Recently getting a bunch of "no stream available" on previews

[HawkXP71 99]

Looking into the logs, the transcoding is failing with the ffmpeg due to a TLS error.  Usually (ive seen this before outside of emby/ffmpeg) its due to  certificates not being correct.  But I have no idea how things are being done here.

 

Ive attached my log, but there isnt much data here.ffmpeg-transcode-d1f53285-f40b-4dbd-9986-90ca8dc79b22_1.txt

 

11:27:16.560 ffmpeg version 4.3.0-emby_2021_02_27 Copyright (c) 2000-2021 the FFmpeg developers and softworkz for Emby LLC
11:27:16.560   built with gcc 8.3.0 (crosstool-NG 1.24.0)
11:27:16.560 Execution Date: 2021-10-13 11:27:16
11:27:16.635 [tls @ 0x22cf680] A TLS fatal alert has been received.
11:27:16.635 https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/transcendenced.mp4: Input/output error

 

Edited October 13, 2021 by HawkXP71

[Carlo 4330]

Hi, If I put that url in a browser to download it I get the following error.

<Error>
<Code>AccessDenied</Code>
<BucketName>cdn-mlst</BucketName>
<RequestId>tx000000000000016b5c10e-0061674b44-67d82fc-nyc3a</RequestId>
<HostId>67d82fc-nyc3a-nyc</HostId>
</Error>

 

[HawkXP71 99]

1 minute ago, cayars said:

Hi, If I put that url in a browser to download it I get the following error.

<Error>
<Code>AccessDenied</Code>
<BucketName>cdn-mlst</BucketName>
<RequestId>tx000000000000016b5c10e-0061674b44-67d82fc-nyc3a</RequestId>
<HostId>67d82fc-nyc3a-nyc</HostId>
</Error>

 

so it likely means the server use to provide previews is returning bad URLs??

[Carlo 4330]

Which movie is that?
I'll see if I have it or will just see what the meta-data providers return for it.

[HawkXP71 99]

1 minute ago, cayars said:

Which movie is that?
I'll see if I have it or will just see what the meta-data providers return for it.

Its been happening quite a bit, but I think it was oceans 11 (2001 version)

[Carlo 4330]

7 hours ago, HawkXP71 said:

Its been happening quite a bit, but I think it was oceans 11 (2001 version)

With a file name of "transcendenced.mp4"?

[HawkXP71 99]

5 minutes ago, cayars said:

With a file name of "transcendenced.mp4"?

That was the trailer, not the movie i selected to watch.  Ill try to look at the full log and try to correlate to the actual movie. 

[Carlo 4330]

That or just let us know the next time you see this.  That way we can try and duplicate the issue to see if it's the meta-data provider with bad info or you just haven't refreshed your meta-data since it's original pull and the data has gotten stale.

[HawkXP71 99]

8 hours ago, cayars said:

That or just let us know the next time you see this.  That way we can try and duplicate the issue to see if it's the meta-data provider with bad info or you just haven't refreshed your meta-data since it's original pull and the data has gotten stale.

Just randomly tried a movie, Birds of Prey (the harley quin movie).  Happened again..

Calling wget on https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4 

returns the same TLS error...

Hopefully we can get to the bottom of it..  Thanks for all the help, I really appreciate it

 

ffmpeg-transcode-d1fe788e-c4b2-4074-853e-34ece76e570f_1.txt embyserver (12).txt

[Carlo 4330]

That link works for me right here in a browser and playing it back from my system running on Synology.

Let's try something.  Using SSH/Putty login to your Synology then run this:

curl "https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4" -o "test.mp4"

Down it download?  If so delete the test.mp4 file.

If you get an error what does it say?

PS go to network menu in Emby and turn off automatic port mapping.  It's spamming your log file and you don't need this on.

Edited October 14, 2021 by cayars

[HawkXP71 99]

10 minutes ago, cayars said:

That link works for me right here in a browser and playing it back from my system running on Synology.

Let's try something.  Using SSH/Putty login to your Synology then run this:

curl "https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4" -o "test.mp4"

Down it download?  If so delete the test.mp4 file.

