to set "ignore-cert" to TRUE.

In the previous 0.3.8 build that I have been using for the past two years, I have always set "ignore-cert" to FALSE in the config-nyuu file.

I used back the same config-nyuu.json file for both 0.3.8 and 0.4.0 versions. No issues with posting on the 0.3.8 version. I do get the above mentioned error when using the latest 0.4.0.

I'm posting to the same server, and using the same config-nyuu file and post settings, so the only variable is the new version 0.4.0. I'd appreciate it if you could have a look.

animetosho commented 3 years ago

Thanks for the report.
Would you be able to share the hostname + port that you're using?

cavalia88 commented 3 years ago

The information requested:

"host": "news.usenetexpress.com" "port": 563

The same problem exists for resellers of the usenetexpress service.

animetosho commented 3 years ago

Thanks for the info. Unfortunately, I am unable to reproduce your issue.
I did some testing and certificate verification seems to work on that build. I also tried your host/port combo and it seems to verify fine as well.

So all I can think of is shooting in the dark:

(it's even weirder that the old version works fine for you)

The first part of my key exchange is posted below, if you want to compare it with yours:

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = usenetexpress.com
verify return:1
---
Certificate chain
 0 s:CN = usenetexpress.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=CN = usenetexpress.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3035 bytes and written 394 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
cavalia88 commented 3 years ago

I'm not too technical, but tried what I could.

Added "sni-host": "news.usenetexpress.com", getting error "[WARN] NNTP connection failed: connect ECONNREFUSED 127.0.0.1:563, reconnecting after 15 second(s)... (attempt 1/1)"

Tried watching with OpenSSL, same certificate issue. Antivirus and VPN all switched off. See output:

C:\Users\>openssl s_client -host news.usenetexpress.com -port 563
CONNECTED(000001B0)
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = usenetexpress.com
verify return:1
---
Certificate chain
 0 s:CN = usenetexpress.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=CN = usenetexpress.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3035 bytes and written 404 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: A0E7E4560F483F9DBA972C7CED0E835ECFDBE35751F0A01E090D21AD0925582B
    Session-ID-ctx:
    Resumption PSK: 6B9E6F054F2F3FF2AF56695EE07E3693FD3C0002BE287C790E1DDCF0C0732EA5E8B0CF867EC98E7D6CDC5F7E8271EEA6
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:

    Start Time: 1609811097
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
200 Welcome to UsenetExpress (fe24.iad1)

animetosho commented 3 years ago

> Added "sni-host": "news.usenetexpress.com", getting error "[WARN] NNTP connection failed: connect ECONNREFUSED 127.0.0.1:563, reconnecting after 15 second(s)... (attempt 1/1)"

Ah, you're supposed to add it in addition to the existing "host" field, not replace it.
Though from your other info, I don't think it'll make a difference.

Do you know whether it works fine on any other server?
Maybe the output of some of these commands might reveal some more info:

nyuu.exe -hanimetosho.org -S -P443 -n1 --connect-timeout 5 --connect-retries 0 -q "%userprofile%\Documents\desktop.ini"
nyuu.exe -hself-signed.badssl.com --sni-host self-signed.badssl.com -S -P443 -n1 --connect-timeout 5 --connect-retries 0 -q "%userprofile%\Documents\desktop.ini"
nyuu.exe -huntrusted-root.badssl.com --sni-host untrusted-root.badssl.com -S -P443 -n1 --connect-timeout 5 --connect-retries 0 -q "%userprofile%\Documents\desktop.ini"
nyuu.exe -hsha256.badssl.com --sni-host sha256.badssl.com -S -P443 -n1 --connect-timeout 5 --connect-retries 0 -q "%userprofile%\Documents\desktop.ini"

But honestly, I don't know. The certificate you're getting is the same as what I'm getting. So that suggests that perhaps the CA root isn't known on your system, for whatever reason.

It's odd that the old version works. I don't believe I've changed anything that should've affected SSL. New version is using NodeJS 12, whilst the old one is using NodeJS 4, so maybe something's changed there to cause your problem. Other difference is 32-bit vs 64-bit, if they happen to do certificate checking differently.
If you're interested in testing the theory, you can try different versions of NodeJS and see what works (if you don't have the necessary build tools set up, I can help compile yencode for you, but you'll need to tell me the exact NodeJS version + whether it's 32/64 bit, that you're trialing with).

cavalia88 commented 3 years ago

Nyuu 0.4.0 works fine on "host": "eunews2.blocknews.net" and "host": "secure.europe.thecubenet.com".

The results of your commands:

D:\Process\Nyuu>nyuu.exe -hanimetosho.org -S -P443 -n1 --connect-timeout 5 --connect-retries 0 -q "%userprofile%\Documents\desktop.ini"
[ERR ] NNTPError: NNTP connection failed: Connect timed out (use `skip-errors` to ignore)

D:\Process\Nyuu>nyuu.exe -hself-signed.badssl.com --sni-host self-signed.badssl.com -S -P443 -n1 --connect-timeout 5 --connect-retries 0 -q "%userprofile%\Documents\desktop.ini"
[ERR ] NNTPError: NNTP connection failed: self signed certificate (use `skip-errors` to ignore)

D:\Process\Nyuu>nyuu.exe -huntrusted-root.badssl.com --sni-host untrusted-root.badssl.com -S -P443 -n1 --connect-timeout 5 --connect-retries 0 -q "%userprofile%\Documents\desktop.ini"
[ERR ] NNTPError: NNTP connection failed: self signed certificate in certificate chain (use `skip-errors` to ignore)

D:\Process\Nyuu>nyuu.exe -hsha256.badssl.com --sni-host sha256.badssl.com -S -P443 -n1 --connect-timeout 5 --connect-retries 0 -q "%userprofile%\Documents\desktop.ini"
[ERR ] NNTPError: NNTP connection failed: Connect timed out (use `skip-errors` to ignore)

OpenSSL handshake results for Blocknews

CONNECTED(00000184)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = blocknews.net
verify return:1
---
Certificate chain
 0 s:CN = blocknews.net
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=CN = blocknews.net

issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5066 bytes and written 403 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 593F52473DCFA5375E5B072A54F4575870398A406230528A87E25A6A4F0FD17F
    Session-ID-ctx:
    Resumption PSK: 5FE82CDF5E24239146D25902469AE60A02CB878F1A2D9A075061EB7F4C99AD85C8553CDA6DA2181EBC8846CD486FB858
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1609835897
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: F4306BA4889DA57F89286E74FDCBB6227822A45FC2E4A7785CE52DDFE403A5FE
    Session-ID-ctx:
    Resumption PSK: C3B86F42AEB758284ACF109102D18D6472912895451D34197A7612CD1ABE04B692D1CADBD9E4070399EC6A73F33C9478
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1609835897
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
200 Welcome to Usenet

Cubenet

C:\Users\>openssl s_client -host secure.europe.thecubenet.com -port 80
CONNECTED(00000184)
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = news.sslusenet.com
verify return:1
---
Certificate chain
 0 s:CN = news.sslusenet.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=CN = news.sslusenet.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4359 bytes and written 410 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: C471E7DBBCAF44E64EF79FB798F4BDD14F8EAADEB1DBE0060CC9758E2F0A6E24
    Session-ID-ctx:
    Resumption PSK: CB3CD914AE9BDFF85755177FA0838C71D538326D6A72013025A62568F52724DF19589D5895B1DA20020EB75E59813ADD
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1609836015
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: AF5F6AD51C4E698655F25C86DE1E1B0552451498B656D9CB89A2A61F3513D45E
    Session-ID-ctx:
    Resumption PSK: 2CF7A2F57BF80670711FEA901560ADAF9B319006DEA40F2098DB7D01E8C92E29A6A347C3618D9B6D83ABC07BC2E90DE9
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1609836015
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
200 Welcome

Handshake results for cubenet and blocknews show similar return codes (20 - unable to get local issuer certificate), but I don't encounter errors when using them with Nyuu. Most strange. The only difference I note is that for cubenet / blocknews, they show the arrival of two "Post-Handshake New Session Ticket arrived", as opposed to only once for Usenetexpress.

I'm happy to try whatever you suggested. Not really a technical guy, so would be great if you can provide instructions on how to proceed.

animetosho commented 3 years ago

Interesting, your tests seem to indicate certificate validation is working properly in Nyuu, so I don't know why UsenetExpress specifically is acting differently for you.

In fact, TheCubeNet even uses the same intermediary/root as UsenetExpress, and the error in your first post suggests that it doesn't like UsenetExpress' intermediary/root.

> Handshake results for cubenet and blocknews show similar return codes (20 - unable to get local issuer certificate)

I think that might be an OpenSSL Windows thing, as I seem to get it too.
If you see a '200' on the last line though, everything's worked fine.

Are you able to test with a clean Windows 10 (1809 or newer) install in a virtual machine perhaps? Again, I really don't know what to suggest, so just throwing random ideas out...
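
As an added example (not code from Nyuu or from either participant), a small parser that automates the s_client reading done by hand in this thread: verify code 20 reported at the top of the chain the server sent means only the root is unknown to the local store, code 20 lower down means the server omitted an intermediate, and a 200 banner only shows the session went through. The embedded transcript is abbreviated from the UsenetExpress output posted above.

```python
# Added example (not code from the Nyuu project): interpret `openssl s_client` output.
# SAMPLE is abbreviated from the UsenetExpress transcript in this thread (ticket dump dropped).
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class HandshakeReport:
    chain: List[Tuple[str, str]] = field(default_factory=list)         # (subject, issuer) by depth
    depth_errors: List[Tuple[int, int]] = field(default_factory=list)  # (depth, OpenSSL verify errnum)
    verify_code: Optional[int] = None
    greeting: Optional[str] = None                                     # NNTP "200 ..." banner

_DEPTH = re.compile(r"^depth=(\d+) ")
_DEPTH_ERR = re.compile(r"^verify error:num=(\d+):")
_SUBJECT = re.compile(r"^\s*(\d+) s:(.*)$")
_ISSUER = re.compile(r"^\s*i:(.*)$")
_VERIFY = re.compile(r"^Verify return code: (\d+) ")

def parse_s_client(text: str) -> HandshakeReport:
    r, depth, subject = HandshakeReport(), None, None
    for line in text.splitlines():
        if m := _DEPTH.match(line):
            depth = int(m.group(1))
        elif (m := _DEPTH_ERR.match(line)) and depth is not None:
            r.depth_errors.append((depth, int(m.group(1))))
        elif m := _SUBJECT.match(line):
            subject = m.group(2).strip()
        elif (m := _ISSUER.match(line)) and subject is not None:
            r.chain.append((subject, m.group(1).strip()))
            subject = None
        elif (m := _VERIFY.match(line)) and r.verify_code is None:
            r.verify_code = int(m.group(1))  # handshake result; session-ticket blocks repeat it
        elif line.startswith("200 "):
            r.greeting = line
    return r

def diagnose(r: HandshakeReport) -> str:
    """Explain a failed verification from where in the chain OpenSSL gave up."""
    if r.verify_code == 0:
        return "ok: chain verified against the local trust store"
    top = len(r.chain) - 1
    for depth, num in r.depth_errors:
        if num == 20 and depth >= top:
            # Everything the server sent chained; only the root is missing from the local store.
            return f"root not in local store: '{r.chain[top][1]}' (code 20 at top of chain)"
        if num == 20:
            return f"server omitted the issuer of '{r.chain[depth][0]}' (code 20 at depth {depth})"
        if num in (18, 19):  # 18: leaf self-signed; 19: chain ends in an untrusted self-signed root
            return f"untrusted self-signed certificate at depth {depth} (code {num})"
    return f"verification failed with code {r.verify_code}"

def session_completed(r: HandshakeReport) -> bool:
    """s_client continues after a verify failure: a 200 banner proves TLS+NNTP worked, not trust."""
    return r.greeting is not None

SAMPLE = """\
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=20:unable to get local issuer certificate
depth=0 CN = usenetexpress.com
---
Certificate chain
 0 s:CN = usenetexpress.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
Verify return code: 20 (unable to get local issuer certificate)
200 Welcome to UsenetExpress (fe24.iad1)
"""
```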

cavalia88 commented 3 years ago

I tested on a separate laptop, with same version of Windows 10 Pro (10.0.18363), same VPN but using a different ISP. Able to post without errors on UsenetExpress with Nyuu 0.4.0.

Looks like one remote possibility is that it could be an ISP issue. Then again, if it was an ISP issue, I should have encountered the same problem even when I used 0.3.8.

Anyway, I could either (i) continue to use the trustworthy 0.3.8, or (ii) use the 0.4.0 with "ignore-cert" set to TRUE. Any impact on posting if "ignore-cert" is set to TRUE? The post seems to go through properly as long as the setting is set to TRUE on 0.4.0.

animetosho commented 3 years ago

Thanks for trying that - that narrows things down then.

If you're using a VPN, the ISP shouldn't have any effect. Maybe it's something with the CA/certificate store on your main machine, or something (like antivirus) messing with the validation (though that'd still be weird).

> Any impact on posting if "ignore-cert" is set to TRUE?

No impact on posting.

The certificate check is there to detect if someone is (actively) intercepting your connection (i.e. performing a man-in-the-middle attack). If you aren't concerned with that, there is no issue with ignoring validity checks.
Personally I wouldn't be too concerned, particularly since you're using a VPN (though the fact that you're getting it in the first place is weird), but only you can assess your risk profile.

I might add a CA option which would allow you to pin accepted certificate roots, which is less "risky" than just ignoring all validation errors, though I suspect few would bother using it.

cavalia88 commented 3 years ago

Thanks for all your assistance. Will ignore the certificate check and use version 0.4.0 then.

If I do manage to isolate the source of the issues, I will let you know again.