achalmers 2 Posted November 30, 2022 Share Posted November 30, 2022 pfSense / HAProxy failure. Full rebuild and recovery. Re-issued / Renewed my reverse proxy certs via ACME and Lets Encrypt. Now only certain devices are having trouble accessing Emby. Android devices are prompting to accept the SSL certificate. Roku devices completely fail to login / no prompt or anything. Just spinnging. IOS devices login fine no issues and no cert prompt. Windows PC's login fine no prompt and inspecting the certificate everything is valid / current. I tried deleting cache and all app data for Emby on my android device and re-logging in. Same issue. Prompting for SSL certificate acceptance. Any ideas? Thanks! Link to comment Share on other sites More sharing options...
Luke 37066 Posted November 30, 2022 Share Posted November 30, 2022 Hi, it sounds like they're all rejecting your certificate, no? The only reason you get a prompt on android is because we have the ability to allow you to override that. On other platforms we don't though. Link to comment Share on other sites More sharing options...
Solution Q-Droid 643 Posted December 1, 2022 Solution Share Posted December 1, 2022 When things are inconsistent upon cert renewal there's a chance you left out the chain/intermediate certs from the configuration. Make sure you included the cert.pem + chain.pem or the fullchain.pem for the reverse proxy. 1 Link to comment Share on other sites More sharing options...
achalmers 2 Posted December 2, 2022 Author Share Posted December 2, 2022 (edited) On 11/30/2022 at 6:30 PM, Luke said: Hi, it sounds like they're all rejecting your certificate, no? The only reason you get a prompt on android is because we have the ability to allow you to override that. On other platforms we don't though. I dont think iPhone, or Windows devices are rejecting the certs. They are not prompting, and when inspecting the cert chain via Windows browser everything looks fine and these clients can access Emby without issue When the firewall failed I loaded onto a new RAID1 array, installed the software, restored a backup, and went into ACME service and manually told them to renew. Certs stuff confuses the hell out of me sometimes. I'm definitely no expert. Edited December 2, 2022 by achalmers Wording Link to comment Share on other sites More sharing options...
achalmers 2 Posted December 2, 2022 Author Share Posted December 2, 2022 On 11/30/2022 at 7:01 PM, Q-Droid said: When things are inconsistent upon cert renewal there's a chance you left out the chain/intermediate certs from the configuration. Make sure you included the cert.pem + chain.pem or the fullchain.pem for the reverse proxy. ok so I think you may be right. I looked at the intermediate cert serial number (R3) and on the Windows device the Serial number is different than on my Android device. Windows device is happy, Android is not. How can the intermediate cert be different when both clients access the reverse proxy in the same way. How can the reverse proxy be giving one a different intermediate cert ? Link to comment Share on other sites More sharing options...
achalmers 2 Posted December 2, 2022 Author Share Posted December 2, 2022 I got it figured out. Thanks for the help you definitley pointed me in the right direction ! Looks like after recovery the HA Proxy backend was not set to use the CA as part of the certificate profile or something. What has me baffled is how IOS and Windows clients were getting the CA but Android wasnt.... ? Changed the CA field here from "None" to the Intermediate 1 Link to comment Share on other sites More sharing options...
Q-Droid 643 Posted December 2, 2022 Share Posted December 2, 2022 The trust/key stores are often different across devices. Even on the same devices different key stores may be used. For example some browsers and apps use their own while others use the system's key store. Then you run into cases where the key store includes the root and intermediate certs for some CAs but only the root for others. Add the somewhat recent intermediate cert rotation from Letsencrypt and the ability to validate the chain/root becomes hit or miss when not enough "links" are presented during the validation exchange. In your case HAproxy was likely only presenting the server cert (depth=0) which some devices could handle because they had the intermediate in their store, but others didn't. Including the chain/intermediate in the config lets your server present a more complete chain (depth=1 or more depending on CA) giving the clients all of the "links" needed to validate the cert. 2 Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now