
No connection via https


tobby

Hi

 

Yesterday I set up my Emby server. It is working great and I can use the WebApp through my browser via http on port 8096 and via https on port 8920. Both are working. At first I used the self-signed certificate, but then I generated a valid certificate from "let's encrypt" for it, which is also working.

 

But when using the Android-app or the Amazon-FireTV-Stick-App both can't connect to the https port. However, both are working great when using the http-port. I also tried both, using the self signed certificate and the let's encrypt one. Doesn't change anything...

 

So: Http and Https are both working with the web app, but on Android and on the FireTV-Stick there is only http working.

 

Any ideas what I may do wrong or what may be wrong with the apps?

singer36

may I ask where you deployed the generated certificate files?

I did also generate a certificate with letsencrypt, but I am not sure where to put it to have emby take it into account !

[edit] very easy indeed: through emby web interface, manage server > Advanced > Hosting > Custom certificate path

as for the mobile app, I was expecting it to work...

but maybe we would need to import the certificate on the android device ?

Edited by singer36

singer36

will try !

for now, i succeeded in creating a new domain + real certificate (Letsencrypt) and deployed it to emby server...

and having no more warning message in the webapp is.... cool already !

:)

singer36
At first I used the self-signed certificate, but then I generated a valid certificate from "let's encrypt" for it, which is also working.

 

But when using the Android-app or the Amazon-FireTV-Stick-App both can't connect to the https port.

 

I did the same: created a Letsencrypt certificate.

On my laptop with IE, chrome, FF (on home wifi), it works fine: certificate is validated !

On my laptop with IE, chrome, FF (routed with phone 3G), it works fine

On my android phone with firefox (on home wifi or 3G): KO: "sec_error_unknown_issuer"??!!

 

seems like the certificate is only validated in intranet??

 

[edit] issue solved ! :-) My certificate was missing the intermediate.pem ! Why was it working on my laptop? just because I had the intermediate certificate provided by another opened webpage... letsencrypt.org !

 

the right way to generate the pfx file is:

openssl pkcs12 -export -out ./<mydomain>.pfx -inkey ./domain.key -in ./domain.crt -certfile ./intermediate.pem

be careful, intermediate.pem file was not good for me. I updated it this way:

wget chain file from https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem

 

And now web application works everywhere !!! any browser !!! :-)

a little step for you, a fucking big one for me :-)

Edited by singer36
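
The missing-intermediate problem from this post, reproduced offline as an added example (not part of the original post and not Emby code): it builds a throwaway root, intermediate and leaf, creates the PFX without and with -certfile, and checks each the way a client that trusts only the root and has no cached intermediate would. The CA names, emby.example.test and the password demo are constructed; the certificate file names follow the post's command.

```sh
#!/bin/sh
# Added example: throwaway PKI (Demo Root -> Demo Intermediate -> leaf).
# CA names, emby.example.test and the password "demo" are constructed.
set -eu

build_pki() {  # $1 = empty working directory (the script stays in it)
  cd "$1"
  echo 'basicConstraints=critical,CA:TRUE' > ca.ext
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo Root' \
    -keyout root.key -out root.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
    -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 1 \
    -days 2 -extfile ca.ext -out intermediate.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=emby.example.test' \
    -keyout domain.key -out domain.csr 2>/dev/null
  openssl x509 -req -in domain.csr -CA intermediate.pem -CAkey inter.key \
    -set_serial 2 -days 2 -out domain.crt 2>/dev/null
  # First attempt: leaf and key only. Corrected: intermediate via -certfile.
  openssl pkcs12 -export -out leaf-only.pfx -inkey domain.key -in domain.crt \
    -passout pass:demo
  openssl pkcs12 -export -out full-chain.pfx -inkey domain.key -in domain.crt \
    -certfile intermediate.pem -passout pass:demo
}

certs_in_pfx() {  # prints the number of certificates stored in PFX $1
  openssl pkcs12 -in "$1" -nokeys -passin pass:demo 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# Models a client that trusts only the root and has no cached intermediate:
# it can build the chain only from the certificates the PFX gives the server.
client_accepts() {
  openssl pkcs12 -in "$1" -nokeys -passin pass:demo -out sent.pem 2>/dev/null
  openssl verify -CAfile root.pem -untrusted sent.pem domain.crt >/dev/null 2>&1
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
build_pki "$WORK"
for pfx in leaf-only.pfx full-chain.pfx; do
  if client_accepts "$pfx"; then verdict=accepted; else verdict=rejected; fi
  echo "$pfx: $(certs_in_pfx "$pfx") certificate(s), client verdict: $verdict"
done
```

Running the same certs_in_pfx check against a real PFX (with its own password) before pointing Emby at it shows whether the intermediate made it into the file.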

Luke

Many of the apps still have some work to do regarding https. For now I would imagine you might have to install the cert on the device. That's what you have to do with apple devices at least.

singer36

tested on Android 5.1 (LG G3 latest EU firmware) + EMBY app latest version:

- copied and renamed my .pfx certificate to .p12

- transferred it to android device

- installed it on the device (too bad it restricts some authentication methods)

=> EMBY app no more complaining of certificate !! all images displaying well.

 

BUT...

- music not playing ?

- video not playing (playback error / there was an error processing the request. Please try again later)

- video playing perfectly with external player.

Luke

we're using libvlc for playback, so we're going to have to figure out what we might have to configure with it. that's one of the things I was referring to when I said we still have work to do with ssl on android. nice job getting everything else working though.

miquelx

@Luke
Been looking at this bug, the VLC player app on android is also affected, the problem may be within GnuTLS, which is the library used by libVLC for the https connections.
Looking at the catlog logs, it seems GnuTLS is not loading the installed user certificates on 4.0+ android devices, only the system certificates (162 certificates on my device) are loaded.
Although GnuTLS was updated to support 4.0+ android certificates on version 3.1.10, there is no indication whether support was added for user certificates.

I got it working on my rooted device by installing the root certificate as a system certificate, if people show interest I don't mind doing a tutorial.

P.S.: According to this post on the VLC forums there seems to be a flag in the VLC android app compilation to bypass certificate checks, maybe that's something that can be integrated into the emby app as an option for advanced users?

Edited by miquelx

Luke

I think our future though is getting everyone a trusted cert with letsencrypt. These self-signed certs are really painful due to the changes that have to be made to every single app in order to handle them.

miquelx

Which apps are using libVLC? 

Luke

all of the android apps. but there are similar issues with self-signed certs on other platforms as well.

anderbytes


Singer36, thanks a LOT for solving this mystery! Now the dev can focus better on the final solution, because of your discovery!

 


MiquelX, WOW. Congratulations for the research.

 

 

all of the android apps. but there are similar issues with self-signed certs on other platforms as well.

 

Luke, we learned that using the correct pfx / p12 in server and clients would do the trick.

 

What do you think about:

- Enabling server to self-create its PFX (based on fillable fields as KEY , CRT and PEM that probably has to be given by the emby admin in any case).

- Make the generated PFX downloadable as P12 for importing in clients. Or make Emby Connect get it automatically and use it.

 

As for the libVLC. If it is really the best one to use, maybe ignoring certificate check would be a good idea, I can't imagine any kind of real security risk with this.

runtimesandbox

I think our future though is getting everyone a trusted cert with letsencrypt. These self-signed certs are really painful due to the changes that have to be made to every single app in order to handle them.

 

@Luke I know this will be the ideal solution, but wouldn't this still require a client side cert to be installed?

anderbytes

@Luke I know this will be the ideal solution, but wouldn't this still require a client side cert to be installed?

Probably when Let's Encrypt gets solid and worldwide trusted, all browsers will support it natively.
