Search the Community

Sorry for posting yet another SSL threadTM, but I'm not sure how to troubleshoot this. . I have a subdomain that I've registered through IONOS (formerly 1&1). I have an SSL certificate that IONOS is managing for me at my top-level domain. How do I get my subdomain to direct to my server? Do I just redirect to my server's remote IP address? Also, in reviewing the various other guides I've found on this, it looks like I may need to download my SSL certificate and keys an import those into emby? It doesn't appear I have the option to do that from my IONOS dashboard as I've configured it so that IONOS manages it and not me. Is that a deal breaker? Or is there another way around this? I feel like I have the basic pieces available to setup SSL for remote connections to my server, but I just need to take a few more steps to get to the finish line.

Hi I'm trying to use https for remote connections using Synology reverse proxy and letsencrypt certificate installed using DMS control panel. Here what I did so far: 1. Setup DDNS using synology.me service 2. Create a letsencrypt certificate for this domain using DMS control panel 3. Create a reverse proxy setting on port 8921 to redirect to localhost:8096 4. Setup the https://*:8921 service to use the "mydomain".synology.me certificate 5. Setup port forwarding on my router to forward port 8921 to my nas port 8921 6. Setup emby advance settings, I set the external domain, https port and the secure connection mode to "Handled by reverse proxy". Everthing is working greate except for 1 thing. If I use https://"mydomain".synology.me:8921, I get a secure connection to emby server with the message : Secure connection: verified by Let's Encrypt. However, if I use this url instead: https://"mypublicip":8921, I get to my emby server on a unsecure connection with this message: "mypublicip":8921 uses an invalid security certificate. The certificate is only valid for "mydomain".synology.me. I can add an exception in the browser and get to my emby server on an unsecure connection, which defeat the purposeto have a secure connection at the first place. Did I miss a setting somewhere, anything that could explain why I can get to my emby server on a unsecure connection through my public ip? Thank you

The error message is: System.ObjectDisposedException: Cannot access a disposed object. Object name: 'SslStream'. Maybe this is related to these other reports but the error message I get is different (see attached file): https://emby.media/community/index.php?/topic/59531-external-ssl-connections-crashing https://emby.media/community/index.php?/topic/61243-server-crashing-within-minutes Thanks embyserver-63670224519.txt

Hello, I have a old ssl cert that has expired so I have loaded the new cert onto the server but it is still hosting the old cert. I have tried restarting the emby server application multiple times, restarting the server, recreating the .pfx and reloading it and it is still using the old cert. Any suggestions as to why this is happening? Thank you for your time,

I am still having issues with the chrome browser. I get a message saying SSL Version Interference. I Attached is the mono version I have installed (5.2.0) I believe to understand that I have this issue because Chrome requires a higher TLS version.

Hey, I have read most of the posts on the forum and i am still really struggling with setting up external connection and SSL. Now I have bought a domain through namecheap.com and have been following the guide Setting up SSL for Emby (WIP) by Swynol Now i have followed every step but I cant seem to get it to work. now I am not that technically gifted but know my way around a computer. Please could some help even further or dumb the process a bit even though its dumbed down already. I struggle with ssl free as it never finds my txt line to verify my domain. So any help would be greatfully appreciated Setting up SSL for Emby (WIP)

So I recently bought a domain and anticipated using Lets Encrypt. I had an extremely difficult time following their tutorials on how to acquire and validate a certificate but I found a YouTube video in which I created a certificate via a LAMP server on Ubuntu. The cert works fine and is verified on the LAMP server but when tried to compile the pem files in the pfx and set it up in advanced settings in my emby server, I cannot connect to my server when the settings are applied. When I remove the cert and the domain in advanced, it works again perfectly with the self signed certificate. Looking for a little help on how to get this working, maybe I didn't approach this correctly? I force all connections to HTTPS and would like to get this working so basically every other device other than a web browser and android OS can access the server.

