Jump to content

Recently getting a bunch of "no stream available" on previews


HawkXP71
 Share

Recommended Posts

HawkXP71

Looking into the logs, the transcoding is failing with the ffmpeg due to a TLS error.  Usually (ive seen this before outside of emby/ffmpeg) its due to  certificates not being correct.  But I have no idea how things are being done here.

 

Ive attached my log, but there isnt much data here.ffmpeg-transcode-d1f53285-f40b-4dbd-9986-90ca8dc79b22_1.txt

 

11:27:16.560 ffmpeg version 4.3.0-emby_2021_02_27 Copyright (c) 2000-2021 the FFmpeg developers and softworkz for Emby LLC
11:27:16.560   built with gcc 8.3.0 (crosstool-NG 1.24.0)
11:27:16.560 Execution Date: 2021-10-13 11:27:16
11:27:16.635 [tls @ 0x22cf680] A TLS fatal alert has been received.
11:27:16.635 https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/transcendenced.mp4: Input/output error

 

Edited by HawkXP71
Link to comment
Share on other sites

Hi, If I put that url in a browser to download it I get the following error.

<Error>
<Code>AccessDenied</Code>
<BucketName>cdn-mlst</BucketName>
<RequestId>tx000000000000016b5c10e-0061674b44-67d82fc-nyc3a</RequestId>
<HostId>67d82fc-nyc3a-nyc</HostId>
</Error>

 

Link to comment
Share on other sites

HawkXP71
1 minute ago, cayars said:

Hi, If I put that url in a browser to download it I get the following error.


<Error>
<Code>AccessDenied</Code>
<BucketName>cdn-mlst</BucketName>
<RequestId>tx000000000000016b5c10e-0061674b44-67d82fc-nyc3a</RequestId>
<HostId>67d82fc-nyc3a-nyc</HostId>
</Error>

 

so it likely means the server use to provide previews is returning bad URLs??

Link to comment
Share on other sites

Which movie is that?
I'll see if I have it or will just see what the meta-data providers return for it.

Link to comment
Share on other sites

HawkXP71
1 minute ago, cayars said:

Which movie is that?
I'll see if I have it or will just see what the meta-data providers return for it.

Its been happening quite a bit, but I think it was oceans 11 (2001 version)

Link to comment
Share on other sites

7 hours ago, HawkXP71 said:

Its been happening quite a bit, but I think it was oceans 11 (2001 version)

With a file name of "transcendenced.mp4"?

Link to comment
Share on other sites

HawkXP71
5 minutes ago, cayars said:

With a file name of "transcendenced.mp4"?

That was the trailer, not the movie i selected to watch.  Ill try to look at the full log and try to correlate to the actual movie. 

Link to comment
Share on other sites

That or just let us know the next time you see this.  That way we can try and duplicate the issue to see if it's the meta-data provider with bad info or you just haven't refreshed your meta-data since it's original pull and the data has gotten stale.

Link to comment
Share on other sites

HawkXP71
8 hours ago, cayars said:

That or just let us know the next time you see this.  That way we can try and duplicate the issue to see if it's the meta-data provider with bad info or you just haven't refreshed your meta-data since it's original pull and the data has gotten stale.

Just randomly tried a movie, Birds of Prey (the harley quin movie).  Happened again..

Calling wget on https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4 

returns the same TLS error...

Hopefully we can get to the bottom of it..  Thanks for all the help, I really appreciate it

 

ffmpeg-transcode-d1fe788e-c4b2-4074-853e-34ece76e570f_1.txt embyserver (12).txt

Link to comment
Share on other sites

That link works for me right here in a browser and playing it back from my system running on Synology.

Let's try something.  Using SSH/Putty login to your Synology then run this:

curl "https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4" -o "test.mp4"

Down it download?  If so delete the test.mp4 file.

If you get an error what does it say?

PS go to network menu in Emby and turn off automatic port mapping.  It's spamming your log file and you don't need this on.

Edited by cayars
Link to comment
Share on other sites

HawkXP71
10 minutes ago, cayars said:

That link works for me right here in a browser and playing it back from my system running on Synology.

