System.Net.Http.CurlException: Problem with the SSL CA cert (path? access rights?)

[PenkethBoy 2063]

Just updated my QNAP to the latest firmware 4.3.4.0537 and now getting large numbers of errors in the log and LiveTv cannot connect to Schedules Direct, plugin check fails and any other emby external service using ssl fails

 

Example error trace

2018-04-01 15:50:48.215 Error HttpClient: Error getting response from https://json.schedulesdirect.org/20141201/token
	*** Error Report ***
	Version: 3.3.1.0
	Command line: /share/CACHEDEV1_DATA/.qpkg/EmbyServer/system/EmbyServer.dll -programdata /share/CACHEDEV1_DATA/.qpkg/EmbyServer/programdata -ffmpeg /share/CACHEDEV1_DATA/.qpkg/EmbyServer/bin/ffmpeg -ffprobe /share/CACHEDEV1_DATA/.qpkg/EmbyServer/bin/ffprobe -defaultdirectory /share/CACHEDEV1_DATA -updatepackage emby-server-qnap_{version}_x86_64.qpkg
	Operating system: Unix 4.2.8.0
	64-Bit OS: True
	64-Bit Process: True
	User Interactive: True
	Processor count: 4
	Program data path: /share/CACHEDEV1_DATA/.qpkg/EmbyServer/programdata
	Application directory: /share/CACHEDEV1_DATA/.qpkg/EmbyServer/system
	System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.CurlException: Problem with the SSL CA cert (path? access rights?)
	   at System.Net.Http.CurlHandler.ThrowIfCURLEError(CURLcode error)
	   at System.Net.Http.CurlHandler.MultiAgent.FinishRequest(StrongToWeakReference`1 easyWrapper, CURLcode messageResult)
	   --- End of inner exception stack trace ---
	   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
	   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
	   at System.Net.Http.HttpClient.<FinishSendAsyncUnbuffered>d__59.MoveNext()
	--- End of stack trace from previous location where exception was thrown ---
	   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
	   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	   at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.<SendAsyncInternal>d__20.MoveNext()
	System.Net.Http.HttpRequestException
	   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
	   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
	   at System.Net.Http.HttpClient.<FinishSendAsyncUnbuffered>d__59.MoveNext()
	--- End of stack trace from previous location where exception was thrown ---
	   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
	   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
	   at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.<SendAsyncInternal>d__20.MoveNext()
	InnerException: System.Net.Http.CurlException
	System.Net.Http.CurlException: Problem with the SSL CA cert (path? access rights?)
	   at System.Net.Http.CurlHandler.ThrowIfCURLEError(CURLcode error)
	   at System.Net.Http.CurlHandler.MultiAgent.FinishRequest(StrongToWeakReference`1 easyWrapper, CURLcode messageResult)
	   at System.Net.Http.CurlHandler.ThrowIfCURLEError(CURLcode error)
	   at System.Net.Http.CurlHandler.MultiAgent.FinishRequest(StrongToWeakReference`1 easyWrapper, CURLcode messageResult)

Any ideas what to check for that might have changed??

Edited April 1, 2018 by PenkethBoy

[PenkethBoy 2063]

Ok - found a temporary solution

 

I re installed the 3.3.1.1. package over my existing install and this corrected the ssl error (Dont uninstall the package first or this will remove you database and settings!)

 

I assume the package install must set some permissions on the ssl cert - which QNAP then reset with a new firmware

 

This needs to be fixed otherwise you are going to get a lot of support posts on this!

[Luke 37248]

Thanks for the info.

[OddbOd 21]

Same thing happened to me on 3.3.1.0. Emby's error log is accurate as the QNAP firmware update is the root cause, curl and it's CA bundle were updated.

 

Installing the same Emby version over the top of itself is the simplest solution as there's nothing for Emby devs to fix.

[PenkethBoy 2063]

Yes there is it should not happen in the first place

[Luke 37248]

Yes we should try to find a way to prevent it from happening.

[PenkethBoy 2063]

This has happened again with 3.3.1

 

i shut down Emby - and restarted emby a couple of hours later

 

i had to re-install Emby again to get the server to work properly

 

So do we have any idea what causes it?

 

And no i had not updated my firmware

Edited April 20, 2018 by PenkethBoy

[Luke 37248]

I'm not sure yet, probably a system update resetting something.

[PenkethBoy 2063]

no - nothing like that changed - just shutting down Emby is enough to trigger it

[OddbOd 21]

After many hours and much vodka I finally found it. The link to /etc/ssl/certs/ca-certificates.crt is created when the package is installed instead of when Emby starts. When the system is rebooted that link no longer exists. That's why reinstalling the QPKG makes Emby work again.

 

@@alucryd & @Luke QNAP is not a "normal" Linux distro, there are many quirks that are poorly documented. You can do whatever you want in Emby's package directory but changes to /root;/etc;/share or cronjobs will not survive reboots.

 

@@PenkethBoy Replace emby-server.sh with this and all will be well. Thanks for the reminder that I don't know everything

#!/bin/sh

CONF=/etc/config/qpkg.conf
QPKG_NAME=EmbyServer
QPKG_DIR=$(getcfg $QPKG_NAME Install_Path -f $CONF)
PID_FILE=/var/run/emby-server.pid

case "$1" in
  start)
    ENABLED=$(getcfg $QPKG_NAME Enable -u -d FALSE -f $CONF)
    if [ "$ENABLED" != "TRUE" ]; then
        echo "$QPKG_NAME is disabled."
        exit 1
    fi

    if [ -f $PID_FILE ] && kill -0 $(cat $PID_FILE); then
      echo "$QPKG_NAME is already running."
      exit 1
    else
      if [ ! -e /etc/ssl/certs/ca-certificates.crt ]; then
        ln -s /etc/ssl/certs/rootca.pem /etc/ssl/certs/ca-certificates.crt
      fi
      $QPKG_DIR/bin/emby-server &
      echo $! > $PID_FILE
    fi
    ;;

  stop)
    if [ -f $PID_FILE ]; then
      PID=$(cat $PID_FILE)
      if kill -0 $PID; then
        kill $PID
        while [ -e /proc/$PID ]; do
          sleep 1;
        done
      fi
      rm $PID_FILE
    else
      echo "$QPKG_NAME is not running."
      exit 1
    fi
    ;;

  restart)
    $0 stop
    $0 start
    ;;

  *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
esac

exit 0

[PenkethBoy 2063]

@@OddbOd

 

Thanks i will give it a try - i assume this gets replaced on each emby install?

 

will install the latest beta .21 then update for now

Edited April 22, 2018 by PenkethBoy

[alucryd 217]

@@OddbOd I'm aware of that, I've already been doing that since several betas back.

[PenkethBoy 2063]

@@alucryd - so you think its a different error causing Emby to become unusable?

[Luke 37248]

The beta posted yesterday I think is the first build you've gotten with the changes.

[PenkethBoy 2063]

ok - will see how it goes

[OddbOd 21]

I've double checked the 3.3.1.21 beta and it definitely contains fixed install and start scripts. Thanks alucryd, keep up the good work.

[Luke 37248]

Thanks for the feedback.