paszczuu 0 Posted August 7, 2021
Hello all, guys, can you point out to me how to enable SSL on Raspberry Pi OS? I tried everything Google says: I created a p12 file and put it in the settings, and it won't help. I have my own domain with Let's Encrypt signed SSL, but it seems it does not work with Emby. I tried different ports, also not working. When I try to open the HTTPS link I only get that the connection for this site is not secure, with ERR_SSL_PROTOCOL_ERROR. Could it be that the pkcs12 file was made with openssl instead of Let's Encrypt?

Luke 42077 Posted August 9, 2021
Did you convert the certificate to a pfx file? That is what Emby Server supports.

Q-Droid 989 Posted August 9, 2021
Restart your emby server and attach the most recent server log.

paszczuu 0 Posted August 13, 2021 Author
Yes, I converted the file to pfx format, as was suggested in other topics, but I get a message that the connection is not secure for this site. Log in attachment: embyserver.txt

paszczuu 0 Posted August 13, 2021 Author
It is just after restart: embyserver (1).txt

Q-Droid 989 Posted August 13, 2021
Emby can't use your cert store. Post the output from:

    ls -l /media/emby.p12

    2021-08-13 22:14:12.614 Error App: Error loading cert from /media/emby.p12
    *** Error Report ***
    Version: 4.6.4.0
    Command line: /opt/emby-server/system/EmbyServer.dll -programdata /var/lib/emby -ffdetect /opt/emby-server/bin/ffdetect -ffmpeg /opt/emby-server/bin/ffmpeg -ffprobe /opt/emby-server/bin/ffprobe -restartexitcode 3 -updatepackage emby-server-deb_{version}_armhf.deb
    Operating system: Linux version 5.10.52-v7l+ (dom@buildbot) (arm-linux-gnueabihf-gcc-8 (Ubuntu/Linaro 8.4.0-3ubuntu1) 8.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #144
    Framework: .NET Core 3.1.13
    OS/Process: arm/arm
    Runtime: opt/emby-server/system/System.Private.CoreLib.dll
    Processor count: 4
    Data path: /var/lib/emby
    Application path: /opt/emby-server/system
    Interop+Crypto+OpenSslCryptographicException: Interop+Crypto+OpenSslCryptographicException: error:2006D002:BIO routines:BIO_new_file:system lib
    at Interop.Crypto.CheckValidOpenSslHandle(SafeHandle handle)
    at Internal.Cryptography.Pal.OpenSslX509CertificateReader.FromFile(String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
    at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
    at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password)
    at Emby.Server.Implementations.ApplicationHost.GetCertificate(CertificateInfo info)
    Source: System.Security.Cryptography.X509Certificates
    TargetSite: Void CheckValidOpenSslHandle(System.Runtime.InteropServices.SafeHandle)

Q-Droid 989 Posted August 13, 2021
Change the ownership of the file to the user running the emby server process then restart.

paszczuu 0 Posted August 13, 2021 Author
Which one should I use then? I have run out of ideas.

Q-Droid 989 Posted August 13, 2021

    ls -l /var/lib/emby/logs/embyserver.txt

Then replace user and group below with the user and group from above.

    chown user:group /media/emby.p12

Restart emby.

paszczuu 0 Posted August 13, 2021 Author
Seems it is not working. I changed the ownership but it gives me no access to Emby at all. Which permissions should I have set up?

Q-Droid 989 Posted August 13, 2021
Post the embyserver.txt log from the latest restart. No change needed to permissions. Also:

    ls -l /media/emby.p12

Q-Droid 989 Posted August 14, 2021
The error is the same. Do the user and group pi:pi match the ownership of the emby server log? Wasn't expecting that but I don't run Pi.

Let's check the cert file, it will prompt you for the password used to create it.

    openssl pkcs12 -in /media/emby.p12 -info -nodes

Output should be the cert, intermediates if any and the private key in PEM format. DO NOT POST THEM.

The output should have subject=, issuer=, ---BEGIN CERTIFICATE---, ---END CERTIFICATE---, ---BEGIN PRIVATE KEY---, ---END PRIVATE KEY---. If you don't see any of these or get an error then you likely have to recreate your PFX file.

paszczuu 0 Posted August 14, 2021 Author
The server logs have emby:emby ownership, but this doesn't look like an issue. In the certificate file I have subject, issuer and then 3x BEGIN CERTIFICATE, 3x END CERTIFICATE and then BEGIN and END PRIVATE KEY. What I also see is that after the line with MAC and MAC length, I have a line with PKCS7 encrypted data. Is that correct? Shouldn't it be PKCS12?

Q-Droid 989 Posted August 14, 2021
Yes, it's good. PKCS12 is the container p12 file. The contents can be a different format, PKCS7 in this case.

Ownership is certainly an issue which is why I suggested to make the p12 owner the same as the emby server logs. Make the file emby:emby.

    chown emby:emby /media/emby.p12

Restart emby.

For reference the cert store is typically made accessible only to the runtime process (owner) for security reasons. On a personal system this is less of an issue but there's no reason to deviate from best practice and keep owner rw only. Since the file is now owned by pi no other user besides root can open it. Making the file world readable would also work but again, stick to best practice.

paszczuu 0 Posted August 14, 2021 Author
After changing ownership I can't connect to the Emby website, not even as localhost. Log attached: embyserver-63764554243.txt

paszczuu 0 Posted August 14, 2021 Author
OK, works now with SSL enabled. Port 8920 was taken by an apache process; changing the port in settings solved the issue. Thanks @Q-Droid for your help.
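
The three checks worked through in this thread (store ownership and mode, a parse of the PKCS#12 container that prints no key material, and a listener already bound to the HTTPS port), collected as an added example that is not part of any post above. The script name check.sh and the P12_PASS variable are assumptions of this example; the path, user and port in the usage line are the thread's values.

```shell
#!/bin/sh
# Added example: pre-flight checks for a PKCS#12 store read by a service account.
# Assumes GNU stat, OpenSSL and iproute2 ss, as on Raspberry Pi OS.

# Pass only if FILE is owned by SVC_USER and its mode is owner-only (600 or 400).
check_store_perms() {
    file=$1; svc_user=$2
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    owner=$(stat -c '%U' "$file")
    mode=$(stat -c '%a' "$file")
    if [ "$owner" != "$svc_user" ]; then
        echo "owner is $owner, service runs as $svc_user"; return 1
    fi
    case $mode in
        600|400) return 0 ;;
        *) echo "mode $mode is wider than owner-only"; return 1 ;;
    esac
}

# Verify the container's MAC and structure; -noout keeps certificates and the
# private key off the terminal. The password comes from the exported variable
# P12_PASS (a name chosen for this example).
check_store_parse() {
    openssl pkcs12 -in "$1" -noout -passin env:P12_PASS >/dev/null 2>&1
}

# Succeed if something already listens on TCP port $1 (run as root to see the
# owning process name in the output).
port_in_use() {
    listeners=$(ss -H -ltnp "sport = :$1" 2>/dev/null)
    [ -n "$listeners" ] && echo "$listeners"
}

# Usage with the thread's values: sh check.sh /media/emby.p12 emby 8920
if [ "$#" -eq 3 ]; then
    check_store_perms "$1" "$2" || exit 1
    check_store_parse "$1" || { echo "store does not parse with P12_PASS"; exit 1; }
    if port_in_use "$3"; then echo "port $3 is already bound"; exit 1; fi
    echo "store and port look usable"
fi
```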