After using Emby for a while I'm so happy with it that I decided to publish it to the Internet so I can listen to my music when I'm away, without needing to VPN home. I'm publishing Emby behind a Squid reverse proxy, using SSL termination. Meaning: Internet Client -----HTTPS SSL connection-----> | Squid reverse-proxy -----PLAIN HTTP-----> Emby | INTERNET | LAN Now I have a couple of questions/features requests regarding publishing Emby to the "evil" Internet: Is there any known issue/concern that I should be aware off that is not too relevant while Emby is only visible in the LAN but that can be dangerous if Emby is visible from the Internet? I'm worried about brute force attacks. Is it possible to enable a captcha on the login screen so for example after 3 failed logins the user will need to validate the captcha to try to login again? About the login screen: would it be posible to have a configuration parameter in Emby to "harden" the login form like for example disabling autocomplete on the username field? Is it possible to enable a configuration parameter to hide all users from the login screen, server wide, instead of doing it on user basis only? How does the "in-network sign-in" with the easy pin code works? How does Emby know that the user is logging in from the LAN or from the Internet? What happen if the user is in the Internet but Emby is behind a reverse-proxy in the LAN (all requests comes from the LAN IP of the proxy)? Would Emby check the X-Forwarded-For HTTP header if the reverse-proxy provides it? I know these are a lot of questions and some things may not be even implemented right now, but if they are not, maybe they can be a good idea to implement in the near future since they can help us to protect our server for the "evil" Internet. Cheers

Hello Guys, facts: installed emby on a debian vps. allow 8096 and 8920 in ufw buy a Domain at namecheap. create A Record for the VPS IP. create a letsencrypt cert (https://emby.media/community/index.php?/topic/42315-creating-a-letsencrypt-ssl-certificate-for-emby/ Emby config: add certfolder to /opt/emby-server/ssl/ssl.pfx Emby config: add external Domain "https://xxx.xxx" Problem: I got emby over "http://xxx.xxx:8096"but on "https://xxx.xxx:8920" I got "ERR_TUNNEL_CONNECTION_FAILED" can you help me with this issue? thanks

Hi, Since the latest update 3.3.0.0 I have an issue where when I browse to emby through my URL via https I get a popup asking to verify myself. If I press OK the site doesn't load but if I press cancel the site loads as normal. This happens once per browser session i.e if I close the browser and navigate back to emby it will pop up again. The certificate is fine and been generated correctly using openssl creating a .csr and getting signed with godaddy then creating a .pfx file from the generated godaddy certificates. I have not had any problems with the SSL certificate until the latest update. See attached screenshot. Pleas fix ASAP. Thanks

Hello, I have been trying to set-up Emby and allow remote access with docker containers. No matter what I do I cannot connect from any app including the web app. If I put in the URL it will connect just fine as long as force SSL is not enabled, if force SSL is enabled then I get an error that there has been too many redirects. I have looked at the posts about setting up remote access and setting up reverse proxy and nothing is working, I am not sure where to begin any help would be greatly appreciated Thank you!

Hi I was experimenting with using a SSL Cert with Emby this morning, I changed the public https port in server manager and now my Emby will not start, attached are the Emby logs from when this happened, in my Event viewer I can see the following The description for Event ID 7024 from source Service Control Manager cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event. The following information was included with the event: Emby %%2148734208 The locale specific resource for the desired message is not present can anyone help me get my Emby back working again? server-63652297203.txt unhandled_4bb46dc1-e932-4b4d-95ed-5ac75b15ea40.txt

