Chromecast problem

[willvincent 3]

The only relevant fix I can think of would be exposing the ability to set a custom SSL cert for internal connections, which is only currently possible if you enable external connections.

What I did was enable external connections so that I could populate my custom self-signed cert, but I'm not actually forwarding any external traffic to emby, so it's not possible to hit the server from outside my local network anyway, but enabling external connections within the emby server config allowed defining the certificate to use for https.


The only other thing I could think of that would ease this a bit would be providing a tool to generate and/or obtain a cert to use (letsencrypt, for example)

I've read that it is at least theoretically possible to generate a letsencrypt cert for internal network usage, but you'd have to have a domain to associate it with that is publicly accessible, so that's not super straightforward/easy and not an emby-specific issue.  The only emby specific issue is how one actually defines what cert to use. Which I believe Luke has already stated would be addressed

[Luke 36997]

 

 

The only relevant fix I can think of would be exposing the ability to set a custom SSL cert for internal connections

 

Yes that would be fine. Also for those who may have missed it, you can also use the web app over localhost, or our android mobile app, or iOS app.

[willvincent 3]

you can also use the web app over localhost

Doesn't that necessitate that the server be running on the local machine?

[Luke 36997]

Yes but for some that will be the case.

[Eddie 10]

Well i was hoping that magically this could be addressed by an update on emby's end but if that is not possible then i will look into setting up a cert for https.... i should of prob set one up anyways ... any guides you recommend to follow...

I know i can use android app or ios app but in my current situation i do not have acceess to that and only have a ubuntu client so i cant install the home theater program for windows.. im forced into using the chrome browser to cast it.. thanks for the reply

[Netbug 26]

If anyone can recommend a good step-by-step guide for setting up a cert, it would be very much appreciated. This is causing me a great deal of grief.

[Joe Farmer 2]

@@Eddie this is a Chrome requirement. What fix are you hoping for?

Hi Luke,

 

Can you help me to understand why this is not an Emby issue? Other sites that I use to stream from my daughter's laptop to her Chromecast still work fine ie. Netflix and Youtube but Emby does not. On a very basic level that would seem to me to be something that Emby needs to fix.

[Luke 36997]

Because those sites are running under https. It's not easy for is to just provide that for your server because first you need a domain name to attach the certificate to.

[willvincent 3]

For what it's worth.. a self-signed certificate does work just fine. It's not strictly necessary to expose the server to the net.

Chrome of course will complain that you're accessing an untrusted site:


But after clicking 'proceed' everything will work just fine, you'll see "Not secure" in the address bar, otherwise it's all good.







If you need/want it accessible outside your local network, then yes you'll need a domain, and a proper certificate like those available freely via letsencrypt (note they need frequent refreshing as they're only valid for a few months at a time)

[Joe Farmer 2]

For what it's worth.. a self-signed certificate does work just fine. It's not strictly necessary to expose the server to the net.

 

 

Thanks, guess I'll have to look into how to create a self-signed cert then hey!

[Netbug 26]

For what it's worth.. a self-signed certificate does work just fine. It's not strictly necessary to expose the server to the net.

 

Chrome of course will complain that you're accessing an untrusted site:

 

But after clicking 'proceed' everything will work just fine, you'll see "Not secure" in the address bar, otherwise it's all good.

 

 

 

 

If you need/want it accessible outside your local network, then yes you'll need a domain, and a proper certificate like those available freely via letsencrypt (note they need frequent refreshing as they're only valid for a few months at a time)

 

 

How do you get to this point, willvincent?

 

Edited February 26, 2019 by Netbug

[Joe Farmer 2]

How do you get to this point, willvincent?

 

You will need to create a self-signed certificate. From what I understand it is not a simple task and something that you would need to research and figure out how to do as although several people have mentioned doing it, no one has yet given any information on how to do it or where to get information on how to do it.

 

I'm considering whether or not I take the time to try to figure it out myself, haven't had time to do it yet.

 

Would be good if someone who has already done it could give us some direction on how to do it or even just a link to some resources that would help us to figure it out ourselves *hint hint*

[willvincent 3]

I've mentioned it earlier, but for me cert generation is built into my router, so I'm not sure how much help I can provide.. I'll see if I can track down some linkage.

