Cant connect using SSL


xorinzor

I created a Let's Encrypt certificate and merged the files into a PKCS#12 (.pfx) certificate without a password using openssl.
But when I try to connect to the secured port I just keep getting "connection reset", with this in the log file:
 

2018-01-30 15:01:06.979 Error HttpServer: Error in ProcessAccept
	*** Error Report ***
	Version: 3.2.70.0
	Command line: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe -programdata /var/lib/emby-server -restartpath /usr/lib/emby-server/restart.sh
	Operating system: Unix 4.4.0.112
	64-Bit OS: True
	64-Bit Process: True
	User Interactive: False
	Mono: 4.8.1 (Stable 4.8.1.0/22a39d7 Tue May  2 22:26:20 UTC 2017)
	Processor count: 8
	Program data path: /var/lib/emby-server
	Application directory: /usr/lib/emby-server/bin
	Mono.Btls.MonoBtlsException: Ssl error:1000009c:SSL routines:OPENSSL_internal:HTTP_REQUEST
	  at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00054] in <5641e4edad4f4464ba58c620a7b8ea48>:0 
	  at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncProtocolRequest asyncRequest, Mono.Net.Security.AsyncOperationStatus status) [0x00033] in <5641e4edad4f4464ba58c620a7b8ea48>:0 
	  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (Mono.Net.Security.AsyncOperationStatus status) [0x00086] in <5641e4edad4f4464ba58c620a7b8ea48>:0 
	  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation () [0x0000d] in <5641e4edad4f4464ba58c620a7b8ea48>:0 
	  at Mono.Net.Security.AsyncProtocolRequest.StartOperation () [0x00000] in <5641e4edad4f4464ba58c620a7b8ea48>:0 
	--- End of stack trace from previous location where exception was thrown ---
	  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <dbb16e0bacdc4a0f87478e401bc29b6c>:0 
	  at Mono.Net.Security.MobileAuthenticatedStream.EndProcessAuthentication (System.IAsyncResult result) [0x0006f] in <5641e4edad4f4464ba58c620a7b8ea48>:0 
	  at Mono.Net.Security.MobileAuthenticatedStream.EndAuthenticateAsServer (System.IAsyncResult asyncResult) [0x00000] in <5641e4edad4f4464ba58c620a7b8ea48>:0 
	  at System.Threading.Tasks.TaskFactory`1[TResult].FromAsyncCoreLogic (System.IAsyncResult iar, System.Func`2[T,TResult] endFunction, System.Action`1[T] endAction, System.Threading.Tasks.Task`1[TResult] promise, System.Boolean requiresSynchronization) 

Anyone any ideas?

Running on Ubuntu 16.04 x64


Hi, you may want to switch to our new installation package, which is .NET Core-based instead of Mono:

https://emby.media/download

This is a brand new installation though and will require you to remove the existing installation first. Our new packages with .NET Core use OpenSSL and I think you'll have better luck. Thanks.


xorinzor


I wasn't aware there were different installations. Is there going to be a repository for this? That would make automated updating a lot easier.

I'll report back when finished about whether it solved my problem.


There might be a repository in the future. Right now it's still very new and we are at this point just steering new installations to the new package.


xorinzor

Now I'm getting this error (oddly enough, it somehow involves ffmpeg, apparently, even though I'm not even able to start playback of anything).
The connection reset has now been replaced with a timeout.


2018-01-30 19:46:39.823 Error HttpServer: Error in ProcessAccept
	*** Error Report ***
	Version: 3.2.70.0
	Command line: /opt/emby-server/system/EmbyServer.dll -programdata /var/lib/emby -ffmpeg /opt/emby-server/bin/ffmpeg -ffprobe /opt/emby-server/bin/ffprobe -restartexitcode 3 -updatepackage emby-server-deb_{version}_amd64.deb
	Operating system: Unix 4.4.0.112
	64-Bit OS: True
	64-Bit Process: True
	User Interactive: True
	Processor count: 8
	Program data path: /var/lib/emby
	Application directory: /opt/emby-server/system
	System.IO.IOException: The handshake failed due to an unexpected packet format.
	   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
	   at System.Net.Security.SslStream.BeginAuthenticateAsServer(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation, AsyncCallback asyncCallback, Object asyncState)
	   at System.Net.Security.SslStream.BeginAuthenticateAsServer(X509Certificate serverCertificate, AsyncCallback asyncCallback, Object asyncState)
	   at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1](Func`4 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, Object state, TaskCreationOptions creationOptions)
	   at System.Threading.Tasks.TaskFactory.FromAsync[TArg1](Func`4 beginMethod, Action`1 endMethod, TArg1 arg1, Object state)
	   at System.Net.Security.SslStream.AuthenticateAsServerAsync(X509Certificate serverCertificate)
	   at SocketHttpListener.Net.HttpConnection.<InitStream>d__28.MoveNext()
	--- End of stack trace from previous location where exception was thrown ---
	   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
	   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	   at SocketHttpListener.Net.HttpConnection.<Create>d__29.MoveNext()
	--- End of stack trace from previous location where exception was thrown ---
	   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
	   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	   at SocketHttpListener.Net.EndPointListener.<ProcessAccept>d__23.MoveNext()

xorinzor

Does your cert have a password?

No, I didn't change my cert. I just double checked by regenerating the certificate without the password and restarting the server, but still having the same error.


I would suggest adding a password to the cert, and then set the password for the cert in Emby. See if that helps. Thanks.


xorinzor

Seems to result in the same error unfortunately.


xorinzor

what https url are you trying to connect to that is causing this?


I tried both the direct IP and the A record that I have configured (both from the internal network and externally via my mobile phone network) with port 8920 (which the dashboard indicates).


xorinzor

is the cert associated with a domain name or IP?


Certificates can't be associated with IP addresses (at least not from Let's Encrypt, and I don't think the standard allows it either).

EDIT: This shouldn't be related to this issue though, as I'm currently not receiving a response from the webserver. Otherwise it'd just give me an error about the SSL certificate not matching the hostname.


Handl3vogn

Maybe we've got the same problem; I started a thread on this in early January.

Can you try the same setup on ArchLinux or Windows? 


Got the SSL cert to work on these platforms:

Windows 10: OK

Archlinux: OK

Binhex docker (Arch based): OK

Ubuntu 17.10: Fail

Official docker: Fail


@alucryd


xorinzor

Interesting, I did just try it on my Windows installation with the same certificate, and I indeed get a response from the server now.

Seems to be related to using Ubuntu then (even though I'm using 16.04 LTS)


3 weeks later...
alucryd

@Handl3vogn @xorinzor I made a few adjustments to our openssl, mostly mimicking how Arch Linux builds it, could you give the latest docker beta a try?


I couldn't reproduce even without those changes, but you never know, I may not have been affected by the issue to begin with. One thing I may have done differently is convert my Let's Encrypt certificate to PKCS12 using certtool from gnutls instead of openssl, because it seems this feature is currently borked on Arch Linux; I get an error during the conversion.


Handl3vogn


Hello, I tried this again using the latest beta, and I still get "server insecure" when I try to connect.

I can try to find out how to convert my SSL certificate using certtool, but the same SSL file works fine on Windows and Arch.


Log attached: Log.txt

alucryd

What's the exact error code? I'm only getting a bad domain error here because I can't set up nginx to proxy_pass over to https, so having emby face the world and use my domain is not an option. When I make an exception in Firefox it works (although excruciatingly slowly, but it seems to be related to using a local IP instead of my domain).


alucryd

Oh wait, your log mentions missing SSLv3, which I just disabled. Arch Linux has it disabled, so if that's the cause it shouldn't work on Arch Linux either. I'll reinstate them and see what happens. Still, that's not right: Firefox is using TLS 1.2 here, SSL3 should never be used, ever.


Handl3vogn

I just get the standard "this site can not be trusted"

I can click to get past it but then I get that warning every time I connect.

Under technical details it says SEC_ERROR_UNKNOWN_ISSUER


Edit

Also converted to pfx using certtool (same error)

If I did it right, used this command

certtool --load-certificate fullchain.pem --load-privkey privkey.pem --to-p12 --outder --outfile certificate.pfx

got prompted for name and password, typed in what I have set in the emby server settings

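As an added example for this thread (not code from any of the posters or from Emby), here is the conversion that both the first post (openssl) and the certtool post above describe, done with the openssl CLI and then checked before a server is ever pointed at the file. It assumes only that the openssl binary is installed; a self-signed key pair generated on the spot stands in for the Let's Encrypt privkey.pem and fullchain.pem, and the host name emby.example.test and the password s3cret are made up. One detail worth knowing when reading the two stack traces in this thread: OpenSSL's HTTP_REQUEST reason code and .NET's "unexpected packet format" are both the server-side handshake reporting that the first bytes it received were not a TLS ClientHello, so the probe helper at the end deliberately sends a real TLS handshake with SNI rather than a browser request.

```shell
#!/usr/bin/env sh
# Added example (not from the thread or from Emby): build a PKCS#12 bundle
# from PEM files the way the posters describe, then verify that the bundle
# really contains one private key and the leaf certificate before using it.
# Requires the openssl CLI; everything else is created in a temp directory.
set -eu

WORK="$(mktemp -d)"

# Stand-in for /etc/letsencrypt/live/<domain>/{privkey,fullchain}.pem:
# a self-signed key pair generated here so the script runs offline.
# (Constructed test material; a real deployment uses the ACME-issued files.)
make_test_pem() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 7 \
        -subj "/CN=emby.example.test" \
        -keyout "$WORK/privkey.pem" -out "$WORK/fullchain.pem" >/dev/null 2>&1
}

# Convert PEM key + chain to PKCS#12. $3 is the export password; pass an
# empty string for a password-less bundle, as in the first post.
# Caveat: OpenSSL 3 encrypts PKCS#12 with AES-256/PBKDF2 by default; add
# "-legacy" if the consuming application only understands the older
# 3DES/RC2 encodings.
pem_to_pfx() {
    key="$1"; chain="$2"; password="$3"; out="$4"
    openssl pkcs12 -export -inkey "$key" -in "$chain" \
        -passout "pass:$password" -out "$out"
}

# Print the subject CN of the leaf certificate (the one paired with the key).
pfx_leaf_cn() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -subject \
        | sed -n 's/.*CN *= *//p'
}

# Count private keys in the bundle; a server certificate bundle must have
# exactly one. Prints 0 when the password is wrong or the file is unreadable.
pfx_key_count() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null \
        | grep -c 'BEGIN .*PRIVATE KEY' || true
}

# Probe a live TLS endpoint as a TLS client would, with SNI. A server that
# answers with a certificate is at least completing the handshake on that
# port; "connection reset" or an empty reply means it never did.
# Not executed here because it needs a network endpoint.
probe_tls() {
    host="$1"; port="$2"
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>&1 \
        | sed -n '/^subject=/p;/^issuer=/p;/Verify return code/p'
}

make_test_pem
pem_to_pfx "$WORK/privkey.pem" "$WORK/fullchain.pem" ""       "$WORK/nopass.pfx"
pem_to_pfx "$WORK/privkey.pem" "$WORK/fullchain.pem" "s3cret" "$WORK/withpass.pfx"
```

Usage against a real bundle: `pfx_leaf_cn certificate.pfx ""` should print the domain the certificate was issued for, `pfx_key_count certificate.pfx ""` should print 1, and `probe_tls your.domain 8920` should show a subject line rather than nothing.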

Handl3vogn

@alucryd

I have a feeling that these problems are due to the .NET Core runtime.

What version is the docker running? And is there any way to update it to the same version that Arch Linux is using? Just to test if that fixes the problem?


This problem started for me when upgrading from Mono to .NET Core. Changing back to Mono worked, and later I found an Arch-based docker that also works.


alucryd

@Handl3vogn Thanks for the feedback. I don't think it's an issue with the core runtime per se. It's working fine here, both on Arch Linux with an external core runtime and on Docker with an embedded core runtime. I was able to have emby face the world; the issue I had was with nginx hogging all connections even if I used a port other than 80 or 443. Shutting it down allowed me to access emby on port 8920, and my converted Let's Encrypt certificate worked fine.


The only difference is that on Arch Linux the TLS handshake is really fast, but in Docker it's painfully slow (and I have no idea why). When that's out of the way it's working as expected though.