There have been a few posts around the Forum recently regarding SSL, HTTPS and Security. I'm by no means an expert on reverse proxies but have had alot of dealings with them over the past few months and with the help of @@pir8radio and @@shorty1483 have a fairly well setup and secure system to access my services from outside of my LAN. This guide is to help people access their Emby Server and any other services behind a reverse proxy. This is based on NGINX but it also works for Apache and IIS. So firstly, what is and why do i need a reverse proxy? If you’re like me and have many services running on servers or PCs in your home, i.e. Emby, Plex, Sonarr, Radarr, Ombi, Organizer, CP, home automation, CCTV and anything else. Then you have to open multiple ports on your router to direct traffic to where it needs to go. With a Reverse Proxy you only have to open 1 or 2 ports. Normally all HTTP traffic is sent over port 80 and HTTPS traffic over port 443. In my case I want all traffic served over HTTPS and port 443 so I close all ports bar 443. Another reason to use a reverse proxy is that you can use your own domain certs easily and fine tune your security settings. If you want to test your Domain security go here - https://securityheaders.io/ Chances are your rating will be an F. with reverse proxy you can easily attain a B+/A Grade. You can also setup a web faced server running NGINX and then have additional servers behind that hidden on your LAN, however if your like me I have NGINX running on the same machine as emby. I only access Emby remotely do i still need a reverse proxy? Difficult to answer. No you dont need a reverse proxy to access Emby, but if you do then you can fine tune the security. This guide assumes you have a Domain name, your own Certs to go with your domain name and either have your domain name pointed to a static PC (your home WAN IP) or have Dynamic DNS setup. Have I convinced you yet? I run Windows OS at home so this guide follows a Windows setup but the config will be the same across all OS. 1. Download the latest version of NGINX from here - http://nginx-win.ecsds.eu/ as of writing this guide its version 1.13.0.1 Violet. 2. Extract the ZIP file somewhere easy to find. C:\NGINX. a. To make future updating easier when you extract the ZIP the file is called nginx 1.13.0.1 Violet. Rename it to just NGINX. 3. Before we get started on the config of NGINX lets install it as a service. a. Download NSSM b. Extract the ZIP c. Copy correct x86 or x64 nssm.exe to C:\Windows\System32 d. Open a CMD, type ‘nssm install nginx’ e. Fill in the Application Path – C:\NGINX\nginx.exe Startup directory – C:\NGINX Service name – NGINX. Install Service Don’t Start the service yet, we need to configure NGINX. To create a config I use notepad++. I will go through each setting first before supplying a copy of my current config. This is how the config starts. worker_processes 2; events { worker_connections 8192; } http { include mime.types; default_type application/octet-stream; server_tokens off; sendfile off; gzip on; gzip_disable "msie6"; gzip_comp_level 6; gzip_min_length 1100; gzip_buffers 16 8k; gzip_proxied any; gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml image/svg+xml; tcp_nodelay on; server_names_hash_bucket_size 128; map_hash_bucket_size 64; ## Start: Timeouts ## client_body_timeout 10; client_header_timeout 10; keepalive_timeout 30; send_timeout 10; keepalive_requests 10; ## End: Timeouts ## } This part is fairly standard. anything starting with # is disabled or just a comment. The config is broken down into blocks. the first block here is the HTTP block. The HTTP block contains all the headers required to do the work of the reverse proxy for example when someone browses to emby.mydomain.com it matches a header in NGINX and it knows where to forward the data. The only change in the section above over a default config is the addition of server_tokens off; this is the first of our security tweaks. This removes the version of NGINX from being visible outside your network and less chances of attackers being able to exploit version weaknesses. ## Default Listening ## server { listen 80 default_server; listen [::]:80 default_server; server_name _; return 301 https://$host$request_uri; } This next block is called a server block and it nested inside the HTTP block. This block is optional, it is only used to redirect any users from HTTP to HTTPS if you want to force users on HTTPS only. listen 80 and listen [::] 80 are default ports for HTTP traffic for IPv4 and IPv6. return 301 https://$host$request_uri; is what rewrites the request from HTTP to HTTPS. Again only needed if you are forcing everyone to use HTTPS only. ##EMBY Server## server { listen 80; listen [::] 80; listen [::]:443 