FireTV Stick cannot login using https


loomes

From a FireTV Stick with the Emby app, no login is possible from outside over https.

It always says "Username or Password wrong".

With the same user/password everything works fine with the Emby app on a smartphone over LTE or a browser on a Windows machine.

When I also redirect the non-https port 8096 to my Emby Server in my router, I can connect with the FireTV. But with port 8920 over https it's not working.


pir8radio

Try entering the server IP address manually.  Make sure you have "HTTPS://" ahead of the address...   non https does not require "http://"


loomes

Yes, I have manually added the address https://mydomain.com and the port 8920; it's not working on the FireTV. As I said, in the Android app on my phone everything works fine when I add the same address and port manually.

Link to comment
Share on other sites

If using a self-signed certificate, the Fire TV is probably rejecting it.  I believe you will have to have a true trusted certificate for it to work.


loomes

I have a Let's Encrypt certificate; that is not the problem.

openssl pkcs12 -export -out /var/lib/emby-server/ssl/emby.pfx -inkey /etc/letsencrypt/live/domain.com/privkey.pem -in /etc/letsencrypt/live/domain.com/fullchain.pem -password pass:


loomes

I set up an Apache reverse proxy with the same certificate and can log in from outside with a FireTV only by adding the address "https://emby.domain.com" with the port value empty.

Playing video files works great with this reverse proxy, but in the Dashboard I only see that the client is online, not what it is showing. Also, in recent activity I don't see "Starts playing ...." and "stops playing"; that's why I don't want to use the proxy and would rather do it the direct way, but it doesn't work.

<VirtualHost *:443>

   ServerAdmin loomes@domain.com
   ServerName emby.domain.com

   SetEnvIf Request_URI ^/server-status$ dontlog
   CustomLog /var/log/apache2/access.log combined env=!dontlog
   ErrorLog /var/log/apache2/error.log
   LogLevel warn

   SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
   SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem

   SSLEngine on
   SSLProxyEngine On
   ProxyRequests Off
   ProxyPreserveHost On

   Header set Connection "Upgrade"
   RequestHeader setifempty Connection "Upgrade"
   Header set Upgrade "websocket"
   RequestHeader setifempty Upgrade "websocket"

   ProxyPass /socket ws://127.0.0.1:8096/socket
   ProxyPassReverse /socket ws://127.0.0.1:8096/socket

   ProxyPass / http://127.0.0.1:8096/
   ProxyPassReverse / http://127.0.0.1:8096/

</VirtualHost>

loomes

OK, it's working. It's not working when I use a subdomain like emby.mydomain.com. The subdomain is included in the Let's Encrypt certificate.

No matter, with mydomain.com it's working :D


fuzzthekingoftrees

Did you enter the subdomain on the advanced setup page in emby? Under the certificate box there is a box for external domain. This needs to contain the whole fqdn e.g. emby.mydomain.com.


loomes

Yes, I did all these settings, and everything is working; only the FireTV app will not connect. My "it's working" post is obsolete. The app was previously connected over a reverse proxy; then I could select "change server", input https://emby.domain.com and port 8920, and it connected. After a disconnect it never connected again. The Let's Encrypt certificate is accepted by the FireTV; I checked it with CAdroid. Mobile phone Android app, web browser: all work fine. When I try to connect the FireTV with Emby Connect, it says the server is not available. I think it's a bug in the FireTV app with SSL connections.

 


loomes

Today I tested again with a FireTV Stick.

The Emby app cannot connect to my server from the Internet: "Server connection failed".

Also, when I use Emby Connect, it says the server is not available. With other clients Emby Connect works.

Without SSL everything works.

Then I installed SPMC with the Emby add-on and ta-da, it connects to my server on the SSL port and is doing the initial sync at the moment.

I think the Emby app for FireTV has a bug.


fuzzthekingoftrees

Is the date and time correct on your firetv stick?

I have SSL set up here with a lets encrypt cert and last time I checked my fire TV connected fine.

When I have a minute I'll check it's still OK and report back.

 

Update:

I checked on my fireTV and SSL is working fine

Link to comment
Share on other sites

Thanks for the info !


  • 2 weeks later...
adam1010

It's not working for me either. I'm using a Let's Encrypt cert and it works fine when connecting from my Android cell phone over LTE.  I'm using a Fire Stick (2nd Gen) with updated firmware and updated Emby app.

 

I'm definitely using "https" at the beginning.  The error message is: "Error Connecting to Server"

 

I've tried several variations as well:

https://example.com with port=8920

https://example.com:8920 with port=[blank]

https://example.com:8920 with port=8920

 

@fuzzthekingoftrees  When you tested it, were you outside of your local network? I could see a scenario where you might get a false positive if you were still on the same network as the server.

 

@Luke @ebr Would there be more descriptive error messages in the client log files that might help you debug this?  Or perhaps the Emby server keeps a log of connection attempts so we can see if the app tried to make a connection?


fuzzthekingoftrees

When I tested before I was on my local network. Just to make sure, I've just done a test using my phone as a 4G hotspot and it connects fine. My 4G signal is pretty weak in my house so it was unbelievably slow, but it connected and I was able to play a video. I don't have my non-SSL ports forwarded, so it's definitely using SSL.

 Here's a snip from the log

 

59038ff9ab2ad_Capture.png

 

My fire TV, emby app and emby server are all on the latest stable builds. My server is on Windows.

Does the pfx that you are loading into Emby contain the full chain for the cert including the intermediate cert?


adam1010

@fuzzthekingoftrees  Thanks for the response!

 

I tried using ssllabs.com to test the certificate and it does show "Incomplete Certificate Chain", saying that I'm not including the intermediate. However, I've checked the .pfx file and it appears to have the Let's Encrypt intermediate certificate file embedded in it.  Is it possible that Emby Server isn't including the intermediate certificate chain from the .pfx file when it serves the certificate?

 

This is the code I used to generate the .pfx certificate (as mentioned on a few other Emby forum posts)

openssl pkcs12 -export -out /tmp/emby.pfx -inkey /tmp/privkey -in /tmp/cert -certfile /tmp/fullchain -password pass:


fuzzthekingoftrees

I generated my certificate on Windows using Certify. Then I exported it to a pfx from the certificate snap-in in the MMC; I ticked the option to include the full path. Windows will only let you export a pfx with a password, so I used openssl to remove the password like this.

openssl pkcs12 -in certWithPass.pfx -nodes | openssl pkcs12 -export -out certWithoutPass.pfx

You can check your cert using

openssl pkcs12 -info -in myCertificate.pfx

For my certificate I see 3 certs. Mine is at the top, then the self signed root which is DST Root CA X3, then the Let's Encrypt Authority X3 at the bottom.

You can check your chain on your server using

openssl s_client -connect servername.com:8920
Certificate chain
 0 s:/CN=xxxxx.xxxxxxxx.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Make sure you have line 0 (your cert) and line 1 (the intermediate).




			
		
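The chain check described in the post above, as an added example that is not part of the original thread: `chain_audit` (a hypothetical helper name) parses the `Certificate chain` section of `openssl s_client` output and flags a server that sends only its own certificate. The first sample is the output quoted in the post; the second is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. chain_audit is a hypothetical helper name.
# It reads `openssl s_client` output on stdin and checks the "Certificate chain"
# section: every issuer (i:) must equal the subject (s:) of the next entry.
chain_audit() {
  awk '
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---/   { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
    in_chain && /^ +i:/ && n   { sub(/^ +i:/, ""); iss[n - 1] = $0; next }
    END {
      if (n == 0) { print "NO_CHAIN"; exit 2 }
      if (n == 1 && iss[0] == subj[0]) { print "SELF_SIGNED " subj[0]; exit 1 }
      if (n == 1) { print "LEAF_ONLY missing " iss[0]; exit 1 }
      for (k = 0; k + 1 < n; k++)
        if (iss[k] != subj[k + 1]) { print "BROKEN_LINK after entry " k; exit 1 }
      print "OK certs=" n
    }'
}

# Chain output as quoted in the post above (server sends leaf + intermediate).
sample_full() { cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=xxxxx.xxxxxxxx.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
EOF
}

# Constructed sample: the same server sending only entry 0.
sample_leaf_only() { cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=xxxxx.xxxxxxxx.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
EOF
}

sample_full | chain_audit
sample_leaf_only | chain_audit || true
# Live use: openssl s_client -connect servername.com:8920 </dev/null 2>/dev/null | chain_audit
```

A client that already holds the intermediate can still validate a `LEAF_ONLY` server, which is why one device may connect while another rejects the same certificate.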

adam1010

Thanks for the detailed reply -- The intermediate certificate is definitely not being output by Emby Server. I'm using the newest version (Ubuntu 3.2.13.0)

 

When I use "openssl s_client"  it only shows line 0 (my cert) in the certificate chain (which is what the ssllabs.com tool was reporting).

 

When I use "openssl pkcs12 -info -in emby.pfx" it shows 2 certs, mine plus the intermediate (Lets Encrypt X3). So it would appear the pfx contains the intermediate, but Emby Server (Ubuntu) is not passing it along to the client. Any idea if that code is shared between Windows/Linux or if it's different? (that might explain why it's working on your Windows server)


fuzzthekingoftrees

I loaded up Emby in Ubuntu and dropped in my working pfx from my Windows server. I see the same behaviour as you. Only the server certificate is sent, not the chain. I haven't confirmed that this breaks the Fire TV but I wouldn't be surprised.


adam1010

@fuzzthekingoftrees  That's great news you were able to reproduce the problem. Thanks for testing that for me!

 

I've started looking through the source code to see if I can find where the HTTP server is loading the certificate but I haven't narrowed it down yet.

https://github.com/MediaBrowser/Emby/blob/master/Emby.Server.Implementations/HttpServer/HttpListenerHost.cs

 

Should we open a new thread regarding the handling of SSL certificates on Linux? (Since this isn't really a Fire TV problem anymore)


adam1010

Looks like the problem may be with Mono, and not in the Emby code. Apparently Mono has had issues dealing with intermediate certificates in the past and may still.

 

Are there any Emby devs that are part of the Mono community?

https://bugzilla.xamarin.com/show_bug.cgi?id=25317
https://bugzilla.xamarin.com/show_bug.cgi?id=38969
https://bugzilla.xamarin.com/show_bug.cgi?id=46398
https://forums.sonarr.tv/t/mono-didnt-support-intermediate-ssl-certificate-chains-causing-problems-between-nzbtomedia-and-nzbdrone-sonarr-fix/2467/13
 

If this turns out to be a problem at the Mono level the temporary solution may be to run nginx, or haproxy, etc in front of Emby to handle the encryption.


fuzzthekingoftrees

I think I have this working, but I can't test because it's quite hard to get my Fire TV to connect to my test ubuntu machine over SSL due to DNS.

What I've done is to import the Let's Encrypt intermediate certificate into the mono cert store as follows. I performed these commands as root, you might need to sudo some of them if you aren't root.

wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt
mv letsencryptauthorityx3.pem.txt letsencryptauthorityx3.cer
certmgr -add -c -v -m CA letsencryptauthorityx3.cer
service emby-server restart

My test instance is now returning the whole certificate chain so I'm hopeful that this will work.


adam1010

@fuzzthekingoftrees You're my hero!  Nice work!

 

Yes, that did get Emby to start providing the intermediate signed by "ISRG X1"... However, when I tried to connect with the Fire TV Stick it gave the same error. And the "openssl s_client -connect" is showing the intermediate now, however it still shows an error message.

 

It looks like my certificate is cross-signed by a second intermediate, "DST X3" as well. However, I haven't been able to get Emby to include that intermediate (even though I added it via certmgr). I'm not sure if the Fire TV needs both intermediate certs, or just the DST one  (or if there is still another issue).

 

[EDIT] Looks like the "ISRG X1" CA that you linked to is the new Mozilla CA and only really trusted by Firefox. So it would appear I need to get the "DST X3" intermediate working instead. For some reason though the certmgr won't include it (even after I deleted the ISRG certificate so that DST is the only one in the trust store)

DST X3: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt


adam1010

Sweet sweet victory!  I got the DST X3 intermediate certificate to be included by loading it out of my .pfx file!  I have verified that the Fire TV stick now works!  So the "ISRG X1" is definitely not recognized by the Fire TV and does not need to be included as an intermediate.

sudo certmgr -add -c -v -m CA emby.pfx

This needs to be added to a tutorial somewhere now that Emby is pushing everyone towards Let's Encrypt instead of self-signed certs.


fuzzthekingoftrees

OK good work

So I think you need this certificate

https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt

and this one

https://www.identrust.com/certificates/trustid/root-download-x3.html

And they both need to be in your CA store. I had tried putting the second one in the Trust store which didn't work. Importing from the pfx as you did works OK but you end up with your server certificate in the CA store.

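On the side effect noted in the last post (importing the whole pfx also puts the server certificate in the CA store), an added example that is not from the thread: `split_intermediates` (a hypothetical helper name) writes every certificate after the first in a PEM bundle to its own file, so only those files are passed to the `certmgr` command used above. It assumes the bundle lists the server certificate first, as a Let's Encrypt `fullchain.pem` does; the sample bundle is constructed with placeholder bodies.

```shell
#!/bin/sh
# Added example, not from the thread. split_intermediates is a hypothetical helper.
# Assumes the bundle lists the server (leaf) certificate first. Writes every later
# certificate to outdir/intermediate-N.cer and prints how many files it wrote;
# returns 1 when the bundle holds no intermediate at all.
split_intermediates() {
  bundle=$1
  outdir=$2
  mkdir -p "$outdir" || return 2
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ {
      idx++; inside = 1
      if (idx > 1) out = dir "/intermediate-" (idx - 1) ".cer"
    }
    inside && idx > 1 { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; if (idx > 1) close(out) }
    END { n = (idx > 1) ? idx - 1 : 0; print n; exit (n == 0) }
  ' "$bundle"
}

# Constructed bundle: placeholder bodies stand in for real base64 data.
demo_dir=$(mktemp -d)
cat > "$demo_dir/fullchain.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE-PLACEHOLDER
-----END CERTIFICATE-----
EOF

split_intermediates "$demo_dir/fullchain.pem" "$demo_dir/ca"
# Then, on the Emby host, import each file with the command used in the thread:
#   certmgr -add -c -v -m CA intermediate-1.cer
```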
