Jump to content

External SSL connections crashing

lsrmax

By lsrmax
in Linux

 Share
Go to solution Solved by Knight_Elf,

Recommended Posts

Luke Emby Team

Luke   37095

Posted
Posted

We're setting an environment variable SSL_CERTS_DIR that .NET core will utilize.

Link to comment
Share on other sites
Knight_Elf

Knight_Elf   2

Posted
Posted

Thank you!

 

Does emby always look in this folder or is this the folder you have configured in emby for https? I looked in that folder and all certs in there have read permissions for everybody...

 

You're welcome! ;)

 

Most of the files in the /etc/ssl/certs directory are in fact symbolic links to certificates placed in other directories (secondaries CA stores) so check the permissions of the linked files in their true pathes instead of the permissions of the links themselves (they're always lrwxrwxrwx ie. accessibles and modifiables by anyone), you may have one emby-unreadable file in those secondary stores...

Link to comment
Share on other sites
Knight_Elf

Knight_Elf   2

Posted
Posted

To be sure I ran chmod a+r /etc/ssl/certs/*

 

Still no luck...

 

Can you, please, publish the result of ls -lR /etc/ssl/certs?

 

Oh, and I forgot to add that you must be root for chmod a+r /etc/ssl/certs/* to work!

Link to comment
Share on other sites
Gerrit507

Gerrit507   24

Posted
Posted

You're welcome! ;)

 

Most of the files in the /etc/ssl/certs directory are in fact symbolic links to certificates placed in other directories (secondaries CA stores) so check the permissions of the linked files in their true pathes instead of the permissions of the links themselves (they're always lrwxrwxrwx ie. accessibles and modifiables by anyone), you may have one emby-unreadable file in those secondary stores...

It's working!

 

I've misunderstood it at first, but you were absolutely right!

 

I've moved my certs folder to certs_bak, created a new empty certs folder and emby webinterface works again :) :) :)

Link to comment
Share on other sites
Knight_Elf

Knight_Elf   2

Posted
Posted (edited)

It's working!

 

I've misunderstood it at first, but you were absolutely right!

 

I've moved my certs folder to certs_bak, created a new empty certs folder and emby webinterface works again :) :) :)

 

Beware, by doing this, you may have partly disabled the SSL functionnality of your Debian!

 

Try getting back certificates one by one in your new "certs" directory to find the culprit.

 

By the way, I'm happy to hear that the solution is working for someone else! :D

Edited by Knight_Elf
  • Like 1
Link to comment
Share on other sites
zoneee

zoneee   6

Posted
Posted (edited)

Beware, by doing this, you may have partly disabled the SSL functionnality of your Debian!

 

Try getting back certificates one by one in your new "certs" directory to find the culprit.

 

By the way, I'm happy to hear that the solution is working for someone else! :D

 

TYVM @@Knight_Elf. Yeah, so this worked for me too on Ubuntu.. I was stuck on 3.4.1.11 for a while now because of this. Just upgraded to 3.4.1.17 now and "sudo mv /etc/ssl/certs /etc/ssl/certs.bak; sudo systemctl restart emby-server; sleep 5; sudo mv /etc/ssl/certs.bak /etc/ssl/certs"  and https://myembyserver:8920 started working again. Now figuring out which cert is causing the problem is going to take some doing since all the perms on the target certs(and their corresponding symlinks in /etc/ssl/certs) look right. :D

 

This also breaks "Emby: Check for application updates failed. The SSL connection could not be established, see inner exception." because it has no SSL certs to use for outgoing connections. :/

 

[uPDATE]

 

So, I figured out what certs were causing the problem

 
/etc/ssl/certs$ file * | grep broken
55a10908.0:                                                       broken symbolic link to UbuntuOne-ValiCert_Class_2_VA.pem
598630ad.0:                                                       broken symbolic link to UbuntuOne-Go_Daddy_CA.pem


/etc/ssl/certs$ sudo rm 55a10908.0 598630ad.0


/etc/ssl/certs$ sudo systemctl restart emby-server

And we are back to normal now. :-D

 

Edited by zoneee
  • Like 3
Link to comment
Share on other sites
Gerrit507

Gerrit507   24

Posted
Posted (edited)

TYVM @@Knight_Elf. Yeah, so this worked for me too on Ubuntu.. I was stuck on 3.4.1.11 for a while now because of this. Just upgraded to 3.4.1.17 now and "sudo mv /etc/ssl/certs /etc/ssl/certs.bak; sudo systemctl restart emby-server; sleep 5; sudo mv /etc/ssl/certs.bak /etc/ssl/certs"  and https://myembyserver:8920 started working again. Now figuring out which cert is causing the problem is going to take some doing since all the perms on the target certs(and their corresponding symlinks in /etc/ssl/certs) look fine to me. :D

 

This also breaks "Emby: Check for application updates failed. The SSL connection could not be established, see inner exception." because it has no SSL certs to use for outgoing connections. :/

I checked all the symlinks too, their target seemed fine to me. I just moved them all out. It were a bunch of CA certs. Everything is still up without them so it'll be fine :D

Edited by Gerrit507
Link to comment
Share on other sites
lsrmax

lsrmax   0

Posted
  • Author
Posted (edited)

Hi there,

 

About the original problem.

I solved it by switching to docker version of emby server.

Now it's fine and everything went back to normal.

(Basically it seems that i just reinstalled everything)

 

Thanks

Edited by lsrmax
Link to comment
Share on other sites
tosa65

tosa65   16

Posted
Posted (edited)
Yeah ... that's it ...
Even though I did not understand much, one thing I understood ...
Something was wrong with the certificates.
 