ssl; listen 443 ssl; server_name emby.mydomain.com; ssl_session_timeout 30m; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_certificate SSL/cert.pem; ssl_certificate_key SSL/private.key; ssl_session_cache shared:SSL:10m; #add_header Public-Key-Pins ' #pin-sha256="8TzXdhbnv+l6EjDG2Vj9EmgGiSmZenrTZSNaUFEwyUE="; #pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; #pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="; #max-age=86400; includeSubDomains'; add_header X-Xss-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always; add_header X-Frame-Options "SAMEORIGIN" always; proxy_hide_header X-Powered-By; add_header 'Referrer-Policy' 'no-referrer'; add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;"; location / { proxy_pass http://192.168.10.10:8096; proxy_set_header Range $http_range; proxy_set_header If-Range $http_if_range; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #Next three lines allow websockets proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } The next server block is where the magic happens. First the listen 80; and listen [::] 80; are only needed if you want to allow users to access your emby server on port 80. otherwise delete these 2 lines to force all users to HTTPS access. Listen 443 ssl; and listen [::] 443 ssl; are the default HTTPS ports again for IPv4 and IPv6. server_name emby.mydomain.com will be your subdomain and how you access emby from outside your network. Now lets look at the SSL certificates, for my setup I created a .pem file. this file contains both my cert, intermediate and CA root cert in one file. This link gives you an idea how to do it - https://www.digicert.com/ssl-support/pem-ssl-creation.htm you should now have your cert.pem and a private.key file. for simplicity copy these files to C:\NGINX\conf\SSL (you have to create the SSL folder) This tells NGINX where to find the certs. ssl_certificate SSL/cert.pem; ssl_certificate_key SSL/private.key; For now I am going to skip over the #add_header Public-Key-Pins - as you can see i have it disabled by using # in front of it. I will explain why later on. The next section adds further security tweaks, you will need to change the content-security-policy domain names to your own. you need to list all your subdomains i.e. sonarr.mydomain.com radarr.mydomain.com emby.my....... you get the idea. add_header X-Xss-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always; add_header X-Frame-Options "SAMEORIGIN" always; proxy_hide_header X-Powered-By; add_header 'Referrer-Policy' 'no-referrer'; add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;"; The next part is called the location block. This is what tells your domain name emby.mydomain.com where the data should go. In this case it forwards everything to proxy_pass http://192.168.10.10:8096 you can also forward to proxy_pass http://127.0.0.1:8096 if it runs on the same box as NGINX. the rest of the location block is default stuff to help the data get to where it is needed. Your Config should now look like the one below. we need to save it to C:\NGINX\conf and name it nginx.conf worker_processes 2; events { worker_connections 8192; } http { include mime.types; default_type application/octet-stream; server_tokens off; sendfile off; server_names_hash_bucket_size 128; map_hash_bucket_size 64; ## Start: Timeouts ## client_body_timeout 10; client_header_timeout 10; keepalive_timeout 30; send_timeout 10; keepalive_requests 10; ## End: Timeouts ## ## Default Listening ## server { listen 80 default_server; listen [::]:80 default_server; server_name _; return 301 https://$host$request_uri; } ##EMBY Server## server { listen [::]:443 ssl; listen 443 ssl; server_name emby.mydomain.com; ssl_session_timeout 30m; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_certificate SSL/cert.pem; ssl_certificate_key SSL/private.key; ssl_session_cache shared:SSL:10m; #add_header Public-Key-Pins ' #pin-sha256="8TzXdhbnv+l6EjDG2Vj9EmgGiSmZenrTZSNUFEwyUE="; #pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/utLMkBgFF2Fuihg="; #pin-sha256="Vjs8r4z+80wjNcr1KepWQboSIRi63WsWXhIMN+eWys="; #max-age=86400; includeSubDomains'; add_header X-Xss-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always; add_header X-Frame-Options "SAMEORIGIN" always; proxy_hide_header X-Powered-By; add_header 'Referrer-Policy' 'no-referrer'; add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;"; location / { proxy_pass http://192.168.10.10:8096; proxy_set_header Range $http_range; proxy_set_header If-Range $http_if_range; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #Next three lines allow websockets proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } } And thats it, you can now start your NGINX services by running services.msc and starting NGINX.

