Expired SSL Certificate Issue with api.filebot.net

[tightropecat]

Hi folks,

I've encountered an issue with api.filebot.net where my connection attempts are failing due to an SSL certificate problem. Upon further inspection, it appears the SSL certificate for api.filebot.net has expired, resulting in SSL handshake errors and preventing successful connections and thus filebot is not executing successfully.

Using ```openssl s_client -connect api.filebot.net:443 -servername api.filebot.net```
I get this output:
```
openssl s_client -connect api.filebot.net:443 -servername api.filebot.net
CONNECTED(00000003)
depth=4 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
```

In the meantime, if there are any recommended workarounds or updates that users can apply to mitigate this issue, I would greatly appreciate hearing about them. I understand that bypassing SSL verification is a potential temporary workaround, but I'm also aware of the security risks involved in such an approach and would prefer a safer alternative if available.

[rednoah]

Here's what I get:

Console Output: Select all

$ openssl s_client -connect api.filebot.net:443 -servername api.filebot.net
CONNECTED(00000003)
depth=3 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X2
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E1
verify return:1
depth=0 CN = api.filebot.net
verify return:1
---
Certificate chain
 0 s:CN = api.filebot.net
   i:C = US, O = Let's Encrypt, CN = E1
 1 s:C = US, O = Let's Encrypt, CN = E1
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X2
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X2
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 3 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

The log you posted seems fishy, as api.filebot.net is actively used and somebody would have noticed if api.filebot.net was unreachable since 3 years ago:

Code: Select all

verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT

Which DNS server are you using? 1.1.1.1 CloudFlare or 8.8.8.8 Google? If you're using your ISP provided DNS, or Hotel / Airport Wifi, then there's a good chance that DNS poisoning is at play, and you're not actually connecting to the real api.filebot.net server.

[tightropecat]

Interesting. Thanks for sharing that! I'm using my ISPs DNS, but I will try both Google and Cloudflare and let you know.

Appreciate it!

[tightropecat]

The reason I am bringing this is because I've started hitting this error last week when filebot runs.

Shell: Select all

/Scripts/filebot/filebot.sh: line 30: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
Run script [fn:amc] at [Tue Mar 19 10:59:45 PDT 2024]
Parameter: minFileSize = 0
Parameter: minLengthMS = 10
Parameter: seriesDB = TheTVDB
Parameter: unsorted = n
Parameter: seriesFormat = {n} - {s00e00} - {t}
Argument[0]: /All_Videos/TV/hold/Family.Guy.S22E11.720p.WEB.h264-EDITH.mkv
Input: /All_Videos/TV/hold/Family.Guy.S22E11.720p.WEB.h264-EDITH.mkv
Group: [tvs:null] => [Family.Guy.S22E11.720p.WEB.h264-EDITH.mkv]
Finished without processing any files
Failure (°_°)

Console Output: Select all

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Tried both 1.1.1.1 and 8.8.8.8 as my DNS servers but getting this for both. I'm also usually using pi-hole as my DNS resolver.

