Jump to content

SSL Cert with Intermediate Certificates


TheGreatCO
 Share

Recommended Posts

I have an SSL Certificate (letsencrypt.org) that is signed by -

issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1

This cert is in turn signed by -

issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3

I create a pkcs12 from the pem files using the following command

openssl pkcs12 -export -out cert.pfx -in cert.pem -inkey privkey.pem -certfile x3chain.pem -nodes

Where cert.pem is the certificate, privkey.pem is the private key and x3chain.pem is the issuing certificate (Let's Encrypt) and the rootCA (DST Root CA X3).

 

I then provide this certificate to Emby and start it. When I connect from Chrome on desktop, everything is OK ("Let's Encrypt Authority X1" is trusted by Desktop Chrome). When I try to access using Android, "Let's Encrypt Authority X1" is not a trusted CA, however "DST Root CA X3" is. If the chain were being sent properly, the chain of trust is in tact and it should work. Unfortunately, Emby is not sending the full chain, just the top certificate (mine) and the "Let's Encrypt Authority X1" certificate.

 

I have seen references to a Mono bug, however that bug was fixed in April of 2014.

 

To try and answer some questions ahead of time, here is the output from the top of my log file -

2015-12-21 22:06:02.5739 Info Main: Emby
	Command line: /usr/pbi/emby-amd64/lib/emby-server/MediaBrowser.Server.Mono.exe -ffmpeg /usr/pbi/emby-amd64/bin/ffmpeg -ffprobe /usr/pbi/emby-amd64/bin/ffprobe -programdata /var/db/emby-server
	Operating system: Unix 9.1.0.0
	Processor count: 4
	64-Bit OS: True
	64-Bit Process: True
	Program data path: /var/db/emby-server
	Mono: 4.2.1 (Stable 4.2.1.124/39edf24 Sun Dec 20 05:03:56 UTC 2015)
	Application Path: /usr/pbi/emby-amd64/lib/emby-server/MediaBrowser.Server.Mono.exe
2015-12-21 22:06:02.8854 Info App: Application version: 3.0.5781.8
2015-12-21 22:06:02.9482 Info App: Application configuration:
	{"EnableUPnP":true,"PublicPort":8097,"PublicHttpsPort":8096,"HttpServerPortNumber":8097,"HttpsPortNumber":8096,"EnableHttps":true,"CertificatePath":"/etc/ssl/cert.pfx","EnableInternetProviders":true,"IsPortAuthorized":true,"SeasonZeroDisplayName":"Specials","SaveLocalMeta":true,"EnableLocalizedGuids":true,"DisableStartupScan":true,"EnableUserViews":false,"EnableLibraryMetadataSubFolder":true,"PreferredMetadataLanguage":"en","MetadataCountryCode":"US","SortReplaceCharacters":[".","+","%"],"SortRemoveCharacters":[",","&","-","{","}","'"],"SortRemoveWords":["the","a","an"],"MinResumePct":5,"MaxResumePct":90,"MinResumeDurationSeconds":300,"RealtimeLibraryMonitorDelay":40,"EnableDashboardResponseCaching":true,"EnableDashboardResourceMinification":true,"DashboardSourcePath":"","MergeMetadataAndImagesByName":true,"EnableStandaloneMetadata":true,"ImageSavingConvention":"Compatible","MetadataOptions":[{"ItemType":"Book","ImageOptions":[{"Type":"Backdrop","Limit":1,"MinWidth":1280}],"DisabledMetadataSavers":[],"LocalMetadataReaderOrder":[],"DisabledMetadataFetchers":[],"MetadataFetcherOrder":[],"DisabledImageFetchers":[],"ImageFetcherOrder":[]},{"ItemType":"Movie","ImageOptions":[{"Type":"Backdrop","Limit":1,"MinWidth":1280},{"Type":"Art","Limit":0,"MinWidth":0},{"Type":"Disc","Limit":0,"MinWidth":0},{"Type":"Primary","Limit":1,"MinWidth":0},{"Type":"Banner","Limit":0,"MinWidth":0},{"Type":"Thumb","Limit":1,"MinWidth":0},{"Type":"Logo","Limit":1,"MinWidth":0}],"DisabledMetadataSavers":["Emby Xml"],"LocalMetadataReaderOrder":[],"DisabledMetadataFetchers":[],"MetadataFetcherOrder":[],"DisabledImageFetchers":[],"ImageFetcherOrder":[]},{"ItemType":"MusicVideo","ImageOptions":[{"Type":"Backdrop","Limit":1,"MinWidth":1280},{"Type":"Art","Limit":0,"MinWidth":0},{"Type":"Disc","Limit":0,"MinWidth":0},{"Type":"Primary","Limit":1,"MinWidth":0},{"Type":"Banner","Limit":0,"MinWidth":0},{"Type":"Thumb","Limit":1,"MinWidth":0},{"Type":"Logo","Limit":1,"MinWidth":0}],"DisabledMetadataSavers":["Emby