I purchased my own domain certificate and then I had a crazy time trying to figure out why my pfx file wouldn't work. After much reading around it seemed that in order to make it work I had to use a pfx file (cert+private key) with no password in place. For me this wasn't an option, as I'm crazy paranoid that by creating this it would then be possible for someone to get their hands on it and then somehow and then be able to compromise my sites (wildcard cert). So instead, I made Emby work with a secure pfx file. Here is my howto.... Requirements: Active Directory enabled domain A Windows Server (2012 or higher) or a Windows workstation (Windows 8 or higher) joined to the domain - I used my Emby server for this SSL Certificate - I used one I had purchased Setup Emby Service Account: 1. In Active Directory create a user account that will be used to launch the Emby service - I placed mine under Managed Service Accounts 2. On the Emby server open Control Panel and type Services 3. Locate the Emby Server service, right click on it the service and choose Properties 4. Click on the Log On tab, select "This Account" radio button and enter in the username and password you created in Step 1, click OK and then Close the Services window 5. Still inside Control Panel, click on User Accounts, then select Give other users access to this computer 6. Click Add then add the Emby user information from Step 1 and click Next 7. Select Administrator and click Next, then Finish Preparing your secured pfx file: 1. Using a Windows 2012/2012R2 Server or Windows 8/8.1/10 workstation, with Control Panel still open type "certificate" 2. Import your certificate making sure to mark it as exportable. 3. Right click on the certificate that was just imported and choose Export 4. Mark "Yes, export the private key", click Next until you reach the Security screen 5. Check the "Group or user names", this will automatically input the user you're using. Remove that user and click Add, then add the Emby user created in Step 1 in the above section. Click Next 6. Give it a filename, I would HIGHLY recommend you do NOT name it the same as your original cert/pfx file since this will be used for this situation only. Click Next, then Finish 7. Once the two things above are done then assign the key as you would normally in Emby - Advanced/Custom certificate path Finally, reboot the server/workstation. This isn't 100% needed, but I like to do it to verify everything works correctly. If you don't do this then make sure to go back into Services and start or restart the Emby Server service. Another suggestion, but not needed for this to work, is to have the certificate saved in a folder by itself (C:\Windows\EmbyCert or some other generic spot). Then edit that folders security settings removing all users except for the Emby account you created. Assign that Emby account with Read access. There you go, Emby is now using your SSL certificate, and you don't have a certificate/private key combo sitting on your machine with no protection on it. Edited to correct some grammatical and spelling errors.

