[BUG] iptorrents.com certificate ca is not supported

[osh123]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

prowlarr is not able to connect to iptorrents.com due to ca not being installed in the container.

root@23bff4ccdb8f:/# curl -v https://iptorrents.com
* Host iptorrents.com:443 was resolved.
* IPv6: 2606:4700:20::681a:d4f, 2606:4700:20::681a:c4f, 2606:4700:20::ac43:4899
* IPv4: 172.67.72.153, 104.26.13.79, 104.26.12.79
*   Trying [2606:4700:20::681a:d4f]:443...
* Immediate connect fail for 2606:4700:20::681a:d4f: Network unreachable
*   Trying [2606:4700:20::681a:c4f]:443...
* Immediate connect fail for 2606:4700:20::681a:c4f: Network unreachable
*   Trying [2606:4700:20::ac43:4899]:443...
* Immediate connect fail for 2606:4700:20::ac43:4899: Network unreachable
*   Trying 172.67.72.153:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* closing connection #0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

Expected Behavior

No response

Steps To Reproduce

1. Run curl -v https://iptorrents.com in the prowlarr container

Environment

- OS: Debian 12.11
- How docker service was installed: apt

CPU architecture

x86-64

Docker creation

docker-compose.yml:


services:
  prowlarr:
    image: linuxserver/prowlarr:latest
    container_name: prowlarr
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Asia/Jerusalem
    volumes:
      - ./config:/config
    ports:
      - 9696:9696
    restart: unless-stopped
    labels:
      - "diun.enable=true"

Container logs

prowlarr  | [Error] X509CertificateValidationService: Certificate validation for iptorrents.com failed. RemoteCertificateChainErrors 
prowlarr  | [Warn] IPTorrents: Unable to connect to indexer 
prowlarr  | 
prowlarr  | [v1.37.0.5076] System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
prowlarr  |  ---> System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.
prowlarr  |    at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
prowlarr  |    at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
prowlarr  |    at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
prowlarr  |    at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
prowlarr  |    --- End of inner exception stack trace ---
prowlarr  |    at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
prowlarr  |    at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
prowlarr  |    at System.Net.Http.HttpConnectionPool.AddHttp2ConnectionAsync(HttpRequestMessage request)
prowlarr  |    at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
prowlarr  |    at System.Net.Http.HttpConnectionPool.GetHttp2ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
prowlarr  |    at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
prowlarr  |    at System.Net.Http.AuthenticationHelper.SendWithAuthAsync(HttpRequestMessage request, Uri authUri, Boolean async, ICredentials credentials, Boolean preAuthenticate, Boolean isProxyAuth, Boolean doRequestAuth, HttpConnectionPool pool, CancellationToken cancellationToken)
prowlarr  |    at System.Net.Http.DiagnosticsHandler.SendAsyncCore(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
prowlarr  |    at System.Net.Http.DecompressionHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
prowlarr  |    at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
prowlarr  |    at NzbDrone.Common.Http.Dispatchers.ManagedHttpDispatcher.GetResponseAsync(HttpRequest request, CookieContainer cookies) in ./Prowlarr.Common/Http/Dispatchers/ManagedHttpDispatcher.cs:line 120
prowlarr  |    at NzbDrone.Common.Http.HttpClient.ExecuteRequestAsync(HttpRequest request, CookieContainer cookieContainer) in ./Prowlarr.Common/Http/HttpClient.cs:line 171
prowlarr  |    at NzbDrone.Common.Http.HttpClient.ExecuteAsync(HttpRequest request) in ./Prowlarr.Common/Http/HttpClient.cs:line 70
prowlarr  |    at NzbDrone.Core.Indexers.IndexerHttpClient.ExecuteProxiedAsync(HttpRequest request, ProviderDefinition definition) in ./Prowlarr.Core/Indexers/IndexerHttpClient.cs:line 43
prowlarr  |    at NzbDrone.Core.Indexers.HttpIndexerBase`1.<>c.<<FetchIndexerResponse>b__57_0>d.MoveNext() in ./Prowlarr.Core/Indexers/HttpIndexerBase.cs:line 665
prowlarr  | --- End of stack trace from previous location ---

[github-actions]

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

[thespad]

See https://bugzilla.mozilla.org/show_bug.cgi?id=1957701

AAA Certificate Services as been removed from the ca bundle and it's one of the trust paths for Cloudflare's certs. The other path goes to a trusted cert but the site isn't sending that intermediate cert so the client can't follow that path

[aptalca]

That removal affected quite a few Cloudflare proxied sites. The solution I believe is for the website admins to update their certs in the Cloudflare interface.

[osh123]

See https://bugzilla.mozilla.org/show_bug.cgi?id=1957701

AAA Certificate Services as been removed from the ca bundle and it's one of the trust paths for Cloudflare's certs. The other path goes to a trusted cert but the site isn't sending that intermediate cert so the client can't follow that path

The host does in fact work with those certificates.
For anyone looking for a workaround, I've added the path to the host’s root certificates as a shared volume, seems to work:

    volumes:
      - ./config:/config
      - /etc/ssl/certs/:/etc/ssl/certs/

[thespad]

Nobody said your host didn't work with those certificates, we said it's been removed from the current version of the ca certificates bundle, sooner or later you're going to end up with that verion on your host as well as in the container.