App can't connect - https


runtimesandbox

I'm getting the following "We're unable to connect to the selected server right now. Please ensure it's running and try again"

This error pops up instantly with my real domain. The domain is a .xyz domain - This is running a genuine SSL cert.

It spins round and attempts to connect when using a DDNS service, but I also receive this error after a short period. This domain ends in .com

My server is running on https on port 8920

I can access the web dashboard / media browser fine outside

I have tried multiple variations, i.e. with and without https:// at the front, with port on the line, etc.

Is the app looking for .co.uk / com / etc domains and thinks .xyz is invalid?

Is there anywhere I can get an indication of what's going wrong? I am logging traffic on that port at the firewall but nothing is even reaching that. The traffic is being passed through the firewall fine. (Helps if you properly turn logging on) - see below

 

[attachment]

 

EDIT: Works locally but only by connecting to local ip address / 8096. no https://

 

Running version 2.5.92 of the Emby app on Android 5.1.1

Running version 3.0.5871.0 of the server on Debian 8.3

 

Attached server logs showing some error but you can probably make better sense of that than me

 

https://www.dropbox.com/s/l2rakkmusviotu1/emby%20error%20log.txt

 

It would appear to be an issue with mono and the cert? 

 

FINAL EDIT: Nothing in the Emby app logs on the device. No logs at all

I have attached more (full) logs from a fresh server startup with a failed connection attempt

 

https://www.dropbox.com/s/9dblz4p336c78lr/emby-server-error-fresh-start.txt

https://www.dropbox.com/s/xuuk3whfvkep91u/emby-server-error-fresh-start2

Edited by spudy12

anderbytes

@ , there's one catch involved.

 

You not only have to possess a genuine certificate. You also have to:

1. Embed this PFX certificate with its C.A. keychain (usually a .PEM file from the C.A. site participates in the creation of the .PFX)

2. Import this [1] generated PFX also inside the client... in this case an Android, correct?

 

After doing those, I was able to connect to my server via HTTPS....

Stream is broken for now, though, because libVLC used in streaming still can't use the PFX mentioned and configured.


runtimesandbox

I converted the certificate to a .pfx file using the below command

openssl pkcs12 -export -out final.pfx -inkey your.private.key -in cert.crt

This is installed in the emby server

 

When I visit the URL I get the green padlock

[attached image: url.png]

Why does the PFX have to be imported to the client? I thought the whole reason for getting a signed certificate was to avoid issues with Android not liking self-signed certificates that need to be imported to the device.

> Stream is broken for now, though, because libVLC used in streaming still can't use the PFX mentioned and configured.

Is this something that libVLC will be able to use in the future?

 

The main reason I bought a signed certificate was so that I can use the chromecast function when I'm out of the house

Edited by spudy12

runtimesandbox

> does it work from the online web client at app.emby.media?

 

When I use the app.emby.media and sign in with my account on the phone, it does see the name of the server but fails to connect with the same error message

 

I can access it fine via the web version though

Edited by spudy12

anderbytes

> I converted the certificate to a .pfx file using the below command
>
> openssl pkcs12 -export -out final.pfx -inkey your.private.key -in cert.crt
>
> This is installed in the emby server
>
> When I visit the URL I get the green padlock
>
> [attached image: url.png]
>
> Why does the PFX have to be imported to the client? I thought the whole reason for getting a signed certificate was to avoid issues with Android not liking self-signed certificates that need to be imported to the device.
>
> Is this something that libVLC will be able to use in the future?
>
> The main reason I bought a signed certificate was so that I can use the chromecast function when I'm out of the house

 

About the correct PFX generation, see post http://emby.media/community/index.php?/topic/28609-no-connection-via-https/?p=277874

 

 

For a fully certified HTTPS connection to be connected and trusted, client and server must know and trust the same C.A.s. From what I learned and tested, the developers of the browsers insert fewer certificates inside the mobile browsers (dunno why). So probably the C.A. that signed your certificate is trusted by your desktop browser, but not the mobile's. That's why sometimes it's necessary to manually import the chain of certificates from the C.A. to teach the browser that you trust that one.


runtimesandbox

> About the correct PFX generation, see post http://emby.media/community/index.php?/topic/28609-no-connection-via-https/?p=277874
>
> For a fully certified HTTPS connection to be connected and trusted, client and server must know and trust the same C.A.s. From what I learned and tested, the developers of the browsers insert fewer certificates inside the mobile browsers (dunno why). So probably the C.A. that signed your certificate is trusted by your desktop browser, but not the mobile's. That's why sometimes it's necessary to manually import the chain of certificates from the C.A. to teach the browser that you trust that one.

Okay, I might have missed out the intermediary cert looking at that post. Will try it again tonight.

It does however work from all browsers and mobile browsers with any issues.

 

 

 

> For me it was a firewall problem. Firewall blocked any connections to the app.

I'm pretty sure it's going through my firewall fine, I can see it passing through and as far as I know it doesn't need any other ports?

Were you using a signed cert or the normal self-signed one?


anderbytes

@ , I had missed it, too. But after doing it, everything worked, with the exception of the https streaming.


runtimesandbox

> @ , I had missed it, too. But after doing it, everything worked, with the exception of the https streaming.

 

Good to know. Will try this again later tonight and post back with results. 

Have you tried to chromecast anything using the app and ssl?

 

Is there anywhere we can track the progress of getting libvlc to work with pfx files?

Edited by spudy12

runtimesandbox

I've regenerated my SSL cert, and used the following to export it to pfx for emby. I have included the intermediate pem file from my provider.

 

It still does not work with the app or the chrome mobile browser?

openssl pkcs12 -export -out <mydomain>.pfx -inkey domain.key -in domain.crt -certfile intermediate.pem

Am I not properly including the intermediate pem file?

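The question in the post above is whether the intermediate actually ended up in the PFX and whether it matters. As an added example (not part of the original thread), this script builds a throwaway root, intermediate and leaf, runs both export commands from the thread, counts the certificates in each PFX, and checks whether the leaf validates without the intermediate. All keys, subject names, the `demo` password and the `leaf-only.pfx` / `with-chain.pfx` file names are constructed.

```shell
#!/bin/sh
# Added example; every key, name and password below is constructed.

# Number of certificates inside a PKCS#12 file ($1 = file, $2 = password).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Number of certificates a live TLS server sends ($1 = host, $2 = port).
served_cert_count() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Does leaf $2 validate against root $1, given extra certs in $3 (optional)?
chain_ok() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Build a throwaway root -> intermediate -> leaf chain and two PFX files in $1.
make_demo() (
    cd "$1" || exit 1
    echo 'basicConstraints=critical,CA:TRUE' > ca.ext
    for n in root int domain; do
        openssl req -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
            -subj "/CN=demo-$n.example.test" 2>/dev/null || exit 1
    done
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 2 -out root.crt 2>/dev/null
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile ca.ext -days 2 -out intermediate.pem 2>/dev/null
    openssl x509 -req -in domain.csr -CA intermediate.pem -CAkey int.key \
        -CAcreateserial -days 2 -out domain.crt 2>/dev/null
    # The two export commands from the thread, without and with -certfile.
    openssl pkcs12 -export -out leaf-only.pfx -inkey domain.key \
        -in domain.crt -passout pass:demo
    openssl pkcs12 -export -out with-chain.pfx -inkey domain.key \
        -in domain.crt -certfile intermediate.pem -passout pass:demo
)

demo=$(mktemp -d) && make_demo "$demo"
echo "leaf-only.pfx:  $(pfx_cert_count "$demo/leaf-only.pfx" demo) cert(s)"
echo "with-chain.pfx: $(pfx_cert_count "$demo/with-chain.pfx" demo) cert(s)"
chain_ok "$demo/root.crt" "$demo/domain.crt" || echo "leaf alone: fails"
chain_ok "$demo/root.crt" "$demo/domain.crt" "$demo/intermediate.pem" && echo "leaf + intermediate: OK"
```

Running `served_cert_count <host> 8920` against the real server applies the same count to what is actually sent on the wire: a result of 1 means only the leaf is being presented.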

runtimesandbox

Final question with this:

 

If I run Emby behind an Apache reverse SSL proxy with a valid certificate, would this solve the issue with the apps not working?

Apart from the libVLC library issue on playback that is

Edited by spudy12

anderbytes

> Final question with this:
>
> If I run Emby behind an Apache reverse SSL proxy with a valid certificate, would this solve the issue with the apps not working?
>
> Apart from the libVLC library issue on playback that is

 

I have mine working just like that.

Reverse Proxy + SSL

 

The only thing that doesn't work for now is streaming.

But if your client can't recognize that PFX and you don't have it imported in it, it won't work.


runtimesandbox

Cool! I understand the streaming not working. Did you have to install your certificate on your devices using this method still? 

From what I gather, to avoid having to install the cert on the device you need to get your certificate from an authority whose root is trusted on Android / iOS?

Do you use Apache or nginx for your reverse proxy? Would you mind sharing your configs so I can see how exactly to go about it?  :)


anderbytes

> Cool! I understand the streaming not working. Did you have to install your certificate on your devices using this method still?
>
> From what I gather, to avoid having to install the cert on the device you need to get your certificate from an authority whose root is trusted on Android / iOS?
>
> Do you use Apache or nginx for your reverse proxy? Would you mind sharing your configs so I can see how exactly to go about it? :)

Well, I don't know who issued your certificate, but mine wasn't trusted by my mobile browser so yes, I had to install it manually.

 

As for the reverse proxy, I went to get the config and then remembered that I abandoned reverse proxy for emby because I didn't want any intermediaries in those connections.

 

But I can provide you with the info needed so nginx can reverse proxy. But it's very easy to find on Google, too.


runtimesandbox

Yes, no, on second thoughts I would rather not have Emby go through a reverse proxy as I imagine this will mess with the internal/external detection and other things.

My cert provider is Gandi. I don't think Android trusts many SHA-2 certs yet but I may be wrong. It seems to work fine on iOS and Chrome but not on Android or Firefox. Will revert to an SHA1 cert for the time being.


runtimesandbox

Just an update on this. Turns out I can successfully cast from an external web browser to an external Chromecast and it works. Didn't used to when I had a self signed cert so this is a definite improvement. No need to side load the cert

 

No luck with the android app still
