[solved] Aria2 : ssl/handshake failure : unable to get local issuer certificate with https links

Hello and a big thank you for this wonderful project that I have been discovering for a few months.

So I have a problem with luci-app-aria2, when I enable the options

--rpc-secure=true
--rpc-certificate=/mnt/sda2/ssl/aria2.pfx

The JSON-RPC URL refers me to: http://192.168.1.1:6800/jsonrpc, so no HTTPS.
So I can't connect with AriaNg over HTTPS; does anyone have any ideas?

Thank you in advance.

https://aria2.github.io/manual/en/html/aria2c.html#cmdoption-rpc-certificate

--rpc-certificate=<FILE>

Use the certificate in FILE for RPC server. The certificate must be either in PKCS12 (.p12, .pfx) or in PEM format.

PKCS12 files must contain the certificate, a key and optionally a chain of additional certificates. Only PKCS12 files with a blank import password can be opened!

When using PEM, you have to specify the private key via --rpc-private-key as well. Use --rpc-secure option to enable encryption.

Thank you for your quick answer, I used this method to create my certificate without a password : https://gist.github.com/GAS85/79849bfd09613067a2ac0c1a711120a6

Added options :

[Screenshot: Capture d’écran_2018-09-28_14-11-59]

But it is impossible to access over HTTPS. I did a lot of research on the net before asking a question on the forum; I'm starting to despair :slight_smile:

You should post the log after service restart.
It could be either a separate file or system log.
In case of system log it should be like this:

service log restart
service aria2 restart
sleep 10; logread -e aria2

Fri Sep 28 18:01:06 2018 daemon.info aria2: Aria2 will run with uer 'aria2'.
Fri Sep 28 18:01:06 2018 daemon.info aria2: Please make sure user 'aria2' has write access to downlod dir: /mnt/sda2/download

That's all I have.
However, no connection problems when using aria2 through http.
Some use a reverse proxy to fix the problem as here :
https://github.com/ziahamza/webui-aria2/issues/108

Please show Aria2 configuration:

uci show aria2

root@OpenWrt:~# uci show aria2
aria2.main=aria2
aria2.main.user='aria2'
aria2.main.config_dir='/var/etc/aria2'
aria2.main.bt_enable_lpd='true'
aria2.main.enable_dht='true'
aria2.main.follow_torrent='true'
aria2.main.save_session_interval='30'
aria2.main.header=''
aria2.main.enabled='1'
aria2.main.dir='/mnt/sda2/download'
aria2.main.disk_cache='32M'
aria2.main.file_allocation='falloc'
aria2.main.rpc_auth_method='none'
aria2.main.max_connection_per_server='4'
aria2.main.min_split_size='20M'
aria2.main.split='4'
aria2.main.overall_speed_limit='1'
aria2.main.max_overall_download_limit='0'
aria2.main.max_overall_upload_limit='0'
aria2.main.task_speed_limit='1'
aria2.main.max_download_limit='0'
aria2.main.max_upload_limit='0'
aria2.main.max_concurrent_downloads='5'
aria2.main.extra_settings='rpc-secure=true' 'rpc-certificate=/mnt/sda2/ssl/aria2.pfx'
aria2.main.enable_log='true'
aria2.main.log_level='debug'

Are you using desktop client or one of Web-UI?

# opkg list | grep -i aria2 | grep -i web

ariang - 2018-02-21-f71a67cb-1 - AriaNg is a web frontend making aria2 easier to use. AriaNg is written in pure html & javascript, thus it does not need any compilers or runtime environment.

webui-aria2 - 2017-05-21-d1ce5b99-1 - The aim for this project is to create the worlds best and hottest interface to interact with aria2. Very simple to use.

yaaw - 2017-04-11-1 - Yet Another Aria2 Web Frontend in pure HTML/CSS/Javascirpt.

Actually there's no point setting up secure connection if Daemon and Web-UI are on the same host.

Yes, no interest for localhost, but the problem is that as soon as I want to download an HTTPS link, I receive this error in AriaNg:

ssl/handshake failure : unable to get local issuer certificate

The only solution I found, but not secure, is the option :

--check-certificate=false

There's example using Aria2 + AriaNg:
https://hub.docker.com/r/wahyd4/aria2-ariang/

Notice : The certificate file should be named aria2.crt and the key file should be named aria2.key

I had a glimmer of hope, but no, changing the name doesn't help.

I think I'm going to turn to a nginx reverse proxy, i've tested a lot of things, but nothing works.

Thank you for your patience anyway :slight_smile:

  1. Do not use PFX, only CRT and PEM.

Additional option for private key:
https://aria2.github.io/manual/en/html/aria2c.html#cmdoption-rpc-private-key

--rpc-private-key=<FILE>

Use the private key in FILE for RPC server. The private key must be decrypted and in PEM format. Use --rpc-secure option to enable encryption. See also --rpc-certificate option.

  2. Make sure your certificate and key look like this:

# cat aria2.crt
-----BEGIN CERTIFICATE-----
<base64_encoded_data>
-----END CERTIFICATE-----

# cat aria2.pem
-----BEGIN PRIVATE KEY-----
<base64_encoded_data>
-----END PRIVATE KEY-----

  3. AriaNg should have some option to specify the directory with certificate and key:
    I suspect you need to set this option explicitly:

/yoursslkeys/:/dir/with/ssl/keys

See the link above with Aria2+AriaNg@Docker example.

What is your problem?
HTTPS URL error.

It's moving forward this morning, install :

opkg install ca-certificates

cd /etc/ssl/

And run :

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt

Add in luci-app-aria2 options :

rpc-certificate=/etc/ssl/server.crt
rpc-private-key=/etc/ssl/server.key
rpc-secure=true
ca-certificate=/etc/ssl/certs/ca-certificates.crt

I went to this link with firefox to sign the certificate and add an exception:

https://192.168.1.1:6800/jsonrpc

And the miracle, AriaNg connects it in https :slight_smile:

I was on the wrong track :wink:

Thanks guys for helping out.

PS: I changed the title so as not to mislead future readers.

Ps1 : Edition 13 July 2019, simplified handling.
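
Added example, not part of the original thread: a POSIX shell check for the aria2 TLS options discussed above (a PEM certificate needs `rpc-private-key`, the key must be unencrypted PEM, `check-certificate=false` turns verification off, and `ca-certificate` must point at a readable bundle). The function names, messages and sample files are constructed for illustration; it reads a plain key=value file, not the uci store.

```shell
# Added example (not from the thread): lint aria2 TLS options in a key=value
# file, such as the lines entered as extra settings in luci-app-aria2.

opt() { sed -n "s/^$2=//p" "$1" | tail -n 1; }   # value of option $2 in file $1

lint_aria2_tls() {   # prints one finding per line; returns 0 only when clean
    conf=$1; n=0
    note() { echo "$1"; n=$((n + 1)); }
    cert=$(opt "$conf" rpc-certificate)
    key=$(opt "$conf" rpc-private-key)
    ca=$(opt "$conf" ca-certificate)
    if [ "$(opt "$conf" rpc-secure)" = true ]; then
        if [ -z "$cert" ] || [ ! -r "$cert" ]; then
            note "rpc-secure=true but rpc-certificate is unset or unreadable"
        elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert"; then
            note "rpc-certificate is not PEM; PKCS12 needs a blank import password"
        elif [ -z "$key" ] || [ ! -r "$key" ]; then
            note "PEM certificate needs a readable rpc-private-key"
        elif grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$key"; then
            note "rpc-private-key is encrypted; aria2 needs it decrypted"
        elif ! grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$key"; then
            note "rpc-private-key is not a PEM private key"
        fi
    fi
    if [ "$(opt "$conf" check-certificate)" = false ]; then
        note "check-certificate=false turns off HTTPS server verification"
    fi
    if [ -n "$ca" ] && [ ! -r "$ca" ]; then
        note "ca-certificate is unreadable (ca-certificates installed?): $ca"
    fi
    [ "$n" -eq 0 ]
}

# Constructed sample: placeholder PEM files and two configs in a temp dir.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$d/server.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' > "$d/server.key"
    : > "$d/ca.crt"; printf 'binary' > "$d/aria2.pfx"
    printf '%s\n' rpc-secure=true "rpc-certificate=$d/server.crt" \
        "rpc-private-key=$d/server.key" "ca-certificate=$d/ca.crt" > "$d/good.conf"
    printf '%s\n' rpc-secure=true "rpc-certificate=$d/aria2.pfx" \
        check-certificate=false "ca-certificate=$d/missing.crt" > "$d/bad.conf"
    echo "$d"
}

d=$(make_samples)
lint_aria2_tls "$d/good.conf" && echo "good.conf: clean"
lint_aria2_tls "$d/bad.conf" || echo "bad.conf: findings above"
```

The check only inspects option values and PEM headers; it does not confirm that the key belongs to the certificate or that a PKCS12 file has a blank password.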
