kurapov, posted January 31, 2019:

Emby 4.0.1.0 running from official Docker image. Suddenly can't log in via SSL (HTTP 8096 works):

    2019-01-31 23:18:31.343 Error HttpServer: Error in ProcessAccept
    *** Error Report ***
    Version: 4.0.1.0
    Command line: /system/EmbyServer.dll -programdata /config -ffdetect /bin/ffdetect -ffmpeg /bin/ffmpeg -ffprobe /bin/ffprobe -restartexitcode 3
    Operating system: Unix 4.15.0.43
    64-Bit OS: True
    64-Bit Process: True
    User Interactive: True
    Processor count: 2
    Program data path: /config
    Application directory: /system
    System.IO.IOException: System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
       at System.Net.Security.SslStream.BeginAuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState)
       at System.Net.Security.SslStream.BeginAuthenticateAsServer(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation, AsyncCallback asyncCallback, Object asyncState)
       at System.Net.Security.SslStream.<>c.<AuthenticateAsServerAsync>b__50_1(X509Certificate arg1, Boolean arg2, SslProtocols arg3, AsyncCallback callback, Object state)
       at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1,TArg2,TArg3](Func`6 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, TArg2 arg2, TArg3 arg3, Object state, TaskCreationOptions creationOptions)
       at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2,TArg3](Func`6 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, TArg3 arg3, Object state)
       at System.Net.Security.SslStream.AuthenticateAsServerAsync(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
       at SocketHttpListener.Net.HttpConnection.Init()
       at SocketHttpListener.Net.HttpEndPointListener.ProcessAccept(SocketAsyncEventArgs args)
    Source: System.Net.Security
    TargetSite: Void StartReadFrame(Byte[], Int32, System.Net.AsyncProtocolRequest)
       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
       at System.Net.Security.SslStream.BeginAuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState)
       at System.Net.Security.SslStream.BeginAuthenticateAsServer(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation, AsyncCallback asyncCallback, Object asyncState)
       at System.Net.Security.SslStream.<>c.<AuthenticateAsServerAsync>b__50_1(X509Certificate arg1, Boolean arg2, SslProtocols arg3, AsyncCallback callback, Object state)
       at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1,TArg2,TArg3](Func`6 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, TArg2 arg2, TArg3 arg3, Object state, TaskCreationOptions creationOptions)
       at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2,TArg3](Func`6 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, TArg3 arg3, Object state)
       at System.Net.Security.SslStream.AuthenticateAsServerAsync(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
       at SocketHttpListener.Net.HttpConnection.Init()
       at SocketHttpListener.Net.HttpEndPointListener.ProcessAccept(SocketAsyncEventArgs args)

Log shows that HttpClient connections from plugin update checks to HTTPS URLs are timing out.

Also can't register with Connect (seems related):

    2019-01-31 22:52:53.109 Error App: Error registering with Connect
    *** Error Report ***
    Version: 4.0.1.0
    Command line: /system/EmbyServer.dll -programdata /config -ffdetect /bin/ffdetect -ffmpeg /bin/ffmpeg -ffprobe /bin/ffprobe -restartexitcode 3
    Operating system: Unix 4.15.0.43
    64-Bit OS: True
    64-Bit Process: True
    User Interactive: True
    Processor count: 2
    Program data path: /config
    Application directory: /system
    MediaBrowser.Common.Extensions.RemoteServiceUnavailableException: MediaBrowser.Common.Extensions.RemoteServiceUnavailableException: Exception of type 'MediaBrowser.Common.Extensions.RemoteServiceUnavailableException' was thrown.
       at Emby.Server.Connect.ConnectManager.UpdateServerRegistration(String wanApiAddress, String localAddress)
       at Emby.Server.Connect.ConnectManager.UpdateConnectInfoInternal(CancellationToken cancellationToken)
    Source: Emby.Server.Connect
    TargetSite: Void MoveNext()
       at Emby.Server.Connect.ConnectManager.UpdateServerRegistration(String wanApiAddress, String localAddress)
       at Emby.Server.Connect.ConnectManager.UpdateConnectInfoInternal(CancellationToken cancellationToken)

Luke, posted February 1, 2019:

Hi there, what kind of SSL cert have you set up?

kurapov, posted February 1, 2019:

PFX cert issued by Let's Encrypt. I verified it's readable, correct, has empty password. Same cert (in PEM format) is used successfully by other web services on the same machine, but what's more - it was working fine for a week since I migrated my Emby install into a docker container. But even then, 8920 port timeout problems first occurred at the same time that outgoing SSL connections started failing.

Luke, posted February 1, 2019:

Are you sure it hasn't expired?

kurapov, posted February 1, 2019:

100%. As mentioned, I verified with openssl and other apps are using it just fine.

Luke, posted February 1, 2019:

Can you please attach the complete emby server log? Thanks.

kurapov, posted February 1, 2019:

Thanks for your support! Log file attached. Retried with 644 permissions on PFX file, just to be on the safe side - same result.

Attachment: embyserver-63684566536.txt

Luke, posted February 2, 2019:

Ok, you're not going to like my response but I'm afraid I don't know. Obviously there's no widespread ssl problem or we'd have a mass uprising. The exception in the log suggests the client saw something that it didn't like, and then as a result, closed the connection:

    System.IO.IOException: Authentication failed because the remote party has closed the transport stream.

Are you able to reproduce this in a browser? If so, can you pull up the chrome debugger console and capture the contents when this happens? What we really need here is a client-side error message. Thanks.

kurapov, posted February 2, 2019 (edited February 2, 2019):

Yes, I tried connecting in a browser but there's nothing to debug, the conn just dies on a timeout, no communication occurs. Here're the things I tried:

- Connecting from desktop (Safari, Chrome)
- Emby iOS app
- Emby Samsung TV app
- netcat -6 --ssl <hostname> 8920

All have the same outcome. I have to admit I'm completely stumped. My first thought was the fault must've been in iptables yet logs show that Emby receives the request. But even then, both ports (8096, 8920) are opened in the same iptables rule, no typos in container's exposed ports, everything equal, yet 8096 connection worked perfectly and 8920 failed.

But there was a breakthrough - as soon as I changed my docker image to "host" network mode, it started working like it always did! I'll leave it in host mode for now as a workaround but I would really like to understand what I'm doing wrong there...

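A client-side check of the kind asked for above, as an added example that is not part of the original thread or of Emby's code: it reports whether a connection stops at TCP, during the TLS handshake (closed or timed out), or at certificate validation. The function name `probe_tls`, the stage labels and the placeholder host `emby.example.org` are assumptions; port 8920 is the HTTPS port named in the posts.

```python
import socket
import ssl
import sys


def probe_tls(host, port, timeout=5.0):
    """Return (stage, detail) naming the layer at which the connection stops."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("tcp_timeout", "no reply to SYN: packet filter, NAT or port mapping")
    except ConnectionRefusedError:
        return ("tcp_refused", "host reachable, nothing listening on this port")
    except OSError as exc:
        return ("tcp_error", str(exc))

    # Default context: chain, hostname and expiry validation all stay enabled.
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            not_after = tls.getpeercert()["notAfter"]
            return ("tls_ok", f"{tls.version()}, certificate valid until {not_after}")
    except ssl.SSLCertVerificationError as exc:
        # The handshake got as far as the certificate and the client refused it
        # (expired, wrong name, untrusted issuer).
        return ("cert_rejected", exc.verify_message)
    except socket.timeout:
        return ("tls_timeout", "TCP connected, but no handshake bytes came back")
    except OSError as exc:
        # Covers SSLEOFError and ConnectionResetError: the peer dropped the
        # stream mid-handshake.
        return ("tls_closed", f"peer closed or reset during handshake: {exc}")
    finally:
        raw.close()  # no-op once wrap_socket has taken over the descriptor


if __name__ == "__main__":
    # Usage: python probe_tls.py <host> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "emby.example.org"  # placeholder
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8920
    stage, detail = probe_tls(target, port)
    print(f"{target}:{port} -> {stage}: {detail}")
```

Running it from the Docker host, from a second container on the same bridge and from a remote client shows at which hop the result changes.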
Senna, posted February 2, 2019:

You could try to make a post in this topic https://emby.media/community/index.php?/topic/54586-security-101-secure-connections/ describing your issue, with a link to this topic, so that they can respond in your own topic, instead of going off topic there.

kurapov, posted February 2, 2019:

This no longer seems like a purely SSL issue, but a clash of Docker's bridge and Linux's host networking. As shown in previous post, SSL connection runs fine if I don't use bridge.

Senna, posted February 2, 2019:

I know, but that topic is followed by 21 people that are using SSL in lots of setups and maybe also yours. So maybe they have some answers for you and you get more exposure for your issue. Just my 2 cents.

kurapov, posted February 2, 2019:

Thanks, I'll try this thread as well.

@Luke One thing I forgot to mention is that my external host is IPv6 although local IPv4 connection behaved the same way.

Luke, posted February 3, 2019:

> This no longer seems like a purely SSL issue, but a clash of Docker's bridge and Linux's host networking. As shown in previous post, SSL connection runs fine if I don't use bridge.

Ok, that's not a surprise. Bridge network mode is always a bit of a challenge.

michaellarsen91, posted March 31, 2019 (edited April 1, 2019):

Hi, this seems to be the most recent thread on this issue, so throwing in my experience. Used to run Emby on Ubuntu 16.04 where https worked fine, upgraded to 18.04 and inevitably had to do a fresh install because of conflicts with the upgrade. After installing 18.04 I restored my emby backup the manual way, at the last step when you migrate the data from old user data db to the new user data db I had to omit a field so the replace would work because my backup was for an older version of emby that had an extra field that is no longer used, and it did end up working.

My main issue now is I can't get https to work, http works fine. I'm using a LetsEncrypt certificate and using

    openssl pkcs12 -export -out hostcert.pfx -inkey key.pem -in cert.pem

to create the correct cert for emby with a password. In my browser I get

    This site can’t be reached
    ************.ddns.net unexpectedly closed the connection.
    Try:
    Checking the connection
    Checking the proxy and the firewall
    Running Windows Network Diagnostics
    ERR_CONNECTION_CLOSED

and my log file is attached. Any help is appreciated!

Attachment: Log.txt

Luke, posted April 7, 2019:

Hi, I'm not even sure the traffic reached emby server. Have you checked your port forwarding setup in your router?

michaellarsen91, posted April 7, 2019 (edited April 7, 2019):

Hi, thanks for the reply. My port forwarding hasn't changed since my upgrade so it should still work remotely, http does. I think it has to be something else because I am also not able to connect locally. https://10.0.0.100:8920 gives this error

    This site can’t be reached
    The connection was reset.
    Try:
    Checking the connection
    Checking the proxy and the firewall
    Running Windows Network Diagnostics
    ERR_CONNECTION_RESET

I've attached the log as well. Thank you!

Attachment: Log-emby-4-7-19.txt