Showing results for tags 'SSL'.

  1. Hi, since the latest update 3.3.0.0 I have an issue where, when I browse to Emby through my URL via https, I get a popup asking to verify myself. If I press OK the site doesn't load, but if I press Cancel the site loads as normal. This happens once per browser session, i.e. if I close the browser and navigate back to Emby it will pop up again. The certificate is fine and has been generated correctly using openssl, creating a .csr and getting it signed with GoDaddy, then creating a .pfx file from the generated GoDaddy certificates. I have not had any problems with the SSL certificate until the latest update. See attached screenshot. Please fix ASAP. Thanks
  2. Hello, I have been trying to set up Emby and allow remote access with docker containers. No matter what I do I cannot connect from any app, including the web app. If I put in the URL it will connect just fine as long as force SSL is not enabled; if force SSL is enabled then I get an error that there have been too many redirects. I have looked at the posts about setting up remote access and setting up a reverse proxy and nothing is working. I am not sure where to begin; any help would be greatly appreciated. Thank you!
  3. Spotta

    Service won't start

    Hi, I was experimenting with using an SSL cert with Emby this morning. I changed the public https port in server manager and now my Emby will not start. Attached are the Emby logs from when this happened. In my Event Viewer I can see the following:

    The description for Event ID 7024 from source Service Control Manager cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event. The following information was included with the event: Emby %%2148734208 The locale specific resource for the desired message is not present

    Can anyone help me get my Emby back working again?

    server-63652297203.txt unhandled_4bb46dc1-e932-4b4d-95ed-5ac75b15ea40.txt
  4. There have been a few posts around the Forum recently regarding SSL, HTTPS and Security. I'm by no means an expert on reverse proxies but have had a lot of dealings with them over the past few months, and with the help of @pir8radio and @shorty1483 have a fairly well set up and secure system to access my services from outside of my LAN. This guide is to help people access their Emby Server and any other services behind a reverse proxy. This is based on NGINX but it also works for Apache and IIS.

    So firstly, what is and why do I need a reverse proxy?

    If you're like me and have many services running on servers or PCs in your home, i.e. Emby, Plex, Sonarr, Radarr, Ombi, Organizer, CP, home automation, CCTV and anything else, then you have to open multiple ports on your router to direct traffic to where it needs to go. With a reverse proxy you only have to open 1 or 2 ports. Normally all HTTP traffic is sent over port 80 and HTTPS traffic over port 443. In my case I want all traffic served over HTTPS and port 443 so I close all ports bar 443.

    Another reason to use a reverse proxy is that you can use your own domain certs easily and fine tune your security settings. If you want to test your domain security go here - https://securityheaders.io/ Chances are your rating will be an F. With a reverse proxy you can easily attain a B+/A grade.

    You can also set up a web-facing server running NGINX and then have additional servers behind that hidden on your LAN; however, if you're like me, I have NGINX running on the same machine as Emby.

    I only access Emby remotely, do I still need a reverse proxy?

    Difficult to answer. No, you don't need a reverse proxy to access Emby, but if you do then you can fine tune the security.

    This guide assumes you have a domain name, your own certs to go with your domain name and either have your domain name pointed to a static PC (your home WAN IP) or have Dynamic DNS set up.

    Have I convinced you yet?

    I run Windows OS at home so this guide follows a Windows setup but the config will be the same across all OS.

    1. Download the latest version of NGINX from here - http://nginx-win.ecsds.eu/ As of writing this guide it's version 1.13.0.1 Violet.
    2. Extract the ZIP file somewhere easy to find: C:\NGINX.
       a. To make future updating easier: when you extract the ZIP the file is called nginx 1.13.0.1 Violet. Rename it to just NGINX.
    3. Before we get started on the config of NGINX let's install it as a service.
       a. Download NSSM
       b. Extract the ZIP
       c. Copy correct x86 or x64 nssm.exe to C:\Windows\System32
       d. Open a CMD, type 'nssm install nginx'
       e. Fill in the Application Path – C:\NGINX\nginx.exe, Startup directory – C:\NGINX, Service name – NGINX. Install Service

    Don't start the service yet, we need to configure NGINX.

    To create a config I use Notepad++. I will go through each setting first before supplying a copy of my current config. This is how the config starts.

        worker_processes 2;

        events {
            worker_connections 8192;
        }

        http {
            include mime.types;
            default_type application/octet-stream;
            # Do not advertise the NGINX version in headers and error pages
            server_tokens off;
            sendfile off;
            gzip on;
            gzip_disable "msie6";
            gzip_comp_level 6;
            gzip_min_length 1100;
            gzip_buffers 16 8k;
            gzip_proxied any;
            gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml image/svg+xml;
            tcp_nodelay on;
            server_names_hash_bucket_size 128;
            map_hash_bucket_size 64;

            ## Start: Timeouts ##
            client_body_timeout 10;
            client_header_timeout 10;
            keepalive_timeout 30;
            send_timeout 10;
            keepalive_requests 10;
            ## End: Timeouts ##
        }

    This part is fairly standard. Anything starting with # is disabled or just a comment. The config is broken down into blocks. The first block here is the HTTP block. The HTTP block contains all the headers required to do the work of the reverse proxy, for example when someone browses to emby.mydomain.com it matches a header in NGINX and it knows where to forward the data. The only change in the section above over a default config is the addition of server_tokens off; this is the first of our security tweaks. This removes the version of NGINX from being visible outside your network and less chances of attackers being able to exploit version weaknesses.

