
Self signed SSL certificate won't load on android EMBY server any more


requa3r0

Hi

I have tried to set up SSL for some time now on 2 different android boxes. Both the new Beelink GT King.

The certificate is generated in the new version of termux from f-droid with these guides (tried both)

It normally works right out of the box, but not any more.

1: https://www.adamintech.com/how-to-configure-emby-for-https/

2: https://www.ibm.com/docs/en/api-connect/2018.x?topic=overview-generating-self-signed-certificate-using-openssl&fbclid=IwAR1r_i7UZhf30AcCpSd6SvydCuHgad74BG4NiVz7RILDKlFBa60DGMSUDf4

Did something change?

Error:

2022-05-16 20:34:56.657 Error App: Error loading cert from /storage/emulated/0/Download/certs/emby.p12 * Error Report *

I have tried everything, but the certificate will not load and the port does not change to 8920 on WAN.

NB: I have to place the certificate in a location both termux and emby can see.

If I run the termux command

termux-setup-storage 

I get access to storage and downloads.

But...for some reason it's called /Download/certs in Emby

I don't get a fail to locate the file though..so I guess it's just the emulated android sdcard nonsense, and not an issue.

location in EMBY

/storage/emulated/0/Download/certs/emby.p12

cert check in termux

~/.../downloads/certs $ openssl pkcs12 -in emby.p12 -noout -info
Enter Import Password:
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256


21 minutes ago, GrimReaper said:

AFAIK this still stands:

 

That's not true from the server's standpoint. The server can load a self-signed cert, it's just that later the client devices might end up rejecting it. It's up to the server admin to choose an appropriate source of a certificate based on the apps and devices they intend to use.


requa3r0

It must be an android thing, because I have used self signed certs for years.

And it worked on my last android box I set up??

That is really bad news ;O(

@Luke The emby server does not load the cert.

Can it be a bug then? I'm sure the cert is fine.

It used to work.


5 minutes ago, requa3r0 said:

It must be an android thing, because I have used self signed certs for years.

And it worked on my last android box I set up??

That is really bad news ;O(

@Luke The emby server does not load the cert.

Can it be a bug then? I'm sure the cert is fine.

It used to work.

Try converting to pfx, and/or try putting it underneath the server's program data folder to rule out a file access problem. It's possible the server doesn't have permission to read the directory you've put it in.


requa3r0

It's a bit hard to figure the file system out on android..but I'll give it a try

Perhaps here

/storage/emulated/0/Android/data/com.emby.embyserver/files/ new folder called certs


requa3r0

No difference

2022-05-16 22:20:53.312 Error App: Error loading cert from /storage/emulated/0/Android/data/com.emby.embyserver/files/cert/certificate.p12
*** Error Report ***

 


OK, I think tomorrow we'll be releasing the 4.7 release, so you could try that once available in case it might make a difference.


requa3r0

Thanks for the info @Luke

Just FYI the current beta 4.7.0.4.0  gives the same error.

Can anyone else confirm this issue, or am I making some kind of mistake when generating the self-signed cert?

It's worked fine before, and I did not even have any issues with other devices, other than they give the normal security risk to accept the first time. Even on i-devices.

Here is the full error.

It seems that EMBY is:

Unable to decode certificate. ---> System.Security.Cryptography.CryptographicException: `MonoBtlsPkcs12.Import` failed.

2022-05-17 18:38:29.454 Error App: Error loading cert from /storage/emulated/0/Download/certs/certificate.p12
	*** Error Report ***
	Version: 4.7.0.40
	Command line: /data/app/com.emby.embyserver-IBkxfj5nmUkA6JTJTBLiZA==/base.apk
	Operating system: Android 9 (REL) SDK:P BuildId:PPR1.180610.011  Incremental:20201223 Patch-Level: 2018-08-05
	Framework: Mono 6.12.0 (2020-02/c633fe92383) 4.0.50524.0
	OS/Process: Arm/Arm
	Runtime: mscorlib.dll
	Processor count: 6
	Data path: /storage/emulated/0/Android/data/com.emby.embyserver/files
	Application path: /data/user/0/com.emby.embyserver
	Fingerprint: Amlogic/galilei/galilei:9/PPR1.180610.011/20201223:userdebug/test-keys
	Model: GTKing - AZW/Amlogic
	Hardware: galilei/galilei/amlogic/galilei
	SupportedAbis: armeabi-v7a, armeabi
	System.Security.Cryptography.CryptographicException: System.Security.Cryptography.CryptographicException: Unable to decode certificate. ---> System.Security.Cryptography.CryptographicException: `MonoBtlsPkcs12.Import` failed.
	  at Mono.Btls.MonoBtlsObject.CheckError (System.Boolean ok, System.String callerName) [0x0003b] in <e3b6ad7501434659b50b5395301b3720>:0 
	  at Mono.Btls.MonoBtlsObject.CheckError (System.Int32 ret, System.String callerName) [0x00000] in <e3b6ad7501434659b50b5395301b3720>:0 
	  at Mono.Btls.MonoBtlsPkcs12.Import (System.Byte[] buffer, Microsoft.Win32.SafeHandles.SafePasswordHandle password) [0x0002e] in <e3b6ad7501434659b50b5395301b3720>:0 
	  at Mono.Btls.X509CertificateImplBtls.ImportPkcs12 (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password) [0x0003e] in <e3b6ad7501434659b50b5395301b3720>:0 
	  at Mono.Btls.X509CertificateImplBtls..ctor (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) [0x00047] in <e3b6ad7501434659b50b5395301b3720>:0 
	   --- End of inner exception stack trace ---
	  at Mono.Btls.X509CertificateImplBtls..ctor (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) [0x00076] in <e3b6ad7501434659b50b5395301b3720>:0 
	  at Mono.Btls.MonoBtlsProvider.GetNativeCertificate (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags flags) [0x00000] in <e3b6ad7501434659b50b5395301b3720>:0 
	  at Mono.Btls.X509PalImplBtls.Import (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) [0x00006] in <e3b6ad7501434659b50b5395301b3720>:0 
	  at Mono.SystemCertificateProvider.Import (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags, Mono.CertificateImportFlags importFlags) [0x00017] in <e3b6ad7501434659b50b5395301b3720>:0 
	  at Mono.SystemCertificateProvider.Mono.ISystemCertificateProvider.Import (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags, Mono.CertificateImportFlags importFlags) [0x00000] in <e3b6ad7501434659b50b5395301b3720>:0 
	  at System.Security.Cryptography.X509Certificates.X509Helper.Import (System.Byte[] rawData, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) [0x00005] in <1b39a03c32ec46258a7821e202e0269f>:0 
	  at System.Security.Cryptography.X509Certificates.X509Certificate..ctor (System.String fileName, System.String password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) [0x0003e] in <1b39a03c32ec46258a7821e202e0269f>:0 
	  at System.Security.Cryptography.X509Certificates.X509Certificate..ctor (System.String fileName, System.String password) [0x00000] in <1b39a03c32ec46258a7821e202e0269f>:0 
	  at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor (System.String fileName, System.String password) [0x00000] in <e3b6ad7501434659b50b5395301b3720>:0 
	  at Emby.Server.Implementations.ApplicationHost.GetCertificate (Emby.Server.Implementations.CertificateInfo info) [0x00041] in <73c23a6fefc04c6dade6e5f84e25315d>:0 
	Source: System
	TargetSite: Void .ctor(Byte[], Microsoft.Win32.SafeHandles.SafePasswordHandle, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)
	InnerException: System.Security.Cryptography.CryptographicException: `MonoBtlsPkcs12.Import` failed.
	Source: System
	TargetSite: Void CheckError(Boolean, System.String)
	  at Mono.Btls.MonoBtlsObject.CheckError (System.Boolean ok, System.String callerName) [0x0003b] in <e3b6ad7501434659b50b5395301b3720>:0 
	  at Mono.Btls.MonoBtlsObject.CheckError (System.Int32 ret, System.String callerName) [0x00000] in <e3b6ad7501434659b50b5395301b3720>:0 
	  at Mono.Btls.MonoBtlsPkcs12.Import (System.Byte[] buffer, Microsoft.Win32.SafeHandles.SafePasswordHandle password) [0x0002e] in <e3b6ad7501434659b50b5395301b3720>:0 
	  at Mono.Btls.X509CertificateImplBtls.ImportPkcs12 (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password) [0x0003e] in <e3b6ad7501434659b50b5395301b3720>:0 
	  at Mono.Btls.X509CertificateImplBtls..ctor (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) [0x00047] in <e3b6ad7501434659b50b5395301b3720>:0 

 

embyserver-4.7-beta.txt


OK I'm not sure what the issue is. It looks like something related to your certificate. Try converting it to a pfx.


requa3r0

I tried to generate the cert on a proper debian server and not in the android termux app

Using this guide: https://www.adamintech.com/how-to-configure-emby-for-https/

Then I moved it here: ~/.../downloads/certs

in termux with a scp command

~ $ scp root@192.168.1.100:/root/Downloads/embycert/emby.p12 emby.p12

Now I can actually not display the  cert info in termux anymore - but the cert loads in emby..and works just fine..and my emby app on android loads the server fine as well.

Strangely the cert is fine on the debian server, but in termux I get this error.

~/.../certs/emby $ openssl pkcs12 -info -in emby-debian.p12 -nodes
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Error outputting keys and certificates
94642FA6:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

so..I guess it's the implementation of openssl in the new version of termux on f-droid..that is the culprit.

oh well..that only took 2 days ;O)
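The two `openssl pkcs12 -info` outputs posted in this thread differ in bag encryption and MAC digest, and a short script can tell them apart. This is an added example, not part of the original posts or of Emby; `check_p12` and the `P12_PASS` variable are hypothetical names.

```shell
#!/bin/sh
# Added example: classify a PKCS#12 file from `openssl pkcs12 -info -noout` text.

# The two -info outputs posted in this thread (copied from the posts above).
TERMUX_INFO='MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'
DEBIAN_INFO='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048'

# Reads -info text on stdin; prints legacy, modern or unknown.
classify_p12_info() {
    info=$(cat)
    if printf '%s\n' "$info" | grep -q 'pbeWithSHA1And40BitRC2-CBC'; then
        echo legacy      # RC2-40 bag, the pre-3.0 OpenSSL default for certs
    elif printf '%s\n' "$info" | grep -q 'PBES2'; then
        echo modern      # PBES2 bags, the OpenSSL 3.x default
    else
        echo unknown
    fi
}

# Reads -info text on stdin; prints the digest named on the "MAC:" line.
p12_mac_alg() {
    sed -n 's/^MAC: \([^,]*\),.*/\1/p' | head -n 1
}

# check_p12 FILE (hypothetical helper): runs openssl on a real file.
# The password is read from the P12_PASS environment variable. The bag
# lines are printed before any decryption error, so stderr is kept.
check_p12() {
    out=$(openssl pkcs12 -in "$1" -noout -info -passin env:P12_PASS 2>&1) || true
    kind=$(printf '%s\n' "$out" | classify_p12_info)
    mac=$(printf '%s\n' "$out" | p12_mac_alg)
    case "$kind" in
        legacy) note='RC2-40 bag: OpenSSL 3.x needs -legacy to read it' ;;
        modern) note='profile of the file Emby failed to import in this thread' ;;
        *)      note='no known bag encryption line found' ;;
    esac
    echo "$1: $kind (MAC ${mac:-?}): $note"
}

if [ -n "${1:-}" ]; then check_p12 "$1"; fi
```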

 

 


requa3r0

Yes. All I did was to generate the cert on a proper debian server, and then send it to the droidbox to load in EMBY ;O)

I have a few android boxes, that I help setup etc. And it's a bit of a pain that you can not reboot the EMBY server properly remotely from the web or just from the app.

For maintenance purpose, for example it requires a reboot if you change certificate etc.

But also if you are on the road the emby server seems to hang etc.

A reboot feature would be great.

Is it an OS restriction issue, that this is not implemented yet?


On 5/18/2022 at 1:24 PM, requa3r0 said:

 

Is it an OS restriction issue, that this is not implemented yet?

It's just a little bit more of a challenge on android than it is other platforms.

Quote

But also if you are on the road the emby server seems to hang etc.

Can we please look at an example?

Thanks.
