TheGreatCO 1 Posted December 21, 2015 Posted December 21, 2015 I have an SSL Certificate (letsencrypt.org) that is signed by - issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1 This cert is in turn signed by - issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3 I create a pkcs12 from the pem files using the following command openssl pkcs12 -export -out cert.pfx -in cert.pem -inkey privkey.pem -certfile x3chain.pem -nodes Where cert.pem is the certificate, privkey.pem is the private key and x3chain.pem is the issuing certificate (Let's Encrypt) and the rootCA (DST Root CA X3). I then provide this certificate to Emby and start it. When I connect from Chrome on desktop, everything is OK ("Let's Encrypt Authority X1" is trusted by Desktop Chrome). When I try to access using Android, "Let's Encrypt Authority X1" is not a trusted CA, however "DST Root CA X3" is. If the chain were being sent properly, the chain of trust is in tact and it should work. Unfortunately, Emby is not sending the full chain, just the top certificate (mine) and the "Let's Encrypt Authority X1" certificate. I have seen references to a Mono bug, however that bug was fixed in April of 2014. To try and answer some questions ahead of time, here is the output from the top of my log file - 2015-12-21 22:06:02.5739 Info Main: Emby Command line: /usr/pbi/emby-amd64/lib/emby-server/MediaBrowser.Server.Mono.exe -ffmpeg /usr/pbi/emby-amd64/bin/ffmpeg -ffprobe /usr/pbi/emby-amd64/bin/ffprobe -programdata /var/db/emby-server Operating system: Unix 9.1.0.0 Processor count: 4 64-Bit OS: True 64-Bit Process: True Program data path: /var/db/emby-server Mono: 4.2.1 (Stable 4.2.1.124/39edf24 Sun Dec 20 05:03:56 UTC 2015) Application Path: /usr/pbi/emby-amd64/lib/emby-server/MediaBrowser.Server.Mono.exe 2015-12-21 22:06:02.8854 Info App: Application version: 3.0.5781.8 2015-12-21 22:06:02.9482 Info App: Application configuration: {"EnableUPnP":true,"PublicPort":8097,"PublicHttpsPort":8096,"HttpServerPortNumber":8097,"HttpsPortNumber":8096,"EnableHttps":true,"CertificatePath":"/etc/ssl/cert.pfx","EnableInternetProviders":true,"IsPortAuthorized":true,"SeasonZeroDisplayName":"Specials","SaveLocalMeta":true,"EnableLocalizedGuids":true,"DisableStartupScan":true,"EnableUserViews":false,"EnableLibraryMetadataSubFolder":true,"PreferredMetadataLanguage":"en","MetadataCountryCode":"US","SortReplaceCharacters":[".","+","%"],"SortRemoveCharacters":[",","&","-","{","}","'"],"SortRemoveWords":["the","a","an"],"MinResumePct":5,"MaxResumePct":90,"MinResumeDurationSeconds":300,"RealtimeLibraryMonitorDelay":40,"EnableDashboardResponseCaching":true,"EnableDashboardResourceMinification":true,"DashboardSourcePath":"","MergeMetadataAndImagesByName":true,"EnableStandaloneMetadata":true,"ImageSavingConvention":"Compatible","MetadataOptions":[{"ItemType":"Book","ImageOptions":[{"Type":"Backdrop","Limit":1,"MinWidth":1280}],"DisabledMetadataSavers":[],"LocalMetadataReaderOrder":[],"DisabledMetadataFetchers":[],"MetadataFetcherOrder":[],"DisabledImageFetchers":[],"ImageFetcherOrder":[]},{"ItemType":"Movie","ImageOptions":[{"Type":"Backdrop","Limit":1,"MinWidth":1280},{"Type":"Art","Limit":0,"MinWidth":0},{"Type":"Disc","Limit":0,"MinWidth":0},{"Type":"Primary","Limit":1,"MinWidth":0},{"Type":"Banner","Limit":0,"MinWidth":0},{"Type":"Thumb","Limit":1,"MinWidth":0},{"Type":"Logo","Limit":1,"MinWidth":0}],"DisabledMetadataSavers":["Emby