error: -60 SSL certificate

[syralk 12]

Hi,

For some reson when i try to connect my Roku to my emby server via HTTPS using a PFX from letsencrypt it doenst work

error -60 SSL certificate problem unable to get local issuer certificate

it works in Kodi but not in Roku

 

I am using the version 3.3.1.0

I tries

- Linux Debian Jessie with and without docker

- Linux Ubuntu Xenial without docker

- brand new install of Ubuntu 17.10 with the same pfx same issue

 

if i try in emby server on Windows 10 or Windows 2016

Roku work perfectly with the same PFX

 

Do I need a additional dependency in Linux?

 

thanks

Edited April 18, 2018 by syralk

[Luke 36997]

Hi, where does it say that error?

[syralk 12]

Hi, where does it say that error?

On the Roku during the connection to a new server

[syralk 12]

this issue was not present when emby was install using a ubuntu repo, i think its because it was using mono

Edited April 18, 2018 by syralk

[Luke 36997]

Can you please attach the server log? Thanks

[syralk 12]

2018-04-18 16:07:13.379 Error HttpServer: Error in ProcessAccept
    *** Error Report ***
    Version: 3.3.1.0
    Command line: /opt/emby-server/system/EmbyServer.dll -programdata /var/lib/emby -ffmpeg /opt/emby-server/bin/ffmpeg -ffprobe /opt/emby-server/bin/ffprobe -restartexitcode 3 -updatepackage emby-server-deb_{version}_amd64.deb
    Operating system: Unix 4.9.0.0
    64-Bit OS: True
    64-Bit Process: True
    User Interactive: True
    Processor count: 2
    Program data path: /var/lib/emby
    Application directory: /opt/emby-server/system
    System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL. ---> Interop+Crypto+OpenSslCryptographicException: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
       --- End of inner exception stack trace ---
       at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, Byte[] recvBuf, Int32 recvOffset, Int32 recvCount, Byte[]& sendBuf, Int32& sendCount)
       at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteContext& context, SecurityBuffer inputBuffer, SecurityBuffer outputBuffer, Boolean isServer, Boolean remoteCertRequired)
       --- End of inner exception stack trace ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
       at System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
       at SocketHttpListener.Net.HttpConnection..ctor(ILogger logger, Socket socket, EndPointListener epl, Boolean secure, X509Certificate cert, ICryptoProvider cryptoProvider, IMemoryStreamFactory memoryStreamFactory, ITextEncoding textEncoding, IFileSystem fileSystem, IEnvironmentInfo environment)
       at SocketHttpListener.Net.EndPointListener.ProcessAccept(Socket accepted)
    System.Security.Authentication.AuthenticationException
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
       at System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
       at SocketHttpListener.Net.HttpConnection..ctor(ILogger logger, Socket socket, EndPointListener epl, Boolean secure, X509Certificate cert, ICryptoProvider cryptoProvider, IMemoryStreamFactory memoryStreamFactory, ITextEncoding textEncoding, IFileSystem fileSystem, IEnvironmentInfo environment)
       at SocketHttpListener.Net.EndPointListener.ProcessAccept(Socket accepted)
    InnerException: Interop+OpenSsl+SslException
    Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL. ---> Interop+Crypto+OpenSslCryptographicException: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
       --- End of inner exception stack trace ---
       at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, Byte[] recvBuf, Int32 recvOffset, Int32 recvCount, Byte[]& sendBuf, Int32& sendCount)
       at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteContext& context, SecurityBuffer inputBuffer, SecurityBuffer outputBuffer, Boolean isServer, Boolean remoteCertRequired)
       at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, Byte[] recvBuf, Int32 recvOffset, Int32 recvCount, Byte[]& sendBuf, Int32& sendCount)
       at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteContext& context, SecurityBuffer inputBuffer, SecurityBuffer outputBuffer, Boolean isServer, Boolean remoteCertRequired)
    InnerException: Interop+Crypto+OpenSslCryptographicException
    Interop+Crypto+OpenSslCryptographicException: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
    
2018-04-18 16:07:15.687 Info HttpServer: HTTP Response 200 to 192.168.42.240. Time: 4315ms (slow). http://192.168.42.99:8096/emby/users/cff1bf154390466dadb53a89645338aa/items

[syralk 12]

Can you please attach the server log? Thanks

i think the issue is there

 

    System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL. ---> Interop+Crypto+OpenSslCryptographicException: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca

 

just dont know how to fix it

[syralk 12]

Hi, where does it say that error?

 

I just try emby-server 3.3.1.0 on Arch Manjaro linux

 

and the server work well with the same PFX

so it could be only with the debian/ubuntu version

[Luke 36997]

Thanks for the report. We are looking into it.

[orbitron 0]

Thanks for the report. We are looking into it.

 

I am seeing this same error in the official EmbyServer docker container.

[Luke 36997]

I am seeing this same error in the official EmbyServer docker container.

 

Please attach the emby server log. You can learn how to do that here:

https://emby.media/community/index.php?/topic/739-how-to-report-a-problem/

 

Thanks.

[orbitron 0]

Please attach the emby server log. You can learn how to do that here:

https://emby.media/community/index.php?/topic/739-how-to-report-a-problem/

 

Thanks.

 

Here you go! Thank you.

emby-server.txt

[Luke 36997]

Ok, i would suggest trying this again with the next release of emby server as there have been a number of changes in related areas. thanks.

[orbitron 0]

Ok, i would suggest trying this again with the next release of emby server as there have been a number of changes in related areas. thanks.

 

Will do! Thank you!

[Luke 36997]

@@syralk in your case, same as well. thanks !