Zhadum101, posted August 24, 2023

Running on TrueNAS Scale (TrueCharts app).

I can't seem to get Emby to respond to an SSL certificate. I have a valid cert installed on the server, and I have the key and full chain crt file.

Access on http works. Trying https always shows ERR_SSL_PROTOCOL_ERROR.

** I have been able to place it behind a reverse proxy and get SSL working, but we don't want to do this as it causes latency.

I would like to upload a P12/PFX file and have it work on an open port of my choosing.

The command I used to convert the cert is:

openssl pkcs12 -export -out output.pfx -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 -inkey input.key -in input.crt -password pass:

I have tried it with and without a pass to no avail, and other apps do take this cert without issues.

Process is:
- I convert the cert
- Upload to server
- Check permissions on the cert file
- In the Emby portal I choose the cert file and enter the domain
- Restart Emby service

No message in the logs shows any cert error or cert issues at all.

All efforts to resolve https end in ERR_SSL_PROTOCOL_ERROR, and I do use the domain name. In the screenshot above I just used the IP, as the error is the same.

*** What am I doing wrong? Emby is the only app on the server SSL is not working for.

Q-Droid, posted August 24, 2023

You can use openssl to test the connection, verify the cert chain and show the connection handshake details.

openssl s_client -connect <host>:<port>

Zhadum101 (Author), posted August 24, 2023

Acts like it does not even have the cert.

So the same cert file, same permission, different app on the same server... and the command

openssl s_client -connect <host>:<port>

works and spits out the whole cert.

So I know the PFX is good, but I don't know if the encryption commands used are allowed. I am assuming that this command I am using to create it is not compatible with Emby:

openssl pkcs12 -export -out output.pfx -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 -inkey input.key -in input.crt -password pass:

Instead of the above, what openssl command should I be using?

** I assume the chosen encryption is not liked. What encryption is liked?

Q-Droid, posted August 24, 2023

Have you configured the server for secure connections in the settings page you posted above? Restart your Emby server and attach the newest server log.

It's possible Emby might not like the password encryption scheme you've chosen for the cert store and key, but let's look at the log first.

Zhadum101 (Author), posted August 24, 2023

embyserver (10).txt

Restarted and newest log.

Settings on network page:
- Public https port: PRESENT, correct port, router confirmed forwarding
- External domain: PRESENT and double checked
- Custom ssl certificate path: PRESENT, I used the manual navigation to select the cert
- Certificate password: Empty, as the command I used set the password empty

Zhadum101 (Author), posted August 24, 2023

And this is on a working app.

** Next below this is the domain and the certificate chain.

This is on Emby (note the get record wrong version number).

Zhadum101 (Author), posted August 24, 2023

Also just tried this:

openssl pkcs12 -export -out output.pfx -inkey input.key -in input.crt -password pass:

No change, same issue.

Q-Droid, posted August 24, 2023 (Solution)

The Emby server appears to be okay with the pfx file. Are your port mappings correct for the HTTPS port in the container setup?

The server is listening on 8920 as expected, so it was able to open and use the certificate. The port you defined and mapped to 8920 should also be working or at least responding.

Quote:

2023-08-24 10:58:35.452 Info App: Adding HttpListener prefix http://+:8096/
2023-08-24 10:58:35.452 Info App: Adding HttpListener prefix https://+:8920/

Zhadum101 (Author), posted August 24, 2023

Okay, now that you have said that, I think I have found the issue. This is a TRUECHARTS issue, it seems.

That is in the https://github.com/truecharts/charts/blob/master/charts/stable/emby/values.yaml

So no mapping exists to 8920, so it won't answer...

I can add an additional mapping in expert mode. Trying it now.

Zhadum101 (Author), posted August 24, 2023 (edited)

36 minutes ago, Q-Droid said:

"The Emby server appears to be okay with the pfx file. Are your port mappings correct for the HTTPS port in the container setup? The server is listening on 8920 as expected so it was able to open and use the certificate. The port you defined and mapped to 8920 should also be working or at least responding."

THANK YOU QDROID

The TrueCharts app only had a mapping to the http port. This led me to the answer.

Edit app config (in container setup) and add an additional port mapping to target port 8920. This was done by:

1. Add Manual Custom Service
2. Name it, and choose LoadBalancer
3. Additional Service Port: ADD
4. Name it, TCP, 8920, then add the container port the same as you intend for Emby public https

Edited August 24, 2023 by Zhadum101
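
Added example, not part of the original thread: openssl's "wrong version number" generally means the peer answered with something other than a TLS record, so this Python sketch checks what actually answers on the external port before anyone suspects the PFX. The function names and result labels are hypothetical; ports 8096 and 8920 are the ones from the log quoted above.

```python
import socket
import sys

def classify_reply(first_bytes: bytes) -> str:
    """Classify the first bytes a listener sends back to a plaintext request."""
    if first_bytes.startswith(b"HTTP/"):
        return "plain-http"   # an HTTP listener (8096 in the thread) is behind this port
    # TLS records start with a content type (0x15 alert, 0x16 handshake)
    # followed by the major version byte 0x03.
    if len(first_bytes) >= 2 and first_bytes[0] in (0x15, 0x16) and first_bytes[1] == 0x03:
        return "tls"          # a TLS listener (8920 in the thread) is behind this port
    if not first_bytes:
        return "no-reply"     # accepted but silent; confirm with openssl s_client
    return "unknown"

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Send a plaintext HTTP request and classify whatever comes back."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"  # refused or timed out: no port mapping or forwarding
    data = b""
    with sock:
        try:
            sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            while len(data) < 5:
                chunk = sock.recv(5 - len(data))
                if not chunk:
                    break
                data += chunk
        except OSError:
            pass              # reset or timeout mid-read: classify what was received
    return classify_reply(data)

if __name__ == "__main__":
    # Usage: python probe.py <host> <port>
    print(probe(sys.argv[1], int(sys.argv[2])))
```

A "plain-http" or "unreachable" result on the public HTTPS port points at the container or router port mapping rather than at the certificate file.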