Shell: Select all

openssl s_client -connect api.filebot.net:443 -servername api.filebot.net

Console Output: Select all

 
CONNECTED(00000003)
depth=4 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
---
Certificate chain
 0 s:/CN=api.filebot.net
   i:/C=US/O=Let's Encrypt/CN=E1
 1 s:/C=US/O=Let's Encrypt/CN=E1
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X2
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X2
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 3 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDfjCCAwSgAwIBAgISA7gw4l+j0R+ErZyydXkF80r5MAoGCCqGSM49BAMDMDIx
CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
MTAeFw0yNDAzMDgwODE0MDFaFw0yNDA2MDYwODE0MDBaMBoxGDAWBgNVBAMTD2Fw
aS5maWxlYm90Lm5ldDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABANZU5OUem3x
vA4tIX5UdoDqaMd6vc5t4E+z5uf6QBD1wkRbhgtbHVql3c1/OxmWGwFbvOI6Pzho
rbk9ZZWIP4KjggIQMIICDDAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYIKwYB
BQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFAuhvflWGyz3
JAtiuy+esNOibOL/MB8GA1UdIwQYMBaAFFrz7Sv8NsI3eblSMOpUb89Vyy6sMFUG
CCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL2UxLm8ubGVuY3Iub3Jn
MCIGCCsGAQUFBzAChhZodHRwOi8vZTEuaS5sZW5jci5vcmcvMBoGA1UdEQQTMBGC
D2FwaS5maWxlYm90Lm5ldDATBgNVHSAEDDAKMAgGBmeBDAECATCCAQMGCisGAQQB
1nkCBAIEgfQEgfEA7wB1ADtTd3U+LbmAToswWwb+QDtn2E/D9Me9AA0tcm/h+tQX
AAABjh1XQPsAAAQDAEYwRAIgDSoileeDlI3OBYo4boSsi419hIHrK6qcQO/0FYSZ
oAgCIDwpJZNHDFsn+5XyA2de1e2eHTv0yZct8uuVYSI1wtn8AHYAouK/1h7eLy8H
oNZObTen3GVDsMa1LqLat4r4mm31F9gAAAGOHVdBFgAABAMARzBFAiEA44oviIL2
hxQQJd1Tc3hoTC+yJz59WwlqOPbKwO550egCIBteD3j6JWVYBqhYJS3fR5uFUndm
ahfmaul3+WrnogDAMAoGCCqGSM49BAMDA2gAMGUCMG52Pv0mtjHOrEuBzxB+K4B0
24sXIwBof0tv/VnVysls/qtDJRcHSoFGNeen8/IWZQIxAMpX+ZBSQhVuzXYRDnV9
otleBpY+7ClRK9F6OskIXsoHXwcQ0cj6l5hwlq9DpkWNZA==
-----END CERTIFICATE-----
subject=/CN=api.filebot.net
issuer=/C=US/O=Let's Encrypt/CN=E1
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4611 bytes and written 457 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    Session-ID: 5B9C02057253F048639E8D9A315631A73A4729453608FDE72BA9F4845E8E7846
    Session-ID-ctx: 
    Master-Key: 80E65E386CDC31994BB8F3CD6233DDA5BA25A2A4A99A411C654E9D227E8DADC07EC9D8856E2283FF61AF59CD8B79B540
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 64800 (seconds)
    TLS session ticket:
    0000 - 54 26 14 61 40 26 ba 84-2b 7a 44 c5 49 21 bb 80   T&.a@&..+zD.I!..
    0010 - ce c6 45 4d ec 43 75 b1-08 4b cd 15 72 7a 17 6b   ..EM.Cu..K..rz.k
    0020 - 6f 84 96 e1 6b 2b 01 0b-8c bc 0e cf df 80 99 27   o...k+.........'
    0030 - 3c 13 6e 03 2c 4f 3f 3c-03 39 67 52 80 02 67 31   <.n.,O?<.9gR..g1
    0040 - c7 45 0a 8c 49 fb 39 f7-11 11 6c e8 c8 e6 58 9d   .E..I.9...l...X.
    0050 - 93 66 73 5c 79 d5 ee 14-8a 40 92 c8 ad e6 a7 ee   .fs\y....@......
    0060 - 1d 35 f6 58 6c 48 c0 bb-3d 25 28 b8 fc 53 a9 e6   .5.XlH..=%(..S..
    0070 - 45 16 f6 ea 2c a9 4d 3e-66 72 fa 7c de 90 f3 f1   E...,.M>fr.|....
    0080 - db 5e 42 a6 d2 f6 e8 5c-3f e4 1f a6 a0 54 21 9f   .^B....\?....T!.
    0090 - 42 d8 18 34 d2 b2 53 1c-5d ec bb fa 2b de c5 a7   B..4..S.]...+...
    00a0 - d7 ca b2 cf 97 c2 e8 a4-32 ff b8 83 28 01 6b 61   ........2...(.ka

    Start Time: 1710870939
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)
---
closed

[rednoah]

What does filebot -script fn:sysinfo say?

Looks like you're using an outdated version of FileBot. If you're also using an outdated version of the JRE then that could be a problem. If the root certificates on your machine haven't been updated then that could be a problem as well. Could also be something else entirely.

[tightropecat]

I updated both java and FileBot as I was on 4.8.2 (talk about setting it and forgetting it). Everything works now!

Thanks!