
Fire TV Stick + SSL not working -> cannot connect


sualfred

Nginx is working as reverse proxy for all clients incl. websockets. The Apache server was the issue. No idea if I forgot a flag or if it's simply not compatible.

 

Anyway, it's working now. Thanks.

Link to comment
Share on other sites

  • 4 weeks later...
Capt.Insano

Just to report:

 

The exact same thing is happening here. I am trying to set up a MiBox (AndroidTV) box to connect to my Emby server at home from work.

 

I have correct port forwarding for Emby SSL (8920), the SSL Cert is letsencrypt signed and causes no issues with desktop web browser usage or with my android (phone) Emby app but I cannot connect via the AndroidTV app.

 

I have completed all recommended tests in this thread to be sure the SSL cert is OK and it is perfect but when I try to connect via "XXXXX.duckdns.org:8920" I get nowhere.

 

Are there any other options other than setting up a reverse proxy for Emby?

Link to comment
Share on other sites


Capt.Insano

I am manually specifying an address and port for my Emby server.

 

I put in my address:

 

"https://xxxxx.duckdns.org"

 

And port: 8920.

 

The AndroidTV app just reports a failure to connect.

 

If I disable SSL in Emby, I can connect via the same address above and port 8096. As previously said, I have confirmed that my certs are in order.

 

Any ideas?

Link to comment
Share on other sites

Capt.Insano

When I use https://whatsmychaincert.com I get the following:

 

for xxxxx.duckdns.org : "xxxxx.duckdns.org has the correct chain"

 

but then I thought of trying the actual Emby SSL port:

 

for xxxxx.duckdns.org:8920 : "xxxxxxxx.duckdns.org:8920 is misconfigured. This is the chain it should be using."

 

So the chain error lies within Emby/Mono serving the SSL cert?

If so and considering I run Emby within a docker container, is my only (someway easy) option to roll an nginx reverse proxy?

 

Thanks for all help

Link to comment
Share on other sites

I think I recall others discovering there were issues in Mono with delivering the entire chain properly but there was some sort of configuration level fix.

Link to comment
Share on other sites

Capt.Insano

I have read about a fix here: https://emby.media/community/index.php?/topic/46647-firetv-stick-cannot-login-using-https but as I am running Emby within a docker it is no real solution.

 

Even when I try to get into the Emby container to run the commands via

#docker exec -it EmbyServer /bin/bash

I get the following error:

oci runtime error: exec failed: container_linux.go:265: starting container process caused "exec: \"/bin/bash\": stat /bin/bash: no such file or directory"

I am also aware that if I was able to make the required changes, they would be overwritten every time I update the EmbyServer container with a new release.

Link to comment
Share on other sites

Private key is required. The next release of emby server will make that clear in the help text under the field.

 

Password is not technically required but we've seen issues with certs that don't have them.

Link to comment
Share on other sites

Capt.Insano

I just double checked there and I think I may have a Private Key (forgive me, I am new to SSL certs!)

 

In my letsencrypt folder I have the following files:

cert.pem
chain.pem
fullchain.pem
privkey.pem
privkey.pfx

I have Emby pointing to the privkey.pfx. Is that correct so far regarding private keys?

Link to comment
Share on other sites

There needs to be a private key inside the pfx, and I would also assign a password and configure the password in Emby.

Link to comment
Share on other sites
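An added example, not part of any post in this thread: one way to check what a PFX actually contains, covering the private key the replies above ask for and the chain certificate the whatsmychaincert result points at. It assumes the `openssl` CLI is installed; the certificates are throwaway test data built by the script, the file names mirror the letsencrypt folder listed above, and `PASS` is a placeholder password.

```shell
#!/bin/sh
# Added example. All certificates are throwaway test data built here; file names
# mirror the letsencrypt folder in the thread, PASS is a placeholder password.
set -e
PASS=changeit

make_test_certs() {  # $1 = dir: self-signed test CA (as chain.pem) plus a leaf
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$1/ca.key" -out "$1/chain.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=xxxxx.duckdns.org" \
        -keyout "$1/privkey.pem" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/chain.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/cert.pem" 2>/dev/null
}

build_pfx() {  # $1 = dir, $2 = output file, remaining args = extra pkcs12 options
    dir=$1; out=$2; shift 2
    openssl pkcs12 -export -in "$dir/cert.pem" -out "$dir/$out" \
        -passout "pass:$PASS" "$@"
}

pfx_cert_count() {  # number of certificates stored in PFX $1
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE' || true
}

pfx_key_count() {  # number of private keys stored in PFX $1
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$PASS" 2>/dev/null |
        grep -c 'BEGIN.*PRIVATE KEY' || true
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT          # the test private keys do not stay on disk
make_test_certs "$WORK"
build_pfx "$WORK" nokey.pfx -nokeys                      # certificate only
build_pfx "$WORK" leaf.pfx -inkey "$WORK/privkey.pem"    # key + leaf, no chain
build_pfx "$WORK" full.pfx -inkey "$WORK/privkey.pem" -certfile "$WORK/chain.pem"
for f in nokey leaf full; do
    echo "$f.pfx: keys=$(pfx_key_count "$WORK/$f.pfx")" \
         "certs=$(pfx_cert_count "$WORK/$f.pfx")"
done
```

To inspect a real file, set `PASS` to its password and call `pfx_key_count` and `pfx_cert_count` on it. A key count of 0 means the PFX has no private key, and a certificate count of 1 means it holds only the leaf with no chain certificate.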

  • 2 years later...
Garbonzo17

I realize this is 3 years on now, but did you ever get this worked out?

I have 1 fire tv device that is outside of my lan and this is driving me crazy.

Android phones, iOS and Samsung TVs offsite all working fine with SSL... not Android TV/FireTV Client...

Link to comment
Share on other sites

Garbonzo17
31 minutes ago, ebr said:

Hi.  Try these:

 

No, windows 10, lets-encrypt and it works fine on regular android. ios, samsung tv, oh and roku as well... it seems to be just an issue with the FireTV (and therefore probably Android TV variants).  But since there is only one person in my family that needs this, I can go to her house and try that manually installing the certificate...Anyone that isn't my sister is gonna be out of luck.

-G

Link to comment
Share on other sites

14 hours ago, Garbonzo17 said:

No, windows 10, lets-encrypt and it works fine on regular android. ios, samsung tv, oh and roku as well... it seems to be just an issue with the FireTV (and therefore probably Android TV variants).  But since there is only one person in my family that needs this, I can go to her house and try that manually installing the certificate...Anyone that isn't my sister is gonna be out of luck.

-G

The Fires are different because they run older, forked versions of Android and because Amazon has them locked down pretty tight.  They also don't work well with a VPN.

Please let us know how it goes with the cert.

Thanks.

Link to comment
Share on other sites

Garbonzo17
On 17/08/2020 at 09:30, ebr said:

The Fires are different because they run older, forked versions of Android and because Amazon has them locked down pretty tight.  They also don't work well with a VPN.

Please let us know how it goes with the cert.

I will as soon as I can get out to her place. But in the meantime I am trying to get Windows Firewall to only allow port 8096 from her IP address. But I am having some issues.

For some reason if I allow port 8096 to the server it works from any IP, even though the scope has only her IP address. I am not sure what I am overlooking, but I realize this is beyond the scope of the topic, I just really would like unencrypted traffic to be from her, everyone else's apps can connect to the 8920 no prob with my let-encrypt setup... it's just the fire tv sitch.

If there is another let me know.  I have the feeling I could accomplish it with nginx (or similar) but that seems like a steep learning curve just to limit a single port to a single IP address pass thru.  With my old router running dd-wrt I could accomplish it there, but that died and I had to fall back to a pos linksys that doesn't particularly play well with dd/openWRT...  (actually I just looked at their site and I may have mis-remembered that this was possible, but regardless I should be able to accomplish through FW I would think.)

Anyway, as always any insight welcomed, TIA!

G

Edited by Garbonzo17
corrected my statement on router
Link to comment
Share on other sites

  • 3 weeks later...
On 8/23/2020 at 3:24 PM, Garbonzo17 said:

I will as soon as I can get out to her place. But in the meantime I am trying to get Windows Firewall to only allow port 8096 from her IP address. But I am having some issues.

For some reason if I allow port 8096 to the server it works from any IP, even though the scope has only her IP address. I am not sure what I am overlooking, but I realize this is beyond the scope of the topic, I just really would like unencrypted traffic to be from her, everyone else's apps can connect to the 8920 no prob with my let-encrypt setup... it's just the fire tv sitch.

If there is another let me know.  I have the feeling I could accomplish it with nginx (or similar) but that seems like a steep learning curve just to limit a single port to a single IP address pass thru.  With my old router running dd-wrt I could accomplish it there, but that died and I had to fall back to a pos linksys that doesn't particularly play well with dd/openWRT...  (actually I just looked at their site and I may have mis-remembered that this was possible, but regardless I should be able to accomplish through FW I would think.)

Anyway, as always any insight welcomed, TIA!

G

@Garbonzo17 are you still running into this?

Link to comment
Share on other sites

Garbonzo17
6 hours ago, Luke said:

Garbonzo17 are you still running into this?

I'm not 100% sure because I just opened 8096 and set my server to work with either encrypted or not for the time being. Still haven't been able to connect with her on a time for me to go over there and try adding the certificate on her end. Did anything change with the situation regarding Amazon and let's encrypt certs?

Link to comment
Share on other sites

rbjtech

What FireTV stick is it ?

I run lets encrypt SSL connections only on Win10 stable release using a few remote FireTV stick Gen 2's  and it works perfectly ?

 

 

Link to comment
Share on other sites

Garbonzo17
On 08/09/2020 at 10:36, rbjtech said:

I run lets encrypt SSL connections only on Win10 stable release using a few remote FireTV stick Gen 2's  and it works perfectly ?

Then I have no idea what's going on.  Everything is working as it should be (I am on Windows) and people outside the lan could connect when I had it set to MUST USE SSL, Samsung 4k TV emby app, ios (tv and phone), Roku (many) and of course Android phones all work no problem.  I just switched to a Firestick 4k (wanted to be able to s/l HBOmax and Peacock) and gave my Roku to my mum, but I recommended my sister go with Fire Stick (back before I encrypted) and she got a new TV with Fire built in, and a firestick 2nd gen for her upstairs TV.

However once she tried logging into the new server it kept rejecting her... I reopened port 8096 on the router, still nothing, but once I set the SSL in emby back to Preferred (not reqd) it connected immediately but without ssl.

So I went down the rabbithole in this thread, and it seems that Amazon doesn't include Lets-Encrypt in their Trust, so I figured I'd try manually loading my cert on her devices next time we can get together at her place, but haven't made time, I have everyone else using 8920 but I have to keep 8096 open for her until I can get it to work.

My firestick 4k works, but I think even if I tell it to use 8920 it sees it is on the lan and allows un-encrypted. (but I am not 100% on that, but I guess I could use my phone as a hotspot and test it out from external ip that way)

Anything I might be overlooking?

-G

Link to comment
Share on other sites

rbjtech

Have you tried to load your emby site via the FireTV browser - maybe install Amazon Silk - and in the browser go to https://yoursite:8920 ?

It may just be your terminology but I also noticed you said this -

"However once she tried logging into the new server it kept rejecting her."

Do you mean she got a login prompt - or do you mean it could not find the server at all ?

Does emby work with SSL on the same home network as the FireTV stick - ie another client or webbrowser ?

Have you cleared the cache/data on the FireTV stick App - removed it, rebooted and reinstalled it ?

 