        ## Default Listening ##
        server {
            listen 80 default_server;
            listen [::]:80 default_server;
            server_name _;
            # Send every plain-HTTP request to the same host and path over HTTPS
            return 301 https://$host$request_uri;
        }

    This next block is called a server block and it is nested inside the HTTP block. This block is optional, it is only used to redirect any users from HTTP to HTTPS if you want to force users on HTTPS only. listen 80 and listen [::]:80 are default ports for HTTP traffic for IPv4 and IPv6. return 301 https://$host$request_uri; is what rewrites the request from HTTP to HTTPS. Again only needed if you are forcing everyone to use HTTPS only.

        ##EMBY Server##
        server {
            listen 80;
            listen [::]:80;
            listen [::]:443 ssl;
            listen 443 ssl;
            server_name emby.mydomain.com;

            ssl_session_timeout 30m;
            ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
            ssl_certificate SSL/cert.pem;
            ssl_certificate_key SSL/private.key;
            ssl_session_cache shared:SSL:10m;

            #add_header Public-Key-Pins '
            #pin-sha256="8TzXdhbnv+l6EjDG2Vj9EmgGiSmZenrTZSNaUFEwyUE=";
            #pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=";
            #pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=";
            #max-age=86400; includeSubDomains';

            add_header X-Xss-Protection "1; mode=block" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            proxy_hide_header X-Powered-By;
            add_header 'Referrer-Policy' 'no-referrer';
            add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;";

            location / {
                proxy_pass http://192.168.10.10:8096;

                proxy_set_header Range $http_range;
                proxy_set_header If-Range $http_if_range;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

                #Next three lines allow websockets
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
            }
        }

    The next server block is where the magic happens. First the listen 80; and listen [::]:80; are only needed if you want to allow users to access your Emby server on port 80, otherwise delete these 2 lines to force all users to HTTPS access. listen 443 ssl; and listen [::]:443 ssl; are the default HTTPS ports again for IPv4 and IPv6. server_name emby.mydomain.com will be your subdomain and how you access Emby from outside your network.

    Now let's look at the SSL certificates. For my setup I created a .pem file. This file contains both my cert, intermediate and CA root cert in one file. This link gives you an idea how to do it - https://www.digicert.com/ssl-support/pem-ssl-creation.htm You should now have your cert.pem and a private.key file. For simplicity copy these files to C:\NGINX\conf\SSL (you have to create the SSL folder). This tells NGINX where to find the certs.

        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;

    For now I am going to skip over the #add_header Public-Key-Pins - as you can see I have it disabled by using # in front of it. I will explain why later on.

    The next section adds further security tweaks. You will need to change the Content-Security-Policy domain names to your own. You need to list all your subdomains, i.e. sonarr.mydomain.com radarr.mydomain.com emby.my....... you get the idea.

        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;";

    The next part is called the location block. This is what tells your domain name emby.mydomain.com where the data should go. In this case it forwards everything to proxy_pass http://192.168.10.10:8096; you can also forward to proxy_pass http://127.0.0.1:8096 if it runs on the same box as NGINX. The rest of the location block is default stuff to help the data get to where it is needed.

    Your config should now look like the one below. We need to save it to C:\NGINX\conf and name it nginx.conf

        worker_processes 2;

        events {
            worker_connections 8192;
        }

        http {
            include mime.types;
            default_type application/octet-stream;
            server_tokens off;
            sendfile off;
            server_names_hash_bucket_size 128;
            map_hash_bucket_size 64;

            ## Start: Timeouts ##
            client_body_timeout 10;
            client_header_timeout 10;
            keepalive_timeout 30;
            send_timeout 10;
            keepalive_requests 10;
            ## End: Timeouts ##

            ## Default Listening ##
            server {
                listen 80 default_server;
                listen [::]:80 default_server;
                server_name _;
                return 301 https://$host$request_uri;
            }

            ##EMBY Server##
            server {
                listen [::]:443 ssl;
                listen 443 ssl;
                server_name emby.mydomain.com;

                ssl_session_timeout 30m;
                ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
                ssl_certificate SSL/cert.pem;
                ssl_certificate_key SSL/private.key;
                ssl_session_cache shared:SSL:10m;

                #add_header Public-Key-Pins '
                #pin-sha256="8TzXdhbnv+l6EjDG2Vj9EmgGiSmZenrTZSNUFEwyUE=";
                #pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/utLMkBgFF2Fuihg=";
                #pin-sha256="Vjs8r4z+80wjNcr1KepWQboSIRi63WsWXhIMN+eWys=";
                #max-age=86400; includeSubDomains';

                add_header X-Xss-Protection "1; mode=block" always;
                add_header X-Content-Type-Options "nosniff" always;
                add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
                add_header X-Frame-Options "SAMEORIGIN" always;
                proxy_hide_header X-Powered-By;
                add_header 'Referrer-Policy' 'no-referrer';
                add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;";

                location / {
                    proxy_pass http://192.168.10.10:8096;

                    proxy_set_header Range $http_range;
                    proxy_set_header If-Range $http_if_range;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header Host $host;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

                    #Next three lines allow websockets
                    proxy_http_version 1.1;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection "upgrade";
                }
            }
        }

    And that's it, you can now start your NGINX services by running services.msc and starting NGINX.
  5. I purchased my own domain certificate and then I had a crazy time trying to figure out why my pfx file wouldn't work. After much reading around it seemed that in order to make it work I had to use a pfx file (cert+private key) with no password in place. For me this wasn't an option, as I'm crazy paranoid that by creating this it would then be possible for someone to get their hands on it and then somehow be able to compromise my sites (wildcard cert). So instead, I made Emby work with a secure pfx file. Here is my howto....