Hi, I've set up my Emby-server with "HTTPS using reverse proxy" using the "Setting up SSL for Emby (WIP)" guide. My question is: How can I switch between my LAN IP-address 192.168.1.20:8096 if I'm at home and my https: // emby.domainname.com:443 address if I'm on the road (using the Android-app)? Manually adding the other address for the same server doesn't seem to work? Thanks!

Hi, can you upgrade the TLS version used for SSL connection in Emby? I've been tuning my Firefox's security configurations, and when I enable "security.ssl.require_safe_negotiation = true" it returns me the error "SSL_ERROR_UNSAFE_NEGOTIATION" at the moment I try to enter Emby web client. Googling a little returned me that the TLS version may be insecure at the webserver.... in this case Emby's embeeded webserver that uses the .pfx for enabling HTTPS. Thanks.

http://www.pcworld.com/article/2932419/plex-gets-more-secure-adding-free-ssl-encryption-for-all-free-and-paying-users.html i'm surprised something like this not thought about in the beginning of things

Hi, I've tried to follow all the guides out there to add a certificate to my Emby server, unfortunately without success. Today I'm running my Emby server on Ubuntu 17.04. I own my own domain but I already use the main domain for another server that I has as a webserver. So I would like to have a sub-domain for my Emby, so I have created an address that looks like this: emby.domain.com I have managed to use free certificates on my web server via Certbot, but when I try to do the same way on my Emby server with my sub-domain I get some authentication error message. So I would really appreciate if someone would give me some really good instructions on how to install a certificate on my Emby-server. Have tried this already: https://emby.media/community/index.php?/topic/44757-setting-up-ssl-for-emby-wip/

Status: Initiated Blueprint Luke has investigated this, unclear the progress on universal development. App devs have not begun dev for this. Once Luke builds core compatibility it may be 3+ months before app/client SSL adoption. Spread the word! Let's make it known how many Emby users would love to see this feature! I have seen scattered, unorganized requests for this that seemed to die, so this will serve to centralize all support for SSL and to track responses/feedback. This is to request Emby support SSL, both app and web client to server. This would be for Emby Connect setups as well as local user setup. Current Plan: Utilize Lets Encrypt (https://letsencrypt.org/) to allow automated endoint encryption. Luke is currently looking for members that may be able to help automate this at server endpoints. Possible Solutions include subdomains for each client (ex. customer.emby.media) or custom domains for each customer such as DyDNS. Reasons for this: Secure activity/traffic between client and server Allows passwords to be passed plain text from client to server. Would allow development of SSO/LDAP authentication solutions. Please see and support our topic linked below:https://emby.media/community/index.php?/topic/26495-ldap-support/ What is done: Enhanced SSL support on mobile application What is needed: Core universal SSL support App supported SSL Web-app supported SSL Authentication passed over SSL to allow plaintext passwords

Hello, I am not able to setup SSL on my emby server hosted on QNAP TS-251+. Server details: QNAP TS-251+ Firmware v4.3.3 Emby v3.2.14 Qmono v4.6.2.7 (64bit) When I supply my own ssl cert with .pfx, I can connect via http but not https. Port forwarding is done correctly. Also, if I do not supply my own cert then connect via https works fine with warning. Here is the log snippet: 2017-05-08 14:46:32.9377 Error App: Error loading cert from /*****/SSLcertificate.pfx *** Error Report *** Version: 3.2.14.0 Command line: /*****/.qpkg/Emby/Emby/MediaBrowser.Server.Mono.exe Operating system: Unix 4.2.8.0 64-Bit OS: True 64-Bit Process: True Mono: 4.6.2 (Stable 4.6.2.7/08fd525 mercredi 23 novembre 2016, 17:45:54 (UTC+0100)) Processor count: 4 Program data path: /*****/.qpkg/Emby/Emby/ProgramData-Server Application directory: /*****/.qpkg/Emby/Emby System.Security.Cryptography.CryptographicException: Unable to decode certificate. ---> System.Security.Cryptography.CryptographicException: Input data cannot be coded as a valid certificate. ---> System.Security.Cryptography.CryptographicException: Input data cannot be coded as a valid certificate. at Mono.Security.X509.X509Certificate.Parse (System.Byte[] data) [0x00041] in <1d0bb82c94e7435eb09324cf5ef20e36>:0 --- End of inner exception stack trace --- Any suggestions? Thanks,

I am running a Kodi instance with Emby plugin remotely. The access is proxied via Apache to provide secure SSL. This works perfectly in almost all regards. I can stream FullHD video and all (200/25 connection). The only thing that does not work is the automatic library update. I have to make a manual update each time anything changes. I know the server is ok: - There are local instances that are not proxied, which pick up the changes fine. - Also the remote machine does pick up the changes when I connect to the server via the site-to-site VPN, but that is too slow for actual streaming. So I am pretty sure the problem is in the Apache proxy system. What do I have to make available to allow instantaneous library updates? This is quite a bummer for me right now, because the update already takes a few minutes, and I haven't even integrated the Music library.