So I looked at the / etc / ssl / certs more closely. And look there; There were symbolic links that did not lead to a file. I have simply killed or disposed of these and then installed V3.4.1.17 ...
 
What can I say: Emby, so the * .17 runs like an oiled uvula LOL.
 
Sorry Luke, for all the circumstances.
So Emby was fine the whole time?
 
For the future, could not such things be stopped from the beginning? Say; If Emby encounters such problems that he ignores them and keeps going anyway?
 
Best regards Tom
 
----------------------------------------------------
Germans Original
-------------------------
Yeah... Das war's...
Auch wenn ich nicht viel verstanden habe, eines verstand ich dennoch...
Irgendetwas stimmte nicht mit den Certificaten. 
 
Also schaute ich mir das /etc/ssl/certs genauer an. Und siehe da; Es lagen dort Symbolische Links, die zu keiner Datei führten. Ich habe diese schlichtweg gekillt bzw. entsorgt und danach V3.4.1.17 installiert...
 
Was soll ich sagen: Emby, also die *.17  läuft wie 'n geöltes Zäpfchen LOL.
 
Sorry Luke, für die ganzen Umstände. 
Dann war also Emby die ganze Zeit völlig in Ordnung?
 
Für die Zukunft, könnte man solche Sachen nicht von vorn herein unterbinden? Sprich; Wenn Emby auf solche Probleme stösst, dass er diese Ingnoriert und trotzdem weiter macht?
 
Liebe Grüsse Tom

-----------------------------------------------

 

Anmerkung

Witzig ist hier die Übersetzung von Zäpfchen nach "uvula" :) Wo doch eigentlich "suppository" gemeint waren LOL

Edited by tosa65
Link to comment
Share on other sites
Luke Emby Team

Luke   37095

Posted
Posted

Emby did ignore them and keep going, you just had no internet metadata because you couldn't make http requests.

Link to comment
Share on other sites
tosa65

tosa65   16

Posted
Posted
What does that mean?

That I imagine that it now runs with the 3.4.1.17. That I can finally get back information from the net?

 

Sorry, but unfortunately you did not send a quote that you refer to, I assume that you answer me. And the translation turns it on me that Emby always ignored that.

 

Or was that related to future versions?

Link to comment
Share on other sites
Gerrit507

Gerrit507   24

Posted
Posted

@@Gerrit507,

I just updated my post. Maybe you should check the targets of those symlinks again. :-)

Wow, Thanks!

 

The command

file * | grep broken

is really useful here. I had 8 broken links. I deleted them in backup folder, copied the rest into my normal folder and emby is working fine.

Link to comment
Share on other sites
Gerrit507

Gerrit507   24

Posted
Posted

 

What does that mean?
That I imagine that it now runs with the 3.4.1.17. That I can finally get back information from the net?
 
Sorry, but unfortunately you did not send a quote that you refer to, I assume that you answer me. And the translation turns it on me that Emby always ignored that.
 
Or was that related to future versions?

 

 

Du brauchst diese Zertifikate um eine https Verbindung aufzubauen. Dort wird nämlich das Zertifikat des externen Servers mit denen gegengeprüft die bei dir gespeichert sind. Das Problem hier war, dass emby beim Iterieren durch die lokalen Zertifikate ein Zertifkat gefunden hat, welches nicht lesbar ist. Dadurch wurde eine Ausnahme beim Verbindungsaufbau ausgelöst und dadurch abgebrochen.

 

@@Luke

A solution I could think of is catching this exception

Interop+Crypto+OpenSslCryptographicException: error:2006D080:BIO routines:BIO_new_file:no such file
  • Like 1
Link to comment
Share on other sites
Gerrit507

Gerrit507   24

Posted
Posted

We do catch it and the server continues moving forward.

Ok. What I meant is catching it inside the connection method, that the connection can go on.

Link to comment
Share on other sites
Luke Emby Team

Luke   37095

Posted
Posted

That's happening in the netcore runtime, there's nothing we can do other than disable certificate validation, which we're not going to do as that would pose a security risk.

  • Like 1
Link to comment
Share on other sites
Gerrit507

Gerrit507   24

Posted
Posted

That's happening in the netcore runtime, there's nothing we can do other than disable certificate validation, which we're not going to do as that would pose a security risk.

Ok, I understand. Thanks for explaining.

  • Like 1
Link to comment
Share on other sites
  • 1 month later...
s7relok

s7relok   1

Posted
Posted

 

TYVM @@Knight_Elf. Yeah, so this worked for me too on Ubuntu.. I was stuck on 3.4.1.11 for a while now because of this. Just upgraded to 3.4.1.17 now and "sudo mv /etc/ssl/certs /etc/ssl/certs.bak; sudo systemctl restart emby-server; sleep 5; sudo mv /etc/ssl/certs.bak /etc/ssl/certs"  and https://myembyserver:8920 started working again. Now figuring out which cert is causing the problem is going to take some doing since all the perms on the target certs(and their corresponding symlinks in /etc/ssl/certs) look right. :D

 

This also breaks "Emby: Check for application updates failed. The SSL connection could not be established, see inner exception." because it has no SSL certs to use for outgoing connections. :/

 

[uPDATE]

 

So, I figured out what certs were causing the problem

 
/etc/ssl/certs$ file * | grep broken
55a10908.0:                                                       broken symbolic link to UbuntuOne-ValiCert_Class_2_VA.pem
598630ad.0:                                                       broken symbolic link to UbuntuOne-Go_Daddy_CA.pem


/etc/ssl/certs$ sudo rm 55a10908.0 598630ad.0


/etc/ssl/certs$ sudo systemctl restart emby-server

And we are back to normal now. :-D

 

This post litteraly saved my installation

 

A billion thanks mate :)

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...