External SSL connections crashing

[Gerrit507 24]

@@alucryd Emby runs as user emby. The home directory is /var/lib/emby and it contains a .dotnet folder

Edited June 14, 2018 by Luke

[lsrmax 0]

@@Gerrit507

 

This thread isn't about the https of the emby server itsself.

I can access my emby server over https with letsencrypt without any problem.

The problem only comes when the server tries to contact external services through https.

[Gerrit507 24]

My fault for the wrong thread but https is broken at the moment. Try the latest beta and it won't work anymore.

[lsrmax 0]

I won't try a version that would mess the server even more

 

I hope the next release will stabilize the https calls and be released soon...
My libraries are becoming a bit messy without the services to clean everything...

[Gerrit507 24]

Emby https issue still persists in version 3.4.1.15 beta...

[Luke 37093]

The strange part is that for most users this appears to be resolved. Is there anything unique about your setups that you can think of that would affect this? Thanks.

[lsrmax 0]

Except that i'm on archlinux (so the updates are delayed) and not using any docker, i d'ont think so.
I'm not enough into your code to see anything special from the logs.

[Luke 37093]

Except that i'm on archlinux (so the updates are delayed) and not using any docker, i d'ont think so.

I'm not enough into your code to see anything special from the logs.

 

Ok I think you're going to be fine. We're talking about the .deb package here.

[lsrmax 0]

Fine, I just have to wait for the next release with the new https calls system and the version for archlinux so.

[Luke 37093]

@@Gerrit507 can you provide a new server log? Thanks.

[Gerrit507 24]

@@Gerrit507 can you provide a new server log? Thanks.

 

Here you go

Log15.txt

[tosa65 16]

Ohh yeah, thats it the same problem, was i have...

No Scraper,No Infos more over http...

[Gerrit507 24]

No https with 3.4.1.16 beta

Log16.txt

[Luke 37093]

It's just odd because we have this resolved for everyone else but you two at this point.

[tosa65 16]

That's funny. I admit that openly. Only fact is that the problem since 3.4.1.12 began. And I certainly did not make ominous or funny things here. Under OMV 4.x I only run emby server and tvheadend as well as samba shares.

 

Hmm, are the problem kids just OMV users or Debian users?

Probably. OMV or Debian 9 has a problem?

 

I can not judge that myself, since I only have Emby who is in trouble.

 

Greetings Tommy

[Luke 37093]

Have you customized anything in the OS that might affect SSL certificates?

[tosa65 16]

Have you customized anything in the OS that might affect SSL certificates?

No, on the contrary ... I have even rebuilt the OMV4 from OMV3 to OMV4 2 weeks ago ... I do not work with certificates ... Never touched anything like that before. Also, I'm not a guy who simply confirms something unread ...

 

Nevertheless, I think we are getting closer to it. But as I said: I would not know where I could look there ... but I like to help, if the Emby for soon updatable ...

 

Just have to tell me what I can do. But please exactly.

 

And remember: My english comes from the translator.

[Gerrit507 24]

I have an apache with https running on the same machine but it never interfered with emby so I think that's fine.

 

I guess it's just a general issue with Core 2.1 and Debian based systems.

[Luke 37093]

What we're doing is supplying a certs folder for .net core 2.1 and then configuring it with an environment variable. I wonder if it's just not getting applied for whatever reason.

[tosa65 16]

Could not you simulate something like that in a VM and look there?

Otherwise, say quietly how you could help with the error-limitation.

[Luke 37093]

We have not been able to reproduce.

 

For the next build I will add the environment variables to the server log so that we can see if it is getting applied. Thanks.

[Gerrit507 24]

We have not been able to reproduce.

 

For the next build I will add the environment variables to the server log so that we can see if it is getting applied. Thanks.

 

Here is the log for version 3.4.1.17

 

I hope it helps

Log17.txt

[Knight_Elf 2]

Hi everybody!

 

I, too, had the same issue with Emby and SSL but, on only one of the two servers, I'm runinng (one is a backup of the other):

- the main one was having the issue

- the backup one was not

 

I've even tried to reinstall the emby package from the start (clean, no db) and got the same result: SSL not working.

So the issue was not directly in Emby but in the configurations' difference between the two servers.

 

 At last, I found the origin of this... (with the help of a thread on another .NET core project having similar troubles: https://groups.google.com/forum/#!topic/rabbitmq-users/a5HIyM1VPY4).

 

In fact, Emby is not able to read AT LEAST one certificate in the store and this impossiblity propagates to the whole SSL engine in .NET core, disabling it entirely.

 

So check your /etc/ssl/certs directory for AT LEAST one certificate being unreadable from anyone except root and change its (their) permission(s) to be readable from anyone.

 

chmod a+r /etc/ssl/certs/* can also do the trick!

 

Remember that Emby server is not running as root but as emby user, so it's not able to read a file reserved to root!

And do not fear for a security risk by doing this: certificates are intended to be readable by anyone. It's the privates keys that must absolutely remain private...

 

After this, I got my main Emby server working with SSL again!

Edited June 19, 2018 by Knight_Elf

[Luke 37093]

That's very interesting, thanks !

[Gerrit507 24]

Thank you!

 

Does emby always look in this folder or is this the folder you have configured in emby for https? I looked in that folder and all certs in there have read permissions for everybody...