Hello, I jsute create un letsencrypt certificate for emby but i see that the web server include for windows restrict connection to TLS 1.0. There is a config file for it to force TLS 1.2 and modify cipher ? Thanks

Good evening guys, is from about 1 week that the ssl connection on port 8920, does not work anymore. I try to restart emby, and it works for about half an hour, then do not work anymore. I have the latest version of emby installed. It works via http. Using the certificate of let'sencrypt from 6 months is it always worked. Can someone help me? The only mistake that I find in the log is this. Thank you 2016-09-15 14:30:14.1333 Error ServiceStackHost: Error occured while Processing Request: Access token is required. *** Error Report *** Version: 3.0.7100.0 Command line: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe -programdata /var/lib/emby-server -ffmpeg /usr/bin/ffmpeg -ffprobe /usr/bin/ffprobe -restartpath /usr/lib/emby-server/restart.sh Operating system: Unix 3.19.0.42 Processor count: 8 64-Bit OS: True 64-Bit Process: True Program data path: /var/lib/emby-server Mono: 4.4.2 (Stable 4.4.2.11/f72fe45 Tue Aug 30 15:48:05 UTC 2016) Application Path: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe Access token is required. MediaBrowser.Controller.Net.SecurityException at MediaBrowser.Server.Implementations.HttpServer.Security.AuthService.ValidateSecurityToken (IServiceRequest request, System.String token) <0x413e2870 + 0x00107> in <filename unknown>:0 at MediaBrowser.Server.Implementations.HttpServer.Security.AuthService.ValidateUser (IServiceRequest request, IAuthenticationAttributes authAttribtues) <0x413e0eb0 + 0x0007b> in <filename unknown>:0 at MediaBrowser.Server.Implementations.HttpServer.Security.AuthService.Authenticate (IServiceRequest request, IAuthenticationAttributes authAttribtues) <0x413e0e80 + 0x00017> in <filename unknown>:0 at MediaBrowser.Controller.Net.AuthenticatedAttribute.RequestFilter (IRequest request, IResponse response, System.Object requestDto) <0x413e0de0 + 0x0007a> in <filename unknown>:0 at ServiceStack.ServiceStackHost.ApplyRequestFiltersSingle (IRequest req, IResponse res, System.Object requestDto) <0x41324b60 + 0x0029e> in <filename unknown>:0 at ServiceStack.ServiceStackHost.ApplyRequestFilters (IRequest req, IResponse res, System.Object requestDto) <0x41322590 + 0x000d5> in <filename unknown>:0 at ServiceStack.Host.RestHandler+<ProcessRequestAsync>d__13.MoveNext () <0x4131d1d0 + 0x00595> in <filename unknown>:0