Xml"],"LocalMetadataReaderOrder":[],"DisabledMetadataFetchers":[],"MetadataFetcherOrder":[],"DisabledImageFetchers":[],"ImageFetcherOrder":[]},{"ItemType":"MusicVideo","ImageOptions":[{"Type":"Backdrop","Limit":1,"MinWidth":1280},{"Type":"Art","Limit":0,"MinWidth":0},{"Type":"Disc","Limit":0,"MinWidth":0},{"Type":"Primary","Limit":1,"MinWidth":0},{"Type":"Banner","Limit":0,"MinWidth":0},{"Type":"Thumb","Limit":1,"MinWidth":0},{"Type":"Logo","Limit":1,"MinWidth":0}],"DisabledMetadataSavers":["Emby Xml"],"LocalMetadataReaderOrder":[],"DisabledMetadataFetchers":[],"MetadataFetcherOrder":[],"DisabledImageFetchers":[],"ImageFetcherOrder":[]},{"ItemType":"Series","ImageOptions":[{"Type":"Backdrop","Limit":1,"MinWidth":1280},{"Type":"Art","Limit":0,"MinWidth":0},{"Type":"Primary","Limit":1,"MinWidth":0},{"Type":"Banner","Limit":1,"MinWidth":0},{"Type":"Thumb","Limit":1,"MinWidth":0},{"Type":"Logo","Limit":1,"MinWidth":0}],"DisabledMetadataSavers":["Emby Xml"],"LocalMetadataReaderOrder":[],"DisabledMetadataFetchers":[],"MetadataFetcherOrder":[],"DisabledImageFetchers":[],"ImageFetcherOrder":[]},{"ItemType":"MusicAlbum","ImageOptions":[{"Type":"Backdrop","Limit":0,"MinWidth":1280},{"Type":"Disc","Limit":0,"MinWidth":0}],"DisabledMetadataSavers":["Emby Xml"],"LocalMetadataReaderOrder":[],"DisabledMetadataFetchers":[],"MetadataFetcherOrder":[],"DisabledImageFetchers":[],"ImageFetcherOrder":[]},{"ItemType":"MusicArtist","ImageOptions":[{"Type":"Backdrop","Limit":1,"MinWidth":1280},{"Type":"Banner","Limit":0,"MinWidth":0},{"Type":"Art","Limit":0,"MinWidth":0},{"Type":"Logo","Limit":0,"MinWidth":0}],"DisabledMetadataSavers":["Emby Xml"],"LocalMetadataReaderOrder":[],"DisabledMetadataFetchers":[],"MetadataFetcherOrder":[],"DisabledImageFetchers":[],"ImageFetcherOrder":[]},{"ItemType":"BoxSet","ImageOptions":[{"Type":"Backdrop","Limit":1,"MinWidth":1280},{"Type":"Primary","Limit":1,"MinWidth":0},{"Type":"Thumb","Limit":1,"MinWidth":0},{"Type":"Logo","Limit":1,"MinWidth":0},{"Type":"Art","Limit":0,"MinWidth":0},{"Type":"Disc","Limit":0,"MinWidth":0},{"Type":"Banner","Limit":0,"MinWidth":0}],"DisabledMetadataSavers":[],"LocalMetadataReaderOrder":[],"DisabledMetadataFetchers":[],"MetadataFetcherOrder":[],"DisabledImageFetchers":[],"ImageFetcherOrder":[]},{"ItemType":"Season","ImageOptions":[{"Type":"Backdrop","Limit":0,"MinWidth":1280},{"Type":"Primary","Limit":1,"MinWidth":0},{"Type":"Banner","Limit":0,"MinWidth":0},{"Type":"Thumb","Limit":0,"MinWidth":0}],"DisabledMetadataSavers":["Emby Xml"],"LocalMetadataReaderOrder":[],"DisabledMetadataFetchers":[],"MetadataFetcherOrder":[],"DisabledImageFetchers":[],"ImageFetcherOrder":[]},{"ItemType":"Episode","ImageOptions":[{"Type":"Backdrop","Limit":3,"MinWidth":1280}],"DisabledMetadataSavers":["Emby Xml"],"LocalMetadataReaderOrder":[],"DisabledMetadataFetchers":[],"MetadataFetcherOrder":[],"DisabledImageFetchers":[],"ImageFetcherOrder":[]},{"ItemType":"Video","ImageOptions":[{"Type":"Backdrop","Limit":3,"MinWidth":1280}],"DisabledMetadataSavers":["Emby Xml"],"LocalMetadataReaderOrder":[],"DisabledMetadataFetchers":[],"MetadataFetcherOrder":[],"DisabledImageFetchers":[],"ImageFetcherOrder":[]}],"EnableAutomaticRestart":true,"PathSubstitutions":[{"From":"/mnt/Data","To":"\\\\**redacted**"}],"WanDdns":"home.