Problems with (external) https connection


Posted

Hi,

I set up a self-signed certificate for secure connections. I'm able to connect using https on the LAN, but when I try to connect from outside, I see the below error in the log, and don't get a connection.

I tried to restart the Emby server several times, but that didn't resolve the issue.

Please help!

Thanks

server-63638066521.txt

mastrmind11
Posted

Don't use a self signed cert.  Go get one from letsencrypt.

Posted

Thanks for your reply!

If I understand correctly, what you're saying is that I'll need a signed cert (like the ones from letsencrypt) in order to be able to access my machine securely from outside of my network, even though no such thing is needed to access it from the LAN?

Just want to confirm the suggested fix before I spend time on learning about letsencrypt :-)

Thank you!

mastrmind11
Posted

Yes.  

Posted

@mrbrahman, yes, most devices will reject the self signed cert, in fact to the extent where there's almost no point in us even providing it.

Posted

Thank you both.

I guess where I'm confused is that the self signed cert works on LAN (browser warns me, and I add a permanent exception). However it does not work when I access Emby through internet (browser only shows loading).

Obviously, I'm naive with security concepts, and am just using logic... To me, when https works on LAN, it should also work on WAN :-) That's why I wanted to confirm again.

Will read up on letsencrypt and set it up.

Thank you!

mastrmind11
Posted

A self signed cert basically says "I am who I say I am" versus a cert authorized by a third party, which basically says "this trusted authority says I am who I say I am".  The reason it works internally is because the IP in the self signed cert is your IP, so it can trust that you are who you say you are, though the browser will give you a heads up that it's potentially dangerous (since anyone who has the same internal IP as you can self sign a cert, and your server would have no idea the guy isn't you).  By that logic, it makes sense that self signed certs wouldn't work externally -- the potential for misuse and the data exposed is in general far more critical than what could be exposed internally.

Posted

I'm using self signed certificate successfully as all the clients that I use can handle it:

  • Emby for Kodi: Happily ignores (by default) that the cert is self signed
  • Android mobile: Happily ignores
  • Emby Theater for Windows (both Store and desktop). You can install the certificate on the client computer.

I created the cert with OpenSSL and it is created for my external dyn-dns FQDN.

I know there are some devices (like Android TV) which do not allow installation of untrusted certificates, but I currently don't use any.
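
The two checks a TLS client applies to a certificate like the one discussed in this thread, as an added example that is not code from any poster or from Emby: does the certificate name the address the client connected to, and does the client trust whoever signed it. `emby.example.net` and `192.168.1.10` are constructed placeholders, the function names are illustrative, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/usr/bin/env bash
# Added example. emby.example.net and 192.168.1.10 are constructed placeholders.

# make_cert <dir> <fqdn> [lan-ip]: self-signed cert whose subjectAltName lists
# the external name and, optionally, the LAN address (needs OpenSSL 1.1.1+).
make_cert() {
  local dir=$1 fqdn=$2 ip=${3:-}
  local san="subjectAltName=DNS:${fqdn}"
  if [ -n "$ip" ]; then san="${san},IP:${ip}"; fi
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=${fqdn}" -addext "$san" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# Name check a client performs: does the cert cover the host it connected to?
host_matches() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; }
ip_matches()   { openssl x509 -in "$1" -noout -checkip   "$2" | grep -q 'does match'; }

# Trust check: a self-signed cert chains to nothing unless the cert itself is
# installed (pinned) as a trust anchor on the client.
trusted() {  # trusted <cert> [anchor]
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify "$1" >/dev/null 2>&1
  fi
}

report() {  # report <label> <command...>
  local label=$1; shift
  if "$@"; then echo "$label: yes"; else echo "$label: no"; fi
}

demo() {
  local d; d=$(mktemp -d)
  make_cert "$d" emby.example.net || { echo "openssl req failed"; return 1; }
  report "matches external FQDN"  host_matches "$d/cert.pem" emby.example.net
  report "matches LAN IP"         ip_matches   "$d/cert.pem" 192.168.1.10
  report "trusted, not installed" trusted "$d/cert.pem"
  report "trusted, installed"     trusted "$d/cert.pem" "$d/cert.pem"
  rm -rf "$d"
}
demo
```

A client that lets you add an exception or install the certificate is overriding only the trust check; the name check still depends on which address the certificate was issued for.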

 

 
