pheed 2 Posted August 15, 2016 (edited)

Both 8920 and 8096 ports are NAT'd out on my pfsense router.

HTTP://app.emby.media works
HTTPS://app.emby.media does not. Inside and Outside of my local network.

Error message:
"Connection Failure
We're unable to connect to the selected server right now. Please ensure it is running and try again."

However: HTTPS://local.emby.server.IP:8920 works.

http://portchecker.co/check shows HTTPS port 8920 is open and listening.

"Report https as external address" is not checked.

This is running on my FreeNAS box in a FreeBSD jail. I've seen other users having issues with this since 2015.

Edited August 15, 2016 by pheed
Luke 38413 Posted August 15, 2016

Hi, in chrome can you try this again, only this time, before you login, right click anywhere -> inspect. then try to login. then check the console for any errors as well as check the network tab to analyze the requests that were sent out. then capture that info and provide it here. thanks.
pheed 2 Author Posted August 15, 2016 (edited)

From Chrome Console during login from https://app.emby.media:

testing connection mode 0 with server pheed's Emby
tryConnect url: http://192.168.1.23:8096/emby/system/info/public
ConnectionManager requesting url: http://192.168.1.23:8096/emby/system/info/public
fetchWithTimeout: timeoutMs: 8000, url: http://192.168.1.23:8096/emby/system/info/public
Mixed Content: The page at 'https://app.emby.media/selectserver.html' was loaded over HTTPS, but requested an insecure resource 'http://192.168.1.23:8096/emby/system/info/public'. This request has been blocked; the content must be served over HTTPS.
Fetch API cannot load http://192.168.1.23:8096/emby/system/info/public. Failed to start loading.
fetchWithTimeout: timed out connecting to url: http://192.168.1.23:8096/emby/system/info/public
ConnectionManager request failed to url: http://192.168.1.23:8096/emby/system/info/public
test failed for connection mode 0 with server pheed's Emby
testing connection mode 1 with server pheed's Emby
tryConnect url: http://<EXT.IP.REMOVED>:8096/emby/system/info/public
ConnectionManager requesting url: http://<EXT.IP.REMOVED>:8096/emby/system/info/public
fetchWithTimeout: timeoutMs: 20000, url: http://<EXT.IP.REMOVED>:8096/emby/system/info/public
Mixed Content: The page at 'https://app.emby.media/selectserver.html' was loaded over HTTPS, but requested an insecure resource 'http://<EXT.IP.REMOVED>:8096/emby/system/info/public'. This request has been blocked; the content must be served over HTTPS.
Fetch API cannot load http://<EXT.IP.REMOVED>:8096/emby/system/info/public. Failed to start loading.
fetchWithTimeout: timed out connecting to url: http://<EXT.IP.REMOVED>:8096/emby/system/info/public
ConnectionManager request failed to url: http://<EXT.IP.REMOVED>:8096/emby/system/info/public
test failed for connection mode 1 with server pheed's Emby
Tested all connection modes. Failing server connection.

Edited August 15, 2016 by pheed
Luke 38413 Posted August 15, 2016

Hi, what did you try here? Did you click on your server and connect, or did you manually enter the address?
pheed 2 Author Posted August 15, 2016

The above log came from clicking on my server.

Here's the console log from attempting to manually enter the address:

tryConnect url: https://EXT.IP.REMOVED:8920/emby/system/info/public
ConnectionManager requesting url: https://EXT.IP.REMOVED:8920/emby/system/info/public
fetchWithTimeout: timeoutMs: 20000, url: https://EXT.IP.REMOVED:8920/emby/system/info/public
ConnectionManager request failed to url: https://EXT.IP.REMOVED:8920/emby/system/info/public
connectToAddress https://EXT.IP.REMOVED:8920 failed
Luke 38413 Posted August 15, 2016

Ok, two things. If you click on your server it will use the server reported addresses, which right now is http since you have not enabled "report https address". So in your case, you will want to just connect manually via address.

However, this appears to be purely an issue of connectivity. Are you able to take this address and put it into a browser and connect?

https://EXT.IP.REMOVED:8920/emby/system/info/public
pheed 2 Author Posted August 15, 2016

1. I enabled "Report https address" and here's the output from Chrome Console, test conducted outside of my network:

begin connectToServer
connectionmanager.js?v=3.1.6070.42676:998 beginning connection tests
connectionmanager.js?v=3.1.6070.42676:1067 skipping test at index 0
connectionmanager.js?v=3.1.6070.42676:1072 testing connection mode 0 with server pheed's Emby
connectionmanager.js?v=3.1.6070.42676:200 tryConnect url: http://192.168.1.23:8096/emby/system/info/public
connectionmanager.js?v=3.1.6070.42676:172 ConnectionManager requesting url: http://192.168.1.23:8096/emby/system/info/public
connectionmanager.js?v=3.1.6070.42676:123 fetchWithTimeout: timeoutMs: 8000, url: http://192.168.1.23:8096/emby/system/info/public
connectionmanager.js?v=3.1.6070.42676:132 Mixed Content: The page at 'https://app.emby.media/selectserver.html' was loaded over HTTPS, but requested an insecure resource 'http://192.168.1.23:8096/emby/system/info/public'. This request has been blocked; the content must be served over HTTPS.
    (anonymous function) @ connectionmanager.js?v=3.1.6070.42676:132
    fetchWithTimeout @ connectionmanager.js?v=3.1.6070.42676:125
    getFetchPromise @ connectionmanager.js?v=3.1.6070.42676:118
    ajax @ connectionmanager.js?v=3.1.6070.42676:174
    tryConnect @ connectionmanager.js?v=3.1.6070.42676:202
    testNextConnectionMode @ connectionmanager.js?v=3.1.6070.42676:1074
    testNextConnectionMode @ connectionmanager.js?v=3.1.6070.42676:1068
    (anonymous function) @ connectionmanager.js?v=3.1.6070.42676:999
    ConnectionManager.self.connectToServer @ connectionmanager.js?v=3.1.6070.42676:983
    connectToServer @ selectserver.js:10
    (anonymous function) @ selectserver.js:24
connectionmanager.js?v=3.1.6070.42676:132 Fetch API cannot load http://192.168.1.23:8096/emby/system/info/public. Failed to start loading.
    (anonymous function) @ connectionmanager.js?v=3.1.6070.42676:132
    fetchWithTimeout @ connectionmanager.js?v=3.1.6070.42676:125
    getFetchPromise @ connectionmanager.js?v=3.1.6070.42676:118
    ajax @ connectionmanager.js?v=3.1.6070.42676:174
    tryConnect @ connectionmanager.js?v=3.1.6070.42676:202
    testNextConnectionMode @ connectionmanager.js?v=3.1.6070.42676:1074
    testNextConnectionMode @ connectionmanager.js?v=3.1.6070.42676:1068
    (anonymous function) @ connectionmanager.js?v=3.1.6070.42676:999
    ConnectionManager.self.connectToServer @ connectionmanager.js?v=3.1.6070.42676:983
    connectToServer @ selectserver.js:10
    (anonymous function) @ selectserver.js:24
connectionmanager.js?v=3.1.6070.42676:142 fetchWithTimeout: timed out connecting to url: http://192.168.1.23:8096/emby/system/info/public
connectionmanager.js?v=3.1.6070.42676:191 ConnectionManager request failed to url: http://192.168.1.23:8096/emby/system/info/public
connectionmanager.js?v=3.1.6070.42676:1091 test failed for connection mode 0 with server pheed's Emby
connectionmanager.js?v=3.1.6070.42676:1072 testing connection mode 1 with server pheed's Emby
connectionmanager.js?v=3.1.6070.42676:200 tryConnect url: https://EXT.IP.REMOVED:8920/emby/system/info/public
connectionmanager.js?v=3.1.6070.42676:172 ConnectionManager requesting url: https://EXT.IP.REMOVED:8920/emby/system/info/public
connectionmanager.js?v=3.1.6070.42676:123 fetchWithTimeout: timeoutMs: 20000, url: https://EXT.IP.REMOVED:8920/emby/system/info/public
connectionmanager.js?v=3.1.6070.42676:132 GET https://EXT.IP.REMOVED:8920/emby/system/info/public net::ERR_INSECURE_RESPONSE
    (anonymous function) @ connectionmanager.js?v=3.1.6070.42676:132
    fetchWithTimeout @ connectionmanager.js?v=3.1.6070.42676:125
    getFetchPromise @ connectionmanager.js?v=3.1.6070.42676:118
    ajax @ connectionmanager.js?v=3.1.6070.42676:174
    tryConnect @ connectionmanager.js?v=3.1.6070.42676:202
    testNextConnectionMode @ connectionmanager.js?v=3.1.6070.42676:1074
    (anonymous function) @ connectionmanager.js?v=3.1.6070.42676:1097
connectionmanager.js?v=3.1.6070.42676:142 fetchWithTimeout: timed out connecting to url: https://EXT.IP.REMOVED:8920/emby/system/info/public
connectionmanager.js?v=3.1.6070.42676:191 ConnectionManager request failed to url: https://EXT.IP.REMOVED:8920/emby/system/info/public
connectionmanager.js?v=3.1.6070.42676:1091 test failed for connection mode 1 with server pheed's Emby
connectionmanager.js?v=3.1.6070.42676:1036 Tested all connection modes. Failing server connection.

Why is it attempting to connect to my LAN address from external access?

2. Yes I can take that address and connect.
Luke 38413 Posted August 15, 2016

It's just standard protocol because users use the same connection flow no matter how they're connecting. In most cases, connecting to the LAN address is more desirable when possible, so that's why we always try that first, then fall back to the remote address if it doesn't connect.

Ok, since you can put that url into the address bar, then I'll look into why the same http request is failing programmatically. Thanks.
Luke 38413 Posted August 15, 2016

Are you using the default self-signed cert that is installed by the server or did you customize with your own?
pheed 2 Author Posted August 15, 2016 (edited)

Self-signed installed by server.

Edited August 15, 2016 by pheed
Luke 38413 Posted August 15, 2016

When you put that https url in the browser, do you get an SSL warning?
pheed 2 Author Posted August 15, 2016 (edited)

Yep, and actually... it's working now. I'm accessing it externally, after clearing the self-signed warning, I'm able to access.

The only change was enabling that "Report HTTPS as external address". Seems I had to give it time to update the Emby connect? Not sure. First test after enabling "report https as external address" failed with the log I submitted above.

Edited August 15, 2016 by pheed
Solution Luke 38413 Posted August 15, 2016

No, here is the problem. The browser is rejecting the self-signed cert. You are able to override this in the browser by using the address manually, but unfortunately our code cannot (for security reasons obviously). So here are the possible solutions:

- your own domain with a trusted ssl cert that the browser won't reject by default.
- use the android app, where we can override this behavior
- use plain http

It's possible that after overriding manually, the browser is applying this override to our programmatic http requests, which is why it's working now. But I don't think this will be permanent and it will also have to be done on other devices.
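Added example, not part of the thread and not Emby's code: a Node.js triage function for console output like the logs posted above, which labels each `tryConnect url:` attempt as blocked mixed content, a rejected certificate, or an unexplained failure. The sample log is constructed from the messages in this thread, and 203.0.113.10 is a placeholder address.

```javascript
// Added example: label why each candidate server URL failed, from Chrome
// console text like the logs in this thread. SAMPLE_LOG is constructed;
// 203.0.113.10 is a documentation placeholder, not an address from the thread.
const SAMPLE_LOG = [
  "tryConnect url: http://192.168.1.23:8096/emby/system/info/public",
  "Mixed Content: The page at 'https://app.emby.media/selectserver.html' was loaded over HTTPS, " +
    "but requested an insecure resource 'http://192.168.1.23:8096/emby/system/info/public'.",
  "ConnectionManager request failed to url: http://192.168.1.23:8096/emby/system/info/public",
  "tryConnect url: https://203.0.113.10:8920/emby/system/info/public",
  "GET https://203.0.113.10:8920/emby/system/info/public net::ERR_INSECURE_RESPONSE",
  "ConnectionManager request failed to url: https://203.0.113.10:8920/emby/system/info/public",
].join("\n");

// What each label means for the person fixing the server.
const ADVICE = {
  "mixed-content": "HTTPS page may not call an http:// server; use the server's https address",
  "untrusted-certificate": "browser rejected the TLS certificate; serve one from a trusted CA",
  "unexplained": "failure with no browser error logged; open the URL directly and check the cert",
  "ok": "no failure logged for this URL",
};

function triageConsoleLog(text) {
  const attempts = [];
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const start = line.match(/tryConnect url: (\S+)/);
    if (start) {
      // Each "tryConnect url:" line opens a new attempt.
      current = { url: start[1], cause: "ok" };
      attempts.push(current);
    } else if (current && line.includes(current.url)) {
      if (line.includes("Mixed Content:")) {
        current.cause = "mixed-content";
      } else if (/net::ERR_(INSECURE_RESPONSE|CERT_[A-Z_]+)/.test(line)) {
        current.cause = "untrusted-certificate";
      } else if (/request failed to url|timed out connecting/.test(line) && current.cause === "ok") {
        // A failure line only counts when no specific browser error came first.
        current.cause = "unexplained";
      }
    }
  }
  return attempts.map((a) => ({ ...a, advice: ADVICE[a.cause] }));
}

console.log(triageConsoleLog(SAMPLE_LOG));
```

An `unexplained` result matches the manual-address log earlier in the thread, where the request failed without any browser error in the pasted output.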
pheed 2 Author Posted August 15, 2016 (edited)

Gotcha, time to set up LetsEncrypt SSL with DDNS.

I just attempted to access https://app.emby.media from my laptop, and it wouldn't connect. Confirming what you said.

Thanks for the help Luke.

Edited August 15, 2016 by pheed
pheed 2 Author Posted August 16, 2016 (edited)

Just an update after spending hours getting Emby+LetsEncrypt on FreeBSD running.

https://app.emby.media is connecting properly as long as I'm in Chrome. Firefox still gives the error, but seems LetsEncrypt root won't be trusted by Mozilla until Firefox 50. So no worries there.

Here's the steps taken in FreeNAS 9.10.1 / FreeBSD 10.3-RELEASE jail:

If you haven't already, fetch the ports: (or just run: pkg install py27-certbot)

    # portsnap fetch extract
    # cd /usr/ports/security/py-certbot && make install clean

When running the above install I received a warning (from testing other LetsEncrypt scripts I had installed LibreSSL):

    /!\ WARNING /!\ You have security/libressl installed but do not have DEFAULT_VERSIONS+=ssl=libressl set in your make.conf

So I added DEFAULT_VERSIONS+=ssl=libressl to /usr/ports/security/py-certbot/Makefile. Then reran make install clean. If it reports it's already installed, run make deinstall then make install clean again.

Opened port 80 and 443 to NAT to the FreeNAS jail LAN IP.

Then ran certbot:

    # certbot certonly --standalone -d emby.mydomain.com

Entered email address and accepted ToS.

This generated the certs in .pem format and placed them in /usr/local/etc/letsencrypt/live/emby.mydomain.com/

Now to convert .pem to .pfx:

    # openssl pkcs12 -export -out emby.mydomain.com.pfx -inkey privkey.pem -in cert.pem -certfile fullchain.pem

Then moved the resulting .pfx file to emby's install directory.

    # mv emby.mydomain.com.pfx /usr/local/lib/emby-server/

Finally, back in emby's "Manage Server" Web UI -> Expert -> Advanced added /usr/local/lib/emby-server/emby.mydomain.com.pfx to the "Custom certificate path" and added emby.mydomain.com to "External domain".

Restart emby-server and remove the port 80/443 NAT holes I created in the firewall. Leaving only port 8920 open for emby's default SSL port.

More info including Auto-renew can be found at https://certbot.eff.org

Thanks, that was fun.

Edited August 16, 2016 by pheed