External IOS emby app with ssl - not working anymore ?

[vaise 307]

I got a report from a user saying they could not connect from their iphone anymore.

They are quite technical so they uninstalled the app, re-installed, re-added my server and port and get the same connection failure.  The iphone app was updated - may be related. 

 

Note - They say the web app link is working fine for them in their browser on the same iphone - so it seems to be an IOS only issue ?

 

I turned off my wifi and went 4g to simulate, and i also cant get connected in the same way.

 

Anyone else able to test this ?  Not sure if it relates to all remote comms or just ssl ?

[Luke 37132]

What kind of ssl cert?

[vaise 307]

Nothing changed on my backend.

 

PKCS#12

 

Iv posted how I created the emby wanted password ones before.

 

This is from my notes (no graphics pasted here tho) :

 

As Emby uses a pfx format (PKCS#12) then a conversion and password creation needs to be done to convert the letsencrypt certs for emby.

Go to https://www.sslshopper.com/ssl-converter.html, and key in the below data to convert the certs to the pfx format (provide the same password as the wifi password).

Once you click the Convert Certificate button, pointo the output name to   cert-conv.pfx and the location to c:\users\Vaise\ssl.

Block all ports except the emby ssl port in the router now – 8920.  Disable UDP on the router.

Add the info the the emby server.

[Luke 37132]

What kind of ssl cert?

[vaise 307]

I guess i don't understand the question then if my reply was not enough to give you something to go on.

 

The cert is from letsencrypt, I then run that through the link above to create the pfx format with password that emby wants.

[Luke 37132]

How exactly are you testing this?

[vaise 307]

I got an email from one person, they said they could not connect on their iphone.

I then emailed another, they said they could not connect, so they uninstalled/reinstalled the app and re added (or attempted to) the server manually (i dont use emby connect).

I then got my own iphone, turned off wifi, so I am on 4G (hence external), coould not connect.

I uninstalled and reinstalled my emby, added server in normal way - could not connect

turn wifi back on - connects fine.

Called an android remote user, they are all fine.

Called the iphone users to enter the httsp urll into their iphone browsers - they are all fine.

Repeated browser test myself while off network - all fine.

 

I activated the default port on my router for emby server (non ssl), added server fine remotely to the unsecure port.

 

In summary this seems to be an emby ssl ios app issue only.

 

Think I tested it to death.

 

Surely there are others using ssl and iphones that can test the new update ?

[Luke 37132]

Make sure the cert includes the full certificate chain. some good info here: https://community.letsencrypt.org/t/connection-is-not-trusted-ios-only/55374/4

[vaise 307]

ok - dunno what that is.  All I know was it was all working, then emby ios app was updated, then the iphones dont work.

 

I exported the letsencrypt certs again from my asus router (these are installed as part of the asus ddns config, i.e they are not on my emby server) and all i have are two files :

 

cert.pem

key.pem

 

These are what I used to create your required file with password as documented above.

[Luke 37132]

https://community.letsencrypt.org/t/letsencrypt-and-ipad-problem-after-renew/64860

https://community.letsencrypt.org/t/cert-reports-error-on-some-but-not-all-ios-devices/66620

[vaise 307]

I checked both those links, they seem to refer to the apple browsers (safari etc) on the IOS devices.

 

The browsers on the iphones (safara and chrome) bith work fins with the https:// direct emby url.

 

It is ONLY the new updated emby IOS APP that does not connect.

[vaise 307]

Hi,

Anything else I can do here ?

All links you mention relate to safari not working on IOS devices.  That is not my issue.

Safari on the remote iphone is working fine.

It is only the emby IOS app that no longer works since it was last updated.

Every other remote browser and remote device I have (roku and android) works fine remotely with https.

Thanks.

[Luke 37132]

In my testing with a letencrypt cert it is working OK. Perhaps it could be related to the way you've setup the cert? iOS can be a little pickier than the other platforms.

[vaise 307]

OK - as long as it can somehow work.

I find it strange that I had two IOS users that have been working fine for ages and then stopped working as soon as they updated the emby app - so it cant be my config, just something new on the ios end.

Nothing changed on the server side at that time.

 

I was thinking of a re-config using nginx reverse proxy in a docker (with lets encrypt also) anyway - so this has just brought all that planning forward.

[gnollo 16]

OK - as long as it can somehow work.

I find it strange that I had two IOS users that have been working fine for ages and then stopped working as soon as they updated the emby app - so it cant be my config, just something new on the ios end.

Nothing changed on the server side at that time.

 

I was thinking of a re-config using nginx reverse proxy in a docker (with lets encrypt also) anyway - so this has just brought all that planning forward.

I got a friend setup on his iPhone yesterday and he was able to connect, also using letsencrypt. So I don't think that's a general problem. He just downloaded the app on his phone. Let me know if the reverse proxy works for you cause I gave up on that a while ago instead and I also would like to add a password into the process

 

Sent from my SM-A520F using Tapatalk

[vaise 307]

I got a friend setup on his iPhone yesterday and he was able to connect, also using letsencrypt. So I don't think that's a general problem. He just downloaded the app on his phone. Let me know if the reverse proxy works for you cause I gave up on that a while ago instead and I also would like to add a password into the process

 

Sent from my SM-A520F using Tapatalk

 

I used this failure to force me to put the effort into the nginx reverse proxy.

As I was building a new unraid system using dockers, this was a very very easy thing to do for me.

I added the letsencrypt docker, which has nginx, added my configs, I have 6 separate sub domains working fine all forced onto port 443 now.  Emby is not password protected, as password are in there anyway for remote connections, and that would break the app connectivity from iphones/androids etc etc.  If you only use web sites to connect, then you could add the extra layer of password security in nginx.