Hi all, I thought this might be an issue with the Android client at first, but I'm not so sure anymore. I'm running on Ubuntu, and I've got a cert from StartSSL, and I'm using it to secure my server. Only the HTTPS port is open to the public. Everything appears to work fine when using Firefox and the WebUI, but when connecting with Android, the server reports: 2015-05-04 00:49:18.8658 Error - HttpServer: Error in ProcessAccept *** Error Report *** Version: 3.0.5597.1 Command line: /opt/mediabrowser/MediaBrowser.Server.Mono.exe -programdata /var/lib/mediabrowser Operating system: Unix 3.13.0.51 Processor count: 2 64-Bit OS: True 64-Bit Process: True Program data path: /var/lib/mediabrowser Mono: 3.10.0 (tarball Wed Nov 5 12:50:04 UTC 2014) Application Path: /opt/mediabrowser/MediaBrowser.Server.Mono.exe The authentication or decryption has failed. System.IO.IOException at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 InnerException: Mono.Security.Protocol.Tls.TlsException The authentication or decryption has failed. at Mono.Security.Protocol.Tls.RecordProtocol.ProcessAlert (AlertLevel alertLevel, AlertDescription alertDesc) [0x00000] in <filename unknown>:0 at Mono.Security.Protocol.Tls.RecordProtocol.ReceiveRecord (System.IO.Stream record) [0x00000] in <filename unknown>:0 at Mono.Security.Protocol.Tls.SslServerStream.EndNegotiateHandshake (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 I've converted the cert and decrypted key in this way: ~# openssl pkcs12 -export -in host.cer -inkey host.decrypted.key -out host.pfx I've also tried other random things like: ~# mozroots --import -–sync ~# openssl pkcs12 -in host.pfx -out certificate.p7b -nodes ~# certmgr -add -c Trust ./certificate.p7b Mono Certificate Manager - version 3.10.0.0 Manage X.509 certificates and CRL from stores. Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed. Unhandled Exception: System.Security.Cryptography.CryptographicException: Invalid encoding ---> System.FormatException: Invalid character found. at (wrapper managed-to-native) System.Convert:InternalFromBase64String (string,bool) at System.Convert.FromBase64String (System.String s) [0x00000] in <filename unknown>:0 at Mono.Security.Authenticode.SoftwarePublisherCertificate.PEM (System.Byte[] data) [0x00000] in <filename unknown>:0 at Mono.Security.Authenticode.SoftwarePublisherCertificate.CreateFromFile (System.String filename) [0x00000] in <filename unknown>:0 --- End of inner exception stack trace --- at Mono.Security.Authenticode.SoftwarePublisherCertificate.CreateFromFile (System.String filename) [0x00000] in <filename unknown>:0 at Mono.Tools.CertificateManager.LoadCertificates (System.String filename, System.String password, Boolean verbose) [0x00000] in <filename unknown>:0 at Mono.Tools.CertificateManager.Add (ObjectType type, Mono.Security.X509.X509Store store, System.String file, System.String password, Boolean verbose) [0x00000] in <filename unknown>:0 at Mono.Tools.CertificateManager.Main (System.String[] args) [0x00000] in <filename unknown>:0 [ERROR] FATAL UNHANDLED EXCEPTION: System.Security.Cryptography.CryptographicException: Invalid encoding ---> System.FormatException: Invalid character found. at (wrapper managed-to-native) System.Convert:InternalFromBase64String (string,bool) at System.Convert.FromBase64String (System.String s) [0x00000] in <filename unknown>:0 at Mono.Security.Authenticode.SoftwarePublisherCertificate.PEM (System.Byte[] data) [0x00000] in <filename unknown>:0 at Mono.Security.Authenticode.SoftwarePublisherCertificate.CreateFromFile (System.String filename) [0x00000] in <filename unknown>:0 --- End of inner exception stack trace --- at Mono.Security.Authenticode.SoftwarePublisherCertificate.CreateFromFile (System.String filename) [0x00000] in <filename unknown>:0 at Mono.Tools.CertificateManager.LoadCertificates (System.String filename, System.String password, Boolean verbose) [0x00000] in <filename unknown>:0 at Mono.Tools.CertificateManager.Add (ObjectType type, Mono.Security.X509.X509Store store, System.String file, System.String password, Boolean verbose) [0x00000] in <filename unknown>:0 at Mono.Tools.CertificateManager.Main (System.String[] args) [0x00000] in <filename unknown>:0 I'm unsure why that would fail, too. Anyone have any ideas?

Since updating to Version 3.0.7200.0, I have to restart the Emby Windows Service every few hours because I can no longer access it from the Internet or the LAN using https://mysite.com:8920. I can still access it via the LAN by using http://192.168.0.2:8096, without restarting the service. As soon as I restart the service, I can once again access it via the Internet and via the LAN, using https://mysite.com:8920, for a few hours. I never experienced this issue until the last update.