Cannot access via HTTPS emby connect


14 replies to this topic

#1 pheed OFFLINE  

pheed

    Member

  • Members
  • 14 posts
  • Local time: 11:47 PM

Posted 15 August 2016 - 07:55 AM

Both 8920 and 8096 ports are NAT'd out on my pfsense router.


 

HTTP://app.emby.media works

 

HTTPS://app.emby.media does not. Inside and Outside of my local network.

 


 

Error message:
"Connection Failure
We're unable to connect to the selected server right now. Please ensure it is running and try again."

 

 

However:

HTTPS://local.emby.server.IP:8920 works.

 

http://portchecker.co/check shows HTTPS port 8920 is open and listening.

 

"Report https as external address" is not checked. This is running on my FreeNAS box in a FreeBSD jail.

 

I've seen other users having issues with this since 2015.


Edited by pheed, 15 August 2016 - 08:21 AM.


#2 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 100798 posts
  • Local time: 11:47 PM

Posted 15 August 2016 - 01:26 PM

Hi, in Chrome can you try this again, only this time, before you log in, right click anywhere -> Inspect. Then try to log in. Then check the console for any errors as well as check the network tab to analyze the requests that were sent out. Then capture that info and provide it here. Thanks.



#3 pheed

Posted 15 August 2016 - 01:47 PM

Hi, in Chrome can you try this again, only this time, before you log in, right click anywhere -> Inspect. Then try to log in. Then check the console for any errors as well as check the network tab to analyze the requests that were sent out. Then capture that info and provide it here. Thanks.

 

From Chrome Console during login from https://app.emby.media:

testing connection mode 0 with server pheed's Emby
tryConnect url: http://192.168.1.23:8096/emby/system/info/public
ConnectionManager requesting url: http://192.168.1.23:8096/emby/system/info/public
fetchWithTimeout: timeoutMs: 8000, url: http://192.168.1.23:8096/emby/system/info/public
Mixed Content: The page at 'https://app.emby.media/selectserver.html' was loaded over HTTPS, but requested an insecure resource 'http://192.168.1.23:8096/emby/system/info/public'. This request has been blocked; the content must be served over HTTPS.
Fetch API cannot load http://192.168.1.23:8096/emby/system/info/public. Failed to start loading.
fetchWithTimeout: timed out connecting to url: http://192.168.1.23:8096/emby/system/info/public
ConnectionManager request failed to url: http://192.168.1.23:8096/emby/system/info/public
test failed for connection mode 0 with server pheed's Emby
testing connection mode 1 with server pheed's Emby
tryConnect url: http://<EXT.IP.REMOVED>:8096/emby/system/info/public
ConnectionManager requesting url: http://<EXT.IP.REMOVED>:8096/emby/system/info/public
fetchWithTimeout: timeoutMs: 20000, url: http://<EXT.IP.REMOVED>:8096/emby/system/info/public
Mixed Content: The page at 'https://app.emby.media/selectserver.html' was loaded over HTTPS, but requested an insecure resource 'http://<EXT.IP.REMOVED>:8096/emby/system/info/public'. This request has been blocked; the content must be served over HTTPS.
Fetch API cannot load http://<EXT.IP.REMOVED>:8096/emby/system/info/public. Failed to start loading.
fetchWithTimeout: timed out connecting to url: http://<EXT.IP.REMOVED>:8096/emby/system/info/public
ConnectionManager request failed to url: http://<EXT.IP.REMOVED>:8096/emby/system/info/public
test failed for connection mode 1 with server pheed's Emby
Tested all connection modes. Failing server connection.

Edited by pheed, 15 August 2016 - 01:55 PM.


#4 Luke

Posted 15 August 2016 - 01:53 PM

From Chrome Console during login from https://app.emby.media:

 

testing connection mode 0 with server pheed's Emby
tryConnect url: http://192.168.1.23:...tem/info/public
ConnectionManager requesting url: http://192.168.1.23:...tem/info/public
fetchWithTimeout: timeoutMs: 8000, url: http://192.168.1.23:...tem/info/public
Mixed Content: The page at 'https://app.emby.med...ectserver.html' was loaded over HTTPS, but requested an insecure resource 'http://192.168.1.23:8096/emby/system/info/public'. This request has been blocked; the content must be served over HTTPS.
Fetch API cannot load http://192.168.1.23:...tem/info/public. Failed to start loading.
fetchWithTimeout: timed out connecting to url: http://192.168.1.23:...tem/info/public
ConnectionManager request failed to url: http://192.168.1.23:...tem/info/public
test failed for connection mode 0 with server pheed's Emby
testing connection mode 1 with server pheed's Emby
tryConnect url: http://<EXT.IP.REMOVED>:8096/emby/system/info/public
ConnectionManager requesting url: http://<EXT.IP.REMOVED>:8096/emby/system/info/public
fetchWithTimeout: timeoutMs: 20000, url: http://<EXT.IP.REMOVED>:8096/emby/system/info/public
Mixed Content: The page at 'https://app.emby.med...ectserver.html' was loaded over HTTPS, but requested an insecure resource 'http://<EXT.IP.REMOVED>:8096/emby/system/info/public'. This request has been blocked; the content must be served over HTTPS.
Fetch API cannot load http://<EXT.IP.REMOVED>:8096/emby/system/info/public. Failed to start loading.
fetchWithTimeout: timed out connecting to url: http://<EXT.IP.REMOVED>:8096/emby/system/info/public
ConnectionManager request failed to url: http://<EXT.IP.REMOVED>:8096/emby/system/info/public
test failed for connection mode 1 with server pheed's Emby
Tested all connection modes. Failing server connection.

 

Hi, what did you try here? Did you click on your server and connect, or did you manually enter the address?



#5 pheed

Posted 15 August 2016 - 01:55 PM

Hi, what did you try here? Did you click on your server and connect, or did you manually enter the address?

 

The above log came from clicking on my server.

 

Here's the console log from attempting to manually enter the address:

tryConnect url: https://EXT.IP.REMOVED:8920/emby/system/info/public
ConnectionManager requesting url: https://EXT.IP.REMOVED:8920/emby/system/info/public
fetchWithTimeout: timeoutMs: 20000, url: https://EXT.IP.REMOVED:8920/emby/system/info/public
ConnectionManager request failed to url: https://EXT.IP.REMOVED:8920/emby/system/info/public
connectToAddress https://EXT.IP.REMOVED:8920 failed


#6 Luke

Posted 15 August 2016 - 01:58 PM

Ok, two things. If you click on your server it will use the server reported addresses, which right now is http since you have not enabled "report https address".

 

So in your case, you will want to just connect manually via address. However, this appears to be purely an issue of connectivity. Are you able to take this address and put it into a browser and connect?

https://EXT.IP.REMOVED:8920/emby/system/info/public


#7 pheed

Posted 15 August 2016 - 02:25 PM

 

Ok, two things. If you click on your server it will use the server reported addresses, which right now is http since you have not enabled "report https address".

 

So in your case, you will want to just connect manually via address. However, this appears to be purely an issue of connectivity. Are you able to take this address and put it into a browser and connect?

https://EXT.IP.REMOVED:8920/emby/system/info/public

 

1. I enabled "Report https address" and here's the output from Chrome Console, test conducted outside of my network:
 

begin connectToServer
connectionmanager.js?v=3.1.6070.42676:998 beginning connection tests
connectionmanager.js?v=3.1.6070.42676:1067 skipping test at index 0
connectionmanager.js?v=3.1.6070.42676:1072 testing connection mode 0 with server pheed's Emby
connectionmanager.js?v=3.1.6070.42676:200 tryConnect url: http://192.168.1.23:8096/emby/system/info/public
connectionmanager.js?v=3.1.6070.42676:172 ConnectionManager requesting url: http://192.168.1.23:8096/emby/system/info/public
connectionmanager.js?v=3.1.6070.42676:123 fetchWithTimeout: timeoutMs: 8000, url: http://192.168.1.23:8096/emby/system/info/public
connectionmanager.js?v=3.1.6070.42676:132 Mixed Content: The page at 'https://app.emby.media/selectserver.html' was loaded over HTTPS, but requested an insecure resource 'http://192.168.1.23:8096/emby/system/info/public'. This request has been blocked; the content must be served over HTTPS.
    (anonymous function) @ connectionmanager.js?v=3.1.6070.42676:132
    fetchWithTimeout @ connectionmanager.js?v=3.1.6070.42676:125
    getFetchPromise @ connectionmanager.js?v=3.1.6070.42676:118
    ajax @ connectionmanager.js?v=3.1.6070.42676:174
    tryConnect @ connectionmanager.js?v=3.1.6070.42676:202
    testNextConnectionMode @ connectionmanager.js?v=3.1.6070.42676:1074
    testNextConnectionMode @ connectionmanager.js?v=3.1.6070.42676:1068
    (anonymous function) @ connectionmanager.js?v=3.1.6070.42676:999
    ConnectionManager.self.connectToServer @ connectionmanager.js?v=3.1.6070.42676:983
    connectToServer @ selectserver.js:10
    (anonymous function) @ selectserver.js:24
connectionmanager.js?v=3.1.6070.42676:132 Fetch API cannot load http://192.168.1.23:8096/emby/system/info/public. Failed to start loading.
    (anonymous function) @ connectionmanager.js?v=3.1.6070.42676:132
    fetchWithTimeout @ connectionmanager.js?v=3.1.6070.42676:125
    getFetchPromise @ connectionmanager.js?v=3.1.6070.42676:118
    ajax @ connectionmanager.js?v=3.1.6070.42676:174
    tryConnect @ connectionmanager.js?v=3.1.6070.42676:202
    testNextConnectionMode @ connectionmanager.js?v=3.1.6070.42676:1074
    testNextConnectionMode @ connectionmanager.js?v=3.1.6070.42676:1068
    (anonymous function) @ connectionmanager.js?v=3.1.6070.42676:999
    ConnectionManager.self.connectToServer @ connectionmanager.js?v=3.1.6070.42676:983
    connectToServer @ selectserver.js:10
    (anonymous function) @ selectserver.js:24
connectionmanager.js?v=3.1.6070.42676:142 fetchWithTimeout: timed out connecting to url: http://192.168.1.23:8096/emby/system/info/public
connectionmanager.js?v=3.1.6070.42676:191 ConnectionManager request failed to url: http://192.168.1.23:8096/emby/system/info/public
connectionmanager.js?v=3.1.6070.42676:1091 test failed for connection mode 0 with server pheed's Emby
connectionmanager.js?v=3.1.6070.42676:1072 testing connection mode 1 with server pheed's Emby
connectionmanager.js?v=3.1.6070.42676:200 tryConnect url: https://EXT.IP.REMOVED:8920/emby/system/info/public
connectionmanager.js?v=3.1.6070.42676:172 ConnectionManager requesting url: https://EXT.IP.REMOVED:8920/emby/system/info/public
connectionmanager.js?v=3.1.6070.42676:123 fetchWithTimeout: timeoutMs: 20000, url: https://EXT.IP.REMOVED:8920/emby/system/info/public
connectionmanager.js?v=3.1.6070.42676:132 GET https://EXT.IP.REMOVED:8920/emby/system/info/public net::ERR_INSECURE_RESPONSE
    (anonymous function) @ connectionmanager.js?v=3.1.6070.42676:132
    fetchWithTimeout @ connectionmanager.js?v=3.1.6070.42676:125
    getFetchPromise @ connectionmanager.js?v=3.1.6070.42676:118
    ajax @ connectionmanager.js?v=3.1.6070.42676:174
    tryConnect @ connectionmanager.js?v=3.1.6070.42676:202
    testNextConnectionMode @ connectionmanager.js?v=3.1.6070.42676:1074
    (anonymous function) @ connectionmanager.js?v=3.1.6070.42676:1097
connectionmanager.js?v=3.1.6070.42676:142 fetchWithTimeout: timed out connecting to url: https://EXT.IP.REMOVED:8920/emby/system/info/public
connectionmanager.js?v=3.1.6070.42676:191 ConnectionManager request failed to url: https://EXT.IP.REMOVED:8920/emby/system/info/public
connectionmanager.js?v=3.1.6070.42676:1091 test failed for connection mode 1 with server pheed's Emby
connectionmanager.js?v=3.1.6070.42676:1036 Tested all connection modes. Failing server connection.

Why is it attempting to connect to my LAN address from external access?

 

2. Yes I can take that address and connect.



#8 Luke

Posted 15 August 2016 - 02:27 PM

It's just standard protocol because users use the same connection flow no matter how they're connecting. In most cases, connecting to the LAN address is more desirable when possible, so that's why we always try that first, then fallback to the remote address if it doesn't connect.

 

Ok, since you can put that url into the address bar, then I'll look into why the same http request is failing programmatically. Thanks.



#9 Luke

Posted 15 August 2016 - 02:38 PM

Are you using the default self-signed cert that is installed by the server or did you customize with your own?



#10 pheed

Posted 15 August 2016 - 02:40 PM

Are you using the default self-signed cert that is installed by the server or did you customize with your own?

 

Self-signed installed by server.


Edited by pheed, 15 August 2016 - 02:40 PM.


#11 Luke

Posted 15 August 2016 - 02:42 PM

When you put that https url in the browser, do you get an SSL warning?



#12 pheed

Posted 15 August 2016 - 02:48 PM

When you put that https url in the browser, do you get an SSL warning?

 

 

Yep, and actually... it's working now. I'm accessing it externally, after clearing the self-signed warning, I'm able to access. The only change was enabling that "Report HTTPS as external address". Seems I had to give it time to update the Emby connect? Not sure. First test after enabling "report https as external address" failed with the log I submitted above.


Edited by pheed, 15 August 2016 - 02:49 PM.


#13 Luke

Posted 15 August 2016 - 02:56 PM   Best Answer

Yep, and actually... it's working now. I'm accessing it externally, after clearing the self-signed warning, I'm able to access. The only change was enabling that "Report HTTPS as external address". Seems I had to give it time to update the Emby connect? Not sure. First test after enabling "report https as external address" failed with the log I submitted above.

 

No, here is the problem. The browser is rejecting the self-signed cert. You are able to override this in the browser by using the address manually, but unfortunately our code cannot (for security reasons obviously).

 

So here are the possible solutions:

 

- your own domain with a trusted ssl cert that the browser won't reject by default.

- use the android app, where we can override this behavior

- use plain http

 

It's possible that after overriding manually, the browser is applying this override to our programmatic http requests, which is why it's working now. But I don't think this will be permanent and it will also have to be done on other devices.


  • pheed likes this
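A way to read console output like the logs in this thread, as an added example (not Emby's code and not part of any post): it groups lines by connection mode and names the browser-side reason each attempt failed. The sample log is constructed in the shape of the lines quoted above; `diagnose`, the rule table, the 203.0.113.10 address, the `emby.example.test` host and the "mode 2" attempt are assumptions made for illustration.

```javascript
// Constructed sample log; 203.0.113.10 and emby.example.test are placeholders.
const SAMPLE_LOG = [
  "testing connection mode 0 with server demo",
  "tryConnect url: http://192.168.1.23:8096/emby/system/info/public",
  "Mixed Content: The page at 'https://app.emby.media/selectserver.html' was loaded over HTTPS, " +
    "but requested an insecure resource 'http://192.168.1.23:8096/emby/system/info/public'. " +
    "This request has been blocked; the content must be served over HTTPS.",
  "test failed for connection mode 0 with server demo",
  "testing connection mode 1 with server demo",
  "tryConnect url: https://203.0.113.10:8920/emby/system/info/public",
  "GET https://203.0.113.10:8920/emby/system/info/public net::ERR_INSECURE_RESPONSE",
  "fetchWithTimeout: timed out connecting to url: https://203.0.113.10:8920/emby/system/info/public",
  "test failed for connection mode 1 with server demo",
  "testing connection mode 2 with server demo",
  "tryConnect url: https://emby.example.test:8920/emby/system/info/public",
  "fetchWithTimeout: timed out connecting to url: https://emby.example.test:8920/emby/system/info/public",
  "test failed for connection mode 2 with server demo",
].join("\n");

// Browser-reported causes; the first rule that matches an attempt wins, so the
// generic timeout line logged afterwards does not hide the real reason.
const RULES = [
  { cause: "mixed-content", pattern: /Mixed Content:/,
    fix: "have the server report an https:// address, or load the app over http://" },
  { cause: "untrusted-certificate", pattern: /net::ERR_(INSECURE_RESPONSE|CERT_[A-Z_]+)/,
    fix: "serve a certificate from a CA the browser trusts, issued for the server's domain" },
];

function diagnose(logText) {
  const attempts = [];
  let current = null;
  for (const line of logText.split("\n")) {
    const start = line.match(/testing connection mode (\d+)/);
    if (start) {
      current = { mode: Number(start[1]), url: null, cause: null, fix: null };
      attempts.push(current);
      continue;
    }
    if (!current) continue; // ignore lines before the first connection test
    const url = line.match(/tryConnect url:\s*(\S+)/);
    if (url) current.url = url[1];
    const rule = RULES.find((r) => r.pattern.test(line));
    if (rule && !current.cause) {
      current.cause = rule.cause;
      current.fix = rule.fix;
    }
    // A failure with no browser error logged points at reachability instead.
    if (/test failed for connection mode/.test(line) && !current.cause) {
      current.cause = "connectivity";
      current.fix = "check port forwarding and that the server is listening";
    }
  }
  return attempts;
}

for (const a of diagnose(SAMPLE_LOG)) {
  console.log(`mode ${a.mode} ${a.url}: ${a.cause} -> ${a.fix}`);
}
```

The regular expressions are unanchored, so lines that carry a `connectionmanager.js?v=...:NNN` prefix are matched the same way.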

#14 pheed

Posted 15 August 2016 - 03:05 PM

It's possible that after overriding manually, the browser is applying this override to our programmatic http requests, which is why it's working now. But I don't think this will be permanent and it will also have to be done on other devices.

 

 

Gotcha, time to set up LetsEncrypt SSL with DDNS :) I just attempted to access https://app.emby.media from my laptop, and it wouldn’t connect. Confirming what you said.

 

Thanks for the help Luke.


Edited by pheed, 15 August 2016 - 03:12 PM.


#15 pheed

Posted 15 August 2016 - 11:46 PM

Just an update after spending hours getting Emby+LetsEncrypt on FreeBSD running. https://app.emby.media is connecting properly as long as I'm in Chrome. Firefox still gives the error, but seems LetsEncrypt root won't be trusted by Mozilla until Firefox 50. So no worries there.
 
Here are the steps taken in FreeNAS 9.10.1 / FreeBSD 10.3-RELEASE jail:
 
If you haven’t already, fetch the ports: (or just run: pkg install py27-certbot)

# portsnap fetch extract
# cd /usr/ports/security/py-certbot && make install clean

When running the above install I received a warning (from testing other LetsEncrypt scripts I had installed LibreSSL):

/!\ WARNING /!\

You have security/libressl installed but do not have DEFAULT_VERSIONS+=ssl=libressl set in your make.conf

 

So I added DEFAULT_VERSIONS+=ssl=libressl to /usr/ports/security/py-certbot/Makefile.
 
Then reran make install clean.
If it reports it's already installed, run make deinstall then make install clean again.
 
Opened port 80 and 443 to NAT to the FreeNAS jail LAN IP.
 
Then ran certbot:

# certbot certonly --standalone -d emby.mydomain.com

Entered email address and accepted ToS.
 
This generated the certs in .pem format and placed them in /usr/local/etc/letsencrypt/live/emby.mydomain.com/
 
Now to convert .pem to .pfx:

# openssl pkcs12 -export -out emby.mydomain.com.pfx -inkey privkey.pem -in cert.pem -certfile fullchain.pem

Then moved the resulting .pfx file to emby's install directory.

# mv emby.mydomain.com.pfx /usr/local/lib/emby-server/

Finally, back in emby's "Manage Server" Web UI -> Expert -> Advanced added /usr/local/lib/emby-server/emby.mydomain.com.pfx to the "Custom certificate path" and added emby.mydomain.com to "External domain".


Restart emby-server and remove the port 80/443 NAT holes I created in the firewall, leaving only port 8920 open for emby's default SSL port.
 
More info including Auto-renew can be found at https://certbot.eff.org
 
Thanks, that was fun.


Edited by pheed, 16 August 2016 - 11:21 AM.

  • Happy2Play likes this