    Requirements:

    - Active Directory enabled domain
    - A Windows Server (2012 or higher) or a Windows workstation (Windows 8 or higher) joined to the domain - I used my Emby server for this
    - SSL Certificate - I used one I had purchased

    Setup Emby Service Account:

    1. In Active Directory create a user account that will be used to launch the Emby service - I placed mine under Managed Service Accounts
    2. On the Emby server open Control Panel and type Services
    3. Locate the Emby Server service, right click on the service and choose Properties
    4. Click on the Log On tab, select the "This Account" radio button and enter the username and password you created in Step 1, click OK and then close the Services window
    5. Still inside Control Panel, click on User Accounts, then select Give other users access to this computer
    6. Click Add, then add the Emby user information from Step 1 and click Next
    7. Select Administrator and click Next, then Finish

    Preparing your secured pfx file:

    1. Using a Windows 2012/2012R2 Server or Windows 8/8.1/10 workstation, with Control Panel still open type "certificate"
    2. Import your certificate, making sure to mark it as exportable.
    3. Right click on the certificate that was just imported and choose Export
    4. Mark "Yes, export the private key", click Next until you reach the Security screen
    5. Check the "Group or user names", this will automatically input the user you're using. Remove that user and click Add, then add the Emby user created in Step 1 in the above section. Click Next
    6. Give it a filename. I would HIGHLY recommend you do NOT name it the same as your original cert/pfx file since this will be used for this situation only. Click Next, then Finish
    7. Once the two things above are done then assign the key as you would normally in Emby - Advanced/Custom certificate path

    Finally, reboot the server/workstation. This isn't 100% needed, but I like to do it to verify everything works correctly. If you don't do this then make sure to go back into Services and start or restart the Emby Server service.

    Another suggestion, but not needed for this to work, is to have the certificate saved in a folder by itself (C:\Windows\EmbyCert or some other generic spot). Then edit that folder's security settings, removing all users except for the Emby account you created. Assign that Emby account Read access.

    There you go, Emby is now using your SSL certificate, and you don't have a certificate/private key combo sitting on your machine with no protection on it.

    Edited to correct some grammatical and spelling errors.
  6. Hi, I've set up my Emby server with "HTTPS using reverse proxy" using the "Setting up SSL for Emby (WIP)" guide. My question is: How can I switch between my LAN IP address 192.168.1.20:8096 if I'm at home and my https://emby.domainname.com:443 address if I'm on the road (using the Android app)? Manually adding the other address for the same server doesn't seem to work? Thanks!
  7. anderbytes

    Webserver TLS version

    Hi, can you upgrade the TLS version used for SSL connection in Emby? I've been tuning my Firefox's security configurations, and when I enable "security.ssl.require_safe_negotiation = true" it returns me the error "SSL_ERROR_UNSAFE_NEGOTIATION" at the moment I try to enter Emby web client. Googling a little returned me that the TLS version may be insecure at the webserver.... in this case Emby's embedded webserver that uses the .pfx for enabling HTTPS. Thanks.
  8. http://www.pcworld.com/article/2932419/plex-gets-more-secure-adding-free-ssl-encryption-for-all-free-and-paying-users.html I'm surprised something like this was not thought about in the beginning of things
  9. Arelion

    Need help to install certificate

    Hi, I've tried to follow all the guides out there to add a certificate to my Emby server, unfortunately without success. Today I'm running my Emby server on Ubuntu 17.04. I own my own domain but I already use the main domain for another server that I have as a webserver. So I would like to have a sub-domain for my Emby, so I have created an address that looks like this: emby.domain.com

    I have managed to use free certificates on my web server via Certbot, but when I try to do the same on my Emby server with my sub-domain I get some authentication error message. So I would really appreciate it if someone would give me some really good instructions on how to install a certificate on my Emby server.

    Have tried this already: https://emby.media/community/index.php?/topic/44757-setting-up-ssl-for-emby-wip/
  10. Untoten

    SSL Integration/Support

    Status: Initiated Blueprint

    Luke has investigated this, unclear the progress on universal development. App devs have not begun dev for this. Once Luke builds core compatibility it may be 3+ months before app/client SSL adoption.

    Spread the word! Let's make it known how many Emby users would love to see this feature! I have seen scattered, unorganized requests for this that seemed to die, so this will serve to centralize all support for SSL and to track responses/feedback.

    This is to request Emby support SSL, both app and web client to server. This would be for Emby Connect setups as well as local user setup.

