nosmokingbandit / Watcher3

SSL: CERTIFICATE_VERIFY_FAILED #266

Open DraZtiK opened 6 years ago

DraZtiK commented 6 years ago

Is there any way to prevent or a workaround for this error when I use the post-processing script in Nzbget? What I assume is that watcher will not allow a connection from Nzbget on self-signed certs? Both Nzbget and watcher use self-signed.

My Nzbget log:

error Fri Jul 27 2018 11:30:02 Post-process-script watcher.py for The.Movie. failed (terminated with unknown status)
info Fri Jul 27 2018 11:30:02 watcher: urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:720)>
info Fri Jul 27 2018 11:30:02 watcher: raise URLError(err)
info Fri Jul 27 2018 11:30:02 watcher: File "/usr/lib/python3.5/urllib/request.py", line 1256, in do_open
info Fri Jul 27 2018 11:30:02 watcher: context=self._context, check_hostname=self._check_hostname)

nosmokingbandit commented 6 years ago

There really isn't an easy way to handle this, but it is possible.

I'll modify all of the scripts to have this option available, but meanwhile you can edit your nzbget.py, just make sure you use a copy so git doesn't complain when you try to update in the future.

Add at line 29:

import ssl

Add at line 68:

ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE

Modify line 77 from:

response = json.loads(urlopen(request, timeout=600).read().decode('utf-8'))

To:

response = json.loads(urlopen(request, timeout=600, context=ctx).read().decode('utf-8'))

This tells the script not to verify ssl certs. Everything will still be encrypted, it just won't care who did the encrypting.
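Added example, not part of the thread or of Watcher's scripts: with `ssl.CERT_NONE` the script accepts whatever certificate the peer presents, so the connection is encrypted but the server is not authenticated. The sketch below goes one step beyond the edit above by keeping the same relaxed context and then comparing the presented certificate's SHA-256 fingerprint to a pinned value before any request data is sent. The function names and parameters are hypothetical.

```python
import hashlib
import http.client
import json
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def cert_matches_pin(der_cert: bytes, pinned: str) -> bool:
    """Accept the pin as plain hex or in openssl's AA:BB:... form."""
    wanted = pinned.replace(":", "").strip().lower()
    return fingerprint(der_cert) == wanted


def post_pinned(host, port, path, body: bytes, pinned, timeout=600):
    """POST body to https://host:port/path only if the server certificate
    matches the pinned fingerprint (hypothetical helper)."""
    # CA and hostname checks stay off, as in the thread: a self-signed
    # certificate fails both. The pin check below authenticates the peer.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.connect()  # TLS handshake only; no request has been sent yet
        # binary_form=True returns the DER certificate even when unverified
        der = conn.sock.getpeercert(binary_form=True)
        if der is None or not cert_matches_pin(der, pinned):
            raise ssl.SSLError("server certificate does not match the pin")
        conn.request("POST", path, body=body)
        return json.loads(conn.getresponse().read().decode("utf-8"))
    finally:
        conn.close()
```

The pin can be read from the server's certificate file with `openssl x509 -in cert.pem -noout -fingerprint -sha256`; it has to be updated whenever the self-signed certificate is regenerated.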

DraZtiK commented 6 years ago

Would it be easier to just allow both secure and non-secure connections simultaneously, or does the server only allow one or the other? I believe Nzbget allows both?

nosmokingbandit commented 6 years ago

The connection request isn't made directly from nzbget but rather a subprocess of python calling the script. So none of nzbget's server settings have any effect on scripts (pre or post). Watcher should be handling the request normally, but the response back to the post-script subprocess isn't accepted due to the self-signed cert. It's a bit of a pain, but the only way to allow imperfect ssl certs is to specifically ignore those errors in the post-script.

I just pushed 0b446cefd40a51afb848b9932843b5b3c15d52a2, check it out. All the scripts have been updated to allow you to disable ssl cert verification. You should be able to just copy the new nzbget.py to your nzbget scripts dir and the option will be available in nzbget's webui.