
SSL made easy


MikeB111


xibinim

Run into my next snag. A friend has been unable to connect to my server on his LG TV since I started using SSL. I assumed it was just a setup issue so went over to troubleshoot and it seems his TV will not play ball with the server (worked fine before). Every time you do the sign in with Emby Connect (PIN method), it takes you back to the screen showing 'add server' or 'sign in with Emby Connect'. Adding the server manually doesn't work. Uninstalled the app on the TV/reinstalled - no luck. Weirdly, by how his OS menu is, his TV seems newer than my own entry level LG TV (which works fine). I guess it might be older as it seemingly doesn't allow him to cast from his work - something my basic one does fine. I've told him for now to just use a laptop and HDMI cable until I can figure out a solution - which I can only think is either a second instance of Emby on the server or they get a new TV 🤣


Teknician

Did you create a domain with your ssl key and did you add your home IP for your redirect in your domain settings? Can they use a browser and connect? As long as there is an Emby app that they can install, it shouldn't be the app. 

Or, are you using your WAN IP with the secure port to access your server from outside your home? 


xibinim
4 minutes ago, Teknician said:

Did you create a domain with your ssl key and did you add your home IP for your redirect in your domain settings? Can they use a browser and connect? As long as there is an Emby app that they can install, it shouldn't be the app. 

Or, are you using your WAN IP with the secure port to access your server from outside your home? 

Thanks for replying. I used the Caddy method (created a domain) for SSL so a reverse proxy I believe (still have to manually enable in CMD as I can't get it to work automatically with NSSM). And then for connecting via their TV app, first with EC sign in and then using the WAN IP/port. I've seen other clients view successfully - I think most or all also with LG TVs. Not considered trying a browser on the TV - wouldn't that be a clunky way of using it (never used a browser on a TV)?


7 hours ago, xibinim said:

Thanks for replying. I used the Caddy method (created a domain) for SSL so a reverse proxy I believe (still have to manually enable in CMD as I can't get it to work automatically with NSSM). And then for connecting via their TV app, first with EC sign in and then using the WAN IP/port. I've seen other clients view successfully - I think most or all also with LG TVs. Not considered trying a browser on the TV - wouldn't that be a clunky way of using it (never used a browser on a TV)?

You might have to allow http for LG/Samsung as they are rejecting most ssl certs.


seanbuff

some LG TV models have expired root certs and no longer accept TLS connections from some devices.

12 hours ago, xibinim said:

I used the Caddy method (created a domain) for SSL so a reverse proxy

since you're using Caddy, you can probably configure it to create a ZeroSSL cert instead of the default Let's Encrypt one

you can do that by adding something like this section to your Caddyfile:

{
	#ZeroSSL Email Address
	acme_ca https://acme.zerossl.com/v2/DV90
	email myname@email.com
}

 

There was a whole thread dedicated to it previously, have a read here: https://emby.media/community/index.php?/topic/102144-several-lg-tvs-cannot-connect-to-server/

 

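The failure seanbuff describes is a trust-store problem on the client, not a defect in the server's certificate, so the useful check is: which root does the chain the server sends ultimately require the client to trust, and would a client that lacks that root accept it? Let's Encrypt chains anchor to ISRG Root X1 (the older cross-sign from DST Root CA X3 expired in September 2021), so a device whose root store never received ISRG Root X1 rejects an otherwise perfect chain, and the only server-side remedies are the ones in this thread: a CA whose root the device does have, or plain HTTP. The script below is an added example, not code from the thread, Emby or Caddy. It builds a throwaway root, intermediate and leaf with openssl (all names such as "Example Root" and emby.example.test are made up), summarizes a PEM bundle in the order `openssl s_client -showcerts` delivers it, names the root the client needs, and runs `openssl verify` once against a store that holds that root and once against a store that does not.

```shell
#!/bin/sh
# Added example, not from the thread, Emby or Caddy. Simulates the LG symptom:
# a client whose trust store lacks the root a chain anchors to rejects the
# chain even though every certificate in it is valid. Everything is generated
# in a temp directory; "Example Root", "emby.example.test" etc. are made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# mkcert NAME CN ISSUER KIND: write NAME.key/NAME.pem for subject CN.
# ISSUER "" means self-signed; KIND "ca" sets basicConstraints CA:TRUE
# (root or intermediate), anything else makes an end-entity certificate.
mkcert() {
    name=$1; cn=$2; issuer=$3; kind=$4
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null
    if [ "$kind" = ca ]; then
        echo 'basicConstraints=critical,CA:TRUE' > "$name.ext"
    else
        echo 'basicConstraints=CA:FALSE' > "$name.ext"
    fi
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 1 \
            -extfile "$name.ext" -out "$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
            -CAcreateserial -days 1 -extfile "$name.ext" -out "$name.pem" 2>/dev/null
    fi
}

# Subject and issuer of every certificate in a PEM bundle, in file order
# (leaf first, as "openssl s_client -showcerts" prints them).
chain_summary() {
    awk '/-----BEGIN CERTIFICATE-----/ {n++} n > 0 {print > ("part." n)}' "$1"
    for part in part.*; do
        openssl x509 -in "$part" -noout -subject -issuer
    done
    rm -f part.*
}

# CN of the issuer of the last certificate in the bundle: the root the client
# must already have in its store for the chain to verify.
required_root() {
    chain_summary "$1" | tail -n 1 | sed 's/.*CN *= *//'
}

# Exit 0 if a client whose only trust anchors are in STORE would accept LEAF
# with the INTERMEDIATES the server sends alongside it (chain check only,
# no hostname check).
client_accepts() {
    store=$1; leaf=$2; intermediates=$3
    openssl verify -CAfile "$store" -untrusted "$intermediates" "$leaf" >/dev/null 2>&1
}

mkcert root      "Example Root"         ""    ca
mkcert otherroot "Some Other Root"      ""    ca    # the only root a stale TV has
mkcert inter     "Example Intermediate" root  ca
mkcert leaf      "emby.example.test"    inter end
cat leaf.pem inter.pem > chain.pem                  # what the server actually sends

chain_summary chain.pem
echo "client must trust: $(required_root chain.pem)"
client_accepts root.pem leaf.pem inter.pem      && echo "store with Example Root: accepted"
client_accepts otherroot.pem leaf.pem inter.pem || echo "store without it: rejected (the LG symptom)"
```

Against a live server, capture what it really sends with `openssl s_client -connect emby.example.com:443 -servername emby.example.com -showcerts </dev/null 2>/dev/null | sed -n '/BEGIN CERT/,/END CERT/p' > chain.pem` (hostname assumed) and run `required_root chain.pem`; if that root is not one the TV ships, no amount of reissuing the certificate helps, which is why switching the ACME CA in the Caddyfile above, or allowing HTTP on the LAN, are the options people land on.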

Trevor68
12 hours ago, xibinim said:

 Not considered trying a browser on the TV - wouldn't that be a clunky way of using it (never used a browser on a TV)?

Yes but if you add a browser to the TV, and test it working, then you know for sure it is the app that is not liking your setup. I also use caddy, so my addy is always emby.mydomain.com

some apps (looking at you ROKU) are a pain in the ass when you don't have the standard http+port setup. 


bandit8623

I know it's not what people want to hear but don't use apps on your TV, they are security risks. Get a streaming device. $35


Trevor68

Why would my Google TV be anymore of a risk than a Chromecast with Google TV? 🤔


bandit8623
1 hour ago, Trevor68 said:

Why would my Google TV be anymore of a risk than a Chromecast with Google TV? 🤔

Because they don't get the latest security updates. And if it's old enough you can't even use https...

https://cybernews.com/editorial/connected-tv-security-headache-cyber-pros/#:~:text=Well%2C for starters%2C leaving your,of service (DDoS) attacks.

and i wasnt suggesting a chromecast btw.

Edited by bandit8623

Trevor68

Well there is literally no difference between the Google TV in my bedroom and my Chromecast in the lounge room. It is the same OS, so I'm sure I have no idea what you were referring to. Maybe older TVs. Not all "smart" TVs are the same.

 

Also a Chromecast IS a streaming device, so you did refer to it. 

Edited by Trevor68

xibinim
11 hours ago, seanbuff said:

some LG TV models have expired root certs and no longer accept TLS connections from some devices.

since you're using Caddy, you can probably configure it to create a ZeroSSL cert instead of the default Let's Encrypt one

you can do that by adding something like this section to your Caddyfile:

{
	#ZeroSSL Email Address
	acme_ca https://acme.zerossl.com/v2/DV90
	email myname@email.com
}

 

There was a whole thread dedicated to it previously, have a read here: https://emby.media/community/index.php?/topic/102144-several-lg-tvs-cannot-connect-to-server/

 

Thank you, I'll give it a go but almost lost my marbles trying various encryption solutions last time 😂

Edited by xibinim

8 hours ago, xibinim said:

Thank you, I'll give it a go but almost lost my marbles trying various encryption solutions last time 😂

Let us know how you get on. Thanks.


bandit8623
  • 4 weeks later...
Nzzer0

note on the OP: Google domains is now part of Squarespace, who provide autorenewing SSL as part of their basic domain services (no hosting package required either). 


Nzzer0

Ugh, spoke too soon. I think the 'free' Squarespace SSL can only be used on the free holding page and can't be used on your own server. Still working through it...

Jeez this external access is a mission and a half to work out! .. one step forward, two steps back ... 

Edited by Nzzer0

darkassassin07

I always just used acme.sh to auto-renew lets encrypt certs via cloudflare and DNS-01 verification.


  • 4 weeks later...
xnappo

So... I just had to renew my SSL cert, and I am having trouble getting Emby to work again. I keep getting the error below. I attempted to use a simpler password (just a lowercase word) to no avail. Any ideas?

2024-04-06 12:30:42.957 Error App: Error loading cert from C:\exes\ssl\certificate.pfx
    *** Error Report ***
    Version: 4.8.3.0
    Command line: C:\Users\cnapp\AppData\Roaming\Emby-Server\system\EmbyServer.dll -noautorunwebapp
    Operating system: Microsoft Windows 10.0.22631
    Framework: .NET 6.0.27
    OS/Process: x64/x64
    Runtime: C:/Users/cnapp/AppData/Roaming/Emby-Server/system/System.Private.CoreLib.dll
    Processor count: 20
    Data path: C:\Users\cnapp\AppData\Roaming\Emby-Server\programdata
    Application path: C:\Users\cnapp\AppData\Roaming\Emby-Server\system
    Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The specified network password is not correct.
       at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(ReadOnlySpan`1 rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
       at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(ReadOnlySpan`1 rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
       at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
       at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password)
       at Emby.Server.Implementations.ApplicationHost.GetCertificate(CertificateInfo info)
    Source: System.Security.Cryptography.X509Certificates
    TargetSite: Internal.Cryptography.Pal.Native.SafeCertContextHandle FilterPFXStore(System.ReadOnlySpan`1[System.Byte], Microsoft.Win32.SafeHandles.SafePasswordHandle, Internal.Cryptography.Pal.Native.PfxCertStoreFlags)


darkassassin07
Quote

Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The specified network password is not correct.

 

You have entered the wrong password for your pfx file.

Edited by darkassassin07

xnappo
4 minutes ago, darkassassin07 said:

 

You have entered the wrong password for your pfx file.

I mean, that is what it says, but I don't get how. I am following some instructions that have this command:

./le64.exe --key account.key --csr domain.csr --csr-key domain.key --crt certificate_20240406.csr --domains "domain.com" --generate-missing --handle-as dns --export-pfx "password" --live

I have tried both with and without quotes.


Q-Droid
25 minutes ago, xnappo said:

C:\exes\ssl\certificate.pfx

Did you check to make sure your command created this file? Does it have a new date/time stamp?


xnappo
10 minutes ago, Q-Droid said:

Did you check to make sure your command created this file? Does it have a new date/time stamp?

Yes and yes.

I saw in another thread talk of a tool called 'certutil' to locally test; I installed it in Ubuntu, but it doesn't seem like it is the right tool. Any other tool to test the cert password?

Unfortunately in messing with this I have exhausted my 'let's encrypt' renewals...

[EDIT] Answering my own question, this passes fine:
xnappo@jupiter:/mnt/c/exes/ssl$ openssl pkcs12 -in certificate_20240406.pfx -noout
Enter Import Password:
MAC verified OK

Edited by xnappo

Q-Droid

openssl pkcs12 -in filename.pfx -info -nokeys

EDIT: nokeys is better for just viewing/verifying

 

 

Edited by Q-Droid

xnappo

Thanks guys, I think it was the quotes around the password in my original setup, and now my domain/SSL cert setup is borked due to too many tries. Will mess with it more.

BTW: The problem with the password was that I copied and pasted from HTML into a terminal, and the "" were the damn fancy “”.

Unicode Character "“" (U+201C)

Sigh. That was a fun hour of my Saturday lol.

Edited by xnappo
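xnappo's stack trace ends in `The specified network password is not correct`, the Windows CryptoAPI wording for a PKCS#12 whose integrity MAC does not verify with the password supplied, and the root cause was U+201C/U+201D quotes pasted from HTML becoming part of the password at export time. The script below is an added example, not code from the thread or from Emby. It exports a throwaway self-signed certificate to PFX with openssl (CN emby.example.test is made up), checks candidate passwords the same way the `openssl pkcs12 -noout` check in this thread does, shows the smart-quoted and literal-quoted variants being rejected, and counts non-ASCII bytes in a pasted string so the problem is caught before the file reaches the server.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces the "specified network password
# is not correct" failure offline: a throwaway key/cert is exported to PKCS#12
# with a known password, then candidate passwords are checked the way
# "openssl pkcs12 -noout" checks them, before Emby ever sees the file.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Export a self-signed throwaway certificate to $WORK/certificate.pfx protected
# by password $1 and print the path. The CN is made up.
make_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=emby.example.test" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -passout "pass:$1" -out "$WORK/certificate.pfx"
    printf '%s\n' "$WORK/certificate.pfx"
}

# 0 if password $2 opens PFX $1 (MAC verifies), non-zero otherwise. -passin
# hands over exactly the bytes we have; -noout -nokeys prints nothing, so the
# private key never lands in a terminal scrollback or a log.
pfx_password_ok() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout -nokeys >/dev/null 2>&1
}

# Number of non-ASCII bytes in $1. Anything above 0 in a password or command
# pasted from a web page deserves a look: U+201C/U+201D quotes, U+2013 dashes
# and U+00A0 spaces all survive copy-paste and look right on screen.
non_ascii_bytes() {
    printf '%s' "$1" | LC_ALL=C tr -d '\001-\177' | wc -c | tr -d ' '
}

PFX=$(make_pfx 'password')
pfx_password_ok "$PFX" 'password'   && echo 'password: MAC verified OK'
pfx_password_ok "$PFX" '"password"' || echo '"password": rejected, the ASCII quotes became part of the password'
pfx_password_ok "$PFX" '“password”' || echo '“password”: rejected, smart quotes pasted from HTML'
echo "non-ASCII bytes in the pasted string: $(non_ascii_bytes '“password”')"
```

One caveat before blaming the password a second time: OpenSSL 3 writes PFX files with AES-256-CBC and a SHA-256 MAC by default, and some older Windows builds cannot import those and report the same "network password is not correct" text even when the password is right. If a password passes `pfx_password_ok` but Emby on Windows still rejects the file, re-export with `openssl pkcs12 -export -legacy` and test again.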

Q-Droid

Yep. Paste into notepad(++) first, always.

