renniethebear 0 Posted October 2, 2021 Posted October 2, 2021 (edited) My IPTV provider recently switched to using self-signed 10-year certificate. This has caused emby to throw an error about an untrusted cert and will no longer play any streams. How can I allow emby trust the certificate? Does the self signed cert need to be trusted at a system level or perhaps installing the cert to "/var/lib/emby/.dotnet/corefx/cryptography/x509stores/"? The IPTV server in question is @ https://50.7.100.82/ I have attached the thrown error when attempting to connect to the stream. embyserver.txt Edited October 2, 2021 by renniethebear
Luke 38508 Posted October 2, 2021 Posted October 2, 2021 Hi, yea you may want to try those two things and see if that helps. Thanks.
Carlo 4453 Posted October 2, 2021 Posted October 2, 2021 What happens if you change the URL from https to http? If that works you will avoid having to mess with certs. It sounds like this provider doesn't know what he's doing using self signed certs for public use. 1
renniethebear 0 Posted October 3, 2021 Author Posted October 3, 2021 The M3U provider serves up the streams over https only so no http access. I don't seem to be having any luck getting the certificate installed. I'm not sure what format is required for the "/var/lib/emby/.dotnet/corefx/cryptography/x509stores/" directory. I've tried adding just the .pem cert as well as the converted crt using: openssl x509 -outform der -in cert.pem -out cert.crt Would it be possible to add a feature/option to ignore certificate warnings (dumb from a security standpoint, I know) in the "TV Source Setup" moving forward?
rossome 3 Posted October 3, 2021 Posted October 3, 2021 GOT IT WORKING! I had to convert the server certificate to pfx/pkcs12 using the following: openssl pkcs12 -password pass: -export -nokeys -in cert.pem -out cert.pfx Make sure to have the cert chown'd by the running emby user (emby in my case) and a chmod of 600 (-rw-------) then I placed the certificate in: /var/lib/emby/.dotnet/corefx/cryptography/x509stores/ca/ Lastly, give emby a restart and now the channels are playing again.
Carlo 4453 Posted October 3, 2021 Posted October 3, 2021 That's convoluted to say the least. I can't imagine many end-users would have a clue how to get that to work.
Jer1059 0 Posted October 3, 2021 Posted October 3, 2021 Hi is there any way someone can walk me threw that i have same problem
Carlo 4453 Posted October 4, 2021 Posted October 4, 2021 Looks like the solution is posted above already. However, my recommendation would be to switch providers as using a private cert like this is "dumb" when you can get legit free certs to use that won't make the end user jump through hoops in setup.
rossome 3 Posted October 5, 2021 Posted October 5, 2021 On 10/3/2021 at 3:36 PM, cayars said: That's convoluted to say the least. I can't imagine many end-users would have a clue how to get that to work. This is only required on the server. Not on the clients end.
rossome 3 Posted October 5, 2021 Posted October 5, 2021 On 10/3/2021 at 4:28 PM, Jer1059 said: Hi is there any way someone can walk me threw that i have same problem Step 1. Locate Your M3U Stream URL Download and open the .m3u file from your provider and locate any URL for a stream. Copy/Paste the URL in your browser. This should take you to a page that states "Secure Connection Not Available" example: https://i.imgur.com/g69cm6R.png Step 2. Download the Certificate Using one of the guides below, download a copy of the server's certificate: Downloading an SSL Certificate in Mozilla Firefox | How do I download SSL certificate in Chrome? Step 3. Download OpenSSL Installing OpenSSL on Windows 10 and updating PATH | apt-get install openssl | pacman -S openssl | dnf install openssl Step 4. Convert the Certificate Using the command line/terminal; with the following options, convert your certificate(modifying the "-in" cert.pem to the certificate name. "-out" can be "what_ever_you_want.pfx"): openssl pkcs12 -password pass: -export -nokeys -in cert.pem -out cert.pfx Step 6. Change the Ownership and Permissions on Linux Make sure the file is owned by the running emby user. "emby" in my case, yours may differ. chown emby:emby cert.pfx && chmod 600 cert.pfx Step 5. Move the Certificate to Your emby Directory Your emby directory will vary depending on the operating system. Just move the converted .pfx certificate into the following directory: Windows: i'm not sure, sorry Linux(varies, but typically): /var/lib/emby/.dotnet/corefx/cryptography/x509stores/ca/ Step 6. Restart emby sudo systemctl restart emby-server Step 7. Profit emby should now load live tv channels from your provider without issue.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now