SSL: Emby Server sends an intermediate cert of its choice


Solved by Q-Droid

Posted (edited)

OS: Ubuntu Linux 20.04.3

emby-server   deb    4.6.4.0

I spent some hours trying to debug this issue. Emby works with Firefox, but it won't work anymore with Chrome or Safari (I'm using macOS Mojave). My certs are created with Let's Encrypt; I thought the issue was a missing root CA (ISRG Root X1 is missing from some older OSes), but no (I even tried installing it): it seems that Emby Server is (somehow) sending a wrong intermediate certificate, one that doesn't appear in the pkcs12, to the client! Firefox seems able to re-create a correct chain, while Chrome and Safari struggle.

Evidence:

This is the actual pkcs12 file which I'm currently using in Emby (you can find the pkcs12 attached, minus the key for obvious reasons):

IMPORTANT: as you can see by dumping the cert, microserver.zt.franzoni.net and microserver.home.franzoni.net resolve to the very same host. I'm not connecting to different machines.

root@microserver:/tmp# openssl pkcs12 -in microserver.pkcs12 -nokeys -info
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: A7 CA 28 4F 75 F2 88 6E 55 44 6B D2 78 43 E2 10 C6 46 99 DA
subject=CN = microserver.zt.franzoni.net

issuer=C = US, O = Let's Encrypt, CN = R3

Certificate bag
Bag Attributes: <No Attributes>
subject=C = US, O = Let's Encrypt, CN = R3

issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1

PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

The first cert is my host's cert; the second is the intermediate R3, which I dump here via openssl:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            91:2b:08:4a:cf:0c:18:a7:53:f6:d6:2e:25:a7:5f:5a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Validity
            Not Before: Sep  4 00:00:00 2020 GMT
            Not After : Sep 15 16:00:00 2025 GMT
        Subject: C = US, O = Let's Encrypt, CN = R3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier:
                14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            X509v3 Authority Key Identifier:
                keyid:79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E

            Authority Information Access:
                CA Issuers - URI:http://x1.i.lencr.org/

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://x1.c.lencr.org/

            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1


This is the correct intermediate CA.

Now, from my Mac, I run this:

> openssl s_client -showcerts -connect microserver.home.franzoni.net:8920
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
CONNECTED(00000005)
---
Certificate chain
 0 s:/CN=microserver.zt.franzoni.net
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=microserver.zt.franzoni.net
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 3128 bytes and written 293 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 54E4D9FE5C0FE4245B1B2BCFDB9BA1AFBF8433D817AD5E33AD94CE057E517966
    Session-ID-ctx:
    Master-Key: 33F7E77E1281B787D01646E72AC5CE4145AB4CA5341BD42557E99FEA3EE0E879AE3BFF7E4DC18E819BFDD0F8196CF267
    TLS session ticket lifetime hint: 7200 (seconds)
    Start Time: 1634675191
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
---
HTTP/1.1 400 Bad Request
Connection: close
Date: Tue, 19 Oct 2021 20:26:35 GMT
Server: Kestrel
Content-Length: 0

read:errno=0

You can verify that the first certificate, the one for my host, is correct, and it's exactly the one that was in the pkcs12. It's a brand new certificate (I had forced a renewal with Let's Encrypt at the beginning).

But the 2nd one is a different cert, an expired Let's Encrypt R3:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            40:01:75:04:83:14:a4:c8:21:8c:84:a9:0c:16:cd:df
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
        Validity
            Not Before: Oct  7 19:21:40 2020 GMT
            Not After : Sep 29 19:21:40 2021 GMT
        Subject: C = US, O = Let's Encrypt, CN = R3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            Authority Information Access:
                CA Issuers - URI:http://apps.identrust.com/roots/dstrootcax3.p7c

            X509v3 Authority Key Identifier:
                keyid:C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10

            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.root-x1.letsencrypt.org

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl

            X509v3 Subject Key Identifier:
                14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication

This expired R3 is nowhere to be found in my pkcs12.

Ideas and questions:

  • Maybe Emby is trying to do the "right thing" for the user (who maybe doesn't know how to properly set up a chain): it tries to load the innermost cert only and then retrieve a correct intermediate, and that fails in my case?
  • Maybe Emby is caching an older R3 intermediate cert somewhere; maybe it's using the CN or something like that as the cache key, so it gets a stale entry?

I attach:

  • the pkcs12 without the key;
  • the original PEM chain;
  • server logs

Additional notes:

  • The original certificates are obtained from Let's Encrypt via certbot. I tried various ways of creating the pkcs12 (manual cert chaining exported as a single file, using the certfile option from openssl with certificate and chain from certbot, even keytool from the JDK) and nothing changes.
  • I am sure that Emby isn't just using a whole stale pkcs12, because the host cert is properly sent and it's got today's date (I re-generated it this very morning, when I started experiencing issues).

Sorry for the long post, but a proper bug report takes a lot of space (and time).

Attachments: microserver-nokeys.pkcs12, embylogs.tar.gz, chained.pem

Edited by alanfranz
fix: important piece of info was missing
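As an added example (not part of this post, and not Emby's or .NET's code), here is a small Python checker for the symptom reported above: it parses `openssl s_client -showcerts` output, confirms that each served certificate's issuer is the subject of the next certificate sent, checks that the chain ends at the expected trust anchor (ISRG Root X1 rather than the expired DST Root CA X3), and surfaces any verify errors openssl printed. The embedded sample is constructed from the s_client output quoted in the post; the live mode assumes an `openssl` binary on PATH.

```python
import re
import subprocess
import sys

# Constructed sample: the relevant lines of the `openssl s_client -showcerts`
# output quoted in the post (PEM bodies omitted; this check does not need them).
SAMPLE_S_CLIENT_OUTPUT = """\
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
---
Certificate chain
 0 s:/CN=microserver.zt.franzoni.net
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""

def parse_chain(output):
    """Return [(depth, subject, issuer), ...] from the 'Certificate chain' block.
    Handles both the old '/CN=x' and the newer 'CN = x' name formats."""
    lines, chain = output.splitlines(), []
    for i, line in enumerate(lines[:-1]):
        m = re.match(r"^\s*(\d+) s:(.*)$", line)
        n = re.match(r"^\s*i:(.*)$", lines[i + 1])
        if m and n:
            chain.append((int(m.group(1)), m.group(2).strip(), n.group(1).strip()))
    return chain

def chain_problems(output, expected_anchor_cn):
    """Return human-readable findings; an empty list means the served chain looks sane."""
    chain = parse_chain(output)
    if not chain:
        return ["no certificate chain found in output"]
    problems = []
    # Each certificate's issuer must be the subject of the next certificate sent.
    for (d, _, issuer), (d2, subject, _) in zip(chain, chain[1:]):
        if issuer != subject:
            problems.append(f"depth {d} issuer {issuer!r} != depth {d2} subject {subject!r}")
    # The last issuer names the trust anchor the client is expected to hold.
    if expected_anchor_cn not in chain[-1][2]:
        problems.append(f"chain ends at {chain[-1][2]!r}, expected {expected_anchor_cn!r}")
    # Surface each distinct verify error openssl reported (expiry, unknown issuer, ...).
    for err in sorted(set(re.findall(r"^verify error:num=\d+:(.*)$", output, re.M))):
        problems.append(f"openssl verify error: {err}")
    return problems

def fetch_s_client_output(host, port):
    """Capture a live s_client run; the verify lines are printed on stderr, so keep both."""
    cmd = ["openssl", "s_client", "-showcerts", "-servername", host, "-connect", f"{host}:{port}"]
    r = subprocess.run(cmd, input="", capture_output=True, text=True)
    return r.stdout + r.stderr

if __name__ == "__main__":
    # Usage: python check_chain.py [host port]; without arguments the constructed sample is checked.
    out = fetch_s_client_output(sys.argv[1], int(sys.argv[2])) if len(sys.argv) == 3 else SAMPLE_S_CLIENT_OUTPUT
    for finding in chain_problems(out, "ISRG Root X1") or ["chain OK"]:
        print(finding)
```

Run against the sample it reports the two findings that match the post (wrong anchor, expired certificate); after the fix below the same run against the live server should print "chain OK".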
Posted

Hi, thank you for the investigation. This is all handled for us by the .NET Core runtime, and would likely require stepping into its source code to see what's going on.

Posted

Hello Luke,

While I'm not a .NET Core expert, I'd say that it's likely a matter of configuration rather than runtime sources. You could try checking how you configure the webserver (I can imagine you're using a library or a framework); maybe .NET "magically" fetches an intermediate when one is not provided... and maybe Emby isn't configured for fetching intermediates from the pkcs12 file?

Posted (Solution)

Look through this thread. I found the same thing and this was the cause.

Posted

@Q-Droid that did the trick! Thanks. Incidentally, I had tried some of the solutions from the first GitHub issue above, and it seemingly forced a refresh of the store (I had modified Emby CAs). My install is not in Docker.

I think it's a serious problem for a client application... if it's a .NET bug, maybe @Luke you could think about cleaning /var/lib/emby/.dotnet when starting the service. There seems to be basically NOTHING there but the x509stores cache directory.

Posted

Thanks for the feedback.
