Jump to content

Metadata updates failing after Mono6.8 update on 4.7.0.9


garybellanice
 Share

Recommended Posts

garybellanice

Hi All, 

I'm running into the same issue as described HERE and felt it was worth creating a new topic.  

In my case, I was stable on 4.7.0.7 and then began to experience the issue with the update to 4.7.0.9 -- and the corresponding mono6.8 upgrade.  

 

InnerException: System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
	Source: mscorlib
	TargetSite: Void Throw()
	  at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Boolean runSynchronously, Mono.Net.Security.MonoSslAuthenticationOptions options, System.Threading.CancellationToken cancellationToken) [0x00262] in <2deb8ccd8f0546038e28d46e7bcc1998>:0 
	  at Mono.Net.Security.MonoTlsStream.CreateStream (System.Net.WebConnectionTunnel tunnel, System.Threading.CancellationToken cancellationToken) [0x0016a] in <2deb8ccd8f0546038e28d46e7bcc1998>:0 
	  at System.Net.WebConnection.CreateStream (System.Net.WebOperation operation, System.Boolean reused, System.Threading.CancellationToken cancellationToken) [0x001ba] in <2deb8ccd8f0546038e28d46e7bcc1998>:0 
	InnerException: Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
	  at /wrkdirs/usr/ports/lang/mono6.8/work/mono-6.8.0.123/external/boringssl/ssl/handshake_client.c:1132
	Source: System

 

The mono cert-sync command  runs successfully with the "--user" flag, but given that emby runs as the user "emby" and I ran the command as root, I believe that is why it was still ineffective.  On my install, I cannot login as "emby", and I'm not sure how to make the changes to allow that user to login -- but I believe that if the cert-sync command was run by the "emby" user, it may resolve the issue. 

Also, upgrade to 4.7.0.10 did not resolve the issue.  

Any ideas? 

 

Link to comment
Share on other sites

garybellanice

I created a jail, and then manually installed emby. I've had this jail running for probably 1yr+ on freenas11.5, and then upgraded to 12.0 a few months ago.

I also upgraded the jail to 12.0 after upgrading to Truenas and have been using the freebsd12 install package since 4.7.0.6

Link to comment
Share on other sites

alucryd

@garybellanice Could you try installing the latest beta again? https://github.com/MediaBrowser/Emby.Releases/releases/download/4.7.0.10/emby-server-freebsd12_4.7.0.10_amd64.pkg

If you get SSL issues, please try a simple curl on https://emby.media/community/index.php?/blog/rss/1-media-browser-developers-blog from the jail and post the output here. Thanks!

Link to comment
Share on other sites

garybellanice

Tried reinstalling...

Server log attached.

Also ran a simple curl.  Output attached. 

 curl https://www.google.com >/tmp/curltest.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 14403    0 14403    0     0  42491      0 --:--:-- --:--:-- --:--:-- 42612

Issue remains..

Source: System
	TargetSite: System.Net.WebResponse EndGetResponse(System.IAsyncResult)
	InnerException: System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
	Source: mscorlib
	TargetSite: Void Throw()
	  at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Boolean runSynchronously, Mono.Net.Security.MonoSslAuthenticationOptions options, System.Threading.CancellationToken cancellationToken) [0x00262] in <2deb8ccd8f0546038e28d46e7bcc1998>:0 
	  at Mono.Net.Security.MonoTlsStream.CreateStream (System.Net.WebConnectionTunnel tunnel, System.Threading.CancellationToken cancellationToken) [0x0016a] in <2deb8ccd8f0546038e28d46e7bcc1998>:0 
	  at System.Net.WebConnection.CreateStream (System.Net.WebOperation operation, System.Boolean reused, System.Threading.CancellationToken cancellationToken) [0x001ba] in <2deb8ccd8f0546038e28d46e7bcc1998>:0 
	InnerException: Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
	  at /wrkdirs/usr/ports/lang/mono6.8/work/mono-6.8.0.123/external/boringssl/ssl/handshake_client.c:1132

 

 

 

 

embyserver (8).txt curltest.txt

Link to comment
Share on other sites

alucryd

@garybellanicePlease test curl on one of the affected URLs, like https://emby.media/community/index.php?/blog/rss/1-media-browser-developers-blog I posted above.

