trying to connect securely from outside the LAN

[appboxemby 0]

so i built a pretty basic setup to get to my emby server in my house. i bought a domain on cloudflare, which comes with the free ssl cert. i then pointed the domain to my server at home. that server is a truenas scale host with a traefik reverse proxy and emby in a docker container. everything works fine on my android phone and other computers and such. however, my samsung TV does not want to allow the SSL connection on port 443. i know that the certs on the samsung tv expired forever ago and samsung has not pushed an app update, but i didnt think i needed samsungs cert. that was the whole point of paying for a domain with a cert attached - i wanted to use that one, which i confirmed works on just about every other platform. do u guys know what is wrong? (fyi, i have the network settings in emby [secure connection mode] set to be handled by rev proxy. i left the cert fields blank bc the certs are hosted on cloudflare and not the local server)

[Luke 37060]

Hi, @SamES can elaborate more but I think the limited SSL support on these Samsung TV's is still going to be a problem.

[appboxemby 0]

i have the feeling you are right, i was really just hoping a legit cert on cloudflare + the rev proxy would be able to fix this. i am not having any success.

[SamES 890]

10 hours ago, appboxemby said:

so i built a pretty basic setup to get to my emby server in my house. i bought a domain on cloudflare, which comes with the free ssl cert. i then pointed the domain to my server at home. that server is a truenas scale host with a traefik reverse proxy and emby in a docker container. everything works fine on my android phone and other computers and such. however, my samsung TV does not want to allow the SSL connection on port 443. i know that the certs on the samsung tv expired forever ago and samsung has not pushed an app update, but i didnt think i needed samsungs cert. that was the whole point of paying for a domain with a cert attached - i wanted to use that one, which i confirmed works on just about every other platform. do u guys know what is wrong? (fyi, i have the network settings in emby [secure connection mode] set to be handled by rev proxy. i left the cert fields blank bc the certs are hosted on cloudflare and not the local server)

What model is your TV, how old is it?

Luke is right regarding limited ssl cert support on Samsung TV's although I would have thought Cloudflare would be supported depending on the age of the TV

[appboxemby 0]

the tv is a 2016. model # UN55KU6300F. im also having this issue on a newer LG.

[SamES 890]

1 hour ago, appboxemby said:

the tv is a 2016. model # UN55KU6300F. im also having this issue on a newer LG.

Based on it's age, it's quite possible that its Cloudflare certificates have either expired, or didn't ever exist.  We have no way of knowing.  

I know you have already gone down this path, but ZeroSSL is a provider that most people have had recent success with on TV's.  It could be worth trying. 

Edited June 2, 2022 by SamES

[appboxemby 0]

im noticing that zerossl only gives me three 90-day certs for free, then they make me pay. is that what everyone else is doing to make this work?

[SamES 890]

14 minutes ago, appboxemby said:

im noticing that zerossl only gives me three 90-day certs for free, then they make me pay. is that what everyone else is doing to make this work?

I'm not sure, but search zerossl on the forums and you'll find the active threads. 

[keithsrobertson 4]

Could try generating a 10 year self signed ssl cert. I posted up about doing so with my Qnap, so maybe some of those steps might help you:

 

[appboxemby 0]

holy crap i think that actually worked! i have 2 questions just to make sure:

1. if i am only forwarding port 8920 on my router, that is forcing all remote connections over https, correct?

2. what did u set your Secure Connection Mode to? it wasnt screenshotted in your guide (which was AMAZING btw). as a followup to #1, since i am only allowing incoming connecitons on 8920, does this setting even matter?

thanks so much for the help!! 1st one to solve this problem!!

[keithsrobertson 4]

yes 8920 is for using secure port SSL https://

I left the default ports in the network section as 8096 for http and 8920 for https, i set secure as preferred but not required as I have local lan users who use http, but the external users are all given the ddns address and use https and port 8920 for ssl

[appboxemby 0]

reason i ask is i am trying to connect with the TVs (obviously), and in the server address bar im just typing subdomain.ddns.net and using 8920 for the port. i am NOT including the https:// in the address. just double checking to make sure im not messing this up as emby does not give me any indication in the dashboard who is connected securely and who is not.

[keithsrobertson 4]

Yes I noticed that as well that there isnt any visible indicator to say if a user is connected securely or not. Perhaps a little padlock icon can be shown over the users device or something in future.

For my local tv downstairs, on the same lan i just use the http://, the local ip address and port 8096. For users outside the lan, they specify the https:// and the ddns domain and 8920 port in the emby app

[appboxemby 0]

i am actually going to update my previous post by saying it isnt working. reason i say that is, when i change the "Secure connection mode" to "required" i lose my connection, even on port 8920. but when i say "preferred" its totally fine, making me think emby is downgrading it.

also, when i try to connect through my browser so i can examine the cert, firefox gives me this error when trying the ssl connection: "SSL_ERROR_RX_RECORD_TOO_LONG". when i connect through firefox with just subdomain.ddns.net:8920 i get an unencrypted connection.

so im thinking even though i have that 10 yr old cert on the server, im not getting a secure connection.

[Luke 37060]

Quote

but when i say "preferred" its totally fine, making me think emby is downgrading it.

That just means it will allow connections over plain http, which is what might be happening.

[appboxemby 0]

thats whats worrying me, bc right now i am only forwarding port 8920 but i am still getting http connections.

[Luke 37060]

2 hours ago, appboxemby said:

thats whats worrying me, bc right now i am only forwarding port 8920 but i am still getting http connections.

If you look at your server dashboard it will show the remote address. That is the address that Emby apps will be trying to use.

[SamES 890]

And try adding https:// to the server url on the client