Cannot Connect to EMBY Local or Remote using HTTPS on Win 11

[gihayes 46]

I Have a Domain Name from DYNU and I have been using it for several years with no problems. I bought a Single Domain SSL Certificate from them the other day and have not had any luck getting it to work with EMBY. I downloaded the Certificate files from DYNU and placed the folder with all the files in the EMBY Server system directory. I then pointed EMBY to the .pfx file. See my Emby Network Setup in attached images.
The .pfx file that was generated by DYNU does not have a password.

My Dashboard shows an https link

I have opened port 8920 (and port 443) on my router, but when I configure and attempt to access the site using https, (port 8920 or 443) I get 'Can't Reach This Page' error.

I get that regardless if I try to access locally, remotely, with Domain name or IP.
I have disabled My Anti-Virus Firewall and Windows Firewall with the same result.
I also created a .pfx with a password and tried pointing EMBY to that and it did not work.
I have restarted EMBY after each change.
A TTL Text Record for my Domain was automatically created when DYNU generated my SSL.
My http still works fine, local and remote.
I'm at a loss. Is there some step I am missing or something else I need to do? Help. 

 

embyserver.txt

Edited August 30, 2024 by gihayes
Forgot Log

[Happy2Play 9352]

Did you portforward 8920?  Does a site like canyouseeme.org show the ports open?

[gihayes 46]

Yes, port is open. I just checked it with canyouseeme.

[gihayes 46]

I just checked 443 and  canyouseeme says it is closed even though my cox router says it is open. That's weird. I just deleted the forward and re-added it. With the same result. Does 443 need to be open if I am gonna use 8920? Apparently Cox is blocking 443.

Edited August 31, 2024 by gihayes

[Lessaj 267]

No you don't need to open 443 if you're going to use 8920. You could have 443 exposed externally and have it route to 8920 internally if you wanted though.

[gihayes 46]

Ok, so I'll be using 8920. Given the configuration shown above is that all correct? Is there something else I need to do to get it to make emby accessible?

[Happy2Play 9352]

Have you verified the connection network type Public or Private?

But there is really only port forward for Emby ports and firewall for those ports per network type.

[Lessaj 267]

If 8920 is showing as open then it should work. Were you trying to access your domain from the internal network in your last screenshot or was that from a remote location?

[gihayes 46]

1 hour ago, Lessaj said:

If 8920 is showing as open then it should work. Were you trying to access your domain from the internal network in your last screenshot or was that from a remote location?

I get that screen when I try to connect on local network or external (with phone with wi-fi off).

[Lessaj 267]

Okay let's start with local network. Does https://192.168.0.35:8920 work at all? Even if it has a certificate error.

[gihayes 46]

No I get the page cannot be reached. But http://192.168.0.35:9096 works.

[Happy2Play 9352]

What is your network type Public or Private?

Does Emby Dashboard show correct WAN address?

Does any port checking site like canyouseeme.org show your Emby ports open?

Can all clients on your LAN connect to Emby?

[gihayes 46]

Private network, Dashboard shoes my domain and port correctly, and web port checkers show 8920 open. And all devices on my local lan can connect to Emby via http but not https

Edited September 2, 2024 by gihayes

[gihayes 46]

When I check my certificate on Dynu it resolves to my IP but it says that the check failed. Maybe I should check with them to see if there is something wrong with the certificates they issued me?

Edited September 2, 2024 by gihayes

[gihayes 46]

I am new to the certificate stuff. Do I need to install or import the certificates into windows? Will it hurt anything if I do?

[Happy2Play 9352]

Not sure on cert as Emby is not seeing a issue with it and is listening on 8920.  If port checking is showing open then I am not entirely sure only other thing would be firewall that I can thing of.

[Lessaj 267]

It is sounding like firewall to me as well but I don't run my server on windows to know what rules it would normally automatically add. The log does say it's listening on 8920, you could make sure from command prompt, but beyond that you need to check your firewall settings.

netstat -an | findstr 8920

Should see an entry for 8920 that says LISTENING.

Edited September 2, 2024 by Lessaj

[Lessaj 267]

1 hour ago, gihayes said:

I am new to the certificate stuff. Do I need to install or import the certificates into windows? Will it hurt anything if I do?

No you just need the PFX file the way you have it, your https setup is correct as is otherwise it wouldn't say in the log that it's listening on the port, there would be some kind of certificate error.

[Happy2Play 9352]

Yes that would be a question of do you have any Security/AV software that has its own firewall?