Is the ca_root_nss package up to date in your jail? Can you try importing the following certificate bundle as root using cert-sync? https://curl.se/ca/cacert.pem

Link to comment
Share on other sites

garybellanice

@Luke yes, I used pkg add -f to download and reinstall a fresh copy of the package. 

@alucryd I downloaded the cert bundle and imported with root: 

root@emby:/tmp # cert-sync --user cacert.pem
Mono Certificate Store Sync - version 6.8.0.123
Populate Mono certificate store from a concatenated list of certificates.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

Importing into legacy user store:
I already trust 143, your new list has 128
14 previously trusted certificates were removed.
Certificate removed: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G3
Certificate removed: C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Chambers of Commerce Root
Certificate removed: C=PL, O=Unizeto Sp. z o.o., CN=Certum CA
Certificate removed: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 2 Public Primary Certification Authority - G6
Certificate removed: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 1 Public Primary Certification Authority - G6
Certificate removed: C=CH, O=SwissSign AG, CN=SwissSign Platinum CA - G2
Certificate removed: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Secure Mail Root R45
Certificate removed: C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 1999 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 1 Public Primary Certification Authority - G3
Certificate removed: C=CH, O=WISeKey, OU=Copyright (c) 2005, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GA CA
Certificate removed: C=EU, L=Madrid (see current address at www.camerfirma.com/address), SERIALNUMBER=A82743287, O=AC Camerfirma S.A., CN=Chambers of Commerce Root - 2008
Certificate removed: C=DE, O=D-Trust GmbH, CN=D-TRUST Root CA 3 2013
Certificate removed: C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 1999 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 2 Public Primary Certification Authority - G3
Certificate removed: C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Global Chambersign Root
Certificate removed: C=EU, L=Madrid (see current address at www.camerfirma.com/address), SERIALNUMBER=A82743287, O=AC Camerfirma S.A., CN=Global Chambersign Root - 2008
Import process completed.

Importing into BTLS user store:
I already trust 143, your new list has 128
14 previously trusted certificates were removed.
Certificate removed: C=DE, O=D-Trust GmbH, CN=D-TRUST Root CA 3 2013
Certificate removed: C=EU, L=Madrid (see current address at www.camerfirma.com/address), SERIALNUMBER=A82743287, O=AC Camerfirma S.A., CN=Global Chambersign Root - 2008
Certificate removed: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Secure Mail Root R45
Certificate removed: C=PL, O=Unizeto Sp. z o.o., CN=Certum CA
Certificate removed: C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 1999 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 1 Public Primary Certification Authority - G3
Certificate removed: C=CH, O=WISeKey, OU=Copyright (c) 2005, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GA CA
Certificate removed: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 1 Public Primary Certification Authority - G6
Certificate removed: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G3
Certificate removed: C=EU, L=Madrid (see current address at www.camerfirma.com/address), SERIALNUMBER=A82743287, O=AC Camerfirma S.A., CN=Chambers of Commerce Root - 2008
Certificate removed: C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Global Chambersign Root
Certificate removed: C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Chambers of Commerce Root
Certificate removed: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 2 Public Primary Certification Authority - G6
Certificate removed: C=CH, O=SwissSign AG, CN=SwissSign Platinum CA - G2
Certificate removed: C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 1999 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 2 Public Primary Certification Authority - G3
Import process completed.

 

Not sure what I'm doing wrong with the curl test: 

root@emby:/tmp # curl https://emby.media/community/index.php?/blog/rss/1-media-browser-developers-blog
curl: No match.