Xml"],"LocalMetadataReaderOrder":[],"DisabledMetadataFetchers":[],"MetadataFetcherOrder":[],"DisabledImageFetchers":[],"ImageFetcherOrder":[]},{"ItemType":"Series","ImageOptions":[{"Type":"Backdrop","Limit":1,"MinWidth":1280},{"Type":"Art","Limit":0,"MinWidth":0},{"Type":"Primary","Limit":1,"MinWidth":0},{"Type":"Banner","Limit":1,"MinWidth":0},{"Type":"Thumb","Limit":1,"MinWidth":0},{"Type":"Logo","Limit":1,"MinWidth":0}],"DisabledMetadataSavers":["Emby Xml"],"LocalMetadataReaderOrder":[],"DisabledMetadataFetchers":[],"MetadataFetcherOrder":[],"DisabledImageFetchers":[],"ImageFetcherOrder":[]},{"ItemType":"MusicAlbum","ImageOptions":[{"Type":"Backdrop","Limit":0,"MinWidth":1280},{"Type":"Disc","Limit":0,"MinWidth":0}],"DisabledMetadataSavers":["Emby Xml"],"LocalMetadataReaderOrder":[],"DisabledMetadataFetchers":[],"MetadataFetcherOrder":[],"DisabledImageFetchers":[],"ImageFetcherOrder":[]},{"ItemType":"MusicArtist","ImageOptions":[{"Type":"Backdrop","Limit":1,"MinWidth":1280},{"Type":"Banner","Limit":0,"MinWidth":0},{"Type":"Art","Limit":0,"MinWidth":0},{"Type":"Logo","Limit":0,"MinWidth":0}],"DisabledMetadataSavers":["Emby Xml"],"LocalMetadataReaderOrder":[],"DisabledMetadataFetchers":[],"MetadataFetcherOrder":[],"DisabledImageFetchers":[],"ImageFetcherOrder":[]},{"ItemType":"BoxSet","ImageOptions":[{"Type":"Backdrop","Limit":1,"MinWidth":1280},{"Type":"Primary","Limit":1,"MinWidth":0},{"Type":"Thumb","Limit":1,"MinWidth":0},{"Type":"Logo","Limit":1,"MinWidth":0},{"Type":"Art","Limit":0,"MinWidth":0},{"Type":"Disc","Limit":0,"MinWidth":0},{"Type":"Banner","Limit":0,"MinWidth":0}],"DisabledMetadataSavers":[],"LocalMetadataReaderOrder":[],"DisabledMetadataFetchers":[],"MetadataFetcherOrder":[],"DisabledImageFetchers":[],"ImageFetcherOrder":[]},{"ItemType":"Season","ImageOptions":[{"Type":"Backdrop","Limit":0,"MinWidth":1280},{"Type":"Primary","Limit":1,"MinWidth":0},{"Type":"Banner","Limit":0,"MinWidth":0},{"Type":"Thumb","Limit":0,"MinWidth":0}],"DisabledMetadataSavers":["Emby Xml"],"LocalMetadataReaderOrder":[],"DisabledMetadataFetchers":[],"MetadataFetcherOrder":[],"DisabledImageFetchers":[],"ImageFetcherOrder":[]},{"ItemType":"Episode","ImageOptions":[{"Type":"Backdrop","Limit":3,"MinWidth":1280}],"DisabledMetadataSavers":["Emby Xml"],"LocalMetadataReaderOrder":[],"DisabledMetadataFetchers":[],"MetadataFetcherOrder":[],"DisabledImageFetchers":[],"ImageFetcherOrder":[]},{"ItemType":"Video","ImageOptions":[{"Type":"Backdrop","Limit":3,"MinWidth":1280}],"DisabledMetadataSavers":["Emby Xml"],"LocalMetadataReaderOrder":[],"DisabledMetadataFetchers":[],"MetadataFetcherOrder":[],"DisabledImageFetchers":[],"ImageFetcherOrder":[]}],"EnableAutomaticRestart":true,"PathSubstitutions":[{"From":"/mnt/Data","To":"\\\\**redacted**"}],"WanDdns":"home.**redacted**.com","UICulture":"en-us","PeopleMetadataOptions":{"DownloadActorMetadata":true,"DownloadDirectorMetadata":true,"DownloadProducerMetadata":false,"DownloadWriterMetadata":false,"DownloadComposerMetadata":false,"DownloadOtherPeopleMetadata":false,"DownloadGuestStarMetadata":false},"FindInternetTrailers":true,"InsecureApps9":["Chromecast","iOS","Unknown app","iPad","iPhone","Windows Phone"],"SaveMetadataHidden":false,"ContentTypes":[],"EnableAudioArchiveFiles":false,"EnableVideoArchiveFiles":false,"RemoteClientBitrateLimit":0,"DenyIFrameEmbedding":true,"EnableLibraryMonitor":"Auto","SharingExpirationDays":30,"DisableXmlSavers":true,"EnableWindowsShortcuts":false,"EnableVideoFrameByFrameAnalysis":false,"EnableDateLastRefresh":false,"Migrations":["5767.1"],"EnableDebugLevelLogging":true,"EnableAutoUpdate":true,"SystemUpdateLevel":"Release","LogFileRetentionDays":3,"RunAtStartup":false,"IsStartupWizardCompleted":true,"EnableCustomPathSubFolders":true}
2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.Plugins.PushBulletNotifications, Version=3.0.5810.33455, Culture=neutral, PublicKeyToken=null
2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.Api, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null
2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.WebDashboard, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null