    Current Plan: Utilize Let's Encrypt (https://letsencrypt.org/) to allow automated endpoint encryption. Luke is currently looking for members that may be able to help automate this at server endpoints. Possible solutions include subdomains for each client (ex. customer.emby.media) or custom domains for each customer such as DyDNS.

    Reasons for this:

    - Secure activity/traffic between client and server
    - Allows passwords to be passed plain text from client to server.
    - Would allow development of SSO/LDAP authentication solutions. Please see and support our topic linked below: https://emby.media/community/index.php?/topic/26495-ldap-support/

    What is done:

    - Enhanced SSL support on mobile application

    What is needed:

    - Core universal SSL support
    - App supported SSL
    - Web-app supported SSL
    - Authentication passed over SSL to allow plaintext passwords
  11. sstt671

    HTTPS not working on TS-251+

    Hello, I am not able to set up SSL on my Emby server hosted on QNAP TS-251+.

    Server details:

    - QNAP TS-251+
    - Firmware v4.3.3
    - Emby v3.2.14
    - Qmono v4.6.2.7 (64bit)

    When I supply my own SSL cert with .pfx, I can connect via http but not https. Port forwarding is done correctly. Also, if I do not supply my own cert then connecting via https works fine with a warning.

    Here is the log snippet:

        2017-05-08 14:46:32.9377 Error App: Error loading cert from /*****/SSLcertificate.pfx
        *** Error Report ***
        Version: 3.2.14.0
        Command line: /*****/.qpkg/Emby/Emby/MediaBrowser.Server.Mono.exe
        Operating system: Unix 4.2.8.0
        64-Bit OS: True
        64-Bit Process: True
        Mono: 4.6.2 (Stable 4.6.2.7/08fd525 mercredi 23 novembre 2016, 17:45:54 (UTC+0100))
        Processor count: 4
        Program data path: /*****/.qpkg/Emby/Emby/ProgramData-Server
        Application directory: /*****/.qpkg/Emby/Emby
        System.Security.Cryptography.CryptographicException: Unable to decode certificate. ---> System.Security.Cryptography.CryptographicException: Input data cannot be coded as a valid certificate. ---> System.Security.Cryptography.CryptographicException: Input data cannot be coded as a valid certificate.
          at Mono.Security.X509.X509Certificate.Parse (System.Byte[] data) [0x00041] in <1d0bb82c94e7435eb09324cf5ef20e36>:0
          --- End of inner exception stack trace ---

    Any suggestions? Thanks,
  12. I am running a Kodi instance with Emby plugin remotely. The access is proxied via Apache to provide secure SSL. This works perfectly in almost all regards. I can stream FullHD video and all (200/25 connection). The only thing that does not work is the automatic library update. I have to make a manual update each time anything changes. I know the server is ok: - There are local instances that are not proxied, which pick up the changes fine. - Also the remote machine does pick up the changes when I connect to the server via the site-to-site VPN, but that is too slow for actual streaming. So I am pretty sure the problem is in the Apache proxy system. What do I have to make available to allow instantaneous library updates? This is quite a bummer for me right now, because the update already takes a few minutes, and I haven't even integrated the Music library.
  13. grouik1er

    Emby HTTP Server

    Hello, I just created a Let's Encrypt certificate for Emby, but I see that the web server included for Windows restricts connections to TLS 1.0. Is there a config file for it to force TLS 1.2 and modify ciphers? Thanks
  14. robello84

    Port 8920 ssl problem

    Good evening guys, for about 1 week the SSL connection on port 8920 has not worked anymore. I try to restart Emby, and it works for about half an hour, then it does not work anymore. I have the latest version of Emby installed. It works via http. I have been using the Let's Encrypt certificate for 6 months and it has always worked. Can someone help me? The only error that I find in the log is this. Thank you

        2016-09-15 14:30:14.1333 Error ServiceStackHost: Error occured while Processing Request: Access token is required.
        *** Error Report ***
        Version: 3.0.7100.0
        Command line: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe -programdata /var/lib/emby-server -ffmpeg /usr/bin/ffmpeg -ffprobe /usr/bin/ffprobe -restartpath /usr/lib/emby-server/restart.sh
        Operating system: Unix 3.19.0.42
        Processor count: 8
        64-Bit OS: True
        64-Bit Process: True
        Program data path: /var/lib/emby-server
        Mono: 4.4.2 (Stable 4.4.2.11/f72fe45 Tue Aug 30 15:48:05 UTC 2016)
        Application Path: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe
        Access token is required.
        MediaBrowser.Controller.Net.SecurityException
          at MediaBrowser.Server.Implementations.HttpServer.Security.AuthService.ValidateSecurityToken (IServiceRequest request, System.String token) <0x413e2870 + 0x00107> in <filename unknown>:0
          at MediaBrowser.Server.Implementations.HttpServer.Security.AuthService.ValidateUser (IServiceRequest request, IAuthenticationAttributes authAttribtues) <0x413e0eb0 + 0x0007b> in <filename unknown>:0
          at MediaBrowser.Server.Implementations.HttpServer.Security.AuthService.Authenticate (IServiceRequest request, IAuthenticationAttributes authAttribtues) <0x413e0e80 + 0x00017> in <filename unknown>:0
          at MediaBrowser.Controller.Net.AuthenticatedAttribute.RequestFilter (IRequest request, IResponse response, System.Object requestDto) <0x413e0de0 + 0x0007a> in <filename unknown>:0
          at ServiceStack.ServiceStackHost.ApplyRequestFiltersSingle (IRequest req, IResponse res, System.Object requestDto) <0x41324b60 + 0x0029e> in <filename unknown>:0
          at ServiceStack.ServiceStackHost.ApplyRequestFilters (IRequest req, IResponse res, System.Object requestDto) <0x41322590 + 0x000d5> in <filename unknown>:0
          at ServiceStack.Host.RestHandler+<ProcessRequestAsync>d__13.MoveNext () <0x4131d1d0 + 0x00595> in <filename unknown>:0
  15. Fmstrat