 

Curl provides output as long as exclude everything after the "?"

IE:  

root@emby:/tmp # curl --insecure https://emby.media/community/index.php

 

 

 

I also tried reinstalling 4.7.0.10 after importing the ca-cert list above, but no luck.  Same issue.

server log attached.

 

 

embyserver (9).txt

Edited by garybellanice
Link to comment
Share on other sites

garybellanice

Hello, 

I force reinstalled all of the dependencies, and then installed 4.7.0.11.  Unfortunately, the same issue is occurring.  

Something interesting I noticed is that during the install of the dependencies, I received the "read-only" file system error with mono6.8 attempting to sync the certificates.

[emby] [3/17] Reinstalling gnutls-3.6.16...
[emby] [3/17] Extracting gnutls-3.6.16: 100%
[emby] [4/17] Reinstalling fribidi-1.0.10...
[emby] [4/17] Extracting fribidi-1.0.10: 100%
[emby] [5/17] Reinstalling webp-1.2.0...
[emby] [5/17] Extracting webp-1.2.0: 100%
[emby] [6/17] Reinstalling sqlite3-3.35.5_3,1...
[emby] [6/17] Extracting sqlite3-3.35.5_3,1: 100%
[emby] [7/17] Reinstalling libvorbis-1.3.7_2,3...
[emby] [7/17] Extracting libvorbis-1.3.7_2,3: 100%
[emby] [8/17] Reinstalling libraw-0.20.2...
[emby] [8/17] Extracting libraw-0.20.2: 100%
[emby] [9/17] Reinstalling mono6.8-6.8.0.123...
[emby] [9/17] Extracting mono6.8-6.8.0.123: 100%
Mono Certificate Store Sync - version 6.8.0.123
Populate Mono certificate store from a concatenated list of certificates.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

Importing into legacy system store:
I already trust 0, your new list has 143
Warning: Could not import C=ES, O=FNMT-RCM, OU=AC RAIZ FNMT-RCM
System.IO.IOException: Read-only file system
  at System.IO.FileSystem.CreateDirectory (System.String fullPath) [0x00191] in <0e6cb1433c7b46f598f86593dd03f528>:0
  at System.IO.Directory.CreateDirectory (System.String path) [0x0002c] in <0e6cb1433c7b46f598f86593dd03f528>:0
  at Mono.Security.X509.X509Store.CheckStore (System.String path, System.Boolean throwException) [0x00020] in <9d0b4d46cb9c4cd288c22cd9cdf5212a>:0
  at Mono.Security.X509.X509Store.Import (Mono.Security.X509.X509Certificate certificate) [0x00000] in <9d0b4d46cb9c4cd288c22cd9cdf5212a>:0
  at Mono.Tools.CertSync.ImportToStore (Mono.Security.X509.X509CertificateCollection roots, Mono.Security.X509.X509Store store) [0x00050] in <34bb119f69354d8986322c88a4400682>:0
Warning: Could not import C=ES, O=FNMT-RCM, OU=Ceres, OID.2.5.4.97=VATES-Q2826004J, CN=AC RAIZ FNMT-RCM SERVIDORES SEGUROS

After the upgrade to 4.7.0.11 did not resolve the issue, I tried re-running cert-sync: 

cert-sync --user /usr/local/share/certs/ca-root-nss.crt
cert-sync --user /tmp/cacert.pem
 

They above commands run successfully with "--user" but I still suspect the issue is that emby-server runs as the user "emby" and I'm running cert-sync with the root user.  If I exclude the "--user" flag, cert-sync fails with the same read-only file system error mentioned above during the pkg dependency installation. 

*Fresh server log attached.

 

Thanks for the suggestions so far.  

 

embyserver (11).txt

Link to comment
Share on other sites

alucryd

Well, it does seem that your trust store has no certificates at all. Never ran into this read-only filesystem error before, but please try cert-sync without the --user flag.

