ERR_SSL_PROTOCOL_ERROR


Go to solution Solved by Q-Droid,

Posted

Running on Truenas Scale (truecharts app)

 

I can't seem to get emby to respond to an SSL certificate

I have a valid cert installed on the server, I have the key and full chain crt file.

 

Access on http works

Trying https always shows ERR_SSL_PROTOCOL_ERROR

 

** I have been able to place it behind a reverse proxy and get SSL working but we don't want to do this as it causes latency

 

I would like to upload a P12/PFX file and have it work on an open port of my choosing

[screenshot]

 

The command I used to convert the cert is 

openssl pkcs12 -export -out output.pfx -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 -inkey input.key -in input.crt -password pass:

I have tried it with and without a pass to no avail and other apps do take this cert without issues

 

Process is I convert the cert 
Upload to server
Check permissions on the cert file
in the emby portal I choose the cert file
and enter the domain
restart emby service

No message in the logs shows any cert error or cert issues at all

All efforts to resolve https end in 

[screenshot]

ERR_SSL_PROTOCOL_ERROR, and I do use the domain name. In the screenshot above I just used the IP, as the error is the same.

 

***What am I doing wrong?  emby is the only app on the server SSL is not working for

 

 

 

Posted

You can use openssl to test the connection, verify the cert chain and show the connection handshake details.

openssl s_client -connect <host>:<port>

 

Posted

[screenshot]

 

Acts like it does not even have the cert

 

 

So the same cert file same permission different app on the same server...  and the command 

openssl s_client -connect <host>:<port>

works and spits out the whole cert

So I know the PFX is good but I don't know if the encryption commands used are allowed

 

 

I am assuming that this command I am using to create it is not compatible with emby

 

openssl pkcs12 -export -out output.pfx -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 -inkey input.key -in input.crt -password pass:

Instead of the above, what openssl command should I be using? **I assume the chosen encryption is not liked; what encryption is liked?

 

Posted

Have you configured the server for secure connections in the settings page you posted above?

Restart your Emby server and attach the newest server log.

It's possible Emby might not like the password encryption scheme you've chosen for the cert store and key but let's look at the log first.

 

Posted

embyserver (10).txt

 

restarted and newest log

Setting on network page

Public https port
PRESENT   correct port router confirmed forwarding

External domain:
PRESENT   and double check

Custom ssl certificate path:
PRESENT   I used the manual navigation to select the cert

Certificate password:
Empty as the command I used set the password empty

 

[screenshot]

 

Posted

and this is on a working app

[screenshot]

**next below this is the domain and the certificate chain

 

 

 

this is on emby  (note the get record wrong version number)

 

[screenshot]

 

Posted

also just tried this 

openssl pkcs12 -export -out output.pfx -inkey input.key -in input.crt -password pass:

no change same issue

  • Solution
Posted

The Emby server appears to be okay with the pfx file. Are your port mappings correct for the HTTPS port in the container setup? The server is listening on 8920 as expected so it was able to open and use the certificate. The port you defined and mapped to 8920 should also be working or at least responding.

Quote

2023-08-24 10:58:35.452 Info App: Adding HttpListener prefix http://+:8096/
2023-08-24 10:58:35.452 Info App: Adding HttpListener prefix https://+:8920/

 

  • Thanks 1
Posted (edited)
36 minutes ago, Q-Droid said:

The Emby server appears to be okay with the pfx file. Are your port mappings correct for the HTTPS port in the container setup? The server is listening on 8920 as expected so it was able to open and use the certificate. The port you defined and mapped to 8920 should also be working or at least responding.

 

THANK YOU QDROID

 

 

Truecharts app only had mapping to the http port

This led me to the answer

 

Edit app config (in container setup)

add additional port mapping to target port 8920

This was done by 

1.  Add Manual Custom Service
2.  Name it, and choose LoadBalancer
3. Additional Service Port ADD
4.  Name it, TCP, 8920, Then add the container port the same as you intend for emby public https

 

Edited by Zhadum101
  • Thanks 2
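
The diagnosis reached in this thread, as an added example that is not part of any post: a shell helper that reads openssl s_client output and names what is answering on the port chosen for Emby HTTPS, including the "wrong version number" case noted above. The function names are hypothetical and the sample outputs are constructed and abridged; 8920 is the HTTPS listener shown in the quoted server log.

```sh
#!/bin/sh
# Added example (not from the thread): name what answers on the HTTPS port.

# Classify `openssl s_client` output read from stdin.
classify_s_client() {
    out=$(cat)
    case $out in
        *'BEGIN CERTIFICATE'*)    echo tls-ok ;;   # server presented a certificate
        *'wrong version number'*) echo not-tls ;;  # reply was not a TLS record
        *'Connection refused'*|*'connect:errno'*) echo closed ;;  # no listener reached
        *)                        echo unknown ;;
    esac
}

# Map a verdict to the setting to check (8920 is the HTTPS listener in the posted log).
advise() {
    case $1 in
        tls-ok)  echo "TLS answers here; inspect the certificate chain s_client printed" ;;
        not-tls) echo "port reaches a non-TLS listener; map it to container port 8920" ;;
        closed)  echo "nothing answers; add a service port targeting container port 8920" ;;
        *)       echo "inconclusive; read the full s_client output" ;;
    esac
}

# Live probe: probe_port <host> <port>
probe_port() {
    verdict=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>&1 |
        classify_s_client)
    echo "$1:$2 $verdict: $(advise "$verdict")"
}

# Constructed sample outputs (abridged) for trying the classifier offline.
SAMPLE_NOT_TLS='CONNECTED(00000003)
error:1408F10B:SSL routines:ssl3_get_record:wrong version number
no peer certificate available'
SAMPLE_CLOSED='connect: Connection refused
connect:errno=111'
SAMPLE_TLS='CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----'

# Run a live probe only when a host and port are given on the command line.
if [ $# -eq 2 ]; then probe_port "$1" "$2"; fi
```

Run it with the external host name and the public HTTPS port; a not-tls or closed verdict points at the container port mapping rather than at the PFX file.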
