Digital_Warrior 0 Posted May 28, 2022 Posted May 28, 2022 Fresh install on Centos 9 Stream. Emby Version 4.7.1.0 I am unable to install any plugins or check for updates. The log shows this error InnerException: System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: NotSignatureValid I am able to download using wget https://embydata.com/admin/service/packageFiles/Emby.PortMapper.dll_1.1.4.exe with out any issue. embyserver.txt
Digital_Warrior 0 Posted May 28, 2022 Author Posted May 28, 2022 (edited) Ok widened my search. https://github.com/dotnet/sdk/issues/25582 and https://github.com/dotnet/sdk/issues/25582 The version that is default install is OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021). Rolling back to the Openssl 1.1.1 branch from CentOS 8 Stream is not realistic as it creates more problems than it solves. Edited May 28, 2022 by Digital_Warrior Update 1
Digital_Warrior 0 Posted May 28, 2022 Author Posted May 28, 2022 Looks like a fix was submitted. https://github.com/dotnet/runtime/commit/dab985716739e1b73a7822ea195b6b3e9600ab6b How long till Emby starts to use the fix?
Luke 42078 Posted May 28, 2022 Posted May 28, 2022 8 hours ago, Digital_Warrior said: Looks like a fix was submitted. https://github.com/dotnet/runtime/commit/dab985716739e1b73a7822ea195b6b3e9600ab6b How long till Emby starts to use the fix? I guess until it makes it into a .net release. Are they backporting that fix into .net 6?
Digital_Warrior 0 Posted May 29, 2022 Author Posted May 29, 2022 (edited) Looks like it was attempted. https://github.com/dotnet/runtime/pull/69668 https://github.com/dotnet/runtime/issues/65874 Edited May 29, 2022 by Digital_Warrior
Luke 42078 Posted May 29, 2022 Posted May 29, 2022 14 minutes ago, Digital_Warrior said: Looks like it was attempted. https://github.com/dotnet/runtime/pull/69668 Great, that's the important thing. Let's hope they decide to put the time in to figure it out.
Q-Droid 989 Posted May 29, 2022 Posted May 29, 2022 (edited) This might be the result of Centos 9 hardening and not necessarily .Net. Would changing the systemwide crypto policy to LEGACY be a workaround? https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening Linked from here: https://serverfault.com/questions/1095898/how-can-i-use-a-legacy-ssh-rsa-key-on-centos-9-stream Edit: Well, after more reading and even if this ends up being the workaround there are big differences between rel 8 and 9. The same policy is stricter in 9 so IF this were to be a solution it would have to be more explicit in how the policy is defined. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening Edited May 29, 2022 by Q-Droid 1
Q-Droid 989 Posted May 29, 2022 Posted May 29, 2022 This was kinda bugging me so I decided to test it with a fresh CentOS Stream 9 VM. The default crypto policy is definitely too strict and causing this problem. The workaround is as simple as changing the policy and rebooting. $ update-crypto-policies --set LEGACY $ reboot I tried using the DEFAULT policy first and got the same error as the OP for plug-in installation. Changing policy to LEGACY allowed plug-in installation and then changing policy back to DEFAULT would trigger the errors again for subsequent plug-in installs. 1
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now