xibinim (Posted February 5)

Run into my next snag. A friend has been unable to connect to my server on his LG TV since I started using SSL. I assumed it was just a setup issue so went over to troubleshoot and it seems his TV will not play ball with the server (worked fine before).

Every time you do the sign in with Emby Connect (pin method), it takes you back to the screen showing 'add server' or 'sign in with Emby Connect'. Adding the server manually doesn't work. Uninstalled the app on the TV/reinstalled - no luck.

Weirdly, by how his OS menu is, his TV seems newer than my own entry level LG TV (which works fine). I guess it might be older as it seemingly doesn't allow him to cast from his work - something my basic one does fine.

I've told him for now to just use a laptop and HDMI cable until I can figure out a solution - which I can only think is either a second instance of Emby on the server or they get a new TV.

Teknician (Posted February 5)

Did you create a domain with your SSL key and did you add your home IP for your redirect in your domain settings? Can they use a browser and connect? As long as there is an Emby app that they can install, it shouldn't be the app. Or, are you using your WAN IP with the secure port to access your server from outside your home?

xibinim (Posted February 5)

> 4 minutes ago, Teknician said:
> Did you create a domain with your SSL key and did you add your home IP for your redirect in your domain settings? Can they use a browser and connect? As long as there is an Emby app that they can install, it shouldn't be the app. Or, are you using your WAN IP with the secure port to access your server from outside your home?

Thanks for replying. I used the Caddy method (created a domain) for SSL so a reverse proxy I believe (still have to manually enable in CMD as I can't get it to work automatically with NSSM). And then for connecting via their TV app, first with EC sign in and then using the WAN IP/port. I've seen other clients view successfully - I think most or all also with LG TVs.

Not considered trying a browser on the TV - wouldn't that be a clunky way of using it (never used a browser on a TV)?

Luke (Posted February 5)

> 7 hours ago, xibinim said:
> Thanks for replying. I used the Caddy method (created a domain) for SSL so a reverse proxy I believe (still have to manually enable in CMD as I can't get it to work automatically with NSSM). And then for connecting via their TV app, first with EC sign in and then using the WAN IP/port. I've seen other clients view successfully - I think most or all also with LG TVs. Not considered trying a browser on the TV - wouldn't that be a clunky way of using it (never used a browser on a TV)?

You might have to allow http for LG/Samsung as they are rejecting most SSL certs.

seanbuff (Posted February 5)

Some LG TV models have expired root certs and no longer accept TLS connections from some devices.

> 12 hours ago, xibinim said:
> I used the Caddy method (created a domain) for SSL so a reverse proxy

Since you're using Caddy, you can probably configure it to create a ZeroSSL cert instead of the default Let's Encrypt one.

You can do that by adding something like this section to your Caddyfile:

    {
        # ZeroSSL Email Address
        acme_ca https://acme.zerossl.com/v2/DV90
        email myname@email.com
    }

There was a whole thread dedicated to it previously, have a read here:
https://emby.media/community/index.php?/topic/102144-several-lg-tvs-cannot-connect-to-server/

Trevor68 (Posted February 5)

> 12 hours ago, xibinim said:
> Not considered trying a browser on the TV - wouldn't that be a clunky way of using it (never used a browser on a TV)?

Yes, but if you add a browser to the TV, and test it working, then you know for sure it is the app that is not liking your setup.

I also use Caddy, so my addy is always emby.mydomain.com. Some apps (looking at you ROKU) are a pain in the ass when you don't have the standard http+port setup.

bandit8623 (Posted February 6)

I know it's not what people want to hear, but don't use apps on your TV; they are security risks. Get a streaming device. 35$

Trevor68 (Posted February 6)

Why would my Google TV be any more of a risk than a Chromecast with Google TV?

bandit8623 (Posted February 6, edited February 6)

> 1 hour ago, Trevor68 said:
> Why would my Google TV be any more of a risk than a Chromecast with Google TV?

Because they don't get the latest security updates. And if it's old enough you can't even use https...

https://cybernews.com/editorial/connected-tv-security-headache-cyber-pros/#:~:text=Well%2C for starters%2C leaving your,of service (DDoS) attacks.

And I wasn't suggesting a Chromecast btw.

Trevor68 (Posted February 6, edited February 6)

Well, there is literally no difference between the Google TV in my bedroom and my Chromecast in the lounge room. It is the same OS, so I'm sure I have no idea what you were referring to. Maybe older TVs. Not all "smart" TVs are the same.

Also a Chromecast IS a streaming device, so you did refer to it.

xibinim (Posted February 6, edited February 6)

> 11 hours ago, seanbuff said:
> Some LG TV models have expired root certs and no longer accept TLS connections from some devices.
> Since you're using Caddy, you can probably configure it to create a ZeroSSL cert instead of the default Let's Encrypt one.
> You can do that by adding something like this section to your Caddyfile:
>
>     {
>         # ZeroSSL Email Address
>         acme_ca https://acme.zerossl.com/v2/DV90
>         email myname@email.com
>     }
>
> There was a whole thread dedicated to it previously, have a read here:
> https://emby.media/community/index.php?/topic/102144-several-lg-tvs-cannot-connect-to-server/

Thank you, I'll give it a go but almost lost my marbles trying various encryption solutions last time.

Luke (Posted February 6)

> 8 hours ago, xibinim said:
> Thank you, I'll give it a go but almost lost my marbles trying various encryption solutions last time.

Let us know how you get on. Thanks.

bandit8623 (Posted February 13, edited February 13)

https://url9788.noip.com/ls/click?upn=LUi80JKtjcz7uPXfjVJj8LSQHPQzUIFMAC7OUEsZs6MQwLf9R-2Bx04fGcxwL6ks-2FrmbBQsk-2F6B9VqBtiWBwYh5SljAdC1RzKwtUkq7I01U3BnLM36L7PHZ8NNi4eLuNdBijH4IL2u13DQw8Zhxbe3xs2KdXYly2Feas-2B9mgzzPaybpgElMN-2Binq9Hj89u5dIxonEIqTjukeDo6BgXeGer7KWqF9OeYF9WNk7gQaSZME6QVI6KCWaKt8hZr5nM3lHY7n8T_mIyFQlk6GRFD99qfuV7hxOHOpJFZsywgz4ZCd6J0wDUNhZOQhnlz9mMtS-2F0L8nyXSwvywisfF1sjG0dgQYHSfOqB3je-2BzwkbdAevS3Vuag-2FjnDSR5jX3fkVF2-2BW0Yuv2IEo5ZPFHe8gmH9P-2FPwElR9gQRfhhBxNGD8dWsPnHDGodfGgXmbtbOFtCjd-2FM2x5sZxcfxU8te6bGbVT238qglBbdrKASbpGcWi2BnL1wxjxf2VyVDRY-2B44tQGaXiH4nbJoRoT8sxpCTLvb181sh4clwxcLUA-2BLKMsI5SD4GkT-2FtXvQEFiFyMgAotilRiLBxY4KJx9dNWnkd-2BkAN6XpMMnOPKQ8TB9-2BEO1wJV06gGfpg-3D

8$ is pretty good for the year. Includes 1 No-IP Vital Encrypt DV SSL Certificate.

Antonio491 (Posted February 15)

Thanks for providing this valuable info.

Nzzer0 (Posted March 10)

Note on the OP: Google Domains is now part of Squarespace, who provide autorenewing SSL as part of their basic domain services (no hosting package required either).

Nzzer0 (Posted March 11, edited March 11)

Uggh, spoke too soon. I think the 'free' Squarespace SSL can only be used on the free holding page and can't be used on your own server. Still working through it...

Jeez, this external access is a mission and a half to work out! .. one step forward, two steps back ...

darkassassin07 (Posted March 11)

I always just used acme.sh to auto-renew Let's Encrypt certs via Cloudflare and DNS-01 verification.

xnappo (Posted April 6)

So... I just had to renew my SSL cert, and I am having trouble getting Emby to work again. I keep getting the error below. I attempted to use a simpler password (just a lowercase word) to no avail. Any ideas?

    2024-04-06 12:30:42.957 Error App: Error loading cert from C:\exes\ssl\certificate.pfx
    *** Error Report ***
    Version: 4.8.3.0
    Command line: C:\Users\cnapp\AppData\Roaming\Emby-Server\system\EmbyServer.dll -noautorunwebapp
    Operating system: Microsoft Windows 10.0.22631
    Framework: .NET 6.0.27
    OS/Process: x64/x64
    Runtime: C:/Users/cnapp/AppData/Roaming/Emby-Server/system/System.Private.CoreLib.dll
    Processor count: 20
    Data path: C:\Users\cnapp\AppData\Roaming\Emby-Server\programdata
    Application path: C:\Users\cnapp\AppData\Roaming\Emby-Server\system
    Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The specified network password is not correct.
       at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(ReadOnlySpan`1 rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
       at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(ReadOnlySpan`1 rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
       at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
       at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password)
       at Emby.Server.Implementations.ApplicationHost.GetCertificate(CertificateInfo info)
    Source: System.Security.Cryptography.X509Certificates
    TargetSite: Internal.Cryptography.Pal.Native.SafeCertContextHandle FilterPFXStore(System.ReadOnlySpan`1[System.Byte], Microsoft.Win32.SafeHandles.SafePasswordHandle, Internal.Cryptography.Pal.Native.PfxCertStoreFlags)

darkassassin07 (Posted April 6, edited April 6)

> Quote
> Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The specified network password is not correct.

You have entered the wrong password for your pfx file.

xnappo (Posted April 6)

> 4 minutes ago, darkassassin07 said:
> You have entered the wrong password for your pfx file.

I mean, that is what it says, but I don't get how. I am following some instructions that have this command:

    ./le64.exe --key account.key --csr domain.csr --csr-key domain.key --crt certificate_20240406.csr --domains "domain.com" --generate-missing --handle-as dns --export-pfx "password" --live

I have tried both with, and without quotes?

Q-Droid (Posted April 6)

> 25 minutes ago, xnappo said:
> C:\exes\ssl\certificate.pfx

Did you check to make sure your command created this file? Does it have a new date/time stamp?

xnappo (Posted April 6, edited April 6)

> 10 minutes ago, Q-Droid said:
> Did you check to make sure your command created this file? Does it have a new date/time stamp?

Yes and yes. I saw in another thread talk of a tool called 'certutil' to locally test. I installed it in Ubuntu, but it doesn't seem like it is the right tool. Any other tool to test the cert password? Unfortunately in messing with this I have exhausted my 'Let's Encrypt' renewals...

[EDIT] Answering my own question, this passes fine:

    xnappo@jupiter:/mnt/c/exes/ssl$ openssl pkcs12 -in certificate_20240406.pfx -noout
    Enter Import Password:
    MAC verified OK

Q-Droid (Posted April 6, edited April 6)

    openssl pkcs12 -in filename.pfx -info -nokeys

EDIT: nokeys is better for just viewing/verifying.

xnappo (Posted April 6, edited April 6)

Thanks guys, I think it was the quotes around the password in my original setup, and now my domain/SSL cert setup is borked due to too many tries. Will mess with it more.

BTW: The problem with the password was that I copied and pasted from HTML into a terminal, and the "" were the damn fancy “”. Unicode Character "“" (U+201C)

Sigh. That was a fun hour of my Saturday lol.

Q-Droid (Posted April 6)

Yep. Paste into notepad(++) first, always.

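The failure xnappo describes above (a PFX password wrapped in U+201C/U+201D after pasting from HTML), as an added example that is not part of the thread: a Python check that reports non-ASCII characters in a pasted command line and shows why the stored password differs from the typed one. The function names and the sample string are constructed for illustration, and `effective_password` is a simplified model of POSIX-style shell quoting (an assumption).

```python
import unicodedata

# Typographic characters that HTML pages and word processors substitute for
# the ASCII characters a shell expects, mapped to the ASCII equivalent.
LOOKALIKES = {
    "\u201c": '"', "\u201d": '"', "\u201e": '"',   # curly double quotes
    "\u2018": "'", "\u2019": "'",                  # curly single quotes
    "\u2013": "-", "\u2014": "-", "\u2212": "-",   # en dash, em dash, minus
    "\u00a0": " ", "\u200b": "",                   # no-break / zero-width space
}


def find_suspect_chars(text):
    """Return (index, codepoint, unicode_name) for every non-ASCII character."""
    hits = []
    for i, ch in enumerate(text):
        if ord(ch) > 0x7F:
            name = unicodedata.name(ch, "UNKNOWN")
            hits.append((i, f"U+{ord(ch):04X}", name))
    return hits


def to_ascii_punctuation(text):
    """Replace known lookalikes with ASCII; other characters are left alone."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in text)


def effective_password(arg):
    """Simplified model (assumption) of what a POSIX-style shell passes on.

    ASCII quotes are shell syntax and are removed; curly quotes are ordinary
    characters to the shell, so they stay and become part of the password.
    """
    if len(arg) >= 2 and arg[0] == arg[-1] and arg[0] in "\"'":
        return arg[1:-1]
    return arg


# Constructed sample: the thread's --export-pfx argument as pasted from HTML.
PASTED = "--export-pfx \u201cpassword\u201d --live"

if __name__ == "__main__":
    for idx, cp, name in find_suspect_chars(PASTED):
        print(f"column {idx}: {cp} {name}")
    print("cleaned:", to_ascii_punctuation(PASTED))
    print("password stored:", effective_password("\u201cpassword\u201d"))
```

Running the check on a command before it consumes a rate-limited certificate issuance avoids burning attempts on a password that cannot be typed back by hand.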