SSL_ERROR_RX_RECORD_TOO_LONG error trying to configure Emby for https.

[ziomario 0]

Hello to everyone.

 

I'm trying to configure Emby for https,following this tutorial :

 

https://www.adamintech.com/how-to-configure-emby-for-https/

 

Unfortunately after having followed carefully all the instructions found on the tutorial as well as some different variant,it ended up with the error that you see on the title. I've attached the pictures that show how I have configured the emby network settings as suggested.

Can someone help me to find what's wrong please. thanks.

 

PS : I have opened port 8920 on my router....

 

Edited February 18 by ziomario

[Lessaj 70]

Your p12 is in the /root directory, are you running emby as root? If not, does the emby user have access to this file? You should probably put the certificate file within the emby directory at a location that makes sense to you, such as /var/lib/emby/config/ssl for example. It also looks like you're still trying to use the HTTP port but the browser screenshot isn't complete to show if you were trying to access http or https on 8096. You may want to use the local server name or IP rather than the domain name to ensure https is working locally before you try to do anything externally, you'll get a certificate error if there is no SAN for that address but it would at least indicate that SSL is properly configured.

[ziomario 0]

Ok,I've copied the emby.p12 file in /var/lib/emby/config/ssl but it still does not connect using port 8920. Between the log I see this error message :

 

Error App: Error loading cert from /var/lib/emby/config/ssl/emby.p12
       *** Error Report ***
       Version: 4.8.1.0

 

[ziomario 0]

Reading from this thread :

 

 

it seems that I should do a : chmod 644 /var/lib/emby/config/ssl/emby.p12

well,I did it,but the error is still there.

 

Edited February 18 by ziomario

[ziomario 0]

This is the full log :

 

Quote

Error App: Error loading cert from /var/lib/emby/config/ssl/emby.p12
       *** Error Report ***
       Version: 4.8.1.0
       Command line: /opt/emby-server/system/EmbyServer.dll -programdata /var/lib/emby -ffdetect /opt/emby-server/bin/ffdetect -ffmpeg /opt/emby-server/bin/ffmpeg -ffprobe /opt/emby-server/bin/ffprobe -restartexitcode 3 -updatepackage emby-server-deb_{version}_armhf.deb

       Operating system: Linux version 5.4.261-iommu-dma-on-xen (root@devuan-bunsen) (gcc version 12.2.0 (Debian 12.2.0-14)) #8 SMP Tue Jan 9 21:33:13 UTC 2024
       Framework: .NET 6.0.25
       OS/Process: arm/arm
       Runtime: opt/emby-server/system/System.Private.CoreLib.dll
       Processor count: 2
       Data path: /var/lib/emby
       Application path: /opt/emby-server/system
       System.Security.Cryptography.CryptographicException: System.Security.Cryptography.CryptographicException: The certificate data cannot be read with the provided password, the password may be incorrect.
        ---> System.Security.Cryptography.CryptographicException: The certificate data cannot be read with the provided password, the password may be incorrect.
          at Internal.Cryptography.Pal.UnixPkcs12Reader.VerifyAndDecrypt(ReadOnlySpan`1 password, ReadOnlyMemory`1 authSafeContents)
          at Internal.Cryptography.Pal.UnixPkcs12Reader.Decrypt(SafePasswordHandle password, Boolean ephemeralSpecified)
          --- End of inner exception stack trace ---
          at Internal.Cryptography.Pal.UnixPkcs12Reader.Decrypt(SafePasswordHandle password, Boolean ephemeralSpecified)
          at Internal.Cryptography.Pal.PkcsFormatReader.TryReadPkcs12(ReadOnlySpan`1 rawData, OpenSslPkcs12Reader pfx, SafePasswordHandle password, Boolean single, Boolean ephemeralSpecified, BooleanreadingFromFile, ICertificatePal& readPal, List`1& readCerts)
          at Internal.Cryptography.Pal.PkcsFormatReader.TryReadPkcs12(ReadOnlySpan`1 rawData, SafePasswordHandle password, Boolean single, Boolean ephemeralSpecified, Boolean readingFromFile, ICertificatePal& readPal, List`1& readCerts, Exception& openSslException)
          at Internal.Cryptography.Pal.OpenSslX509CertificateReader.FromFile(String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
          at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
          at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName,String password)
          at Emby.Server.Implementations.ApplicationHost.GetCertificate(CertificateInfo info)
       Source: System.Security.Cryptography.X509Certificates
       TargetSite: Void Decrypt(Microsoft.Win32.SafeHandles.SafePasswordHandle, Boolean)
       InnerException: System.Security.Cryptography.CryptographicException: The certificate data cannot be read with the provided password, the password may be incorrect.
       Source: System.Security.Cryptography.X509Certificates
       TargetSite: Void VerifyAndDecrypt(System.ReadOnlySpan`1[System.Char], System.ReadOnlyMemory`1[System.Byte])
          at Internal.Cryptography.Pal.UnixPkcs12Reader.VerifyAndDecrypt(ReadOnlySpan`1 password, ReadOnlyMemory`1 authSafeContents)
          at Internal.Cryptography.Pal.UnixPkcs12Reader.Decrypt(SafePasswordHandle password, Boolean ephemeralSpecified)

