HawkXP71, posted October 13, 2021:

Looking into the logs, the transcoding is failing with the ffmpeg due to a TLS error. Usually (I've seen this before outside of emby/ffmpeg) it's due to certificates not being correct. But I have no idea how things are being done here. I've attached my log, but there isn't much data here.

ffmpeg-transcode-d1f53285-f40b-4dbd-9986-90ca8dc79b22_1.txt

    11:27:16.560 ffmpeg version 4.3.0-emby_2021_02_27 Copyright (c) 2000-2021 the FFmpeg developers and softworkz for Emby LLC
    11:27:16.560 built with gcc 8.3.0 (crosstool-NG 1.24.0)
    11:27:16.560 Execution Date: 2021-10-13 11:27:16
    11:27:16.635 [tls @ 0x22cf680] A TLS fatal alert has been received.
    11:27:16.635 https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/transcendenced.mp4: Input/output error

Edited October 13, 2021 by HawkXP71

Carlo, posted October 13, 2021:

Hi, If I put that url in a browser to download it I get the following error.

    <Error>
      <Code>AccessDenied</Code>
      <BucketName>cdn-mlst</BucketName>
      <RequestId>tx000000000000016b5c10e-0061674b44-67d82fc-nyc3a</RequestId>
      <HostId>67d82fc-nyc3a-nyc</HostId>
    </Error>

HawkXP71, posted October 13, 2021:

1 minute ago, cayars said:
> Hi, If I put that url in a browser to download it I get the following error.
>
>     <Error>
>       <Code>AccessDenied</Code>
>       <BucketName>cdn-mlst</BucketName>
>       <RequestId>tx000000000000016b5c10e-0061674b44-67d82fc-nyc3a</RequestId>
>       <HostId>67d82fc-nyc3a-nyc</HostId>
>     </Error>

So it likely means the server used to provide previews is returning bad URLs??

Carlo, posted October 13, 2021:

Which movie is that? I'll see if I have it or will just see what the meta-data providers return for it.

HawkXP71, posted October 13, 2021:

1 minute ago, cayars said:
> Which movie is that? I'll see if I have it or will just see what the meta-data providers return for it.

It's been happening quite a bit, but I think it was Ocean's 11 (2001 version)

Carlo, posted October 14, 2021:

7 hours ago, HawkXP71 said:
> It's been happening quite a bit, but I think it was Ocean's 11 (2001 version)

With a file name of "transcendenced.mp4"?

HawkXP71, posted October 14, 2021:

5 minutes ago, cayars said:
> With a file name of "transcendenced.mp4"?

That was the trailer, not the movie I selected to watch. I'll try to look at the full log and try to correlate to the actual movie.

Carlo, posted October 14, 2021:

That or just let us know the next time you see this. That way we can try and duplicate the issue to see if it's the meta-data provider with bad info or you just haven't refreshed your meta-data since its original pull and the data has gotten stale.

HawkXP71, posted October 14, 2021:

8 hours ago, cayars said:
> That or just let us know the next time you see this. That way we can try and duplicate the issue to see if it's the meta-data provider with bad info or you just haven't refreshed your meta-data since its original pull and the data has gotten stale.

Just randomly tried a movie, Birds of Prey (the Harley Quinn movie). Happened again.

Calling wget on https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4 returns the same TLS error...

Hopefully we can get to the bottom of it. Thanks for all the help, I really appreciate it.

ffmpeg-transcode-d1fe788e-c4b2-4074-853e-34ece76e570f_1.txt
embyserver (12).txt

Carlo, posted October 14, 2021:

That link works for me right here in a browser and playing it back from my system running on Synology.

Let's try something. Using SSH/Putty login to your Synology then run this:

    curl "https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4" -o "test.mp4"

Does it download? If so delete the test.mp4 file. If you get an error what does it say?

PS go to network menu in Emby and turn off automatic port mapping. It's spamming your log file and you don't need this on.

Edited October 14, 2021 by cayars

HawkXP71, posted October 14, 2021:

10 minutes ago, cayars said:
> That link works for me right here in a browser and playing it back from my system running on Synology.
>
> Let's try something. Using SSH/Putty login to your Synology then run this:
>
>     curl "https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4" -o "test.mp4"
>
> Does it download? If so delete the test.mp4 file. If you get an error what does it say?
>
> PS go to network menu in Emby and turn off automatic port mapping. It's spamming your log file and you don't need this on.

HawkXP71, posted October 14, 2021:

4 minutes ago, HawkXP71 said:

First, THANK YOU for the UPNP hint. I had been looking for the option and just couldn't find it but was too lazy to google for an answer.

For curl/wget I did the following, all 4 failed... I ran curl and wget from my desktop environment, as well as the Synology box, all 4 failed with similar "SSL-esque" connection errors.

    scott@Thor ~/sb/bps/trunk/UI/VVE
    $ curl "https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4" -o foo.mp4
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.

    scott@Thor ~/sb/bps/trunk/UI/VVE
    $ wget "https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4"
    --2021-10-14 12:13:45--  https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4
    Resolving cdn-mlst.nyc3.digitaloceanspaces.com (cdn-mlst.nyc3.digitaloceanspaces.com)... 192.73.240.22, 192.73.240.25, 2607:f740:14::356, ...
    Connecting to cdn-mlst.nyc3.digitaloceanspaces.com (cdn-mlst.nyc3.digitaloceanspaces.com)|192.73.240.22|:443... connected.
    GnuTLS: Error in the pull function.
    Unable to establish SSL connection.

    scott@Thor ~/sb/bps/trunk/UI/VVE
    $ ssh mediabox
    scott@mediabox:~$ curl "https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4" -o foo.mp4
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    curl: (35) error:140943E8:lib(20):func(148):reason(1000)
    scott@mediabox:~$ wget "https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4"
    --2021-10-14 12:14:02--  https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4
    Resolving cdn-mlst.nyc3.digitaloceanspaces.com... 192.73.240.25, 192.73.240.22, 2607:f740:14::e9, ...
    Connecting to cdn-mlst.nyc3.digitaloceanspaces.com|192.73.240.25|:443... connected.
    OpenSSL: error:140943E8:lib(20):func(148):reason(1000)
    Unable to establish SSL connection.

Also, I tried opening up the mp4 file on my browser (desktop) and got

    This site can’t provide a secure connection
    cdn-mlst.nyc3.digitaloceanspaces.com sent an invalid response.
    Try running Windows Network Diagnostics.
    ERR_SSL_PROTOCOL_ERROR

Edited October 14, 2021 by HawkXP71
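
An added example, not part of any post in this thread: it unpacks the packed OpenSSL error code shown in the Synology output and sorts the thread's error lines by the layer at which the request failed. It assumes the OpenSSL 1.x error packing (8-bit library, 12-bit function, 12-bit reason); the function names and category labels are made up for illustration.

```python
import re

# TLS alert descriptions (RFC 8446, section 6); subset for triage.
TLS_ALERTS = {0: "close_notify", 10: "unexpected_message",
              40: "handshake_failure", 42: "bad_certificate",
              48: "unknown_ca", 70: "protocol_version",
              80: "internal_error", 112: "unrecognized_name"}
ERR_LIB_SSL = 20             # OpenSSL library number for libssl
SSL_AD_REASON_OFFSET = 1000  # OpenSSL 1.x: reason = 1000 + alert number

def decode_openssl_error(line):
    """Unpack an OpenSSL 1.x 'error:XXXXXXXX' code into lib/func/reason."""
    m = re.search(r"error:([0-9A-Fa-f]{8})", line)
    if not m:
        return None
    code = int(m.group(1), 16)
    out = {"lib": code >> 24, "func": (code >> 12) & 0xFFF,
           "reason": code & 0xFFF}
    if out["lib"] == ERR_LIB_SSL and out["reason"] >= SSL_AD_REASON_OFFSET:
        n = out["reason"] - SSL_AD_REASON_OFFSET
        out["alert"] = TLS_ALERTS.get(n, "alert_%d" % n)
    return out

def classify(line):
    """Report the layer at which a client error line shows the failure."""
    dec = decode_openssl_error(line)
    if dec and "alert" in dec:
        return "tls-alert:" + dec["alert"]
    markers = ("TLS fatal alert", "SEC_E_ILLEGAL_MESSAGE",
               "GnuTLS: Error", "ERR_SSL_PROTOCOL_ERROR")
    if any(s in line for s in markers):
        return "tls-handshake"
    if "<Code>AccessDenied</Code>" in line:
        # An HTTP response body means the TLS handshake itself completed.
        return "http-after-tls"
    return "unknown"

# Error lines copied from the posts above.
SAMPLES = [
    "[tls @ 0x22cf680] A TLS fatal alert has been received.",
    "curl: (35) error:140943E8:lib(20):func(148):reason(1000)",
    "GnuTLS: Error in the pull function.",
    "<Error> <Code>AccessDenied</Code> <BucketName>cdn-mlst</BucketName>",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s), "|", s)
```

For the Synology line, the fields come out as library 20, function 148 and reason 1000, which is the alert offset plus alert number 0.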

HawkXP71, posted October 14, 2021:

22 minutes ago, cayars said:
> That link works for me right here in a browser and playing it back from my system running on Synology.
>
> Let's try something. Using SSH/Putty login to your Synology then run this:
>
>     curl "https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4" -o "test.mp4"
>
> Does it download? If so delete the test.mp4 file. If you get an error what does it say?
>
> PS go to network menu in Emby and turn off automatic port mapping. It's spamming your log file and you don't need this on.

OK, tried it on another machine outside my home network, and it works.

So something is broken on my side. Sorry for wasting your time. I haven't changed anything so this should be fun.

Carlo, posted October 14, 2021:

In DSM open control panel and try changing this:

Security->Advanced tab->TLS / SSL Profile Level. Set it to Intermediate Security.

If that doesn't work try the option right under that for "old" compatibility as a test.

HawkXP71, posted October 14, 2021:

4 minutes ago, cayars said:
> In DSM open control panel and try changing this:
>
> Security->Advanced tab->TLS / SSL Profile Level. Set it to Intermediate Security.
>
> If that doesn't work try the option right under that for "old" compatibility as a test.

It was already on intermediate, and old fails as well. But it looks like it's something with my Comcast network connection.

Carlo, posted October 14, 2021:

It may be the network or the box. Try from a home desktop or laptop outside of Synology. CURL works at the command prompt in Windows too.

HawkXP71, posted October 14, 2021:

2 minutes ago, cayars said:
> It may be the network or the box. Try from a home desktop or laptop outside of Synology. CURL works at the command prompt in Windows too.

I have tried curl and wget from my desktop/laptop as well. Same failure, even directly connected to the cable modem...

Carlo, posted October 14, 2021:

OK what happens when you put that URL in Chrome or Edge on your desktop/laptop?

HawkXP71, posted October 14, 2021:

20 minutes ago, cayars said:
> OK what happens when you put that URL in Chrome or Edge on your desktop/laptop?

As I said above, I got the same failure from Chrome, Edge, curl and wget. I connected my laptop directly to the cable modem, with the same results.

Contacted my ISP (Comcast business internet) and after doing a reset to factory defaults, I was able to download with all four (and both curl and wget on the Synology box). However, then one setting or another caused problems, so they are sending out a new cable modem; should be here in 2-3 hours.

Something is wrong with the router that just started acting up.

Carlo, posted October 14, 2021:

Well that's good news.

HawkXP71, posted October 15, 2021:

Just for closure.

The security edge software supplied with a Comcast business router was the root cause. I had always had it 100% turned off, and relied on my own internal firewall for protection. Somehow, a version about a week ago got enabled. Then on top of that, for some reason, it is mucking with the SSL challenge/response system. Don't know how, don't know why, don't really care.

When it's enabled at all, the url fails. When disabled it works perfect.

Hopefully if anyone else has the same issue, knowing this will help out a bit.

If there is a "fixed" tag, please feel free to mark it as such @cayars

Luke, posted October 15, 2021:

Thanks for the feedback.

Carlo, posted October 15, 2021:

It's great to hear you got this worked out and we all gained a bit of knowledge at your expense.

Do you know which software is used on this router for the security edge protection?

HawkXP71, posted October 15, 2021:

Just now, cayars said:
> It's great to hear you got this worked out and we all gained a bit of knowledge at your expense.
>
> Do you know which software is used on this router for the security edge protection?

Unfortunately, no. It's an "add on upsell" from Comcast business internet. However, like their VoIP phone, it's sold as part of a bundle where it's cheaper to sign up for it. I had turned it off originally, but sometime in the last 2 weeks or so, a firmware update to the modem re-enabled it. With it turned on at all, it seems to be doing a "we are helping here" inspection of the certificate and/or the validation of the certificate. Unfortunately, in the process of "helping me" it returns an invalid certificate.

When speaking with tech support, I got someone to say that in the last 4-6 months, they had seen an uptick in "I can't see this site" and the solution is to turn off security edge.

Carlo, posted October 15, 2021:

I had to think for a bit but I remember this now. Referred back to my notes on it; I have an entry:

"Xfinity SecureEdge for Business transparently intercepts Port 53 DNS and breaks DNSSEC"

I believe I found this initially on Reddit but didn't save the link. Below is from a couple of posts organized as one entry in my electronic notes.

You can turn this off yourself in case you ever need to or can reconfigure it here:
https://business.comcast.com/help-and-support/internet/securityedge-portal-access

Background info on config and getting reports on security if you want it:
https://business.comcast.com/help-and-support/internet/securityedge-manage-settings/

The problem is a bit wacky but probably because queries to root name servers over https were returning IP addresses. But that's not possible. But if you switch to using DNS over TLS and redirecting to 1.1.1.1 / 1.0.0.1 the issue would go away and you would get back expected results like:

    [root@web ~]# dig google.com @198.41.0.4 +trace
    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> google.com @198.41.0.4 +trace
    ;; global options: +cmd
    . 600 IN NS i.root-servers.net.
    . 600 IN NS j.root-servers.net.
    . 600 IN NS k.root-servers.net.
    . 600 IN NS l.root-servers.net.
    . 600 IN NS m.root-servers.net.
    . 600 IN NS b.root-servers.net.
    . 600 IN NS c.root-servers.net.
    . 600 IN NS d.root-servers.net.
    . 600 IN NS e.root-servers.net.
    . 600 IN NS f.root-servers.net.
    . 600 IN NS g.root-servers.net.
    . 600 IN NS h.root-servers.net.
    . 600 IN NS a.root-servers.net.
    . 600 IN RRSIG NS 8 0 518400 20200331050000 20200318040000 33853
    etc

That right there shows something is goofy and mucking things up.

Basically, if your system requires and validates DNSSEC it completely breaks the network as you found out!

So just in case it gets turned back on you have a link that should allow you to turn it back off.

You could also set up DNS over TLS or similar to fix the issue as well so keep that in your back pocket.