Friedhelm Posted May 9
I have set up Emby on my Proxmox in a Debian LXC container. Everything works fine except https. I have stored the required pfx file in /var/log/emby/config, changed ownership to emby, configured it in the network configuration, and Emby says all is fine. However, when I try to access the server on port 8920, no certificate is present. I checked it with openssl s_client -connect myhost.de:8920 and get "no peer certificate available". I can't find anything in the log (even at debug level) about the pfx activation, whether the certificate was successfully read or not. How can I diagnose the HTTPS setup? Are there any other log options to check if and why the certificate activation failed? Any help is appreciated. Log is attached: embyserver.txt
Q-Droid Posted May 9
Restart your Emby server, then check the log to see if it's listening on the https port. It will be in the log and needs to be restarted. Rotated logs don't have the info.
Friedhelm Posted May 9 (Author)
I restarted already a dozen times, and also updated from 4.8.5.0 to 4.8.6.0. What I uploaded was an active log, not a rotated one. I'm an experienced IT guy, so you can assume I've done the basic troubleshooting already. Port 8920 is open, telnet connects. So it is not a firewall issue or anything. In the log you don't find a single word regarding the certificate; that's why I asked where I should find it and what it should look like. I checked both the currently written log and the rotated logs. The only thing I see in the log is:
Info App: Adding HttpListener prefix https://+:8920/
No word about the pfx. I also checked system.xml to see if it contains the proper path, filename and password. All looks good.
Luke Posted May 9
It appears that the server is listening on the https port, so I think you're good in that regard. I think the issue is that the requests are never reaching Emby Server, hence no activity in the server log. So it sounds like you have something in the middle causing that.
Friedhelm Posted May 9 (Author)
Nope, that's not the problem. When Emby is up, port 8920 connects; when it is down, it doesn't. So the datagrams are reaching the server, but since I am requesting https and there is no certificate, the browser returns an error: SSL_ERROR_PROTOCOL_VERSION_ALERT, and any communication is aborted. I also tried http on port 8920, but that resets the connection.
Luke Posted May 9
How do you know it's not the problem?
Lessaj Posted May 9
Does openssl work properly inside the container?
Q-Droid Posted May 9
Have you verified the contents of the pfx to make sure the needed certs are in it? I replied from my phone and didn't look at your log.
Friedhelm Posted May 9 (Author)
PS: http on 8096 is working, so the network routes are fine, too. To me it looks like Emby has a problem reading the certificate, but - once again - there is nothing in the logs...
Friedhelm Posted May 9 (Author)
3 minutes ago, Lessaj said: Does openssl work properly inside the container?
Good point. But same result:
root@emby:/var/lib/emby# openssl s_client -connect localhost:8920
CONNECTED(00000003)
40D76D37A4730000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1586:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 297 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
The pfx is definitely fine; certificates are my daily business. Private key is included and password is correct.
Lessaj Posted May 9
Looks like this is probably a LetsEncrypt certificate or something similar with that ISRG Root. What exact command did you run to create the PFX? I'm assuming something like this:
openssl pkcs12 -export -out cert.pfx -inkey /path/to/private.key -in cert.pem
Friedhelm Posted May 9 (Author)
I get my LE certificates using the certificate manager of my mailserver, which has an embedded cert bot. It has an export function that creates the pfx. The pfx files are properly created; I know the developer of the certmanager personally and trust his code. I checked whether openssl can extract key and certs from the pfx, and all was fine.
Friedhelm Posted May 9 (Author)
The openssl dump of the pfx is perfectly fine.
Bag Attributes
    friendlyName:
    localKeyID: 29 9E 01 C9 26 BD 3B 15 86 1B 1A 62 3C 47 6C E2
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIF4zCCBMugAwIBAgISAy6kWI0RvfAVKib0OjCy+4rSMA0GCSqGSIb3DQEBCwUA
....
uxAtpeHNc7yqBqf79mozq+VDP1T+Dg==
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName:
    localKeyID: 29 9E 01 C9 26 BD 3B 15 86 1B 1A 62 3C 47 6C E2
subject=CN = xxxmyhostxxx.de
issuer=C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIF4zCCBMugAwIBAgISAy6kWI0RvfAVKib0OjCy+4rSMA0GCSqGSIb3DQEBCwUA
....
6kqxXlbS4mfkhyiu91qFmBWzlRLwa9g=
-----END CERTIFICATE-----
Bag Attributes
    friendlyName:
    localKeyID: 29 9E 01 C9 26 BD 3B 15 86 1B 1A 62 3C 47 6C E2
subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
...
