fulder / iocage-plugin-jackett

Jackett plugin for iocage

mono-6.8.0.105.txz needs to be recompiled. #4

Open willfroning opened 3 years ago

willfroning commented 3 years ago

With Let's Encrypt "DST Root CA X3" expiring, Mono's BoringSSL library needs to be rebuilt.

https://github.com/Jackett/Jackett/issues/12341 and https://github.com/mono/mono/issues/21233 reference the issue.

If mono doesn't fix it, maybe using Sonarr's TLS patch is the better fix.

fulder commented 3 years ago

This is a disturbing issue :disappointed:

After some debugging, re-building mono from source / port and reading through the issue links together with e.g:

My understanding and summarization is:

  1. Like you wrote @willfroning, Let's Encrypt CA certificate expired Sep 30 14:01:15 2021 GMT, although as it's still a cross-signed CA cert some clients could experience issues still trying to check if it's valid (while present in the OS trust store)
  2. the mono6.8-6.8.0.123 port is broken and cert-sync no longer works properly
  3. the jackett port package has a dependency on the new mono6.8-6.8.0.123

In order to create a quickfix for this plugin what I've done now is:

(see PR #5 for more info, it's merged and ported back to 12.2 branch now)

I've tried to both install a fresh version of the plugin and run an update on my old version. Looks like it works properly and I can now connect to trackers with Let's Encrypt cert once again. If you could try updating/re-installing yourself now it would be much appreciated and if it works we could maybe close this issue again.

geoffgs commented 3 years ago

Hi @fulder really appreciate the effort you're taking and thank you for finding my comments in the main Jackett repo. I can confirm this worked! Removing mono 6.8.0.123, installing mono 6.8.0.105, manually removing the DST X3 certificate, and all is well again.

Some rough steps below for whoever may come across this. For background I'm on 12.2-RELEASE-p10 kernel 1202000 with an existing jail and with jackett version v0.18.1008. See this TrueNAS thread to compile your own mono 6.8.0.105 or grab a pre-compiled version from jailmanager's GitHub.

```
# uname -r && uname -a
12.2-RELEASE-p10
1202000
# pkg update && pkg upgrade -y
[...] omitted
Your packages are up to date.
# service jackett stop
# certsync
Mono Certificate Store Sync - version **6.8.0.105**
[...] omitted
# pkg info -l mono | head -n 1
**mono-6.8.0.123**:
# pkg remove mono
[...] omitted
# fetch -o /tmp/mono-6.8.0.105.txz https://github.com/jailmanager/jailmanager.github.io/releases/download/v0.0.1/mono-6.8.0.105.txz
/tmp/mono-6.8.0.105.txz           70 MB   99 MBps    01s
# pkg install -y /tmp/mono-6.8.0.105.txz
[...] omitted
# pkg info -l mono | head -n 1
mono-6.8.0.105:
# rm /usr/share/certs/trusted/DST_Root_CA_X3.pem
# curl https://curl.se/ca/cacert.pem | cert-sync /dev/stdin
[...] omitted
Certificate removed: O=Digital Signature Trust Co., CN=DST Root CA X3
# service jackett restart
```

And voila, tests against trackers with LetsEncrypt certificates are validating again.

fulder commented 3 years ago

Nice steps @geoffgs, did you run these inside a new iocage jail or something else? The rm /usr/share/certs/trusted/DST_Root_CA_X3.pem command is not working for me in the new iocage jails, hence the script for removal of it from the readable /usr/local/share/certs/ca-root-nss.crt.

This is probably related to the previously mentioned bug with cert-sync failure with new mono also trying to use a folder inside /usr/share/.mono and the fact that the new jails are using the same release folder from TrueNAS, mounting e.g. /usr/share from the TrueNAS FreeBSD release "templates" in read-only mode. It would probably also work to remove this cert inside the release folder on TrueNAS OS level, although that's outside of this plugin and doesn't feel like a good solution as it would e.g. make it buggy again while switching between releases where it hasn't been removed.
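
An added example, not part of the thread and not the plugin's own removal script: one way to drop a root by subject from a PEM bundle such as /usr/local/share/certs/ca-root-nss.crt before handing it to cert-sync. The function names, the helper that builds throwaway sample certificates and the demo bundle are assumptions made for illustration; it needs the openssl command-line tool.

```sh
#!/bin/sh
# Added example (not from the thread): filter a PEM CA bundle by subject.

# filter_bundle IN OUT PATTERN
# Writes every certificate in IN to OUT except those whose subject contains
# PATTERN, and prints how many were dropped. Text between PEM blocks is ignored.
filter_bundle() {
    in=$1; out=$2; pattern=$3
    work=$(mktemp -d) || return 1
    # Split the bundle into one file per BEGIN/END CERTIFICATE block.
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { file = sprintf("%s/cert%05d.pem", dir, ++n) }
        file != ""                    { print > file }
        /-----END CERTIFICATE-----/   { close(file); file = "" }
    ' "$in"
    : > "$out"
    dropped=0
    for f in "$work"/cert*.pem; do
        [ -e "$f" ] || continue
        # Blocks openssl cannot parse are left out of OUT and reported.
        if ! subject=$(openssl x509 -in "$f" -noout -subject 2>/dev/null); then
            echo "skipping unparseable block: $f" >&2
            continue
        fi
        case $subject in
            *"$pattern"*) dropped=$((dropped + 1)) ;;
            *)            cat "$f" >> "$out" ;;
        esac
    done
    rm -rf "$work"
    echo "$dropped"
}

# Constructed sample input: a throwaway self-signed certificate.
# make_sample_ca SUBJECT OUT   (hypothetical helper, for the demo only)
make_sample_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null && rm -f "$2.key"
}

# Demo on a constructed two-certificate bundle.
demo=$(mktemp -d)
make_sample_ca "/O=Digital Signature Trust Co./CN=DST Root CA X3" "$demo/a.pem"
make_sample_ca "/CN=Constructed Example Root" "$demo/b.pem"
cat "$demo/a.pem" "$demo/b.pem" > "$demo/bundle.pem"
echo "dropped: $(filter_bundle "$demo/bundle.pem" "$demo/filtered.pem" "DST Root CA X3")"
```

In a jail, the filtered file would be passed to cert-sync in place of the original bundle, in the same way as the cert-sync invocations shown in this thread.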

geoffgs commented 3 years ago

This was performed in an existing iocage jail, it's been upgraded a few times. Here's some other efforts in my cage that I tried before with no effect, but maybe they had an impact:

Maybe the certctl blacklisting was helpful, but it wasn't until I removed the DST_Root_CA_X3.pem from everywhere I could find it with a cert-sync. For me the key difference in the most recent attempt was the final cert-sync that read out Certificate removed: O=Digital Signature Trust Co., CN=DST Root CA X3 and I was back to a working state.

aleos89 commented 1 year ago

I was having an issue with this as well, continuing into TrueNAS 13.1-RELEASE. I was noticing that even though #5 was in my content and running, the mono package kept automatically getting pulled to the latest version of 6.8.0.123_1 even though 6.8.0.105 is being installed locally. The solution I found was:

```
service jackett stop
pkg lock jackett
pkg remove -fy mono6.8
pkg install -y /usr/local/migration/bin/mono-6.8.0.105.txz
cert-sync /usr/local/share/certs/ca-root-nss.crt
# After running cert-sync this time I didn't get a bunch of mono errors
pkg unlock jackett
service jackett start
```