freeflight29 2 Posted March 3, 2021 Share Posted March 3, 2021 Hello everyone, I had to renew my SSL certificate on my both asustor nas (same model). For the first one no pb, emby was fine after reboot. but that not the case on the second one. i encounter a pb with the certificate *** Error Report *** Version: 4.6.0.30 Command line: /volume1/.@plugins/AppCentral/emby-server/system/EmbyServer.dll -programdata /home/emby -ffdetect /usr/local/AppCentral/emby-server/bin/ffdetect -ffmpeg /usr/local/AppCentral/emby-server/bin/ffmpeg -ffprobe /usr/local/AppCentral/emby-server/bin/ffprobe -updatepackage emby-server-asustor_{version}_x86-64.apk Operating system: Linux version 4.14.x (root@asustor-build) (gcc version 4.6.4 (crosstool-NG crosstool-ng-1.22.0 - x86_64 64-bit toolchain - ASUSTOR Inc.)) #1 SMP Mon F Framework: .NET Core 3.1.8 OS/Process: x64/x64 Runtime: volume1/.@plugins/AppCentral/emby-server/system/System.Private.CoreLib.dll Processor count: 4 Data path: /home/emby Application path: /volume1/.@plugins/AppCentral/emby-server/system Interop+Crypto+OpenSslCryptographicException: Interop+Crypto+OpenSslCryptographicException: error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure at Internal.Cryptography.Pal.OpenSslPkcs12Reader.Decrypt(SafePasswordHandle password) at Internal.Cryptography.Pal.PkcsFormatReader.TryReadPkcs12(OpenSslPkcs12Reader pfx, SafePasswordHandle password, Boolean single, ICertificatePal& readPal, List`1& readCerts) at Internal.Cryptography.Pal.PkcsFormatReader.TryReadPkcs12(SafeBioHandle bio, SafePasswordHandle password, Boolean single, ICertificatePal& readPal, List`1& readCerts, Exception& openSslException) at Internal.Cryptography.Pal.OpenSslX509CertificateReader.FromBio(SafeBioHandle bio, SafePasswordHandle password) at Internal.Cryptography.Pal.OpenSslX509CertificateReader.FromFile(String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags) at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags) at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password) at Emby.Server.Implementations.ApplicationHost.GetCertificate(CertificateInfo info) Source: System.Security.Cryptography.X509Certificates TargetSite: Void Decrypt(Microsoft.Win32.SafeHandles.SafePasswordHandle) My mistake was, i didn't go checking the log fisrt (i already have the url not reachable, and install the beta version solved this) and i decided to install the beta version for finally a certificate PB..... When i saw in the log it was a certicifate pb i exctract it from the nas, converted it on pfx format and upload it to the path indicate in emby. But i still have the url unreachable with the same error after the restart of emby So i don't know what to do by now thanks in advance for your help ^^ Link to comment Share on other sites More sharing options...
Luke 36886 Posted March 4, 2021 Share Posted March 4, 2021 Hi, this error looks like an issue in the .net core runtime: https://github.com/dotnet/runtime/issues/18254 And that it's possible to workaround it by assigning a password to the certificate. Link to comment Share on other sites More sharing options...
freeflight29 2 Posted March 4, 2021 Author Share Posted March 4, 2021 11 hours ago, Luke said: Hi, this error looks like an issue in the .net core runtime: https://github.com/dotnet/runtime/issues/18254 And that it's possible to workaround it by assigning a password to the certificate. Hello luke, sorry if i'm wrong but i 'm not sure to understand correctly. I extract the password let's encrypt from my nas, after that i convert it in .pfx format with this command : openssl pkcs12 -export -out NameOfMyCertificate.pfx -inkey ssl.key -in ssl.crt and i fill a password like the below: And then i copy the new certificate "emby.pfx" and import it into the NAS, to the same path that i have indicate in the emby network option. After that i stop emby with the application control panel of my nas and restart it, to be sure that emby use the new certificate. But it didn't work. So may be the old password that i have i fill under emby network option is not the same that the new one that i generate? (i'm not sure about it) and if it's the case, can i change the password with a command line to indicate to emby that i want to use the new password instead the old one. May be i didn't correctly understand your link. Thanks for your help Link to comment Share on other sites More sharing options...
Luke 36886 Posted March 4, 2021 Share Posted March 4, 2021 Quote So may be the old password that i have i fill under emby network option is not the same that the new one that i generate? Yes make sure that's up to date. Link to comment Share on other sites More sharing options...
freeflight29 2 Posted March 4, 2021 Author Share Posted March 4, 2021 7 hours ago, Luke said: Yes make sure that's up to date. So If I don't remember it, I have no choice that to reinstall emby??? Link to comment Share on other sites More sharing options...
Luke 36886 Posted March 4, 2021 Share Posted March 4, 2021 Huh? Just go go the server network settings page and configure the password for your ssl certificate. Link to comment Share on other sites More sharing options...
freeflight29 2 Posted March 5, 2021 Author Share Posted March 5, 2021 (edited) 10 hours ago, Luke said: Huh? Just go go the server network settings page and configure the password for your ssl certificate. I told you that because the nas is a remote one. So I could not access it via his local url. May be I could use a command line with ssh access? Edited March 5, 2021 by freeflight29 Link to comment Share on other sites More sharing options...
Luke 36886 Posted March 5, 2021 Share Posted March 5, 2021 Yes I'm sure you could do that. Link to comment Share on other sites More sharing options...
rbjtech 4170 Posted March 6, 2021 Share Posted March 6, 2021 Ah the classic locked myself out renewing a remote HTTPS cert.. If possible, ask somebody local to enable HTTP on emby, then fix the cert issue, then disable HTTP again. In future, it is always wise to have an alternative (ideally secure) method to get to the device before you renew the cert. Link to comment Share on other sites More sharing options...
Q-Droid 609 Posted March 6, 2021 Share Posted March 6, 2021 Under the emby config path edit system.xml. Change the password value and restart the emby server. system.xml: <CertificatePassword></CertificatePassword> 1 Link to comment Share on other sites More sharing options...
rbjtech 4170 Posted March 8, 2021 Share Posted March 8, 2021 The Cert password is held in plain text !? Errr.. I guess if you are already on the system, this isn't a 'huge' issue per say - but c'mon Emby, at least hash it or something ! Link to comment Share on other sites More sharing options...
freeflight29 2 Posted March 12, 2021 Author Share Posted March 12, 2021 (edited) On 3/6/2021 at 2:48 PM, Q-Droid said: Under the emby config path edit system.xml. Change the password value and restart the emby server. system.xml: <CertificatePassword></CertificatePassword> hello, Thanks everyone for your help. i didn't know why but when i could have access to the emby dashboard i had the both adress local and external on the same port... Http://LocalIpOfTheNas:8096 Https://FQSNofTheNas:8096 I had to restart the emby server and i have my access again with the usual port. I though i had my one mistake with my test, by taking also a wrong certificate, so i reinstall it one more time ^^. By now everything is good and thanks for your help luke, Q-droid and rbjtech Edited March 12, 2021 by freeflight29 1 Link to comment Share on other sites More sharing options...
Luke 36886 Posted March 15, 2021 Share Posted March 15, 2021 Thanks for the feedback ! Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now