2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.Model, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null
2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.Common, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null
2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.Controller, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null
2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.Providers, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null
2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.Common.Implementations, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null
2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.Server.Implementations, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null
2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.MediaEncoding, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null
2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.Dlna, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null
2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.LocalMetadata, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null
2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.XbmcMetadata, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null
2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.IsoMounting.Linux, Version=1.0.5131.24779, Culture=neutral, PublicKeyToken=null
2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.Server.Mono, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null
2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.Server.Startup.Common, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null
2015-12-21 22:06:03.0498 Info SqliteUserRepository: Sqlite 3.8.8.3 opening /var/db/emby-server/data/users.db
2015-12-21 22:06:03.1207 Info SqliteFileOrganizationRepository: Sqlite 3.8.8.3 opening /var/db/emby-server/data/fileorganization.db
2015-12-21 22:06:03.1282 Info AuthenticationRepository: Sqlite 3.8.8.3 opening /var/db/emby-server/data/authentication.db
2015-12-21 22:06:03.1399 Info SyncRepository: Sqlite 3.8.8.3 opening /var/db/emby-server/data/sync14.db
2015-12-21 22:06:03.2005 Info ImageMagick: ImageMagick version: ImageMagick 6.9.0-10 Q8 amd64 2015-12-11 http://www.imagemagick.org
2015-12-21 22:06:03.2314 Info ImageProcessor: ImageProcessor started with 4 max concurrent image processes
2015-12-21 22:06:03.2845 Info App: FFMpeg: /usr/pbi/emby-amd64/bin/ffmpeg
2015-12-21 22:06:03.2845 Info App: FFProbe: /usr/pbi/emby-amd64/bin/ffprobe
2015-12-21 22:06:03.2857 Info SharingRepository: Sqlite 3.8.8.3 opening /var/db/emby-server/data/shares.db
2015-12-21 22:06:03.3144 Info ActivityRepository: Sqlite 3.8.8.3 opening /var/db/emby-server/data/activitylog.db
2015-12-21 22:06:03.3293 Info SqliteDisplayPreferencesRepository: Sqlite 3.8.8.3 opening /var/db/emby-server/data/displaypreferences.db
2015-12-21 22:06:03.3419 Info SqliteItemRepository: Sqlite 3.8.8.3 opening /var/db/emby-server/data/library.db
2015-12-21 22:06:03.3546 Info SqliteProviderInfoRepository: Sqlite 3.8.8.3 opening /var/db/emby-server/data/refreshinfo.db
2015-12-21 22:06:03.3665 Info SqliteUserDataRepository: Sqlite 3.8.8.3 opening /var/db/emby-server/data/userdata_v2.db
2015-12-21 22:06:03.3755 Warn App: ffmpeg is missing decoder h264_qsv
2015-12-21 22:06:03.3766 Info SqliteNotificationsRepository: Sqlite 3.8.8.3 opening /var/db/emby-server/data/notifications.db
2015-12-21 22:06:03.3834 Warn App: ffmpeg is missing decoder mpeg2_qsv
2015-12-21 22:06:03.3909 Warn App: ffmpeg is missing decoder vc1_qsv
2015-12-21 22:06:03.7160 Info HttpServer: Calling ServiceStack AppHost.Init
2015-12-21 22:06:06.1848 Info ServiceStackHost: Initializing Application took 3025.623ms
2015-12-21 22:06:06.2013 Info ServerManager: Loading Http Server
2015-12-21 22:06:06.2041 Info HttpServer: attempting to load pfx: /etc/ssl/cert.pfx
2015-12-21 22:06:06.2506 Info HttpServer: Adding HttpListener prefix http://+:8097/
2015-12-21 22:06:06.2511 Info HttpServer: Adding HttpListener prefix https://+:8096/
2015-12-21 22:06:06.6102 Info App: Core startup complete 

