Friedhelm 1 Posted May 9, 2024
I have set up Emby on my Proxmox in a Debian LXC container. Everything works fine except HTTPS. I have stored the required pfx file in /var/log/emby/config, changed ownership to emby, configured it in the network configuration, and Emby says all is fine. However, when I try to access the server on port 8920, no certificate is present. I checked it with openssl s_client -connect myhost.de:8920 and get "no peer certificate available". I can't find anything in the log (even at debug level) about the pfx activation, whether the certificate was successfully read or not. How can I diagnose the HTTPS setup? Are there any other log options to check if and why the certificate activation failed? Any help is appreciated. The log is attached. embyserver.txt
Q-Droid 989 Posted May 9, 2024
Restart your Emby server, then check the log to see if it's listening on the HTTPS port. It will be in the log and needs to be restarted. Rotated logs don't have the info.
Friedhelm 1 Posted May 9, 2024 (Author)
I restarted already a dozen times, and also updated from 4.8.5.0 to 4.8.6.0. What I uploaded was an active log, not a rotated one. I'm an experienced IT guy, so you can assume I've done the basic troubleshooting already. Port 8920 is open, telnet connects. So it is not a firewall issue or anything. In the log you don't find a single word regarding the certificate; that's why I asked where I should find it and what it should look like. I checked both the currently written log and the rotated logs. The only thing I see in the log is:
Info App: Adding HttpListener prefix https://+:8920/
No word about the pfx. I also checked system.xml to see if it contains the proper path, filename and password. All looks good.
Luke 42077 Posted May 9, 2024
It appears that the server is listening on the https port, so I think you're good in that regard. I think the issue is that the requests are never reaching Emby Server, hence no activity in the server log. So it sounds like you have something in the middle causing that.
Friedhelm 1 Posted May 9, 2024 (Author)
Nope, that's not the problem. When Emby is up, port 8920 connects; when it is down, it doesn't. So the datagrams are reaching the server, but since I am requesting HTTPS and there is no certificate, the browser returns an error, SSL_ERROR_PROTOCOL_VERSION_ALERT, and any communication is aborted. I also tried HTTP on port 8920, but that resets the connection.
Q-Droid 989 Posted May 9, 2024
Have you verified the contents of the pfx to make sure the needed certs are in it? I replied from my phone and didn't look at your log.
Friedhelm 1 Posted May 9, 2024 (Author)
PS: HTTP on 8096 is working, so the network routes are fine, too. To me it looks like Emby has a problem reading the certificate, but, once again, there is nothing in the logs...
Friedhelm 1 Posted May 9, 2024 (Author)
3 minutes ago, Lessaj said: Does openssl work properly inside the container?
Good point. But same result:
root@emby:/var/lib/emby# openssl s_client -connect localhost:8920
CONNECTED(00000003)
40D76D37A4730000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1586:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 297 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
The pfx is definitely fine, certificates are my daily business. Private key is included and password is correct.
Lessaj 467 Posted May 9, 2024
Looks like this is probably a LetsEncrypt certificate or something similar with that ISRG Root. What exact command did you run to create the PFX? I'm assuming something like this:
openssl pkcs12 -export -out cert.pfx -inkey /path/to/private.key -in cert.pem
Friedhelm 1 Posted May 9, 2024 (Author)
I get my LE certificates using the certificate manager of my mail server, which has an embedded cert bot. It has an export function that creates the pfx. The pfx files are properly created; I know the developer of the cert manager personally and trust his code. I checked whether openssl can extract key and certs from the pfx and all was fine.
Friedhelm 1 Posted May 9, 2024 (Author)
The openssl dump of the pfx is perfectly fine.
Bag Attributes
    friendlyName:
    localKeyID: 29 9E 01 C9 26 BD 3B 15 86 1B 1A 62 3C 47 6C E2
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIF4zCCBMugAwIBAgISAy6kWI0RvfAVKib0OjCy+4rSMA0GCSqGSIb3DQEBCwUA
....
uxAtpeHNc7yqBqf79mozq+VDP1T+Dg==
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName:
    localKeyID: 29 9E 01 C9 26 BD 3B 15 86 1B 1A 62 3C 47 6C E2
subject=CN = xxxmyhostxxx.de
issuer=C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIF4zCCBMugAwIBAgISAy6kWI0RvfAVKib0OjCy+4rSMA0GCSqGSIb3DQEBCwUA
....
6kqxXlbS4mfkhyiu91qFmBWzlRLwa9g=
-----END CERTIFICATE-----
Bag Attributes
    friendlyName:
    localKeyID: 29 9E 01 C9 26 BD 3B 15 86 1B 1A 62 3C 47 6C E2
subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
...
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
Bag Attributes
    friendlyName:
    localKeyID: 29 9E 01 C9 26 BD 3B 15 86 1B 1A 62 3C 47 6C E2
subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
...
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
Lessaj 467 Posted May 9, 2024 (Solution)
Can you try creating the PFX with only the private key + certificate? My PFX only contains 1 certificate and 1 key. The root and intermediate CA being there shouldn't be an issue, but just to rule it out.
Friedhelm 1 Posted May 9, 2024 (Author)
That worked. But I would still call it a bug. A certificate with included chain should not break a server, and if it does, I'd expect some kind of warning. A cert sanity check would be nice. Maybe you can update the documentation to say that the pfx may not contain a chain: key and cert only.
Q-Droid 989 Posted May 9, 2024
Nope. Emby works with the chain, and the LE fullchain PEM is what should be used when creating the keystore.
Friedhelm 1 Posted May 9, 2024 (Author)
Well, it didn't in my case, and my checks of the pfx did not show any issues, as you can see in the dump I posted. Dumping the pfx and rebuilding it without the chain fixed it, so prove me wrong. However: it is fixed now, thanks to Lessaj. But my major complaint is still there: something didn't work correctly, Emby did not offer the certificate to the connecting clients though it was properly set up, and there was nothing about it in the logs. No "unable to open pfx" or "Invalid pfx structure" or whatever. The same pfx works fine on other hosts.
Friedhelm 1 Posted May 9, 2024 (Author)
I tested it once more and manually built a pfx with the fullchain, and this time it worked. I think the difference from the original fullchain pfx is the encryption of the private key. The new pfx contains an unencrypted private key, and only the pfx itself is password encrypted. The original pfx had both the pfx and the private key encrypted with the same password.
Q-Droid 989 Posted May 9, 2024
That's something the developers could consider. Having both a storepass and a keypass involved, even if the same, might need changes in the Emby code to handle. LE issues the full stack and generates a new private key for each issue/renewal, and doesn't encrypt any of it. Sometimes this is taken for granted when people want to create their keystores in specific and more secure ways. Since most CAs handle CSRs, you don't ever have to expose your private key, and that's the price to pay for the ease and convenience of free services like LE.
Lessaj 467 Posted May 9, 2024
Yes, that was another thought that I had: the key that I used when I created my PFX is not an encrypted key. It asks for an import password as well as a PEM pass phrase when trying to view the pfx with openssl, but they happen to be the same password. It's been a while since I created it.
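An added diagnostic script, not from this thread or from the Emby project: check_pfx automates the checks Friedhelm did by hand on his dump (the password opens the file, exactly one private key, key matches the leaf certificate, how many chain certificates) and also reports whether the key bag inside the PFX is shrouded with its own password, which is the difference he describes between the two PFX files; probe_tls repeats the s_client test and tells "TCP open but no certificate offered" apart from a refused connection. Assumes the OpenSSL CLI (1.1.1 or 3.x); file path, password, host and port are placeholders.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread or the Emby project). Assumes the
# OpenSSL CLI (1.1.1 or 3.x) on PATH; paths, password, host and port are placeholders.

# check_pfx FILE PASSWORD: the password opens the PFX, it holds exactly one private key,
# that key matches the leaf certificate, and the key bag type is reported
# ("shrouded" = key separately encrypted inside the PFX, "unshrouded" = plain key bag).
check_pfx() {
  pfx=$1; pass=$2
  pem=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nodes 2>/dev/null) || {
    echo "cannot open $pfx: wrong password or malformed PKCS#12"; return 1; }
  keys=$(printf '%s\n' "$pem" | grep -c -- '-----BEGIN PRIVATE KEY-----' || true)
  certs=$(printf '%s\n' "$pem" | grep -c -- '-----BEGIN CERTIFICATE-----' || true)
  [ "$keys" -eq 1 ] || { echo "expected exactly 1 private key, found $keys"; return 1; }
  [ "$certs" -ge 1 ] || { echo "no certificate found in $pfx"; return 1; }
  # OpenSSL's PEM readers skip blocks of other types, so the full dump feeds both tools.
  kpub=$(printf '%s\n' "$pem" | openssl pkey -pubout 2>/dev/null)
  cpub=$(printf '%s\n' "$pem" | openssl x509 -pubkey -noout 2>/dev/null)
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] ||
    { echo "private key does not match the leaf (first) certificate"; return 1; }
  # -info writes bag types to stderr: "Shrouded Keybag" vs plain "Key bag".
  info=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -info -noout 2>&1)
  case $info in
    *"Shrouded Keybag"*) keybag=shrouded ;;
    *"Key bag"*)         keybag=unshrouded ;;
    *)                   keybag=unknown ;;
  esac
  echo "ok: 1 key ($keybag), $certs certificate(s)"
}

# probe_tls HOST PORT: distinguishes "TCP open but no certificate offered" (the symptom
# in this thread) from a connection that is refused, filtered, or not TLS at all.
probe_tls() {
  out=$(openssl s_client -connect "$1:$2" -servername "$1" 2>&1 </dev/null) || true
  case $out in
    *"no peer certificate available"*)
      echo "$1:$2 accepted the TCP connection but presented no certificate"; return 1 ;;
    *"-----BEGIN CERTIFICATE-----"*)
      printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -dates ;;
    *)
      echo "no TLS session with $1:$2 (connection refused, filtered, or not TLS)"; return 2 ;;
  esac
}

# Example use (placeholders): check_pfx /var/lib/emby/config/emby.pfx 'pfx-password'
#                             probe_tls emby.example.net 8920
```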
sftech13 25 Posted May 13, 2024 (edited)
After 4.8.6.0 I'm getting this same issue. Ubuntu 20.04. I'm using LE and can't see any errors. Ports are open and working. PFX is valid but Emby will not work with it. Nothing in the logs. I use domain.me for my panel and apps. They are all secure. When I try to apply the cert to Emby it will not work using domain.me:8920. embyserver.txt
Edited May 13, 2024 by sftech13
sftech13 25 Posted May 13, 2024
Is it possible that after the update port 8290 is blocked? I can't get to it from an open port check tool. I have it open on my router, no firewall running on the server, tried DMZ and same thing.
Q-Droid 989 Posted May 13, 2024
It's in your log that it has a problem with the cert file. Quote:
2024-05-13 10:31:28.126 Error App: Error loading cert from /home/sftech13/scripts/emby/certificate.pfx
*** Error Report ***
Version: 4.8.6.0
Command line: /opt/emby-server/system/EmbyServer.dll -programdata /var/lib/emby -ffdetect /opt/emby-server/bin/ffdetect -ffmpeg /opt/emby-server/bin/ffmpeg -ffprobe /opt/emby-server/bin/ffprobe -restartexitcode 3 -updatepackage emby-server-deb_{version}_amd64.deb
Operating system: Linux version 5.4.0-181-generic (buildd@lcy02-amd64-102) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)) #201-Ubuntu SMP Thu Mar 28 15:39:01 UTC 2
Framework: .NET 6.0.25
OS/Process: x64/x64
Runtime: opt/emby-server/system/System.Private.CoreLib.dll
Processor count: 8
Data path: /var/lib/emby
Application path: /opt/emby-server/system
Interop+Crypto+OpenSslCryptographicException: Interop+Crypto+OpenSslCryptographicException: error:2006D002:BIO routines:BIO_new_file:system lib
   at Interop.Crypto.CheckValidOpenSslHandle(SafeHandle handle)
   at Internal.Cryptography.Pal.OpenSslX509CertificateReader.FromFile(String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password)
   at Emby.Server.Implementations.ApplicationHost.GetCertificate(CertificateInfo info)
Source: System.Security.Cryptography.X509Certificates
TargetSite: Void CheckValidOpenSslHandle(System.Runtime.InteropServices.SafeHandle)