    SSL errors with StartSSL cert

    Hi all, I thought this might be an issue with the Android client at first, but I'm not so sure anymore. I'm running on Ubuntu, and I've got a cert from StartSSL, and I'm using it to secure my server. Only the HTTPS port is open to the public. Everything appears to work fine when using Firefox and the WebUI, but when connecting with Android, the server reports:

        2015-05-04 00:49:18.8658 Error - HttpServer: Error in ProcessAccept
        *** Error Report ***
        Version: 3.0.5597.1
        Command line: /opt/mediabrowser/MediaBrowser.Server.Mono.exe -programdata /var/lib/mediabrowser
        Operating system: Unix 3.13.0.51
        Processor count: 2
        64-Bit OS: True
        64-Bit Process: True
        Program data path: /var/lib/mediabrowser
        Mono: 3.10.0 (tarball Wed Nov 5 12:50:04 UTC 2014)
        Application Path: /opt/mediabrowser/MediaBrowser.Server.Mono.exe
        The authentication or decryption has failed.
        System.IO.IOException
          at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
        InnerException: Mono.Security.Protocol.Tls.TlsException
        The authentication or decryption has failed.
          at Mono.Security.Protocol.Tls.RecordProtocol.ProcessAlert (AlertLevel alertLevel, AlertDescription alertDesc) [0x00000] in <filename unknown>:0
          at Mono.Security.Protocol.Tls.RecordProtocol.ReceiveRecord (System.IO.Stream record) [0x00000] in <filename unknown>:0
          at Mono.Security.Protocol.Tls.SslServerStream.EndNegotiateHandshake (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
          at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0

    I've converted the cert and decrypted key in this way:

        ~# openssl pkcs12 -export -in host.cer -inkey host.decrypted.key -out host.pfx

    I've also tried other random things like:

        ~# mozroots --import --sync
        ~# openssl pkcs12 -in host.pfx -out certificate.p7b -nodes
        ~# certmgr -add -c Trust ./certificate.p7b
        Mono Certificate Manager - version 3.10.0.0
        Manage X.509 certificates and CRL from stores.
        Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

        Unhandled Exception:
        System.Security.Cryptography.CryptographicException: Invalid encoding ---> System.FormatException: Invalid character found.
          at (wrapper managed-to-native) System.Convert:InternalFromBase64String (string,bool)
          at System.Convert.FromBase64String (System.String s) [0x00000] in <filename unknown>:0
          at Mono.Security.Authenticode.SoftwarePublisherCertificate.PEM (System.Byte[] data) [0x00000] in <filename unknown>:0
          at Mono.Security.Authenticode.SoftwarePublisherCertificate.CreateFromFile (System.String filename) [0x00000] in <filename unknown>:0
          --- End of inner exception stack trace ---
          at Mono.Security.Authenticode.SoftwarePublisherCertificate.CreateFromFile (System.String filename) [0x00000] in <filename unknown>:0
          at Mono.Tools.CertificateManager.LoadCertificates (System.String filename, System.String password, Boolean verbose) [0x00000] in <filename unknown>:0
          at Mono.Tools.CertificateManager.Add (ObjectType type, Mono.Security.X509.X509Store store, System.String file, System.String password, Boolean verbose) [0x00000] in <filename unknown>:0
          at Mono.Tools.CertificateManager.Main (System.String[] args) [0x00000] in <filename unknown>:0
        [ERROR] FATAL UNHANDLED EXCEPTION: System.Security.Cryptography.CryptographicException: Invalid encoding ---> System.FormatException: Invalid character found.
          at (wrapper managed-to-native) System.Convert:InternalFromBase64String (string,bool)
          at System.Convert.FromBase64String (System.String s) [0x00000] in <filename unknown>:0
          at Mono.Security.Authenticode.SoftwarePublisherCertificate.PEM (System.Byte[] data) [0x00000] in <filename unknown>:0
          at Mono.Security.Authenticode.SoftwarePublisherCertificate.CreateFromFile (System.String filename) [0x00000] in <filename unknown>:0
          --- End of inner exception stack trace ---
          at Mono.Security.Authenticode.SoftwarePublisherCertificate.CreateFromFile (System.String filename) [0x00000] in <filename unknown>:0
          at Mono.Tools.CertificateManager.LoadCertificates (System.String filename, System.String password, Boolean verbose) [0x00000] in <filename unknown>:0
          at Mono.Tools.CertificateManager.Add (ObjectType type, Mono.Security.X509.X509Store store, System.String file, System.String password, Boolean verbose) [0x00000] in <filename unknown>:0
          at Mono.Tools.CertificateManager.Main (System.String[] args) [0x00000] in <filename unknown>:0

    I'm unsure why that would fail, too. Anyone have any ideas?
  16. Since updating to Version 3.0.7200.0, I have to restart the Emby Windows Service every few hours because I can no longer access it from the Internet or the LAN using https://mysite.com:8920. I can still access it via the LAN by using http://192.168.0.2:8096, without restarting the service. As soon as I restart the service, I can once again access it via the Internet and via the LAN, using https://mysite.com:8920, for a few hours. I never experienced this issue until the last update.
  17. It's 2016 and Emby (Community) still doesn't use proper TLS.