But on install Emby applies firewall rules and you can retrigger it by changing ports or manually editing system.xml <IsPortAuthorized>

and here is the what Emby runs different then default at that is for a test server.

Spoiler

rem 7359 = udp server port
rem 8095 = http server port
rem 8443 = https server port
rem C:\Users\Media\AppData\Roaming\Emby-Server\system\EmbyServer.exe = exe path

netsh advfirewall firewall delete rule name="Port 7359" protocol=UDP localport=7359
netsh advfirewall firewall add rule name="Port 7359" dir=in action=allow protocol=UDP localport=7359

netsh advfirewall firewall delete rule name="Port 8095" protocol=TCP localport=8095
netsh advfirewall firewall add rule name="Port 8095" dir=in action=allow protocol=TCP localport=8095

netsh advfirewall firewall delete rule name="Port 8443" protocol=TCP localport=8443
netsh advfirewall firewall add rule name="Port 8443" dir=in action=allow protocol=TCP localport=8443

netsh advfirewall firewall delete rule name="mediabrowser.serverapplication.exe"
netsh advfirewall firewall delete rule name="EmbyServer.exe"
netsh advfirewall firewall delete rule name="Emby Server"

netsh advfirewall firewall add rule name="Emby Server" dir=in action=allow protocol=TCP program=C:\Users\Media\AppData\Roaming\Emby-Server\system\EmbyServer.exe enable=yes
netsh advfirewall firewall add rule name="Emby Server" dir=in action=allow protocol=UDP program=C:\Users\Media\AppData\Roaming\Emby-Server\system\EmbyServer.exe enable=yes

:DONE
Exit

If firewall was not correct I would assume port checker should fails.  At least it does when I disable the rules.

 

2 hours ago, gihayes said:

But http://192.168.0.35:9096 works.

May need to see a new server log from startup as your previous log was not on that port.  Unless that is a typo.

Edited September 2, 2024 by Happy2Play

[gihayes 46]

I meant port 8096 not 9096, that was a typo. I ran the netstat command and it returned nothing. just went back to the prompt. There is a tool in windows named Resource Monitor that shows what programs are listing on what ports. It shows Emby listening on quite a few ports, but 8920 is not one of them.  I am attaching a new log. I am running Bitdefender AV software and Emby has been allowed access to all ports. Emby is allowed access with Windows Defender Firewall also. I have tried connecting with both off, and for a very short period with my Bitdefender AV totally disabled. But I still get the same Web page when trying to connect via https. I was running Emby as a service but have just switched to running it as an app so as to make restarting easier. I have attached a new log

 

embyserver.txt

Edited September 2, 2024 by gihayes
Turned on Debugging, Replaced log

[gihayes 46]

I just checked the Windows Resource Monitor and Emby is listening on 8920 now, and the netstat command worked, but I still get the same webpage when trying to connect to https. If I try to connect using 192.168.0.35:8920 I get a different webpage error. Attaching screenshot.

Edited September 2, 2024 by gihayes

[Lessaj 267]

Can you provide the entire URL for that page? It's not in the screenshot. I just installed a server very quickly on a windows vm and used my same certificate, setting up nothing else, and I can see it listening, it just complains about the common name not matching (which I expected).

Edited September 2, 2024 by Lessaj

[gihayes 46]

That's all it shows. I checked my Emby System folder and found a system.xml.dll but not just a system.xml. Will re-installing over my current install possibly straighten things out? if I do that, It will keep all my libraries and settings, right?

Here is the result of the netstat command

C:\Windows\System32>netstat -an | findstr 8920
  TCP    0.0.0.0:8920           0.0.0.0:0              LISTENING
  TCP    [::]:8920              [::]:0                 LISTENING

C:\Windows\System32>

[Happy2Play 9352]

5 minutes ago, gihayes said:

I checked my Emby System folder and found a system.xml.dll but not just a system.xml

It will not be in Emby system folder it will be Emby programdata folder.

C:\Users\{username}\AppData\Roaming\Emby-Server\programdata\config

But per your image you are not going to https you are going to http which will not work.

2024-09-02 00:04:31.089 Info App: Adding HttpListener prefix http://+:8096/
2024-09-02 00:04:31.089 Info App: Adding HttpListener prefix https://+:8920/

 

Edited September 2, 2024 by Happy2Play

[Happy2Play 9352]

Should relatively be the same process but may need to take a step back and get http port 8096 working and check remote connection via WANIP:8096 then work on https/ssl configuration.