Let's try something.  Using SSH/Putty login to your Synology then run this:


curl "https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4" -o "test.mp4"

Down it download?  If so delete the test.mp4 file.

If you get an error what does it say?

PS go to network menu in Emby and turn off automatic port mapping.  It's spamming your log file and you don't need this on.

 

Link to comment
Share on other sites

HawkXP71
4 minutes ago, HawkXP71 said:

 

First, THANK YOU for the UPNP hint.. I had been looking for the option and just couldnt find it :) but was too lazy to google for an answer :)

for curl/wget I did the following, all 4 failed...  I ran curl and wget from my desktop environment, as well as the synology box, all 4 failed with similar "ssl esq" connection errors


 

 
scott@Thor ~/sb/bps/trunk/UI/VVE
$ curl "https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4" -o foo.mp4
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.

scott@Thor ~/sb/bps/trunk/UI/VVE
$ wget "https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4"
--2021-10-14 12:13:45--  https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4
Resolving cdn-mlst.nyc3.digitaloceanspaces.com (cdn-mlst.nyc3.digitaloceanspaces.com)... 192.73.240.22, 192.73.240.25, 2607:f740:14::356, ...
Connecting to cdn-mlst.nyc3.digitaloceanspaces.com (cdn-mlst.nyc3.digitaloceanspaces.com)|192.73.240.22|:443... connected.
GnuTLS: Error in the pull function.
Unable to establish SSL connection.

scott@Thor ~/sb/bps/trunk/UI/VVE
$ ssh mediabox
scott@mediabox:~$  curl "https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4" -o foo.mp4
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) error:140943E8:lib(20):func(148):reason(1000)
scott@mediabox:~$ wget "https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4"
--2021-10-14 12:14:02--  https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4
Resolving cdn-mlst.nyc3.digitaloceanspaces.com... 192.73.240.25, 192.73.240.22, 2607:f740:14::e9, ...
Connecting to cdn-mlst.nyc3.digitaloceanspaces.com|192.73.240.25|:443... connected.
OpenSSL: error:140943E8:lib(20):func(148):reason(1000)
Unable to establish SSL connection.


 

Also, I tried opening up the mp4 file on my browser (desktop) and got 
 

This site can’t provide a secure connection

cdn-mlst.nyc3.digitaloceanspaces.com sent an invalid response.

ERR_SSL_PROTOCOL_ERROR
Edited by HawkXP71
Link to comment
Share on other sites

HawkXP71
22 minutes ago, cayars said:

That link works for me right here in a browser and playing it back from my system running on Synology.

Let's try something.  Using SSH/Putty login to your Synology then run this:


curl "https://cdn-mlst.nyc3.digitaloceanspaces.com/flvideo/justiceleagueb.mp4" -o "test.mp4"

Down it download?  If so delete the test.mp4 file.

If you get an error what does it say?

PS go to network menu in Emby and turn off automatic port mapping.  It's spamming your log file and you don't need this on.

Ok.. tried it on another machine outside my home network, and it works :( So something is broken on myside. Sorry for wasting your time.  I havent changed anything so this should be fun

Link to comment
Share on other sites

In DSM open control panel and try changing this: Security->Advanced tab->TLS / SSL Profile Level.

Set it to Intermediate Security

If that doesn't work try the option right under that for "old" compatibilty as a test.

Link to comment
Share on other sites

HawkXP71
4 minutes ago, cayars said:

In DSM open control panel and try changing this: Security->Advanced tab->TLS / SSL Profile Level.

Set it to Intermediate Security

If that doesn't work try the option right under that for "old" compatibilty as a test.

it was already on intermediate, and old fails as well.. But It looks like its something with my comcast network connection.. 

Link to comment
Share on other sites

It may be the network or the box.
Try from a home desktop or laptop outside of Synology.

CURL works at the command prompt in windows too. :)

Link to comment
Share on other sites

HawkXP71
2 minutes ago, cayars said:

It may be the network or the box.
Try from a home desktop or laptop outside of Synology.

CURL works at the command prompt in windows too. :)

I have tried curl and wget from my desktop/laptop as well. same failure, even directly connected to the cable modem...

Link to comment
Share on other sites

OK what happens when you put that URL in Chrome or Edge on your desktop/laptop?

