Emby IOS app not working, but through IOS Safari it does

[Trexx 1]

When I try to remotely access Emby  (via LTE), I can connect if I login via Emby website (via Safari), but not if I use the Emby IOS app.

 

I am running the latest Emby version (Version 3.0.5782.0) and IOS release version.

 

​I have remote access configured to use HTTPS Dynamic DNS address (via QNAP's myQnapCloud service) with custom port (which is port forwarded to 8920).

 

Any ideas??

 

 

[Luke 37006]

Does regular http work?

[Trexx 1]

Yes - regular HTTP works when I added it manually to the client.  The configuration was basically the same (Dynamic DNS, Port Forwarding, etc.).  The only difference was SSL vs. non-SSL.

 

Do you validate the SSL certificate as part of your connection process?

Edited December 29, 2015 by Trexx

[Luke 37006]

We currently have not done anything in the app to support SSL, although we have not specifically done anything to prevent it. It just has not been fully tested by us yet so until that happens it will probably be hit or miss.

[Trexx 1]

Any eta on when that is going to occur. Unencrypted login information is a big red flag these days.

 

 

Sent from my iPad using Tapatalk

[Luke 37006]

It is on our list for the near future. We will probably start by overhauling the server-side support first to be based around letsencrypt.

 

In the meantime, I have seen some reports from users that they were able to get ssl to work in the app by adding the certificate to the device.

 

By the way, if you sign in with Emby Connect, that login process is encrypted.

[efrantz 0]

Can someone (Luke?) post a walk through for users to utilize SSL in the meantime?

[Luke 37006]

I thought @@fc7 created one?

[fc7 123]

I thought @@fc7 created one?

 

Not yet. Actually I couldn't find a way to make it work with the self-signed certificate that Emby creates. Self-signed certificates are fine to encrypt the communication but you need to have a way to trust them in every situation. By this I mean, you will be using different CNs (hostnames or even IPs) to connect to Emby from the LAN or from the Internet, this will become a problem since you can't manually trust the self-signed cert (or create an exception -that big warning message in your browser telling you that the site may not be secure as it should and if you want to continue anyway-) on every different scenario because sometimes you don't even get asked too (Emby app, Safari while doing playback).

 

The best way to make it work right now is to get a proper certificate (by your own or a 3rd party CA) with the proper settings in the certificate subject identifier and alternate subject identifiers. If the certificate is issued by your own CA (like in my case) you need to install the CA certificate in your device and it will automatically trust any certificate issued by the CA. If the certificate is coming from a well-known 3rd party CA (like verysign, godaddy, etc) then the CA certificate is already installed in iOS and it will automatically trust any certificate issued by these CAs.

 

Now as I said before you also need to make sure that the hostname or ip you are using to connect to Emby with SSL is included in the CN and if you are using more than one then make sure the alternatives are also included in the certificate. For example: let's assume that your Emby server in the LAN is called "embyserver", with IP "192.168.0.100" and that you are accessing it from the internet using a dynamic DNS hostname called "emby.mydynamicdomain.com" then in your certificate you should include the following values:

 

CommonName: embyserver

Alternative Subject Identifiers: DNS:embyserver, DNS:emby.mydynamicdomain.com, IP:192.168.0.100

 

This way the certificate will be trusted if you access your server with:

• https://embyserver:8920
• https://emby.mydynamicdomain.com:8920
• https://192.168.0.100:8920

Just keep in mind that if anything of these (names or IPs) change you will need a new certificate or the trust relationship will be broken.

So to continue with the example if you lated decide to change your dynamic hostname to something different like "emby.mydomain.com", you will need a new certificate.

Sorry for the long post, but PKI is not a simple or short to explain subject and there are many caveats.

Edited December 31, 2015 by fc7

[stirrupm 0]

I have recently installed Emby and have been able to get SSL working through the web app without issue. I have created my own CA and certificate through PFSense. On my iPhone (IOS 13) I can connect via web app (safari) as well. I have installed the certificates successfully into a verified profile. When I attempt to use the Emby IOS App I cannot connect secure. It immediately fails to connect to server (Post 8920). It works unsecure. Any ideas?

[Luke 37006]

I have recently installed Emby and have been able to get SSL working through the web app without issue. I have created my own CA and certificate through PFSense. On my iPhone (IOS 13) I can connect via web app (safari) as well. I have installed the certificates successfully into a verified profile. When I attempt to use the Emby IOS App I cannot connect secure. It immediately fails to connect to server (Post 8920). It works unsecure. Any ideas?

 

Sounds like it might not be using your installed certificate. We'll look into if there's anything we can do about that. Thanks.