**redacted**.com","UICulture":"en-us","PeopleMetadataOptions":{"DownloadActorMetadata":true,"DownloadDirectorMetadata":true,"DownloadProducerMetadata":false,"DownloadWriterMetadata":false,"DownloadComposerMetadata":false,"DownloadOtherPeopleMetadata":false,"DownloadGuestStarMetadata":false},"FindInternetTrailers":true,"InsecureApps9":["Chromecast","iOS","Unknown app","iPad","iPhone","Windows Phone"],"SaveMetadataHidden":false,"ContentTypes":[],"EnableAudioArchiveFiles":false,"EnableVideoArchiveFiles":false,"RemoteClientBitrateLimit":0,"DenyIFrameEmbedding":true,"EnableLibraryMonitor":"Auto","SharingExpirationDays":30,"DisableXmlSavers":true,"EnableWindowsShortcuts":false,"EnableVideoFrameByFrameAnalysis":false,"EnableDateLastRefresh":false,"Migrations":["5767.1"],"EnableDebugLevelLogging":true,"EnableAutoUpdate":true,"SystemUpdateLevel":"Release","LogFileRetentionDays":3,"RunAtStartup":false,"IsStartupWizardCompleted":true,"EnableCustomPathSubFolders":true} 2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.Plugins.PushBulletNotifications, Version=3.0.5810.33455, Culture=neutral, PublicKeyToken=null 2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.Api, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null 2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.WebDashboard, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null 2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.Model, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null 2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.Common, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null 2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.Controller, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null 2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.Providers, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null 2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.Common.Implementations, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null 2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.Server.Implementations, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null 2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.MediaEncoding, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null 2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.Dlna, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null 2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.LocalMetadata, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null 2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.XbmcMetadata, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null 2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.IsoMounting.Linux, Version=1.0.5131.24779, Culture=neutral, PublicKeyToken=null 2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.Server.Mono, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null 2015-12-21 22:06:02.9590 Info App: Loading MediaBrowser.Server.Startup.Common, Version=3.0.5781.8, Culture=neutral, PublicKeyToken=null 2015-12-21 22:06:03.0498 Info SqliteUserRepository: Sqlite 3.8.8.3 opening /var/db/emby-server/data/users.db 2015-12-21 