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
Bag Attributes
    friendlyName:
    localKeyID: 29 9E 01 C9 26 BD 3B 15 86 1B 1A 62 3C 47 6C E2
subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
...
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
Lessaj Posted May 9 (marked as Solution)
Can you try creating the PFX with only the private key + certificate? My PFX only contains 1 certificate and 1 key. The root and intermediate CA being there shouldn't be an issue, but just to rule it out.
Friedhelm Posted May 9 (Author)
That worked. But I would still call it a bug. A certificate with included chain should not break a server, and if it does, I'd expect some kind of warning. A cert sanity check would be nice. Maybe you can update the documentation to say that the pfx may not contain a chain. Key and cert only.
Q-Droid Posted May 9
Nope. Emby works with the chain, and the LE fullchain PEM is what should be used when creating the keystore.
Friedhelm Posted May 9 (Author)
Well, it didn't in my case, and my checks of the pfx did not show any issues, as you can see in the dump I posted. Dumping the pfx and rebuilding it without the chain fixed it, so prove me wrong. However: it is fixed now, thanks to Lessaj. But my major complaint is still there: something didn't work correctly, Emby did not offer the certificate to the connecting clients though it was properly set up, and there was nothing about it in the logs. No "unable to open pfx" or "Invalid pfx structure" or whatever. The same pfx works fine on other hosts.
Friedhelm Posted May 9 (Author)
I tested it once more and manually built a pfx with the fullchain, and this time it worked. I think the difference from the original fullchain pfx is the encryption of the private key. The new pfx contains an unencrypted private key, and only the pfx itself is password encrypted. The original pfx had both the pfx and the private key encrypted with the same password.
Q-Droid Posted May 9
That's something the developers could consider. Having both a storepass and a keypass involved, even if the same, might need changes in the Emby code to handle. LE issues the full stack and generates a new private key for each issue/renewal and doesn't encrypt any of it. Sometimes this is taken for granted when people want to create their keystores in specific and more secure ways. Since most CAs handle CSRs, you don't have to ever expose your private key, and that's the price to pay for the ease and convenience of free services like LE.
Lessaj Posted May 9
Yes, that was another thought that I had: the key that I used when I created my PFX is not an encrypted key. It asks for an import password as well as a PEM pass phrase when trying to view the pfx with openssl, but they happen to be the same password. It's been a while since I created it.
sftech13 Posted May 13 (edited)
After 4.8.6.0 I'm getting this same issue. Ubuntu 20.04. I'm using LE and can't see any errors. Ports are open and working. The PFX is valid but Emby will not work with it. Nothing in the logs. I use domain.me for my panel and apps. They are all secure. When I try to apply the cert to Emby it will not work using domain.me:8920. embyserver.txt
sftech13 Posted May 13
Is it possible that on the update port 8290 is blocked? I can't get to it from an open port check tool. I have it open on my router, no firewall running on the server, tried to DMZ and same thing.
Q-Droid Posted May 13
It's in your log that it has a problem with the cert file.
Quote:
2024-05-13 10:31:28.126 Error App: Error loading cert from /home/sftech13/scripts/emby/certificate.pfx
*** Error Report ***
Version: 4.8.6.0
Command line: /opt/emby-server/system/EmbyServer.dll -programdata /var/lib/emby -ffdetect /opt/emby-server/bin/ffdetect -ffmpeg /opt/emby-server/bin/ffmpeg -ffprobe /opt/emby-server/bin/ffprobe -restartexitcode 3 -updatepackage emby-server-deb_{version}_amd64.deb
Operating system: Linux version 5.4.0-181-generic (buildd@lcy02-amd64-102) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)) #201-Ubuntu SMP Thu Mar 28 15:39:01 UTC 2
Framework: .NET 6.0.25
OS/Process: x64/x64
Runtime: opt/emby-server/system/System.Private.CoreLib.dll
Processor count: 8
Data path: /var/lib/emby
Application path: /opt/emby-server/system
Interop+Crypto+OpenSslCryptographicException: Interop+Crypto+OpenSslCryptographicException: error:2006D002:BIO routines:BIO_new_file:system lib
   at Interop.Crypto.CheckValidOpenSslHandle(SafeHandle handle)
   at Internal.Cryptography.Pal.OpenSslX509CertificateReader.FromFile(String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password)
   at Emby.Server.Implementations.ApplicationHost.GetCertificate(CertificateInfo info)
Source: System.Security.Cryptography.X509Certificates
TargetSite: Void CheckValidOpenSslHandle(System.Runtime.InteropServices.SafeHandle)
sftech13 Posted May 13
Damn, I feel dumb!!!!! Thank you.
Luke Posted May 14
Hi, has this helped you resolve your issue?