
Can't connect using SSL


xorinzor


Handl3vogn

@alucryd

 

Tried using the latest 3.3.0.0 and I still get sec_error_unknown_issuer error in my browser.

If I visit another site "or port" on my server that uses the same cert before I visit emby, I get a green lock (cert ok) until the next time my cert is renewed or until I connect with a client/browser that has never seen that certificate before.

 

So there must be something wrong when the same certificate works on windows and arch but not on official docker or ubuntu.

 

I'm not using reverse proxy or anything like that, just opened a port for emby server and connection straight to that using https.


The latest beta has resolved the client certificate problem, if you could try that out it would be helpful. I'm not sure it will affect the original issue this topic was opened for though. Thanks.


Ok, I could be wrong but I think the original issue is blocking you from being able to accurately confirm that. Thanks.


Handl3vogn

Ok, I could be wrong but I think the original issue is blocking you from being able to accurately confirm that. Thanks.

I did not exactly understand that, but I'm still having trouble getting emby server to work with ssl certificate. And you can see in the logs that there are some problems. And at this point I don't believe that there is anything wrong with my setup when the same setup works in Windows and on binhex-emby docker.

Handl3vogn

Yeah I get that, we're just having a hard time reproducing the problem.

I understand that, is there anything I can do to help? Would it be helpful if I sent you my cert file? Or made some test Dockers you could connect to? One working and one not working? Just tell me if I can do anything to help resolve that issue.

  • 3 weeks later...
GWTPqZp6b

I think I'm having this problem with latest beta as well, although this could be something to do with a pfsense RP issue too. The problem only occurs when I attempt to add the send-proxy option to enable me to see the real-ip address behind my proxy address. 


2018-03-16 23:58:17.653 Error HttpServer: Error in ProcessAccept
	*** Error Report ***
	Version: 3.3.1.5
	Command line: /opt/emby-server/system/EmbyServer.dll -programdata /var/lib/emby -ffmpeg /opt/emby-server/bin/ffmpeg -ffprobe /opt/emby-server/bin/ffprobe -restartexitcode 3 -updatepackage emby-server-deb_{version}_amd64.deb
	Operating system: Unix 4.9.0.3
	64-Bit OS: True
	64-Bit Process: True
	User Interactive: True
	Processor count: 2
	Program data path: /var/lib/emby
	Application directory: /opt/emby-server/system
	System.IO.IOException: The handshake failed due to an unexpected packet format.
	   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
	   at System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
	   at SocketHttpListener.Net.HttpConnection..ctor(ILogger logger, Socket socket, EndPointListener epl, Boolean secure, X509Certificate cert, ICryptoProvider cryptoProvider, IMemoryStreamFactory memoryStreamFactory, ITextEncoding textEncoding, IFileSystem fileSystem, IEnvironmentInfo environment)
	   at SocketHttpListener.Net.EndPointListener.ProcessAccept(Socket accepted)
	System.IO.IOException
	   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
	   at System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
	   at SocketHttpListener.Net.HttpConnection..ctor(ILogger logger, Socket socket, EndPointListener epl, Boolean secure, X509Certificate cert, ICryptoProvider cryptoProvider, IMemoryStreamFactory memoryStreamFactory, ITextEncoding textEncoding, IFileSystem fileSystem, IEnvironmentInfo environment)
	   at SocketHttpListener.Net.EndPointListener.ProcessAccept(Socket accepted)

Let me know if there's anything I can do to help debug etc.


GWTPqZp6b

Hey Luke, looks like you cut and pasted from the 'other' SSL thread I was reading.... I'm using both these options

 

 <RequireHttps>true</RequireHttps>

  <IsBehindProxy>true</IsBehindProxy>

In any event I don't think your issue is related to this thread, but in case it helps, check the incoming request urls and make sure that the https url has the proper port. Your exception message suggests that you have an incoming https request on your http port.

 

Additionally, I would set RequireHttps to false. Since you're behind a proxy you probably want to have the proxy handle your SSL and forward everything to Emby over local http.


GWTPqZp6b

I think you are right in that these are probably two different problems. I have basic proxy needs so rely on pfSense to separate a few internet facing services including emby by subdomain, these all run local letsencrypt HTTPS certs and a simple passthrough from pfSense with the 'send-proxy' option allows me to run fail2ban / log correct IP addresses. It seems emby throws the error I posted when I add that 'send-proxy' flag. Wanted to make sure you understood in case it was an Emby-side problem, I have a workaround that gets me where I need to be in the meanwhile, thank you.

 

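Added example, not part of the original posts and not Emby or pfSense code: assuming the 'send-proxy' option here is HAProxy's, it prepends a PROXY protocol v1 text line to every connection, so a TLS listener that does not expect it reads `PROXY ...` where a TLS record should begin. The sketch below classifies the first bytes a listener receives and strips a v1 header to recover the real client address; the function names, addresses and ClientHello bytes are constructed for illustration.

```python
import ipaddress

# PROXY protocol v2 starts with this fixed 12-byte signature.
PROXY_V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")


def parse_proxy_v1(data):
    """Parse a PROXY v1 line; return (client_ip, client_port, rest) or None."""
    if not data.startswith(b"PROXY "):
        return None
    end = data.find(b"\r\n", 0, 107)  # spec: v1 line is at most 107 bytes
    if end < 0:
        return None
    fields = data[:end].decode("ascii", "replace").split(" ")
    rest = data[end + 2:]
    if fields[1:2] == ["UNKNOWN"]:  # proxy could not name the client
        return (None, None, rest)
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        return None
    try:
        src = str(ipaddress.ip_address(fields[2]))
        ipaddress.ip_address(fields[3])
        sport, dport = int(fields[4]), int(fields[5])
    except ValueError:
        return None
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        return None
    return (src, sport, rest)


def classify_first_bytes(data):
    """Say what a listener is looking at in the first bytes of a connection."""
    if data.startswith(PROXY_V2_SIG):
        return "proxy-v2"
    if data.startswith(b"PROXY "):
        return "proxy-v1"
    # TLS handshake record: content type 0x16, then major version 0x03.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "plain-http"
    return "unknown"


# Constructed sample bytes (documentation addresses, truncated ClientHello).
CLIENT_HELLO = bytes.fromhex("16030100c8010000c40303")
WITH_SEND_PROXY = b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 8443\r\n" + CLIENT_HELLO
```

A backend should only accept this header from the proxy's own address, since any client that can reach the port directly could otherwise claim an arbitrary source IP and mislead fail2ban or the access log.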

pir8radio

 

Hey Luke, looks like you cut and pasted from the 'other' SSL thread I was reading.... I'm using both these options

 

 <RequireHttps>true</RequireHttps>

  <IsBehindProxy>true</IsBehindProxy>

 

 

 

Behind a Reverse proxy you will want:

<EnableHttps>true</EnableHttps> (not "RequireHttps"): set require to false, and enable to true.

 

Probably not your issue, but something to fix. Also if the proxy is set up correctly you won't need "IsBehindProxy" set to true, as far as I know. I'm not sure what this switch does within emby... But emby should be blind to the fact that it is behind a proxy if it's set up correctly.


  • 1 month later...

If you would like to try the beta server that would be helpful as we've updated to .NET Core 2.1. Thanks.


Handl3vogn

Tried the 3.4.1.2-beta on ubuntu 18.04

Still got ssl certification error so no change for me.


Those are all outbound https, which are hopefully resolved for next beta. I don't see anything here related to inbound traffic.


Handl3vogn

Those are all outbound https, which are hopefully resolved for next beta. I don't see anything here related to inbound traffic.

I still get certification error in my browser.

And tried an online ssl certificate tester and got these results


cristol
Hi, I've the same issue with the docker (Version 3.4.1.0) on debian 8.10 (OpenMediaVault).

 

I can access and play video with my desktop, but with my android phone it's impossible (chrome and emby app).

 

*** Error Report ***

Version: 3.4.1.0

Command line: /system/EmbyServer.dll -programdata /config -ffmpeg /bin/ffmpeg -ffprobe /bin/ffprobe -restartexitcode 3

Operating system: Unix 4.9.0.0

64-Bit OS: True

64-Bit Process: True

User Interactive: True

Processor count: 4

Program data path: /config

Application directory: /system

System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL. ---> Interop+Crypto+OpenSslCryptographicException: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown

   --- End of inner exception stack trace ---

 

After a moment, HTTPS isn't accessible... I must restart the docker image to restart https access.

 

 

PS: My certificate is generated with letsencrypt --> openssl pkcs12 -inkey privkey.pem -in fullchain.pem -export -out Emby.pfx -passout pass:PASSWORD

 

Is it an Emby problem?

 