    - This page has a Qualys SSL Labs rating of F (this should be A or A+)
    - Most links on this page redirect back to HTTP
    - Most pages are only partially HTTPS
    - You can't login securely without editing the form manually
    - You can't register securely without editing the form manually
    - You can't post in the forum securely without editing the form manually
    - Side note: Your PHP exposes its version freely in your X-Powered-By header

    Also, your plugin catalog images are loaded solely via HTTP. This results in some of them being blocked by modern browsers.

    In a year where SSL certificates are free and there is more than enough documentation on securing a TLS connection, it's not acceptable for a company trying to sell products for up to 100$ to be this insecure. I would love to see this done properly.

    edit: Also just saw the pinned thread. Feel free to move it in there.
  18. Hi Emby crowd! I have an Emby server visible on the internet via SSL/HTTPS only. My server has DDNS so is accessed via URL rather than IP address. I'll be off on a family holiday soon and we're looking to be able to watch our Emby movies on the TV in our destination. The problem is that I have found that Emby app support for HTTPS seems to be quite patchy...

    - iOS works perfectly with HTTPS. I can watch movies from other networks, from 3G/LTE etc no probs... but of course it is not a big screen family experience.
    - Samsung TV app works well - family members are able to stream from my Emby server... but I won't be sideloading TV apps on someone else's TV
    - Amazon fire stick - not working with HTTPS. It fails when trying to select an HTTPS address
    - Emby sideloaded to Now TV box (aka a Roku 3) - does not work with HTTPS
    - Chromecast - TBC, need to test it today

    One other option is to use the (very pricey) Apple lightning HDMI adapter to watch from the iOS app on the TV. Does anyone know if the Apple lightning HDMI adapter works with the Emby app? Does anyone have any good (well proven) ideas on how to stream Emby via SSL? Which apps/devices will work? What do you guys do?

    Note that I have direct access to the wifi network at my travel destination. It's not a hotel wifi with captive portal, thank god. (The Amazon fire stick is potentially the holy grail of Emby travel since it supports hotel wifi... but sadly not SSL connections)

    Big thanks in advance for your input!!
  19. wered

    SSL issue

    I decided to try and install my SSL certificate to my Emby install earlier, and when I created my pfx and set it to use that it worked, however when browsing to it in Chrome or Firefox it said it was insecure because it did not have the bundle in the .pfx file. So I generated a .pfx with both the certificate and the bundle in the certificate field, however after doing so I now get an error_connection_closed whenever I access over WAN or LAN. So I switched back to the original pfx without the bundle and I get the same thing. I have restarted it a few times and tried a few different ports. Any idea on how to get this to work? OS Server2012R2 DC Mobo Supermicro X8DTN+ CPU X5650x2 Memory 192GB DDR3 Registered, SSL Provider Startcom
  20. Hi there, I am trying to access my Emby server from the "outside" world. To do so, I have configured the public port on my Emby server instance as 8920 and left the field for the server cert blank, hoping Emby would provide its own. I did forward the port in my router. But sadly, nothing works. My browser keeps loading forever. Doing the same for the standard HTTP port, 8096, works like a charm, however, unencrypted. I am completely new to the whole SSL thing via http. Is there anything else to do, or is there a tutorial on how to get my Emby server public? Thanks!
  21. I have an SSL Certificate (letsencrypt.org) that is signed by - issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1. This cert is in turn signed by - issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3. I create a pkcs12 from the pem files using the following command:
    openssl pkcs12 -export -out cert.pfx -in cert.pem -inkey privkey.pem -certfile x3chain.pem -nodes
    Where cert.pem is the certificate, privkey.pem is the private key and x3chain.pem is the issuing certificate (Let's Encrypt) and the rootCA (DST Root CA X3). I then provide this certificate to Emby and start it. When I connect from Chrome on desktop, everything is OK ("Let's Encrypt Authority X1" is trusted by Desktop Chrome). When I try to access using Android, "Let's Encrypt Authority X1" is not a trusted CA, however "DST Root CA X3" is. If the chain were being sent properly, the chain of trust is intact and it should work. Unfortunately, Emby is not sending the full chain, just the top certificate (mine) and the "Let's Encrypt Authority X1" certificate. I have seen references to a Mono bug, however that bug was fixed in April of 2014.
    To try and answer some questions ahead of time, here is the output from the top of my log file -
    If I am misreading the Mono commit and that bug is still unfixed in 4.2.1 I'll try and hack master together on FreeBSD and see what I get
  22. 2016-04-06 13:41:31.6854 Info HttpServer: attempting to load pfx: C:\Users\media\Desktop\mydomain.pfx
    2016-04-06 13:41:31.6854 Error HttpServer: Exception loading certificate: C:\Users\media\Desktop\mydomain.pfx
    *** Error Report ***
    Version: 3.0.5912.0
    Command line: C:\Users\media\AppData\Roaming\Emby-Server\System\MediaBrowser.ServerApplication.exe
    Operating system: Microsoft Windows NT 6.1.7601 Service Pack 1
    Processor count: 4
    64-Bit OS: True
    64-Bit Process: True
    Program data path: C:\Users\media\AppData\Roaming\Emby-Server
    Application Path: C:\Users\media\AppData\Roaming\Emby-Server\System\MediaBrowser.ServerApplication.exe
    The specified network password is not correct.
    System.Security.Cryptography.CryptographicException
    at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
    at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
    at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)
    at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName)
    at SocketHttpListener.Net.HttpListener.LoadCertificateAndKey(String certificateLocation)
    I've generated PFX multiple ways, with OpenSSL:
    openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt
    I've tried to use StartCom export. No luck. I even tried to import and export on Windows as was in http://emby.media/community/index.php?/topic/33534-issue-with-ssl-cert-causing-server-to-refuse-connections/ (http://emby.media/community/index.php?/topic/30792-howto-use-custom-ssl-cert-and-keep-private-key-secure/). I have verified, cert is correct when imported to Windows Certificate store, however Emby fails to accept when same cert file is pointed in Emby config.
    This one single line bugs me when custom pfx is loaded: The specified network password is not correct. When custom serv is removed, error is not present.
    2016-04-06 14:53:01.6084 Info HttpServer: attempting to load pfx: C:\Users\media\AppData\Roaming\Emby-Server\ssl\cert_d6a2b7fa3ab358ed7a19e0e99.pfx
    I've tried to put this file in any directory on Windows 7 and system can not read for some reason. I have tried to start Emby as a service (system and as a user) and as soon as custom cert is added, this same error is generated.
  23. icthusman1