Within emby, when managing the server -- on the 'Expert > Advanced' settings form, you must tick the box to enable remote connections so that you can provide your custom self-signed cert. 





I think it'll also require that you populate the "External Domain" field, but if you're not going to actually forward external traffic to the emby server, what you put there isn't entirely important as far as I can figure.

Once you've done that, you simply access your server via the https port, 8920 by default... so for me, I hit: https://emby:8920/web/index.html

Edited February 28, 2019 by willvincent

[willvincent 3]

Try this: https://stackoverflow.com/a/20445432/1972101

 

On linux/mac commands should be the same, but just be openssl ...whatever... instead of C:\Openssl\bin\openssl.exe

Once you've got the cert, you'll need to put it onto the server OR a network path that you can access via emby.


EDIT:

The last comment on that stackoverflow claims it's doable in two steps.. haven't tested.
 

openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:4096 -keyout mykey.key -out mypem.pem

openssl pkcs12 -export -out myp12.p12 -inkey mykey.key -in mypem.pem

Edited February 28, 2019 by willvincent

[Joe Farmer 2]

 

Try this: https://stackoverflow.com/a/20445432/1972101

 

On linux/mac commands should be the same, but just be openssl ...whatever... instead of C:\Openssl\bin\openssl.exe

 

Once you've got the cert, you'll need to put it onto the server OR a network path that you can access via emby.

 

 

EDIT:

 

The last comment on that stackoverflow claims it's doable in two steps.. haven't tested.

 

openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:4096 -keyout mykey.key -out mypem.pem

openssl pkcs12 -export -out myp12.p12 -inkey mykey.key -in mypem.pem

 

Crikey!

 

This all seems way too complicated for me! The sad thing is I actually work for RSA but I'm no coder or engineer so this all goes over my head.....a bit like an aeroplane!

 

If/when I have time I'll try to read through what you provided so thank you.

 

I did also find this topic https://emby.media/community/index.php?/topic/42315-creating-a-letsencrypt-ssl-certificate-for-emby/ but not sure if it's relevant as it dates back to 2016.

[Sp3kt3r 13]

 

Try this: https://stackoverflow.com/a/20445432/1972101

 

On linux/mac commands should be the same, but just be openssl ...whatever... instead of C:\Openssl\bin\openssl.exe

 

Once you've got the cert, you'll need to put it onto the server OR a network path that you can access via emby.

 

 

EDIT:

 

The last comment on that stackoverflow claims it's doable in two steps.. haven't tested.

 

openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:4096 -keyout mykey.key -out mypem.pem

openssl pkcs12 -export -out myp12.p12 -inkey mykey.key -in mypem.pem

 

I had the same issue and just found this thread... and Thx ! this was easy and its work...

 

Just need to install the openSSL from http://slproweb.com/products/Win32OpenSSL.html , I used the version  Win64 OpenSSL v1.1.1b Light

Once installed, I used the 2 step provided from stackoverflow and it works.

 

UPDATE: I spoke to fast, the custom SSL works fine, I can see my chromecast but I can't play anything, when I click the PLAY button it doesn't do anything.

I rebooted my emby server and chromecast.

 

I will continue investigation and look at the log.

Edited March 1, 2019 by Sp3kt3r

[Netbug 26]

I've mentioned it earlier, but for me cert generation is built into my router, so I'm not sure how much help I can provide.. I'll see if I can track down some linkage.

 

Within emby, when managing the server -- on the 'Expert > Advanced' settings form, you must tick the box to enable remote connections so that you can provide your custom self-signed cert. 

 

 

 

I think it'll also require that you populate the "External Domain" field, but if you're not going to actually forward external traffic to the emby server, what you put there isn't entirely important as far as I can figure.

 

Once you've done that, you simply access your server via the https port, 8920 by default... so for me, I hit: https://emby:8920/web/index.html

This is extremely helpful. Thank you.

 

I'm stuck at what is probably a simple point though; where do I place the file on my server? I grew up in a windows environment, so I can't figure out which directory I need to put the certificate in.

[willvincent 3]

This is extremely helpful. Thank you.

