tobby 16 Posted December 15, 2015

Hi

Yesterday I set up my Emby server. It is working great and I can use the WebApp through my browser via http on port 8096 and via https on port 8920. Both are working. At first I used the self-signed certificate, but then I generated a valid certificate from "let's encrypt" for it, which is also working.

But when using the Android-app or the Amazon-FireTV-Stick-App both can't connect to the https port. However, both are working great when using the http-port. I also tried both, using the self-signed certificate and the let's encrypt one. Doesn't change anything...

So: Http and Https are both working with the web app, but on Android and on the FireTV-Stick there is only http working.

Any ideas what I may do wrong or what may be wrong with the apps?

singer36 1 Posted December 20, 2015 (edited)

May I ask where you deployed the generated certificate files? I did also generate a certificate with letsencrypt, but I am not sure where to put it to have emby take it into account!

[edit] Very easy indeed: through the emby web interface, manage server > Advanced > Hosting > Custom certificate path

As for the mobile app, I was expecting it to work... but maybe we would need to import the certificate on the android device?

Edited December 21, 2015 by singer36

singer36 1 Posted December 20, 2015

Will try! For now, I succeeded in creating a new domain + real certificate (Letsencrypt) and deployed it to emby server... and having no more warning message in the webapp is.... cool already!

singer36 1 Posted December 21, 2015 (edited)

> At first I used the self-signed certificate, but then I generated a valid certificate from "let's encrypt" for it, which is also working. But when using the Android-app or the Amazon-FireTV-Stick-App both can't connect to the https port.

I did the same: created a Letsencrypt certificate.

On my laptop with IE, chrome, FF (on home wifi), it works fine: certificate is validated!
On my laptop with IE, chrome, FF (routed with phone 3G), it works fine
On my android phone with firefox (on home wifi or 3G): KO: "sec_error_unknown_issuer"??!!

Seems like the certificate is only validated in intranet??

[edit] Issue solved! :-)

My certificate was missing the intermediate.pem! Why was it working on my laptop? Just because I had the intermediate certificate provided by another opened webpage... letsencrypt.org!

The right way to generate the pfx file is:

    openssl pkcs12 -export -out ./<mydomain>.pfx -inkey ./domain.key -in ./domain.crt -certfile ./intermediate.pem

Be careful, the intermediate.pem file was not good for me. I updated it this way: wget chain file from https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem

And now web application works everywhere!!! Any browser!!! :-)

A little step for you, a fucking big one for me :-)

Edited December 22, 2015 by singer36

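Added example, not part of any post in this thread: a shell check that reproduces the missing-intermediate problem described above by exporting a PFX without and with `-certfile` and verifying the leaf using only what the PFX itself carries. It assumes the `openssl` CLI is installed; the throwaway root, intermediate and leaf, their subjects and the password `test` are constructed test values.

```shell
#!/bin/sh
# Added example, not from the thread. Subjects, file names and the password
# "test" are constructed values for a throwaway PKI.

# make_test_pki DIR: root CA -> intermediate CA -> server leaf, all in DIR.
make_test_pki() {
    d=$1
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=unused\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/pki.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/pki.cnf" -extensions v3_ca \
        -subj "/CN=Constructed Test Root" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    for name in intermediate domain; do
        openssl req -newkey rsa:2048 -nodes -config "$d/pki.cnf" -subj "/CN=constructed-$name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -days 2 \
        -set_serial 1000 -extfile "$d/pki.cnf" -extensions v3_ca -out "$d/intermediate.pem" 2>/dev/null
    openssl x509 -req -in "$d/domain.csr" -CA "$d/intermediate.pem" -CAkey "$d/intermediate.key" \
        -days 2 -set_serial 1001 -out "$d/domain.crt" 2>/dev/null
}

# pfx_chain_ok PFX PASSWORD ROOT: succeed only if the leaf in PFX chains to ROOT
# using just the CA certificates bundled in the PFX, which is all a client
# with no cached intermediates has to work with.
pfx_chain_ok() {
    t=$(mktemp -d) || return 2
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$t/leaf.pem" 2>/dev/null
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts -out "$t/chain.pem" 2>/dev/null
    if grep -q 'BEGIN CERTIFICATE' "$t/chain.pem"; then
        openssl verify -CAfile "$3" -untrusted "$t/chain.pem" "$t/leaf.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$3" "$t/leaf.pem" >/dev/null 2>&1
    fi
    rc=$?; rm -rf "$t"; return $rc
}

# compare_exports: export the PFX without and with -certfile and report each.
compare_exports() {
    d=$(mktemp -d) || return 2
    make_test_pki "$d"
    openssl pkcs12 -export -out "$d/leaf-only.pfx" -passout pass:test \
        -inkey "$d/domain.key" -in "$d/domain.crt"
    openssl pkcs12 -export -out "$d/with-chain.pfx" -passout pass:test \
        -inkey "$d/domain.key" -in "$d/domain.crt" -certfile "$d/intermediate.pem"
    for f in leaf-only with-chain; do
        if pfx_chain_ok "$d/$f.pfx" test "$d/root.crt"; then echo "$f: chain complete"
        else echo "$f: intermediate missing"; fi
    done
    rm -rf "$d"
}
compare_exports
```
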
Luke 38839 Posted December 21, 2015

Many of the apps still have some work to do regarding https. For now I would imagine you might have to install the cert on the device. That's what you have to do with apple devices at least.

singer36 1 Posted December 22, 2015

Tested on Android 5.1 (LG G3 latest EU firmware) + EMBY app latest version:

- copied and renamed my .pfx certificate to .p12
- transferred it to android device
- installed it on the device (too bad it restricts some authentication methods)

=> EMBY app no more complaining of certificate!! All images displaying well.

BUT...

- music not playing?
- video not playing (playback error / there was an error processing the request. Please try again later)
- video playing perfectly with external player.

Luke 38839 Posted December 22, 2015

we're using libvlc for playback, so we're going to have to figure out what we might have to configure with it. that's one of the things i was referring to when i said we still have work to do with ssl on android. nice job getting everything else working though.

miquelx 2 Posted January 27, 2016 (edited)

@Luke

Been looking at this bug, the VLC player app on android is also affected, the problem may be within GnuTLS, which is the library used by libVLC for the https connections.

Looking at the catlog logs, it seems GnuTLS is not loading the installed user certificates on 4.0+ android devices, only the system certificates (162 certificates on my device) are loaded.

Although GnuTLS was updated to support 4.0+ android certificates on version 3.1.10, there is no indication whether support was added for user certificates.

I got it working on my rooted device by installing the root certificate as a system certificate, if people show interest I don't mind doing a tutorial.

P.S.: According to this post on the VLC forums there seems to be a flag in the VLC android app compilation to bypass certificate checks, maybe that's something that can be integrated into the emby app as an option for advanced users?

Edited January 27, 2016 by miquelx

Luke 38839 Posted January 27, 2016

I think our future though is getting everyone a trusted cert with letsencrypt. These self-signed certs are really painful due to the changes that have to be made to every single app in order to handle them.

Luke 38839 Posted January 27, 2016

all of the android apps. but there are similar issues with self-signed certs on other platforms as well.

anderbytes 140 Posted January 31, 2016

> I did the same: created a Letsencrypt certificate.
>
> On my laptop with IE, chrome, FF (on home wifi), it works fine: certificate is validated!
> On my laptop with IE, chrome, FF (routed with phone 3G), it works fine
> On my android phone with firefox (on home wifi or 3G): KO: "sec_error_unknown_issuer"??!!
>
> Seems like the certificate is only validated in intranet??
>
> [edit] Issue solved! :-)
>
> My certificate was missing the intermediate.pem! Why was it working on my laptop? Just because I had the intermediate certificate provided by another opened webpage... letsencrypt.org!
>
> The right way to generate the pfx file is:
>
>     openssl pkcs12 -export -out ./<mydomain>.pfx -inkey ./domain.key -in ./domain.crt -certfile ./intermediate.pem
>
> Be careful, the intermediate.pem file was not good for me. I updated it this way: wget chain file from https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
>
> And now web application works everywhere!!! Any browser!!! :-)
>
> A little step for you, a fucking big one for me :-)

Singer36, thanks a LOT for solving this mystery! Now the dev can focus better on the final solution, because of your discovery!

> @Luke
>
> Been looking at this bug, the VLC player app on android is also affected, the problem may be within GnuTLS, which is the library used by libVLC for the https connections.
>
> Looking at the catlog logs, it seems GnuTLS is not loading the installed user certificates on 4.0+ android devices, only the system certificates (162 certificates on my device) are loaded.
>
> Although GnuTLS was updated to support 4.0+ android certificates on version 3.1.10, there is no indication whether support was added for user certificates.
>
> I got it working on my rooted device by installing the root certificate as a system certificate, if people show interest I don't mind doing a tutorial.
>
> P.S.: According to this post on the VLC forums there seems to be a flag in the VLC android app compilation to bypass certificate checks, maybe that's something that can be integrated into the emby app as an option for advanced users?

MiquelX, WOW. Congratulations for the research.

> all of the android apps. but there are similar issues with self-signed certs on other platforms as well.

Luke, we learned that using the correct pfx / p12 in server and clients would do the trick. What do you think about:

- Enabling server to self-create its PFX (based on fillable fields as KEY, CRT and PEM that probably have to be given by the emby admin in any case).
- Make the generated PFX downloadable as P12 for importing in clients. Or make Emby Connect get it automatically and use it.

As for the libVLC. If it is really the best one to use, maybe ignoring certificate check would be a good idea, I can't imagine any kind of real security risk with this.

runtimesandbox 156 Posted February 19, 2016

> I think our future though is getting everyone a trusted cert with letsencrypt. These self-signed certs are really painful due to the changes that have to be made to every single app in order to handle them.

@Luke I know this will be the ideal solution, but wouldn't this still require a client side cert to be installed?

anderbytes 140 Posted February 19, 2016

> @Luke I know this will be the ideal solution, but wouldn't this still require a client side cert to be installed?

Probably when Let's Encrypt gets solid and worldwide trusted, all browsers will support it natively.