22:06:03.1207 Info SqliteFileOrganizationRepository: Sqlite 3.8.8.3 opening /var/db/emby-server/data/fileorganization.db 2015-12-21 22:06:03.1282 Info AuthenticationRepository: Sqlite 3.8.8.3 opening /var/db/emby-server/data/authentication.db 2015-12-21 22:06:03.1399 Info SyncRepository: Sqlite 3.8.8.3 opening /var/db/emby-server/data/sync14.db 2015-12-21 22:06:03.2005 Info ImageMagick: ImageMagick version: ImageMagick 6.9.0-10 Q8 amd64 2015-12-11 http://www.imagemagick.org 2015-12-21 22:06:03.2314 Info ImageProcessor: ImageProcessor started with 4 max concurrent image processes 2015-12-21 22:06:03.2845 Info App: FFMpeg: /usr/pbi/emby-amd64/bin/ffmpeg 2015-12-21 22:06:03.2845 Info App: FFProbe: /usr/pbi/emby-amd64/bin/ffprobe 2015-12-21 22:06:03.2857 Info SharingRepository: Sqlite 3.8.8.3 opening /var/db/emby-server/data/shares.db 2015-12-21 22:06:03.3144 Info ActivityRepository: Sqlite 3.8.8.3 opening /var/db/emby-server/data/activitylog.db 2015-12-21 22:06:03.3293 Info SqliteDisplayPreferencesRepository: Sqlite 3.8.8.3 opening /var/db/emby-server/data/displaypreferences.db 2015-12-21 22:06:03.3419 Info SqliteItemRepository: Sqlite 3.8.8.3 opening /var/db/emby-server/data/library.db 2015-12-21 22:06:03.3546 Info SqliteProviderInfoRepository: Sqlite 3.8.8.3 opening /var/db/emby-server/data/refreshinfo.db 2015-12-21 22:06:03.3665 Info SqliteUserDataRepository: Sqlite 3.8.8.3 opening /var/db/emby-server/data/userdata_v2.db 2015-12-21 22:06:03.3755 Warn App: ffmpeg is missing decoder h264_qsv 2015-12-21 22:06:03.3766 Info SqliteNotificationsRepository: Sqlite 3.8.8.3 opening /var/db/emby-server/data/notifications.db 2015-12-21 22:06:03.3834 Warn App: ffmpeg is missing decoder mpeg2_qsv 2015-12-21 22:06:03.3909 Warn App: ffmpeg is missing decoder vc1_qsv 2015-12-21 22:06:03.7160 Info HttpServer: Calling ServiceStack AppHost.Init 2015-12-21 22:06:06.1848 Info ServiceStackHost: Initializing Application took 3025.623ms 2015-12-21 22:06:06.2013 Info ServerManager: Loading Http Server 2015-12-21 22:06:06.2041 Info HttpServer: attempting to load pfx: /etc/ssl/cert.pfx 2015-12-21 22:06:06.2506 Info HttpServer: Adding HttpListener prefix http://+:8097/ 2015-12-21 22:06:06.2511 Info HttpServer: Adding HttpListener prefix https://+:8096/ 2015-12-21 22:06:06.6102 Info App: Core startup complete If I am misreading the Mono commit and that bug is still unfixed in 4.2.1 I'll try and hack master together on FreeBSD and see what I get 1
hdllsdj 0 Posted December 25, 2015 Posted December 25, 2015 I have a similar problen with ubuntu When you creates the pfx for emby did you use a output password? Gesendet von meinem LG-D802 mit Tapatalk
TheGreatCO 1 Posted December 28, 2015 Author Posted December 28, 2015 I have a similar problen with ubuntu When you creates the pfx for emby did you use a output password? Gesendet von meinem LG-D802 mit Tapatalk No, I leave it blank. My issue isn't getting SSL to work, I have that. The issue is the pfx contains intermediate certificates and they aren't being served up.
sluggo45 47 Posted December 28, 2015 Posted December 28, 2015 I just found this same issue (Android client not working over SSL due to incomplete certificate chain). Let us know if you find anything? I've tried Mono 4.0.1 and 4.2.1 with no difference.