 

I'm stuck at what is probably a simple point though; where do I place the file on my server? I grew up in a windows environment, so I can't figure out which directory I need to put the certificate in.

Anywhere really.. emby provides a file picker in the ui so that you can navigate to and select the file.. so anywhere accessible is sufficient.

 

Easiest would be in your home directory `/home/your_user_name`

[Netbug 26]

Anywhere really.. emby provides a file picker in the ui so that you can navigate to and select the file.. so anywhere accessible is sufficient.

 

Easiest would be in your home directory `/home/your_user_name`

 

Got it. I can access it now, and Chromecast shows up, but for some reason, it won't actually cast. No error, just won't cast. Seems to be the same issue that Sp3ct3r is having.

[willvincent 3]

Hmm... so the only significant difference I can think of is that for my cert I first made a custom signing cert for my internal network, and signed with that. Could be that makes a difference.

All of that too was through my OPNsense router, but here's info about doing it manually: https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/

 

As much of a hassle as all of this is, the better solution might be to get a device other than a chromecast that is less particular about how you can use it. There have to be other options that are easier to work with

Edited March 2, 2019 by willvincent

[Netbug 26]

Hmm... so the only significant difference I can think of is that for my cert I first made a custom signing cert for my internal network, and signed with that. Could be that makes a difference.

 

All of that too was through my OPNsense router, but here's info about doing it manually: https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/

 

As much of a hassle as all of this is, the better solution might be to get a device other than a chromecast that is less particular about how you can use it. There have to be other options that are easier to work with

 

You're right. This is getting mighty difficult. I'm thinking I might just use it from the devices like my iPad and Android as they seem to continue to function. Might be worth looking in to down the road though.

[denkuy 2]

I'm currently setting the "unsafely-treat-insecure-origin-as-secure" flag in chrome so that I can use my chromecast with a local server without https

 

- go to chrome://flags/#unsafely-treat-insecure-origin-as-secure

- enable unsafely-treat-insecure-origin-as-secure

- add http://<EMBY_SERVER_IP>:8096

- restart browser

Edited March 14, 2019 by denkuy

[z3ndra 7]

finally it's so easy to create a certificate for Emby, I can make a tuto on ubuntu if you want

[z3ndra 7]

Tutorial make emby to https

I make that under Ubuntu and with a fix ip, but if you have a dynamic ip, get a dds (dynamic domain name) make sure  that you are root on your server, with this command : sudo -i

1. it is imperative that you obtain a domain name
2. redirect your domain name to your server, for that go to the dns parameter and create a record and enter the IP address of your server.

3 ) make sure that there is not a single iptables rule that concerns port 80, which is very important for lets encrypt get certified to your domain name. Verify with : iptables -L -t nat --line-number

1. Install  open ssl on your server with the command : apt-get install openssl
2. Install let’s encrypt a free certificate for that, place you in the root folder with : cd /root/

And install let’s encrypt with :

git clone https://github.com/letsencrypt/letsencrypt

install git if install if this is not the case with : apt-get git

1. Place you in the let’s encrypt folder with : cd letsencrypt
2. Generate your certificate with : ./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory certonly
3. choose the choice 1, enter your mail address and accept conditions and enter your domain name and valid
4. go to the folder : cd /  /etc/letsencrypt/live/mydomainname.xx/ (replace mydomainname.xx to your domain name of course)
5. (There you will find 3 files : cert.pem  chain.pem  fullchain.pem  privkey.pem
6. Convert this files to pfx for compatible with emby with : openssl pkcs12 -export -out mydomain.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:
7. move this file to the opt / emby-server / ssl folder
8. in emby : enter your domain name, selec your certificate and choose “required for all connections” in secure connection mode
9. redirect your ports 443 and 80 with : iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8920
10. and  : iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8096
11. restart your server

[willvincent 3]

I'm currently setting the "unsafely-treat-insecure-origin-as-secure" flag in chrome so that I can use my chromecast with a local server without https

 

- go to chrome://flags/#unsafely-treat-insecure-origin-as-secure

- enable unsafely-treat-insecure-origin-as-secure

- add http://<EMBY_SERVER_IP>:8096

- restart browser

 

Seems nice and easy, but doesn't work for me. Thus all the hoop jumping.