Link to comment
Share on other sites

garybellanice

This morning, I went ahead and created a brand new jail on 12.2 release 9.  Freshly installed 4.7.0.11, imported by backups from the previous jail, and the ssl error is no longer present. 

Not sure what happened with the original jail, but a fresh install from scratch resolved my issue. 

Thanks anyway for the help and suggestions. 

 

Link to comment
Share on other sites

Townsey

I have the same problem, is there any updates on this please.

I really do not want to go through a complete reinstall if can be avoided

From my log files in Emby from the log menu it looks like a trust issue with Mono.

I am not an expert and delving around in the same way as garybellanice has, would be beyond my spec.

Have installed 4.7.0.12 in the same way as I normally do through the shell in the jail, rebooted everything and still the same problem.

Thanks

Link to comment
Share on other sites

9 hours ago, Townsey said:

I have the same problem, is there any updates on this please.

I really do not want to go through a complete reinstall if can be avoided

From my log files in Emby from the log menu it looks like a trust issue with Mono.

I am not an expert and delving around in the same way as garybellanice has, would be beyond my spec.

Have installed 4.7.0.12 in the same way as I normally do through the shell in the jail, rebooted everything and still the same problem.

Thanks

Hi, can you please try the steps that the other user in this topic tried? Please let us know if it helps. Thanks.

Link to comment
Share on other sites

  • 2 weeks later...
Townsey
On 20/09/2021 at 16:59, Luke said:

Hi, can you please try the steps that the other user in this topic tried? Please let us know if it helps. Thanks.

Have tried most things but have gone back to 4.6.4.0 as nothing else for me worked.

Running on TrueNAS-12.0-U5.1 

Link to comment
Share on other sites

KristianT

I have battled with this issues for a long time as well. I just now found this thread with what seems to be the exact same issue as I am experiencing. I am running:
TrueNAS-12.0-U5.1
Emby Server version 4.7.0.13
mono6.8-6.8.0.123

I am unable to download subtitles. Unable to load plugins catalog. Unable to refresh metadata.
When I tail the embyserver.txt log file, I notice the following error which i think is the cause of this issue?:
InnerException: Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED

I would also like to fix the issue in my current jail. I tried setting up a new one, but am having difficulties doing it. 
If there are any logfile outputs or commands you need me to run to get to the bottom of this issue. I will be happy to assist. 

Link to comment
Share on other sites

KristianT

I tried installing in a new jail again. But I am unable to get it working. Here are my findings:

When installing dependencies in the new jail, I notice the following:
[newemby] [109/117] Extracting mono6.8-6.8.0.123: 100%
ld-elf.so.1: /lib/libthr.so.3: version FBSD_1.6 required by /usr/local/bin/mono not found
pkg: POST-INSTALL script failed

Also I noticed this one. Not sure if it related at all...
If you are in a jailed environment, ensure System V IPC are enabled.
  You can rely on the security.jail.sysvipc_allowed  sysctl to check
  this status.  The following enables this feature on the host system:
    # echo "jail_sysvipc_allow=\"YES\"" >> /etc/rc.conf

And this:
 Mono does not use the system certificates files. If you update
  security/ca_root_nss separate from Mono, you must manually resync
  from the PEM file using the Mono cert-sync tool as root.
    # cert-sync /usr/local/share/certs/ca-root-nss.crt
  Otherwise, certificates may fail validation within Mono.