If you get an error what does it say?

PS go to network menu in Emby and turn off automatic port mapping.  It's spamming your log file and you don't need this on.

 

[HawkXP71 99]

4 minutes ago, HawkXP71 said:

 

First, THANK YOU for the UPNP hint.. I had been looking for the option and just couldnt find it  but was too lazy to google for an answer

for curl/wget I did the following, all 4 failed...  I ran curl and wget from my desktop environment, as well as the synology box, all 4 failed with similar "ssl esq" connection errors

 

 

scott@Thor ~/sb/bps/trunk/UI/VVE
$ curl "https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4" -o foo.mp4
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.

scott@Thor ~/sb/bps/trunk/UI/VVE
$ wget "https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4"
--2021-10-14 12:13:45--  https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4
Resolving cdn-mlst.nyc3.digitaloceanspaces.com (cdn-mlst.nyc3.digitaloceanspaces.com)... 192.73.240.22, 192.73.240.25, 2607:f740:14::356, ...
Connecting to cdn-mlst.nyc3.digitaloceanspaces.com (cdn-mlst.nyc3.digitaloceanspaces.com)|192.73.240.22|:443... connected.
GnuTLS: Error in the pull function.
Unable to establish SSL connection.

scott@Thor ~/sb/bps/trunk/UI/VVE
$ ssh mediabox
scott@mediabox:~$  curl "https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4" -o foo.mp4
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) error:140943E8:lib(20):func(148):reason(1000)
scott@mediabox:~$ wget "https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4"
--2021-10-14 12:14:02--  https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4
Resolving cdn-mlst.nyc3.digitaloceanspaces.com... 192.73.240.25, 192.73.240.22, 2607:f740:14::e9, ...
Connecting to cdn-mlst.nyc3.digitaloceanspaces.com|192.73.240.25|:443... connected.
OpenSSL: error:140943E8:lib(20):func(148):reason(1000)
Unable to establish SSL connection.

 

Also, I tried opening up the mp4 file on my browser (desktop) and got 
 

This site can’t provide a secure connection

cdn-mlst.nyc3.digitaloceanspaces.com sent an invalid response.

 

• Try running Windows Network Diagnostics.

ERR_SSL_PROTOCOL_ERROR

Edited October 14, 2021 by HawkXP71

[HawkXP71 99]

22 minutes ago, cayars said:

That link works for me right here in a browser and playing it back from my system running on Synology.

Let's try something.  Using SSH/Putty login to your Synology then run this:

curl "https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4" -o "test.mp4"

Down it download?  If so delete the test.mp4 file.

If you get an error what does it say?

PS go to network menu in Emby and turn off automatic port mapping.  It's spamming your log file and you don't need this on.

Ok.. tried it on another machine outside my home network, and it works  So something is broken on myside. Sorry for wasting your time.  I havent changed anything so this should be fun

[Carlo 4330]

In DSM open control panel and try changing this: Security->Advanced tab->TLS / SSL Profile Level.

Set it to Intermediate Security

If that doesn't work try the option right under that for "old" compatibilty as a test.

[HawkXP71 99]

4 minutes ago, cayars said:

In DSM open control panel and try changing this: Security->Advanced tab->TLS / SSL Profile Level.

Set it to Intermediate Security

If that doesn't work try the option right under that for "old" compatibilty as a test.

it was already on intermediate, and old fails as well.. But It looks like its something with my comcast network connection.. 

[Carlo 4330]

It may be the network or the box.
Try from a home desktop or laptop outside of Synology.

CURL works at the command prompt in windows too.

[HawkXP71 99]

2 minutes ago, cayars said:

It may be the network or the box.
Try from a home desktop or laptop outside of Synology.

CURL works at the command prompt in windows too.

I have tried curl and wget from my desktop/laptop as well. same failure, even directly connected to the cable modem...

[Carlo 4330]

OK what happens when you put that URL in Chrome or Edge on your desktop/laptop?

[HawkXP71 99]

20 minutes ago, cayars said:

OK what happens when you put that URL in Chrome or Edge on your desktop/laptop?