[Happy2Play 8313]

Are you possitive the password is correct?

The certificate data cannot be read with the provided password, the password may be incorrect.

 

[Lessaj 70]

Did you set a password when creating the p12? You left that field blank in the configuration page. Try to read the p12 with openssl.

openssl pkcs12 -info -in /var/lib/emby/config/ssl/emby.p12

[ziomario 0]

now it says :

 

ziomario.ns0.it:8920 uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

 

 

Edited February 19 by ziomario

[Lessaj 70]

Okay so that should mean that now your SSL is working at least. If you don't have any options to proceed anyway and you want your browser to trust it you'll have to import the certificate (the PEM certificate created before the p12). I don't use firefox but there's a certificate manager, you can either add it as an authority or probably add an exception under servers might work too.

By the way your port forwarding is working as well.

Edited February 19 by Lessaj

[ziomario 0]

I can't ask to my friends to add the certificate in their browser because they don't know even what a browser is. I find more useful to understand how to add an exception on the emby server. Can you explain how to do this ?

Edited February 19 by ziomario

[Lessaj 70]

You don't add the exception in the server, it's all done from the client browser. If you want a certificate that's trusted already by devices you could get one using certbot or acme.sh. You'd likely want to do this in order for client apps to work (like on android, iOS, etc) because browsers can bypass it but client apps might not be able to.

[jaycedk 389]

Self signet certificates should not be used anymore.

Browsers sees them as insecure. 

And some systems flat out reject them.

Its better to bite the pullet and buy a real certificate.

or use certbot with a reverse proxy that can automate the process.

[ziomario 0]

I need a detailed tutorial that explain how to perform the whole procedure.

Edited February 19 by ziomario

[Luke 37125]

Have you considered digicert?

[ziomario 0]

I don't know which differences there are between digicert or certbot or acme. I'm not experienced in this area. But what matters more for me is to find a detailed tutorial that explain how to perform the whole procedure. By myself only I'm not able to find the right tutorial. For sure,I can find one of the many tutorials that are on internet,but I'm not sure if the chosen one will fits with emby.

.

Edited February 20 by ziomario

[Luke 37125]

4 minutes ago, ziomario said:

I don't know which differences there are between digicert or certbot or acme. I'm not experienced in this area. But what matters more for me is to find a detailed tutorial that explain how to perform the whole procedure. By myself only I'm not able to find the right tutorial. For sure,I can find one of the many tutorials that are on internet,but I'm not sure if the chosen one will fits with emby.

.

Have you taken a look at this?

 

[ziomario 0]

Its not good for me. As you can read below,the client is written only for Windows :

 

Win32/Win64 Portable SSL Certificates client for Let's Encrypt / Buypass / other ACME-compatible CAs and servers (with ACME v2/v1, Wildcards and External Account Binding support)

 

but I'm on arm 32 bit.