M3U Provider Switched to a Self Signed Certificate


renniethebear

My IPTV provider recently switched to using a self-signed 10-year certificate. This has caused emby to throw an error about an untrusted cert and will no longer play any streams. How can I allow emby to trust the certificate? Does the self signed cert need to be trusted at a system level or perhaps installing the cert to "/var/lib/emby/.dotnet/corefx/cryptography/x509stores/"? The IPTV server in question is @ https://50.7.100.82/

I have attached the thrown error when attempting to connect to the stream.

 

embyserver.txt


What happens if you change the URL from https to http?

If that works you will avoid having to mess with certs.

It sounds like this provider doesn't know what he's doing using self signed certs for public use. :)


renniethebear

The M3U provider serves up the streams over https only so no http access. I don't seem to be having any luck getting the certificate installed. I'm not sure what format is required for the "/var/lib/emby/.dotnet/corefx/cryptography/x509stores/" directory. I've tried adding just the .pem cert as well as the converted crt using:

openssl x509 -outform der -in cert.pem -out cert.crt

Would it be possible to add a feature/option to ignore certificate warnings (dumb from a security standpoint, I know) in the "TV Source Setup" moving forward?


rossome

GOT IT WORKING! I had to convert the server certificate to pfx/pkcs12 using the following:

openssl pkcs12 -password pass: -export -nokeys -in cert.pem -out cert.pfx

Make sure to have the cert chown'd by the running emby user (emby in my case) and a chmod of 600 (-rw-------) then I placed the certificate in:

/var/lib/emby/.dotnet/corefx/cryptography/x509stores/ca/

Lastly, give emby a restart and now the channels are playing again.


That's convoluted to say the least.  I can't imagine many end-users would have a clue how to get that to work. :)


Looks like the solution is posted above already.

However, my recommendation would be to switch providers as using a private cert like this is "dumb" when you can get legit free certs to use that won't make the end user jump through hoops in setup.


rossome
On 10/3/2021 at 3:36 PM, cayars said:

That's convoluted to say the least.  I can't imagine many end-users would have a clue how to get that to work. :)

This is only required on the server. Not on the client's end.


rossome
On 10/3/2021 at 4:28 PM, Jer1059 said:

Hi, is there any way someone can walk me through that? I have the same problem.

Step 1. Locate Your M3U Stream URL

Download and open the .m3u file from your provider and locate any URL for a stream. Copy/Paste the URL in your browser. This should take you to a page that states "Secure Connection Not Available"

example: https://i.imgur.com/g69cm6R.png

Step 2. Download the Certificate

Using one of the guides below, download a copy of the server's certificate:

Downloading an SSL Certificate in Mozilla Firefox | How do I download SSL certificate in Chrome?

Step 3. Download OpenSSL

Installing OpenSSL on Windows 10 and updating PATH | apt-get install openssl | pacman -S openssl | dnf install openssl

Step 4. Convert the Certificate

Using the command line/terminal with the following options, convert your certificate (modifying the "-in" cert.pem to the certificate name; "-out" can be "what_ever_you_want.pfx"):

openssl pkcs12 -password pass: -export -nokeys -in cert.pem -out cert.pfx

Step 6. Change the Ownership and Permissions on Linux

Make sure the file is owned by the running emby user. "emby" in my case, yours may differ.

chown emby:emby cert.pfx && chmod 600 cert.pfx

Step 5. Move the Certificate to Your emby Directory

Your emby directory will vary depending on the operating system. Just move the converted .pfx certificate into the following directory:

Windows: I'm not sure, sorry
Linux(varies, but typically): /var/lib/emby/.dotnet/corefx/cryptography/x509stores/ca/

Step 6. Restart emby

sudo systemctl restart emby-server

Step 7. Profit

emby should now load live tv channels from your provider without issue.

Link to comment
Share on other sites
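
The conversion from Steps 4 onward in the post above, with one check the steps leave out: the downloaded certificate is compared against a SHA-256 fingerprint before it is converted and trusted. This is an added example, not part of the original thread; it assumes the provider has given you the fingerprint over a separate channel, and the function names, file names and throwaway certificate are made up for the demo.

```shell
#!/bin/sh
# Added example. File names and the throwaway certificate are constructed.

# SHA-256 fingerprint of a PEM certificate as bare uppercase hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g'
}

# usage: pin_and_convert cert.pem EXPECTED_SHA256 out.pfx
# Builds the certificate-only PFX with the thread's command, but only when the
# downloaded certificate matches the fingerprint the provider gave out of band.
pin_and_convert() {
    pem=$1; out=$3
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    actual=$(cert_fingerprint "$pem")
    [ -n "$actual" ] || { echo "cannot read $pem" >&2; return 2; }
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch, got $actual" >&2
        return 1
    fi
    # umask 077 creates the file as 0600 instead of fixing it afterwards.
    ( umask 077
      openssl pkcs12 -password pass: -export -nokeys -in "$pem" -out "$out" ) || return 2
}

# Number of private keys inside a PFX; a trust-store entry must contain none.
pfx_key_count() {
    openssl pkcs12 -in "$1" -password pass: -nodes 2>/dev/null |
        grep -c 'BEGIN.*PRIVATE KEY'
}

# Demo on a throwaway self-signed certificate standing in for the provider's.
demo() {
    d=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj '/CN=iptv.example' \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || return 2
    fp=$(cert_fingerprint "$d/cert.pem")
    pin_and_convert "$d/cert.pem" "$fp" "$d/cert.pfx" &&
        echo "converted, private keys in pfx: $(pfx_key_count "$d/cert.pfx")"
    pin_and_convert "$d/cert.pem" "00$fp" "$d/bad.pfx" 2>/dev/null ||
        echo "wrong fingerprint rejected, nothing written"
    rm -rf "$d"
}
demo
```

The chown to the emby user and the move into the x509stores/ca/ directory then follow as in the post.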
