Jump to content

Problem url access after certificate update


freeflight29

Recommended Posts

freeflight29

Hello everyone,

I had to renew my SSL certificate on my both asustor nas (same model). For the first one no pb, emby was fine after reboot. but that not  the case on the second one. i encounter a pb with the certificate 

*** Error Report ***
    Version: 4.6.0.30
    Command line: /volume1/.@plugins/AppCentral/emby-server/system/EmbyServer.dll -programdata /home/emby -ffdetect /usr/local/AppCentral/emby-server/bin/ffdetect -ffmpeg /usr/local/AppCentral/emby-server/bin/ffmpeg -ffprobe /usr/local/AppCentral/emby-server/bin/ffprobe -updatepackage emby-server-asustor_{version}_x86-64.apk
    Operating system: Linux version 4.14.x (root@asustor-build) (gcc version 4.6.4 (crosstool-NG crosstool-ng-1.22.0 - x86_64 64-bit toolchain - ASUSTOR Inc.)) #1 SMP Mon F
    Framework: .NET Core 3.1.8
    OS/Process: x64/x64
    Runtime: volume1/.@plugins/AppCentral/emby-server/system/System.Private.CoreLib.dll
    Processor count: 4
    Data path: /home/emby
    Application path: /volume1/.@plugins/AppCentral/emby-server/system
    Interop+Crypto+OpenSslCryptographicException: Interop+Crypto+OpenSslCryptographicException: error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
       at Internal.Cryptography.Pal.OpenSslPkcs12Reader.Decrypt(SafePasswordHandle password)
       at Internal.Cryptography.Pal.PkcsFormatReader.TryReadPkcs12(OpenSslPkcs12Reader pfx, SafePasswordHandle password, Boolean single, ICertificatePal& readPal, List`1& readCerts)
       at Internal.Cryptography.Pal.PkcsFormatReader.TryReadPkcs12(SafeBioHandle bio, SafePasswordHandle password, Boolean single, ICertificatePal& readPal, List`1& readCerts, Exception& openSslException)
       at Internal.Cryptography.Pal.OpenSslX509CertificateReader.FromBio(SafeBioHandle bio, SafePasswordHandle password)
       at Internal.Cryptography.Pal.OpenSslX509CertificateReader.FromFile(String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
       at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
       at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password)
       at Emby.Server.Implementations.ApplicationHost.GetCertificate(CertificateInfo info)
    Source: System.Security.Cryptography.X509Certificates
    TargetSite: Void Decrypt(Microsoft.Win32.SafeHandles.SafePasswordHandle)

My mistake was,  i didn't go checking the log fisrt (i already have the url not reachable, and install the beta version solved this) and i decided to install the beta version for finally a certificate PB.....

When i saw in the log it was a certicifate pb i exctract it from the nas, converted it on pfx format and upload it to the path indicate in emby. But i still have the url unreachable with the same error after the restart of emby

So i don't know what to do by now :(

thanks in advance for your help ^^
 

Link to comment
Share on other sites

freeflight29
11 hours ago, Luke said:

Hi, this error looks like an issue in the .net core runtime:

https://github.com/dotnet/runtime/issues/18254

And that it's possible to workaround it by assigning a password to the certificate.

Hello luke, 

sorry if i'm wrong but i 'm not sure to understand correctly. I extract the password let's encrypt from my nas, after that i convert it in .pfx format with this command : 
openssl pkcs12 -export -out NameOfMyCertificate.pfx -inkey ssl.key -in ssl.crt

and i fill a password like the below:

CertEmby.PNG.a264a3a3f9a5a8ae006ce6ba18ed23a6.PNG

And then i copy the new certificate "emby.pfx" and import it into the NAS, to the same path that i have indicate in the emby network option.

After that i stop emby with the application control panel of my nas and restart it, to be sure that emby use the new certificate.

But it didn't work. So may be the old password that i have i fill under emby network option is not the same that the new one that i generate? (i'm not sure about it) and if it's the case, can i change the password with a command line to indicate to emby that i want to use the new password instead the old one.

May be i didn't correctly understand your link.

Thanks for your help

 

 

Link to comment
Share on other sites

Quote

So may be the old password that i have i fill under emby network option is not the same that the new one that i generate?

Yes make sure that's up to date.

Link to comment
Share on other sites

freeflight29
7 hours ago, Luke said:

Yes make sure that's up to date.

So If I don't remember it, I have no choice that to reinstall emby??? 

Link to comment
Share on other sites

Huh? Just go go the server network settings page and configure the password for your ssl certificate.

Link to comment
Share on other sites

freeflight29
10 hours ago, Luke said:

Huh? Just go go the server network settings page and configure the password for your ssl certificate.

I told you that because the nas is a remote one. So I could not access it via his local url. May be I could use a command line with ssh access? 

Edited by freeflight29
Link to comment
Share on other sites

rbjtech

Ah the classic locked myself out renewing a remote HTTPS cert.. 🤪 

If possible, ask somebody local to enable HTTP on emby, then fix the cert issue, then disable HTTP again.

In future, it is always wise to have an alternative (ideally secure) method to get to the device before you renew the cert.   

 

Link to comment
Share on other sites

Q-Droid

Under the emby config path edit system.xml. Change the password value and restart the emby server.

system.xml:  <CertificatePassword></CertificatePassword>

 

  • Sad 1
Link to comment
Share on other sites

rbjtech

The Cert password is held in plain text !? 

Errr.. I guess if you are already on the system, this isn't a 'huge' issue per say - but c'mon Emby, at least hash it or something !

Link to comment
Share on other sites

freeflight29
On 3/6/2021 at 2:48 PM, Q-Droid said:

Under the emby config path edit system.xml. Change the password value and restart the emby server.

system.xml:  <CertificatePassword></CertificatePassword>

 

hello,

Thanks everyone for your help.

i didn't know why but when i could have access to the emby dashboard i had the both adress local and external on the same port...

Http://LocalIpOfTheNas:8096

Https://FQSNofTheNas:8096

I had to restart the emby server and i have my access again with the usual port. I though i had my one mistake with my test, by taking also a wrong certificate, so i reinstall it one more time ^^. 

By now everything  is good and thanks for your help luke, Q-droid and rbjtech

Edited by freeflight29
  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...