TheGreatCO 1 Posted December 30, 2015 Author Posted December 30, 2015 For the time being, I have manually imported the letsencrypt.org certificate authority into my Android device. This is not an ideal solution and a permanent fix is definitely required as this is an invalid SSL implementation as it currently stands. I'm not sure if it is mono or emby at fault.
sluggo45 47 Posted December 31, 2015 Posted December 31, 2015 Importing the cert works but in Marshmallow at least throws up a permanent notification warning that it's invalid (which as you know, it is) not to mention you have to do it on every client. I used the reverse proxy method with Ngnix (there are various threads on the forums about it) however didn't find it to be quite stable. Maybe it's something the Emby Android app can help work around?
TheGreatCO 1 Posted January 7, 2016 Author Posted January 7, 2016 Well, the big issue is that the Lets Encrypt certificate isn't trusted in a lot of places yet. Chrome on desktop trusts it and I think the latest Android release does too, but older versions are lacking the cert in the Trusted Root CA list. There are a few ways to fix this, but I think the most proper way is to get the full chain presented properly.
djkunkel 0 Posted January 13, 2016 Posted January 13, 2016 I have a similar issue. I've created a cert with startcom's free ssl service. I can't get emby to include the intermediate certs even when including them in the pfx. It only serves my certificate.
razzfazz 11 Posted January 14, 2016 Posted January 14, 2016 (edited) Maybe check the order? I am using StartSSL as well and it seems to be working just fine here... Edited January 14, 2016 by razzfazz
razzfazz 11 Posted January 14, 2016 Posted January 14, 2016 There's also a "create pkcs#12(pfx) file" tool under the toolbox menu on the startssl website.
TheGreatCO 1 Posted February 19, 2016 Author Posted February 19, 2016 Maybe check the order? I am using StartSSL as well and it seems to be working just fine here... This is most likely because the CA certificate used by StartSSL is itself trusted, there is no intermediate CA that also needs to be trusted.
kjp4756 41 Posted March 3, 2016 Posted March 3, 2016 I'm seeing this issue as well on my freenas server. From what I've read today, the issue is mono. The TLS handling in mono is a bit of a mess. In time this should be sorted out. For now I'm using a nginx reverse proxy using a letsencrypt cert. I have the same letsencrypt cert installed on emby. Basically nginx listens on port 8920 and proxy passes to port 8920 on my emby jail. No more certificate errors on android chrome.
HumanPanda 6 Posted March 14, 2016 Posted March 14, 2016 Hi, I am having the same issue. I thought it was just me doing it wrong but I put both the root and intermediate in one cert file and then used the openssl command to create the pfx file. I can't get it to show the intermediate certs no matter what. So I just ended up setting up a second listening port for nginx as the first one emby is under /emby.
bay_wolf 4 Posted April 20, 2016 Posted April 20, 2016 Was there ever any updates to how Emby is handling the passing of the Intermediate certificate? Whether it's a bug with Mono or Emby, it'd be nice to figure out a fix somehow.
razzfazz 11 Posted May 25, 2016 Posted May 25, 2016 (edited) It does look like it's a Mono issue: https://bugzilla.xamarin.com/show_bug.cgi?id=16974 https://bugzilla.xamarin.com/show_bug.cgi?id=25317 Apparently fixed in version 4.4.0.148, but the FreeBSD port is only at 4.2.3.4. Relevant commit: https://github.com/mono/mono/commit/8df01216debd1c01e9582ee3d1bd598388fb6f56 Edited May 25, 2016 by razzfazz
razzfazz 11 Posted May 25, 2016 Posted May 25, 2016 This is most likely because the CA certificate used by StartSSL is itself trusted, there is no intermediate CA that also needs to be trusted. There's definitely an intermediate cert; I guess I must have added that to the client's cert store at some point.
dylanger 0 Posted May 26, 2016 Posted May 26, 2016 Same issue on CentOS, I don't think Emby supports certificate chains (At least on CentOS/Fedora), I ended up having to sign the server cert directly from my Root CA, skipping my intermediate. That solved the issue for me.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now