runtimesandbox, posted February 18, 2016 (edited)

I'm getting the following:

"We're unable to connect to the selected server right now. Please ensure it's running and try again"

This error pops up instantly with my real domain. The domain is a .xyz domain. This is running a genuine SSL cert.

It spins round and attempts to connect when using a ddns service, but I also receive this error after a short period. This domain ends in .com.

My server is running on https on port 8920.

I can access the web dashboard / media browser fine outside.

I have tried multiple variations, i.e. with and without https:// at the front, with port on the line, etc.

Is the app looking for .co.uk / com / etc. domains and thinks .xyz is invalid?

Is there anywhere I can get an indication of what's going wrong? I am logging traffic on that port at the firewall but nothing is even reaching that. The traffic is being passed through the firewall fine. (Helps if you properly turn logging on) - see below

EDIT: Works locally but only by connecting to local IP address / 8096, no https://

Running version 2.5.92 of the emby app on android 5.1.1
Running version 3.0.5871.0 of server on debian 8.3

Attached server logs showing some error, but you can probably make better sense of that than me:
https://www.dropbox.com/s/l2rakkmusviotu1/emby%20error%20log.txt

It would appear to be an issue with mono and the cert?

FINAL EDIT: Nothing in emby app logs on the device, no logs at all. I have attached more (full) logs from a fresh server startup with a failed connection attempt:
https://www.dropbox.com/s/9dblz4p336c78lr/emby-server-error-fresh-start.txt
https://www.dropbox.com/s/xuuk3whfvkep91u/emby-server-error-fresh-start2

Edited February 19, 2016 by spudy12

runtimesandbox, posted February 19, 2016 (edited)

Found the debug log setting so got some fresh logs with that turned on:
https://www.dropbox.com/s/chdg54kycws65nu/emby-server-debug-log1
https://www.dropbox.com/s/q5scn83e93v7uc4/emby-server-debug-log2

Edited February 19, 2016 by spudy12

Luke, posted February 19, 2016

Does it work from the online web client at app.emby.media?

anderbytes, posted February 19, 2016

@ , there's one catch involved. You not only have to possess a genuine certificate. It has also to:

1. Embed this PFX certificate with its C.A. keychain (usually a .PEM file from C.A. site participates in the creation of the .PFX)
2. Import this [1] generated PFX also inside the client... in the case an Android, correct?

After doing those, I was able to connect to my server via HTTPS.... Stream is broken for now, though, because libVLC used in streaming still can't use the PFX mentioned and configured.

runtimesandbox, posted February 19, 2016 (edited)

I converted the certificate to a .pfx file using the below command:

    openssl pkcs12 -export -out final.pfx -inkey your.private.key -in cert.crt

This is installed in the emby server. When I visit the url I get the green padlock.

Why does the PFX have to be imported to the client? I thought the whole reason for getting a signed certificate was to avoid issues with android not liking self signed certificates that need to be imported to the device.

> Stream is broken for now, though, because libVLC used in streaming still can't use the PFX mentioned and configured.

Is this something that libVLC will be able to use in the future? The main reason I bought a signed certificate was so that I can use the chromecast function when I'm out of the house.

Edited February 19, 2016 by spudy12

runtimesandbox, posted February 19, 2016 (edited)

> does it work from the online web client at app.emby.media?

When I use the app.emby.media and sign in with my account on the phone, it does see the name of the server but fails to connect with the same error message.

I can access it fine via the web version though.

Edited February 19, 2016 by spudy12

anderbytes, posted February 19, 2016

> I converted the certificate to a .pfx file using the below command:
>
>     openssl pkcs12 -export -out final.pfx -inkey your.private.key -in cert.crt
>
> This is installed in the emby server. When I visit the url I get the green padlock.
>
> Why does the PFX have to be imported to the client? I thought the whole reason for getting a signed certificate was to avoid issues with android not liking self signed certificates that need to be imported to the device.
>
> Is this something that libVLC will be able to use in the future? The main reason I bought a signed certificate was so that I can use the chromecast function when I'm out of the house.

About the correct PFX generation, see post http://emby.media/community/index.php?/topic/28609-no-connection-via-https/?p=277874

For a fully certified HTTPS connection to be connected and trusted, client and server must know and trust the same C.A.s. From what I learned and tested, the developers of the browsers insert fewer certificates inside the mobile browsers (dunno why). So probably the C.A. that signed your certificate is trusted by your desktop browser, but not the mobile's.

That's why sometimes it's necessary to manually import the chain of certificates from the C.A. to teach the browser that you trust that one.

Ainarh0, posted February 19, 2016

For me it was a firewall problem. Firewall blocked any connections to the app.

runtimesandbox, posted February 19, 2016

> About the correct PFX generation, see post http://emby.media/community/index.php?/topic/28609-no-connection-via-https/?p=277874
>
> For a fully certified HTTPS connection to be connected and trusted, client and server must know and trust the same C.A.s. From what I learned and tested, the developers of the browsers insert fewer certificates inside the mobile browsers (dunno why). So probably the C.A. that signed your certificate is trusted by your desktop browser, but not the mobile's.
>
> That's why sometimes it's necessary to manually import the chain of certificates from the C.A. to teach the browser that you trust that one.

Okay, I might have missed out the intermediary cert looking at that post. Will try it again tonight. It does however work from all browsers and mobile browsers with any issues.

> For me it was a firewall problem. Firewall blocked any connections to the app.

I'm pretty sure it's going through my firewall fine, I can see it passing through and as far as I know it doesn't need any other ports? Were you using a signed cert or the normal self signed one?

anderbytes, posted February 19, 2016

@ , I had missed it, too. But after doing it, everything worked, with the exception of the https streaming.

runtimesandbox, posted February 19, 2016 (edited)

> @ , I had missed it, too. But after doing it, everything worked, with the exception of the https streaming.

Good to know. Will try this again later tonight and post back with results.

Have you tried to chromecast anything using the app and ssl?

Is there anywhere we can track the progress of getting libvlc to work with pfx files?

Edited February 19, 2016 by spudy12

runtimesandbox, posted February 23, 2016

I've regenerated my SSL cert, and used the following to export it to pfx for emby. I have included the intermediate pem file from my provider. It still does not work with the app or the chrome mobile browser?

    openssl pkcs12 -export -out <mydomain>.pfx -inkey domain.key -in domain.crt -certfile intermediate.pem

Am I not properly including the intermediate pem file?

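The two export commands posted in this thread differ only in -certfile. As an added example (not part of any post and not Emby's code), the script below builds a constructed root, intermediate and leaf, runs both exports, and reports how many certificates each PFX holds and whether a client that trusts only the root can validate the leaf from them. All file names, subjects and the password "constructed" are assumptions made for the demo.

```shell
#!/bin/sh
# Added example. Constructed throwaway PKI (root -> intermediate -> leaf);
# every name, file and the password "constructed" are made up for the demo.
WORK=$(mktemp -d) && cd "$WORK" || exit 1
trap 'rm -rf "$WORK"' EXIT
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

new_csr() {   # new_csr <name>: private key plus CSR for CN=constructed-<name>
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1.csr" -subj "/CN=constructed-$1" 2>/dev/null
}

build_pki() {
    new_csr root && new_csr intermediate && new_csr leaf || return 1
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 2 -out root.crt 2>/dev/null &&
    openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile ca.ext -days 2 -out intermediate.crt 2>/dev/null &&
    openssl x509 -req -in leaf.csr -CA intermediate.crt -CAkey intermediate.key \
        -CAcreateserial -days 2 -out leaf.crt 2>/dev/null
}

export_pfx() {   # the two export commands from the thread, same flags
    openssl pkcs12 -export -out leaf-only.pfx -inkey leaf.key -in leaf.crt \
        -passout pass:constructed &&
    openssl pkcs12 -export -out with-chain.pfx -inkey leaf.key -in leaf.crt \
        -certfile intermediate.crt -passout pass:constructed
}

pfx_certs() {   # dump the certificates (no keys) stored in a PFX as PEM
    openssl pkcs12 -in "$1" -nokeys -passin pass:constructed 2>/dev/null
}

pfx_cert_count() { pfx_certs "$1" | grep -c 'BEGIN CERTIFICATE'; }

# Model a client whose trust store holds only the root: can it build a path
# to the leaf from the certificates the PFX would let the server present?
client_verifies() {
    pfx_certs "$1" > sent.pem
    if openssl verify -CAfile root.crt -untrusted sent.pem leaf.crt >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

build_pki && export_pfx || exit 1
for f in leaf-only.pfx with-chain.pfx; do
    echo "$f: $(pfx_cert_count "$f") cert(s), root-only client: $(client_verifies "$f")"
done
```

Against a running server, `openssl s_client -connect <host>:8920 -showcerts` lists the certificates actually sent in the handshake, which is what a client without a cached intermediate has to work with.
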
runtimesandbox, posted February 23, 2016 (edited)

Final question with this:

If I run emby behind an apache reverse ssl proxy with a valid certificate, would this solve the issue with the apps not working? Apart from the libVLC library issue on playback, that is.

Edited February 23, 2016 by spudy12

anderbytes, posted February 23, 2016

> Final question with this:
>
> If I run emby behind an apache reverse ssl proxy with a valid certificate, would this solve the issue with the apps not working? Apart from the libVLC library issue on playback, that is.

I have mine working just like that. Reverse Proxy + SSL.

The only thing that doesn't work for now is streaming. But if your client can't recognize that PFX and you don't have it imported in it, it won't work.

runtimesandbox, posted February 23, 2016

Cool! I understand the streaming not working.

Did you have to install your certificate on your devices using this method still? From what I gather, to avoid having to install the cert on the device you need to get your certificate from an authority whose root is trusted on android / ios?

Do you use apache or nginx for your reverse proxy? Would you mind sharing your configs so I can see how exactly to go about it?

anderbytes, posted February 23, 2016

> Cool! I understand the streaming not working.
>
> Did you have to install your certificate on your devices using this method still? From what I gather, to avoid having to install the cert on the device you need to get your certificate from an authority whose root is trusted on android / ios?
>
> Do you use apache or nginx for your reverse proxy? Would you mind sharing your configs so I can see how exactly to go about it?

Well, I don't know who issued your certificate, but mine wasn't trusted by my mobile browser so yes, I had to install it manually.

As for the reverse proxy, I went to get the config and then remembered that I abandoned reverse proxy for emby because I didn't want any intermediaries in those connections. But I can provide you with the info needed so nginx can reverse proxy. But it's very easy to find on Google, too.

runtimesandbox, posted February 26, 2016

Yes no, on second thoughts I would rather not have emby go through a reverse proxy as I imagine this will mess with the internal / external detection and other things.

My cert provider is Gandi. I don't think Android trusts many SHA-2 certs yet, but I may be wrong. It seems to work fine on iOS and chrome but not on android or firefox. Will revert to an SHA1 cert for the time being.

runtimesandbox, posted February 27, 2016

Just an update on this. Turns out I can successfully cast from an external web browser to an external Chromecast and it works. Didn't used to when I had a self signed cert, so this is a definite improvement. No need to side load the cert.

No luck with the android app still.