If I am misreading the Mono commit and that bug is still unfixed in 4.2.1 I'll try and hack master together on FreeBSD and see what I get :D

  • Like 1
Link to comment
Share on other sites

I have a similar problen with ubuntu

When you creates the pfx for emby did you use a output password?

 

Gesendet von meinem LG-D802 mit Tapatalk

Link to comment
Share on other sites

I have a similar problen with ubuntu

When you creates the pfx for emby did you use a output password?

 

Gesendet von meinem LG-D802 mit Tapatalk

No, I leave it blank. My issue isn't getting SSL to work, I have that. The issue is the pfx contains intermediate certificates and they aren't being served up.

Link to comment
Share on other sites

I just found this same issue (Android client not working over SSL due to incomplete certificate chain). Let us know if you find anything? I've tried Mono 4.0.1 and 4.2.1 with no difference. 

Link to comment
Share on other sites

For the time being, I have manually imported the letsencrypt.org certificate authority into my Android device. This is not an ideal solution and a permanent fix is definitely required as this is an invalid SSL implementation as it currently stands. I'm not sure if it is mono or emby at fault.

Link to comment
Share on other sites

Importing the cert works but in Marshmallow at least throws up a permanent notification warning that it's invalid (which as you know, it is) not to mention you have to do it on every client. 

 

I used the reverse proxy method with Ngnix (there are various threads on the forums about it) however didn't find it to be quite stable. Maybe it's something the Emby Android app can help work around?

Link to comment
Share on other sites

Well, the big issue is that the Lets Encrypt certificate isn't trusted in a lot of places yet. Chrome on desktop trusts it and I think the latest Android release does too, but older versions are lacking the cert in the Trusted Root CA list. There are a few ways to fix this, but I think the most proper way is to get the full chain presented properly.

Link to comment
Share on other sites

I have a similar issue. I've created a cert with startcom's free ssl service. I can't get emby to include the intermediate certs even when including them in the pfx.  It only serves my certificate.

Link to comment
Share on other sites

Maybe check the order? I am using StartSSL as well and it seems to be working just fine here...

Edited by razzfazz
Link to comment
Share on other sites

  • 1 month later...

Maybe check the order? I am using StartSSL as well and it seems to be working just fine here...

This is most likely because the CA certificate used by StartSSL is itself trusted, there is no intermediate CA that also needs to be trusted.

Link to comment
Share on other sites

  • 2 weeks later...

I'm seeing this issue as well on my freenas server.  From what I've read today, the issue is mono.  The TLS handling in mono is a bit of a mess.  In time this should be sorted out.

 

For now I'm using a nginx reverse proxy using a letsencrypt cert.  I have the same letsencrypt cert installed on emby.  Basically nginx listens on port 8920 and proxy passes to port 8920 on my emby jail.  No more certificate errors on android chrome.

Link to comment
Share on other sites

  • 2 weeks later...

Hi,

 

I am having the same issue. I thought it was just me doing it wrong but I put both the root and intermediate in one cert file and then used the openssl command to create the pfx file. I can't get it to show the intermediate certs no matter what. So I just ended up setting up a second listening port for nginx as the first one emby is under /emby.

Link to comment
Share on other sites

  • 1 month later...

Was there ever any updates to how Emby is handling the passing of the Intermediate certificate? Whether it's a bug with Mono or Emby, it'd be nice to figure out a fix somehow.

Link to comment
Share on other sites

  • 1 month later...

It does look like it's a Mono issue:

 

https://bugzilla.xamarin.com/show_bug.cgi?id=16974

https://bugzilla.xamarin.com/show_bug.cgi?id=25317

 

Apparently fixed in version 4.4.0.148, but the FreeBSD port is only at 4.2.3.4.

 

Relevant commit:

 

https://github.com/mono/mono/commit/8df01216debd1c01e9582ee3d1bd598388fb6f56

Edited by razzfazz
Link to comment
Share on other sites

This is most likely because the CA certificate used by StartSSL is itself trusted, there is no intermediate CA that also needs to be trusted.

 

There's definitely an intermediate cert; I guess I must have added that to the client's cert store at some point.

Link to comment
Share on other sites

Same issue on CentOS, I don't think Emby supports certificate chains (At least on CentOS/Fedora), I ended up having to sign the server cert directly from my Root CA, skipping my intermediate. That solved the issue for me.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...