SSL connection doesn't work


kurapov

Emby 4.0.1.0 running from official Docker image.

 

Suddenly can't log in via SSL (HTTP 8096 works):

2019-01-31 23:18:31.343 Error HttpServer: Error in ProcessAccept
	*** Error Report ***
	Version: 4.0.1.0
	Command line: /system/EmbyServer.dll -programdata /config -ffdetect /bin/ffdetect -ffmpeg /bin/ffmpeg -ffprobe /bin/ffprobe -restartexitcode 3
	Operating system: Unix 4.15.0.43
	64-Bit OS: True
	64-Bit Process: True
	User Interactive: True
	Processor count: 2
	Program data path: /config
	Application directory: /system
	System.IO.IOException: System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
	   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
	   at System.Net.Security.SslStream.BeginAuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState)
	   at System.Net.Security.SslStream.BeginAuthenticateAsServer(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation, AsyncCallback asyncCallback, Object asyncState)
	   at System.Net.Security.SslStream.<>c.<AuthenticateAsServerAsync>b__50_1(X509Certificate arg1, Boolean arg2, SslProtocols arg3, AsyncCallback callback, Object state)
	   at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1,TArg2,TArg3](Func`6 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, TArg2 arg2, TArg3 arg3, Object state, TaskCreationOptions creationOptions)
	   at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2,TArg3](Func`6 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, TArg3 arg3, Object state)
	   at System.Net.Security.SslStream.AuthenticateAsServerAsync(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
	   at SocketHttpListener.Net.HttpConnection.Init()
	   at SocketHttpListener.Net.HttpEndPointListener.ProcessAccept(SocketAsyncEventArgs args)
	Source: System.Net.Security
	TargetSite: Void StartReadFrame(Byte[], Int32, System.Net.AsyncProtocolRequest)
	   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
	   at System.Net.Security.SslStream.BeginAuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState)
	   at System.Net.Security.SslStream.BeginAuthenticateAsServer(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation, AsyncCallback asyncCallback, Object asyncState)
	   at System.Net.Security.SslStream.<>c.<AuthenticateAsServerAsync>b__50_1(X509Certificate arg1, Boolean arg2, SslProtocols arg3, AsyncCallback callback, Object state)
	   at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1,TArg2,TArg3](Func`6 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, TArg2 arg2, TArg3 arg3, Object state, TaskCreationOptions creationOptions)
	   at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2,TArg3](Func`6 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, TArg3 arg3, Object state)
	   at System.Net.Security.SslStream.AuthenticateAsServerAsync(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
	   at SocketHttpListener.Net.HttpConnection.Init()
	   at SocketHttpListener.Net.HttpEndPointListener.ProcessAccept(SocketAsyncEventArgs args)

Log shows that HttpClient connections from plugin update checks to HTTPS URLs are timing out.

 

Also can't register with Connect (seems related):

2019-01-31 22:52:53.109 Error App: Error registering with Connect
	*** Error Report ***
	Version: 4.0.1.0
	Command line: /system/EmbyServer.dll -programdata /config -ffdetect /bin/ffdetect -ffmpeg /bin/ffmpeg -ffprobe /bin/ffprobe -restartexitcode 3
	Operating system: Unix 4.15.0.43
	64-Bit OS: True
	64-Bit Process: True
	User Interactive: True
	Processor count: 2
	Program data path: /config
	Application directory: /system
	MediaBrowser.Common.Extensions.RemoteServiceUnavailableException: MediaBrowser.Common.Extensions.RemoteServiceUnavailableException: Exception of type 'MediaBrowser.Common.Extensions.RemoteServiceUnavailableException' was thrown.
	   at Emby.Server.Connect.ConnectManager.UpdateServerRegistration(String wanApiAddress, String localAddress)
	   at Emby.Server.Connect.ConnectManager.UpdateConnectInfoInternal(CancellationToken cancellationToken)
	Source: Emby.Server.Connect
	TargetSite: Void MoveNext()
	   at Emby.Server.Connect.ConnectManager.UpdateServerRegistration(String wanApiAddress, String localAddress)
	   at Emby.Server.Connect.ConnectManager.UpdateConnectInfoInternal(CancellationToken cancellationToken)

PFX cert issued by Let's Encrypt. I verified it's readable, correct, has empty password. Same cert (in PEM format) is used successfully by other web services on the same machine, but what's more - it was working fine for a week since I migrated my Emby install into a docker container. But even then, 8920 port timeout problems first occurred at the same time that outgoing SSL connections started failing.


Ok, you're not going to like my response but I'm afraid I don't know. Obviously there's no widespread ssl problem or we'd have a mass uprising. The exception in the log suggests the client saw something that it didn't like, and then as a result, closed the connection:

System.IO.IOException: Authentication failed because the remote party has closed the transport stream.

Are you able to reproduce this in a browser? If so, can you pull up the Chrome debugger console and capture the contents when this happens? What we really need here is a client-side error message. Thanks.


Yes, I tried connecting in a browser but there's nothing to debug, the conn just dies on a timeout, no communication occurs. Here're the things I tried:

  • Connecting from desktop (Safari, Chrome)
  • Emby iOS app
  • Emby Samsung TV app
  • netcat -6 --ssl <hostname> 8920

All have the same outcome.

 

I have to admit I'm completely stumped. My first thought was the fault must've been in iptables yet logs show that Emby receives the request. But even then, both ports (8096, 8920) are opened in the same iptables rule, no typos in container's exposed ports, everything equal, yet 8096 connection worked perfectly and 8920 failed.

 

But there was a breakthrough - as soon as I changed my docker image to "host" network mode, it started working like it always did!

 

I'll leave it in host mode for now as a workaround but I would really like to understand what I'm doing wrong there...

Edited by kurapov
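A probe for the symptom described in the post above, as an added example that is not part of the original thread: it reports whether a connection stops at the TCP stage or during the TLS handshake, which separates a firewall or forwarding drop from a listener that accepts the socket and then stalls, closes or resets. The function name `probe_tls` and the local silent listener are constructed for illustration; the closed and reset outcomes go beyond the timeout this post reports.

```python
import socket
import ssl


def probe_tls(host, port, timeout=5.0):
    """Return (stage, detail) naming where a TLS connection to host:port stops."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("tcp", "timeout")   # packets dropped before the listener
    except ConnectionRefusedError:
        return ("tcp", "refused")   # nothing is listening on this port
    except OSError as exc:
        return ("tcp", f"error: {exc}")
    # Diagnostic only: certificate validation is off so that a self-signed or
    # mismatched certificate cannot hide a transport-level failure.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("tls", f"ok: {tls.version()}")
    except socket.timeout:
        return ("tls", "timeout")   # TCP connected, no ServerHello came back
    except ConnectionResetError:
        return ("tls", "reset")     # peer answered the ClientHello with RST
    except ssl.SSLEOFError:
        return ("tls", "closed")    # peer closed the stream mid-handshake
    except (ssl.SSLError, OSError) as exc:
        return ("tls", f"error: {exc}")
    finally:
        sock.close()


if __name__ == "__main__":
    # Constructed stand-in for a broken HTTPS port: a local listener that
    # completes the TCP handshake and then never sends a byte.
    silent = socket.socket()
    silent.bind(("127.0.0.1", 0))
    silent.listen(1)
    print(probe_tls("127.0.0.1", silent.getsockname()[1], timeout=1.0))
    # -> ('tls', 'timeout')
    silent.close()
```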

This no longer seems like a purely SSL issue, but a clash of Docker's bridge and Linux's host networking. As shown in the previous post, the SSL connection runs fine if I don't use bridge.


I know, but that topic is followed by 21 people that are using SSL in lots of setups and maybe also yours. So maybe they have some answers for you and you get more exposure for your issue.

Just my 2 cents.


Thanks, I'll try this thread as well.

 

@Luke One thing I forgot to mention is that my external host is IPv6 although local IPv4 connection behaved the same way.


This no longer seems like a purely SSL issue, but a clash of Docker's bridge and Linux's host networking. As shown in the previous post, the SSL connection runs fine if I don't use bridge.

 

Ok, that's not a surprise. Bridge network mode is always a bit of a challenge.


  • 1 month later...
michaellarsen91

Hi, this seems to be the most recent thread on this issue, so throwing in my experience. Used to run Emby on Ubuntu 16.04 where https worked fine, upgraded to 18.04 and inevitably had to do a fresh install because of conflicts with the upgrade. After installing 18.04 I restored my Emby backup the manual way; at the last step, when you migrate the data from the old user data db to the new user data db, I had to omit a field so the replace would work, because my backup was for an older version of Emby that had an extra field that is no longer used, and it did end up working. My main issue now is I can't get https to work, http works fine. I'm using a LetsEncrypt certificate and using openssl pkcs12 -export -out hostcert.pfx -inkey key.pem -in cert.pem to create the correct cert for Emby with a password. In my browser I get

 

This site can’t be reached

************.ddns.net unexpectedly closed the connection.

ERR_CONNECTION_CLOSED

 

 

and my log file is attached. Any help is appreciated!

Log.txt

Edited by michaellarsen91

Hi, I'm not even sure the traffic reached emby server. Have you checked your port forwarding setup in your router?


michaellarsen91

Hi, thanks for the reply. My port forwarding hasn't changed since my upgrade so it should still work remotely, http does. I think it has to be something else because I am also not able to connect locally. https://10.0.0.100:8920 gives this error

 

This site can’t be reached

The connection was reset.

ERR_CONNECTION_RESET
 
 

I've attached the log as well.

 

Thank you!

Log-emby-4-7-19.txt

Edited by michaellarsen91