    SSL with custom cert

    I have been trying to get Emby working with a custom SSL cert and having lots of trouble. Hopefully someone here can point me to what I am doing stupid. I own my own domain and have it hosted through NameCheap. I noticed last week that they have a DDNS client. So I went ahead and used that to point emby.mydomain.com to my IP address as supplied through the DDNS client. Success!! I can drop the free DDNS service I had been using and use my own domain! I tested this and am able to log in to Emby successfully from outside my network through the domain I set up. I also set the external WAN address in Emby server to be the address emby.mydomain.com (obviously this is not the actual address).
    For the SSL cert, I went with StartSSL and used their free personal SSL cert option. I received a class 1 SSL cert for emby.mydomain.com. I then used their StartCom tool to generate the PFX file using the .key and .cer files I received. I did NOT specify a password when generating the PFX file. I then placed that PFX file on the Emby server and set the custom certificate path to that file. Apply and reboot Emby. Wham, bam, thank you ma'am. Except....not. Now I can't even access Emby http or https. I removed the custom cert and went back to letting Emby generate its own cert. Http and https both work. Re-add the custom cert. Broken again. Remove, everything works. Can anyone tell me what I am doing wrong?
    Emby 3.0.5882, normal ports (8096 and 8920), Windows 10 Pro
  24. I am running Emby 3.0.5912.0 on Server 2012 R2. I used IIS 7 to put in a CSR, which I then exported to https://my.gogetssl.com to provide me an SSL. When running 3.0.5781.5 the following steps worked, and I would like to know if there is something I am doing wrong, or if there is an issue I am experiencing.
    - Put in a CSR using IIS
    - Submit the CSR to https://my.gogetssl.com, and get a *.crt back
    - Import the *.crt into the server's local cert store
    - Export the *.pfx
    - Rename the cert to the <selfsignedname>.pfx
    - Restart the server
    Here is where it breaks in 3.0.5912.0: when I access the server over HTTPS, the server refuses connections and drops all HTTPS traffic. Looking through the server logs I see the following:
    2016-04-04 23:30:44.4469 Error HttpServer: Exception loading certificate: C:\Users\Administrator\AppData\Roaming\Emby-Server\ssl\cert_9c31b7884ea5475c8687970fc5996297.pfx
    *** Error Report ***
    Version: 3.0.5912.0
    Command line: C:\Users\Administrator\AppData\Roaming\Emby-Server\System\MediaBrowser.ServerApplication.exe
    Operating system: Microsoft Windows NT 6.2.9200.0
    Processor count: 6
    64-Bit OS: True
    64-Bit Process: True
    Program data path: C:\Users\Administrator\AppData\Roaming\Emby-Server
    Application Path: C:\Users\Administrator\AppData\Roaming\Emby-Server\System\MediaBrowser.ServerApplication.exe
    The specified network password is not correct.
System.Security.Cryptography.CryptographicException at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr) at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx) at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags) at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName) at SocketHttpListener.Net.HttpListener.LoadCertificateAndKey(String certificateLocation) 016-04-04 23:30:46.3340 Error HttpResultFactory: Error streaming data *** Error Report *** Version: 3.0.5912.0 Command line: C:\Users\Administrator\AppData\Roaming\Emby-Server\System\MediaBrowser.ServerApplication.exe Operating system: Microsoft Windows NT 6.2.9200.0 Processor count: 6 64-Bit OS: True 64-Bit Process: True Program data path: C:\Users\Administrator\AppData\Roaming\Emby-Server Application Path: C:\Users\Administrator\AppData\Roaming\Emby-Server\System\MediaBrowser.ServerApplication.exe Unable to write data to the transport connection: An existing connection was forcibly closed by the remote host. 