Link to comment
Share on other sites

HawkXP71
20 minutes ago, cayars said:

OK what happens when you put that URL in Chrome or Edge on your desktop/laptop?

As I said above, I got the same failure from chrome, edge, curl and wget.

I connected my laptop directly to the cable modem, with the same results.

Contacted my ISP (comcast business internet) and after doing a reset to factory defaults, I was able to download with all four (and both curl and wget on the synology box) however, then one setting or another cause problems so they are sending out a new cable modem, should be here in 2-3 hours.

Something is wrong wiht the router that just started acting up

Link to comment
Share on other sites

HawkXP71

Just for closure.  The security edge software supplied with a comcast business router, was the root cause.  I had always had it 100% turned off, and relied on my own internal firewall for protection.

Somehow, a version about a week ago, got enabled.  Then on top of that, for some reason, it is mucking with the SSL challenge/response system.  Dont know how, dont know why, dont really care :)  When Its enabled at all, the url fails.  When disabled it works perfect.

Hopefully if anyone else has the same issue, knowing this will help out a bit.

If there is a "fixed" tag, please feel free to mark it as such @cayars


 

  • Thanks 1
Link to comment
Share on other sites

It's great to hear you got this worked out and we all gained a bit of knowledge at your expense. :)

Do you know which software is used on this router for the security edge protection?

Link to comment
Share on other sites

HawkXP71
Just now, cayars said:

It's great to hear you got this worked out and we all gained a bit of knowledge at your expense. :)

Do you know which software is used on this router for the security edge protection?

Unfortunately, no.  Its a "add on upsell" from comcast business internet.  However, like their voip phone , its sold as part of a bundle where its cheaper to sign up for it.  I had turned it off originally,  but sometime in the last 2 weeks or so, a firmware update to the mode re-enabled it.    With it turned on at all, it seems to be doing a "we are helping here" inspection of the certificate and/or the validation of the certificate .  Unfortunately, in the process of "helping me" it returns an invalid certificate.

When speaking with tech support, I got someone to say, that in the last 4-6 months, they had seen an uptick in "I cant see this site" and the solution is to turn off security edge.  

 

Link to comment
Share on other sites

I had to think for a bit but I remember this now. Referred back to my notes on it I have an entry:
"Xfinity SecureEdge for Business transparently intercepts Port 53 DNS and breaks DNSSEC"

I believe I found this initially on Reddit but didn't save the link. Below is from a couple of posts organized as one entry in my electronic notes.

You can turn this off yourself in case you ever need to or can reconfigure it here:
https://business.comcast.com/help-and-support/internet/securityedge-portal-access

Background info on config and getting reports on security if you want it.
https://business.comcast.com/help-and-support/internet/securityedge-manage-settings/

The problem is a bit wacky but probably because queries to root name servers over https were returning IP addresses. But that's not possible.
But if you switch to using DNS over TLS and redirecting to 1.1.1.1 / 1.0.0.1 the issue would go away and you would get back expected results like:

[root@web ~]# dig google.com @198.41.0.4 +trace

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> google.com @198.41.0.4 +trace
;; global options: +cmd
.			600	IN	NS	i.root-servers.net.
.			600	IN	NS	j.root-servers.net.
.			600	IN	NS	k.root-servers.net.
.			600	IN	NS	l.root-servers.net.
.			600	IN	NS	m.root-servers.net.
.			600	IN	NS	b.root-servers.net.
.			600	IN	NS	c.root-servers.net.
.			600	IN	NS	d.root-servers.net.
.			600	IN	NS	e.root-servers.net.
.			600	IN	NS	f.root-servers.net.
.			600	IN	NS	g.root-servers.net.
.			600	IN	NS	h.root-servers.net.
.			600	IN	NS	a.root-servers.net.
.			600	IN	RRSIG	NS 8 0 518400 20200331050000 20200318040000 33853
etc

That right there shows something is goofy and mucking things up.
Basically, if your system requires and validates DNSSEC it completely breaks the network as you found out!

So just in case it gets turned back on you have a link that should allow you to turn it back off.  You could also setup DNS over TLS or similar to fix the issue as well so keep that in your back pocket.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...