But running this command fails like this:
root@newemby:~ # cert-sync /usr/local/share/certs/ca-root-nss.crt
ld-elf.so.1: /lib/libthr.so.3: version FBSD_1.6 required by /usr/local/bin/mono not found

Running this same command in my current jail with emby server installed, gives a lot of output. Including erros such as this:
Warning: Could not import C=ES, O=FNMT-RCM, OU=AC RAIZ FNMT-RCM
System.IO.IOException: Read-only file system
  at System.IO.FileSystem.CreateDirectory (System.String fullPath) [0x00191] in <0e6cb1433c7b46f598f86593dd03f528>:0
  
 Installing emby also gives errors like this:
 root@newemby:~ # pkg add -f https://github.com/MediaBrowser/Emby.Releases/releases/download/4.7.0.13/emby-server-freebsd12_4.7.0.13_amd64.pkg
[newemby] Fetching emby-server-freebsd12_4.7.0.13_amd64.pkg: 100%   44 MiB  15.4MB/s    00:03
[newemby] Installing emby-server-4.7.0.13_1...
Newer FreeBSD version for package emby-server:
To ignore this error set IGNORE_OSVERSION=yes
- package: 1202000
- running kernel: 1200086
Ignore the mismatch and continue? [y/N]: y
===> Creating groups.
Creating group 'emby' with gid '989'.
===> Creating users
Creating user 'emby' with uid '989'.
[newemby] Extracting emby-server-4.7.0.13_1: 100%
ld-elf.so.1: /lib/libthr.so.3: version FBSD_1.6 required by /usr/local/bin/mono not found
pkg: POST-INSTALL script failed

When starting emby_server, it seems to fail:
root@newemby:~ # sysrc emby_server_enable="YES"
emby_server_enable:  -> YES
root@newemby:~ # service emby-server start
Starting emby_server.
root@newemby:~ # service emby-server status
emby_server is not running.

Link to comment
Share on other sites

KristianT

In my previous post I created the jail in TrueNAS and chose the to use Release 12.0 when creating the jail. I tried again, and this time I used 11.2 Release instead. It worked a lot better and I was able to install and start Emby. The features that did not work previously works like it should in this new jail. I copied the emby-server directory from my previous jail and all my content is present. However, I cannot play anything and emby tells me that "No compatible streams are currently available". 

log file is attached. 

This is probably an unrelated issue to the previous one. But if it can be fixed so i can play content in my new jail, that would be good. Any idea how to fix this one?

emby-server-log.txt

Link to comment
Share on other sites

KristianT

Woho.. I managed to get it working in my new jail. I had to install emby-server-freebsd11_4.7.0.13_amd64.pkg instead of emby-server-freebsd12_4.7.0.13_amd64.pkg. I finally have a fully functional emby installation again. 

Link to comment
Share on other sites

7 hours ago, KristianT said:

Woho.. I managed to get it working in my new jail. I had to install emby-server-freebsd11_4.7.0.13_amd64.pkg instead of emby-server-freebsd12_4.7.0.13_amd64.pkg. I finally have a fully functional emby installation again. 

Thanks for the feedback !

Link to comment
Share on other sites

david.torcivia

For those that don't want to install a new jail, there's a workaround that works currently.

Install your emby update like normal but also with the latest mono:

service emby-server stop
pkg update -f
pkg upgrade
# install latest mono for requirement
pkg install mono6.8
# install latest emby from https://github.com/MediaBrowser/Emby.Releases/releases
pkg add -f https://github.com/MediaBrowser/Emby.Releases/releases/download/4.7.0.13/emby-server-freebsd12_4.7.0.13_amd64.pkg

Substitute emby-server with whatever service name you have, alternatively `ps aux` will show you running processes so you can identify and kill emby with it's PID (command is `kill` then the PID number).

If you start emby here, it won't connect to anything. To fix it:

# lock emby so you don't get dependency errors
pkg lock emby-server
# install mono 5.2 over mono6.8
pkg install mono5.20-5.20.1.34
# unlock emby so you can update later
pkg unlock emby-server
service emby-server start

And it should work without a hitch. This likely won't work eventually as newer mono features are utilized, but it's been flawless for me on all the latest emby versions. You'll have to do this each time you update, but it's probably faster than reinstalling (in the short term anyway).

Edited by david.torcivia
formatting fix
  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...