As I said above, I got the same failure from chrome, edge, curl and wget.

I connected my laptop directly to the cable modem, with the same results.

Contacted my ISP (comcast business internet) and after doing a reset to factory defaults, I was able to download with all four (and both curl and wget on the synology box) however, then one setting or another cause problems so they are sending out a new cable modem, should be here in 2-3 hours.

Something is wrong wiht the router that just started acting up

[Carlo 4330]

Well that's good news. 

[HawkXP71 99]

Just for closure.  The security edge software supplied with a comcast business router, was the root cause.  I had always had it 100% turned off, and relied on my own internal firewall for protection.

Somehow, a version about a week ago, got enabled.  Then on top of that, for some reason, it is mucking with the SSL challenge/response system.  Dont know how, dont know why, dont really care   When Its enabled at all, the url fails.  When disabled it works perfect.

Hopefully if anyone else has the same issue, knowing this will help out a bit.

If there is a "fixed" tag, please feel free to mark it as such @cayars

 

[Luke 37099]

Thanks for the feedback.

[Carlo 4330]

It's great to hear you got this worked out and we all gained a bit of knowledge at your expense.

Do you know which software is used on this router for the security edge protection?

[HawkXP71 99]

Just now, cayars said:

It's great to hear you got this worked out and we all gained a bit of knowledge at your expense.

Do you know which software is used on this router for the security edge protection?

Unfortunately, no.  Its a "add on upsell" from comcast business internet.  However, like their voip phone , its sold as part of a bundle where its cheaper to sign up for it.  I had turned it off originally,  but sometime in the last 2 weeks or so, a firmware update to the mode re-enabled it.    With it turned on at all, it seems to be doing a "we are helping here" inspection of the certificate and/or the validation of the certificate .  Unfortunately, in the process of "helping me" it returns an invalid certificate.

When speaking with tech support, I got someone to say, that in the last 4-6 months, they had seen an uptick in "I cant see this site" and the solution is to turn off security edge.  

 

[Carlo 4330]

I had to think for a bit but I remember this now. Referred back to my notes on it I have an entry:
"Xfinity SecureEdge for Business transparently intercepts Port 53 DNS and breaks DNSSEC"

I believe I found this initially on Reddit but didn't save the link. Below is from a couple of posts organized as one entry in my electronic notes.

You can turn this off yourself in case you ever need to or can reconfigure it here:
https://business.comcast.com/help-and-support/internet/securityedge-portal-access

Background info on config and getting reports on security if you want it.
https://business.comcast.com/help-and-support/internet/securityedge-manage-settings/

The problem is a bit wacky but probably because queries to root name servers over https were returning IP addresses. But that's not possible.
But if you switch to using DNS over TLS and redirecting to 1.1.1.1 / 1.0.0.1 the issue would go away and you would get back expected results like:

[root@web ~]# dig google.com @198.41.0.4 +trace

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> google.com @198.41.0.4 +trace
;; global options: +cmd
.			600	IN	NS	i.root-servers.net.
.			600	IN	NS	j.root-servers.net.
.			600	IN	NS	k.root-servers.net.
.			600	IN	NS	l.root-servers.net.
.			600	IN	NS	m.root-servers.net.
.			600	IN	NS	b.root-servers.net.
.			600	IN	NS	c.root-servers.net.
.			600	IN	NS	d.root-servers.net.
.			600	IN	NS	e.root-servers.net.
.			600	IN	NS	f.root-servers.net.
.			600	IN	NS	g.root-servers.net.
.			600	IN	NS	h.root-servers.net.
.			600	IN	NS	a.root-servers.net.
.			600	IN	RRSIG	NS 8 0 518400 20200331050000 20200318040000 33853
etc

That right there shows something is goofy and mucking things up.
Basically, if your system requires and validates DNSSEC it completely breaks the network as you found out!

So just in case it gets turned back on you have a link that should allow you to turn it back off.  You could also setup DNS over TLS or similar to fix the issue as well so keep that in your back pocket.