xorinzor, posted January 30, 2018:

I created a letsencrypt certificate, and merged them into a pkcs12 pfx certificate without password using openssl. But when I try to connect to the secured port I just keep getting "connection reset" with this in the log file:

    2018-01-30 15:01:06.979 Error HttpServer: Error in ProcessAccept
    *** Error Report ***
    Version: 3.2.70.0
    Command line: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe -programdata /var/lib/emby-server -restartpath /usr/lib/emby-server/restart.sh
    Operating system: Unix 4.4.0.112
    64-Bit OS: True
    64-Bit Process: True
    User Interactive: False
    Mono: 4.8.1 (Stable 4.8.1.0/22a39d7 Tue May 2 22:26:20 UTC 2017)
    Processor count: 8
    Program data path: /var/lib/emby-server
    Application directory: /usr/lib/emby-server/bin
    Mono.Btls.MonoBtlsException: Ssl error:1000009c:SSL routines:OPENSSL_internal:HTTP_REQUEST
      at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00054] in <5641e4edad4f4464ba58c620a7b8ea48>:0
      at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncProtocolRequest asyncRequest, Mono.Net.Security.AsyncOperationStatus status) [0x00033] in <5641e4edad4f4464ba58c620a7b8ea48>:0
      at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (Mono.Net.Security.AsyncOperationStatus status) [0x00086] in <5641e4edad4f4464ba58c620a7b8ea48>:0
      at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation () [0x0000d] in <5641e4edad4f4464ba58c620a7b8ea48>:0
      at Mono.Net.Security.AsyncProtocolRequest.StartOperation () [0x00000] in <5641e4edad4f4464ba58c620a7b8ea48>:0
    --- End of stack trace from previous location where exception was thrown ---
      at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <dbb16e0bacdc4a0f87478e401bc29b6c>:0
      at Mono.Net.Security.MobileAuthenticatedStream.EndProcessAuthentication (System.IAsyncResult result) [0x0006f] in <5641e4edad4f4464ba58c620a7b8ea48>:0
      at Mono.Net.Security.MobileAuthenticatedStream.EndAuthenticateAsServer (System.IAsyncResult asyncResult) [0x00000] in <5641e4edad4f4464ba58c620a7b8ea48>:0
      at System.Threading.Tasks.TaskFactory`1[TResult].FromAsyncCoreLogic (System.IAsyncResult iar, System.Func`2[T,TResult] endFunction, System.Action`1[T] endAction, System.Threading.Tasks.Task`1[TResult] promise, System.Boolean requiresSynchronization)

Anyone any ideas? Running on Ubuntu 16.04 x64

Luke, posted January 30, 2018:

Hi, you may want to switch to our new installation package, which is .NET Core-based instead of mono: https://emby.media/download

This is a brand new installation though and will require you to remove the existing installation first. Our new packages with .NET Core use OpenSSL and I think you'll have better luck. Thanks.

xorinzor (author), posted January 30, 2018:

> Hi, you may want to switch to our new installation package, which is .NET Core-based instead of mono: https://emby.media/download
> This is a brand new installation though and will require you to remove the existing installation first. Our new packages with .NET Core use OpenSSL and I think you'll have better luck. Thanks.

I wasn't aware there were different installations, is there going to be a repository for this? That would make automated updating a lot easier. I'll report back when finished about whether it solved my problem.

Luke, posted January 30, 2018:

There might be a repository in the future. Right now it's still very new and we are at this point just steering new installations to the new package.

xorinzor (author), posted January 30, 2018:

Now I'm getting this error (oddly enough it somehow involves ffmpeg apparently? even though I'm not even able to start playback of anything). The connection reset now got replaced with a timeout.

    2018-01-30 19:46:39.823 Error HttpServer: Error in ProcessAccept
    *** Error Report ***
    Version: 3.2.70.0
    Command line: /opt/emby-server/system/EmbyServer.dll -programdata /var/lib/emby -ffmpeg /opt/emby-server/bin/ffmpeg -ffprobe /opt/emby-server/bin/ffprobe -restartexitcode 3 -updatepackage emby-server-deb_{version}_amd64.deb
    Operating system: Unix 4.4.0.112
    64-Bit OS: True
    64-Bit Process: True
    User Interactive: True
    Processor count: 8
    Program data path: /var/lib/emby
    Application directory: /opt/emby-server/system
    System.IO.IOException: The handshake failed due to an unexpected packet format.
      at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
      at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
      at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
      at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
      at System.Net.Security.SslStream.BeginAuthenticateAsServer(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation, AsyncCallback asyncCallback, Object asyncState)
      at System.Net.Security.SslStream.BeginAuthenticateAsServer(X509Certificate serverCertificate, AsyncCallback asyncCallback, Object asyncState)
      at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1](Func`4 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, Object state, TaskCreationOptions creationOptions)
      at System.Threading.Tasks.TaskFactory.FromAsync[TArg1](Func`4 beginMethod, Action`1 endMethod, TArg1 arg1, Object state)
      at System.Net.Security.SslStream.AuthenticateAsServerAsync(X509Certificate serverCertificate)
      at SocketHttpListener.Net.HttpConnection.<InitStream>d__28.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
      at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
      at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
      at SocketHttpListener.Net.HttpConnection.<Create>d__29.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
      at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
      at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
      at SocketHttpListener.Net.EndPointListener.<ProcessAccept>d__23.MoveNext()
    System.IO.IOException
      at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
      at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
      at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
      at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
      at System.Net.Security.SslStream.BeginAuthenticateAsServer(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation, AsyncCallback asyncCallback, Object asyncState)
      at System.Net.Security.SslStream.BeginAuthenticateAsServer(X509Certificate serverCertificate, AsyncCallback asyncCallback, Object asyncState)
      at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1](Func`4 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, Object state, TaskCreationOptions creationOptions)
      at System.Threading.Tasks.TaskFactory.FromAsync[TArg1](Func`4 beginMethod, Action`1 endMethod, TArg1 arg1, Object state)
      at System.Net.Security.SslStream.AuthenticateAsServerAsync(X509Certificate serverCertificate)
      at SocketHttpListener.Net.HttpConnection.<InitStream>d__28.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
      at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
      at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
      at SocketHttpListener.Net.HttpConnection.<Create>d__29.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
      at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
      at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
      at SocketHttpListener.Net.EndPointListener.<ProcessAccept>d__23.MoveNext()

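Added example, not part of any post in this thread: the reason name in the first log, HTTP_REQUEST, is what the TLS library reports when the first bytes on the TLS socket look like a plaintext HTTP request instead of a ClientHello, and the second log fails in StartReadFrame, which is also where the client's first bytes are read. The Python below decodes the packed error code from that log line and classifies a connection's first bytes; the numeric constants are taken from BoringSSL's headers, and the sample request, hostname and ClientHello prefix are constructed.

```python
import re

# Constants from BoringSSL's public headers (err.h / ssl.h); its packed error
# codes are (library << 24) | reason.
ERR_LIB_SSL = 16
SSL_R_HTTP_REQUEST = 156
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT"}


def decode_btls_error(log_line):
    """Extract the packed hex code and reason name from a Mono BTLS log line."""
    m = re.search(r"Ssl error:([0-9a-fA-F]{8}):[^:]*:[^:]*:(\w+)", log_line)
    if m is None:
        return None
    packed = int(m.group(1), 16)
    return {"library": (packed >> 24) & 0xFF,
            "reason": packed & 0xFFF,
            "name": m.group(2)}


def classify_first_bytes(data):
    """Classify what a client sent first on a port that expects TLS."""
    # A TLS record starts with content type 0x16 (handshake) and major version 3.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"
    # A plaintext HTTP request starts with "<METHOD> ".
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return "plaintext-http"
    return "unknown"


def points_to_plaintext_client(log_line):
    """True when the logged error says an HTTP request arrived on the TLS socket."""
    err = decode_btls_error(log_line)
    return (err is not None and err["library"] == ERR_LIB_SSL
            and err["reason"] == SSL_R_HTTP_REQUEST)


# Error line as it appears in the first log on this page.
LOG_LINE = ("Mono.Btls.MonoBtlsException: Ssl error:1000009c:"
            "SSL routines:OPENSSL_internal:HTTP_REQUEST")
# Constructed samples: a plaintext request to port 8920 and a ClientHello prefix.
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: media.example:8920\r\n\r\n"
SAMPLE_TLS = bytes.fromhex("16030100c8010000c40303")

if __name__ == "__main__":
    print(decode_btls_error(LOG_LINE))
    print(classify_first_bytes(SAMPLE_HTTP), classify_first_bytes(SAMPLE_TLS))
    print(points_to_plaintext_client(LOG_LINE))
```
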
Luke, posted January 30, 2018:

Does your cert have a password?

xorinzor (author), posted January 30, 2018:

> Does your cert have a password?

No, I didn't change my cert. I just double checked by regenerating the certificate without the password and restarting the server, but still having the same error.

Luke, posted January 30, 2018:

I would suggest adding a password to the cert, and then set the password for the cert in Emby. See if that helps. Thanks.

xorinzor (author), posted January 30, 2018:

> I would suggest adding a password to the cert, and then set the password for the cert in Emby. See if that helps. Thanks.

Seems to result in the same error unfortunately.

Luke, posted January 30, 2018:

Can you please attach the complete emby server log? Thanks.

xorinzor (author), posted January 30, 2018:

1 log file coming right up.

Attachment: emby.log

Luke, posted January 30, 2018:

What https url are you trying to connect to that is causing this?

xorinzor (author), posted January 30, 2018:

> What https url are you trying to connect to that is causing this?

I tried both direct-IP and the A-Record that I have configured (both from internal network, as external via my mobile phone network) with port 8920 (which the dashboard indicates).

Luke, posted January 30, 2018:

Is the cert associated with a domain name or IP?

xorinzor (author), posted January 30, 2018 (edited):

> Is the cert associated with a domain name or IP?

Certificates can't be associated with IP addresses (at least not from letsencrypt, and I don't think the standard allows it either).

EDIT: This shouldn't be related to this issue though, as I'm currently not receiving a response from the webserver. Otherwise it'd just give me an error about the SSL certificate not matching the hostname.

Handl3vogn, posted January 30, 2018 (edited):

Maybe we got same problem. Started a thread on this early January.

Can you try the same setup on ArchLinux or Windows?

Got the ssl cert to work on these platforms:

Windows 10: OK
Archlinux: OK
Binhex docker (Arch based): OK
Ubuntu 17.10: Fail
Official docker: Fail

@alucryd

xorinzor (author), posted January 30, 2018:

> Maybe we got same problem. Started a thread on this early January.
> Can you try the same setup on ArchLinux or Windows?
> Got the ssl cert to work on these platforms:
> Windows 10: OK
> Archlinux: OK
> Binhex docker (Arch based): OK
> Ubuntu 17.10: Fail
> Official docker: Fail

Interesting, I did just try it on my windows installation, same certificate, and I indeed get a response from the server now. Seems to be related to using Ubuntu then (even though I'm using 16.04 LTS).

Luke, posted January 30, 2018:

Ok, we're looking into this, thanks.

alucryd, posted February 20, 2018:

@Handl3vogn @xorinzor I made a few adjustments to our openssl, mostly mimicking how Arch Linux builds it, could you give the latest docker beta a try? I couldn't reproduce even without those changes, but you never know, I may not have been affected by the issue to begin with.

One thing I may have done different is convert my let's encrypt to PKCS12 using certtool from gnutls instead of openssl because it seems this feature is currently borked on Arch Linux, I get an error during the conversion.

Handl3vogn, posted February 20, 2018:

> @Handl3vogn @xorinzor I made a few adjustments to our openssl, mostly mimicking how Arch Linux builds it, could you give the latest docker beta a try? I couldn't reproduce even without those changes, but you never know, I may not have been affected by the issue to begin with.
> One thing I may have done different is convert my let's encrypt to PKCS12 using certtool from gnutls instead of openssl because it seems this feature is currently borked on Arch Linux, I get an error during the conversion.

Hello, tried this again using the latest beta. And I still get the server insecure when I try to connect. Can try to find out how to convert my ssl using certtool but the same ssl file works fine on windows and arch.

Log: Log.txt

alucryd, posted February 20, 2018:

What's the exact error code? I'm only getting a bad domain error here because I can't set up nginx to proxy_pass over to https so having emby face the world and use my domain is not an option. When I make an exception in Firefox it works (although excruciatingly slowly, but it seems to be related to using a local ip instead of my domain).

alucryd, posted February 20, 2018 (edited):

Oh wait, your log mentions missing sslv3, which I just disabled. Arch Linux has it disabled so if that's the cause it shouldn't work on Arch Linux either. I'll reinstate them, see what happens. Still, that's not right, Firefox is using TLS 1.2 here, SSL3 should never be used, ever.

Handl3vogn, posted February 20, 2018 (edited):

I just get the standard "this site can not be trusted". I can click to get past it but then I get that warning every time I connect. Under technical details it says SEC_ERROR_UNKNOWN_ISSUER.

Edit: Also converted to pfx using certtool (same error). If I did it right, used this command:

    certtool --load-certificate fullchain.pem --load-privkey privkey.pem --to-p12 --outder --outfile certificate.pfx

Got prompted for name and password, typed in what I have set in the emby server settings.

Handl3vogn, posted February 21, 2018:

@alucryd I have a feeling that these problems are due to the dot net core runtime. What version is the docker running? And is there any way to update it to the same version that Arch Linux is using? Just to test if that fixes the problem?

This problem started for me when upgrading from mono to dot net core. Changing back to mono worked and later I found an Arch-based docker that also works.

alucryd, posted February 22, 2018:

@Handl3vogn Thanks for the feedback. I don't think it's an issue with the core runtime per se. It's working fine here, both on Arch Linux with an external core runtime, and on Docker with an embedded core runtime. I was able to have emby face the world, the issue I had was with nginx hogging all connections even if I used a port other than 80 or 443. Shutting it down allowed me to access emby on port 8920, and my converted let's encrypt certificate worked fine.

The only difference is that on Arch Linux the TLS handshake is really fast, but in Docker it's painfully slow (and I have no idea why). When that's out of the way it's working as expected though.