System.IO.IOException at System.Net.Sockets.NetworkStream.Write(Byte[] buffer, Int32 offset, Int32 size) at SocketHttpListener.Net.ResponseStream.InternalWrite(Byte[] buffer, Int32 offset, Int32 count) at SocketHttpListener.Net.ResponseStream.Write(Byte[] buffer, Int32 offset, Int32 count) at System.IO.Stream.InternalCopyTo(Stream destination, Int32 bufferSize) at MediaBrowser.Server.Implementations.HttpServer.StreamWriter.WriteToInternal(Stream responseStream) InnerException: System.Net.Sockets.SocketException An existing connection was forcibly closed by the remote host at System.Net.Sockets.Socket.Send(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags) at System.Net.Sockets.NetworkStream.Write(Byte[] buffer, Int32 offset, Int32 size) 2016-04-04 23:30:46.3610 Error HttpAsyncTaskHandler: Error occured while Processing Request: Unable to write data to the transport connection: An existing connection was forcibly closed by the remote host. *** Error Report *** Version: 3.0.5912.0 Command line: C:\Users\Administrator\AppData\Roaming\Emby-Server\System\MediaBrowser.ServerApplication.exe Operating system: Microsoft Windows NT 6.2.9200.0 Processor count: 6 64-Bit OS: True 64-Bit Process: True Program data path: C:\Users\Administrator\AppData\Roaming\Emby-Server Application Path: C:\Users\Administrator\AppData\Roaming\Emby-Server\System\MediaBrowser.ServerApplication.exe Unable to write data to the transport connection: An existing connection was forcibly closed by the remote host. 
System.IO.IOException at System.Net.Sockets.NetworkStream.Write(Byte[] buffer, Int32 offset, Int32 size) at SocketHttpListener.Net.ResponseStream.InternalWrite(Byte[] buffer, Int32 offset, Int32 count) at SocketHttpListener.Net.ResponseStream.Write(Byte[] buffer, Int32 offset, Int32 count) at System.Xml.XmlUtf8RawTextWriter.FlushBuffer() at System.Xml.XmlUtf8RawTextWriter.Flush() at System.Xml.XmlWellFormedWriter.Close() at System.Xml.XmlWriter.Dispose(Boolean disposing) at ServiceStack.Text.XmlSerializer.SerializeToStream(Object obj, Stream stream) at ServiceStack.HttpResponseExtensionsInternal.WriteErrorToResponse(IResponse httpRes, IRequest httpReq, String contentType, String operationName, String errorMessage, Exception ex, Int32 statusCode) at ServiceStack.ServiceStackHost.OnUncaughtException(IRequest httpReq, IResponse httpRes, String operationName, Exception ex) at ServiceStack.HostContext.RaiseUncaughtException(IRequest httpReq, IResponse httpRes, String operationName, Exception ex) at ServiceStack.HttpResponseExtensionsInternal.WriteToResponse(IResponse response, Object result, ResponseSerializerDelegate defaultAction, IRequest request, Byte[] bodyPrefix, Byte[] bodySuffix) at ServiceStack.HttpResponseExtensionsInternal.WriteToResponse(IResponse httpRes, IRequest httpReq, Object result, Byte[] bodyPrefix, Byte[] bodySuffix) at ServiceStack.HttpResponseExtensionsInternal.WriteToResponse(IResponse httpRes, IRequest httpReq, Object result) at ServiceStack.Host.Handlers.ServiceStackHandlerBase.HandleResponse(Object response, Func`2 callback, Func`2 errorCallback) InnerException: System.Net.Sockets.SocketException An existing connection was forcibly closed by the remote host at System.Net.Sockets.Socket.Send(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags) at System.Net.Sockets.NetworkStream.Write(Byte[] buffer, Int32 offset, Int32 size) When I delete the cert, the self signed is regened and the HTTPS connections work again to load HTTPS with 
the self signed. I would like to get the HTTPS working with the cert I have purchased; that is the end goal. Note: If I browse and point at the .pfx from within the Emby server browser the same issue is repeated.
  25. KillermanGabe

    Emby and CloudFlare

    A couple of days ago I posted a thread about how my website was failing to load when using SSL. I've finally figured out what the problem was. Since I use CloudFlare as the DNS for my domain, I use their SSL, caching, etc. However, when I disable SSL and set the domain to not go through CloudFlare servers (by making the cloud on the DNS page turn grey) so it bypasses everything except basic DNS, Emby now works flawlessly without any issues. I am a bit bummed that I cannot use CloudFlare for SSL but now everything is working. Does Emby support CloudFlare or is my hosting provider not liking CloudFlare? Thanks, Gabriel Gulla
    emby-server-2-1-16.pdf