Emby Theater (Linux) "Unable to Reach Server" (but browser works)

[PaulAdams 4]

I have had my Emby Premiere container running for a few months now and it is accessible from the Internet via NAT, the following client types are working perfectly:

Microsoft Windows (11)
- Emby Theater (Win32 and Windows Store versions)
- Edge
- Firefox

Apple iOS (iPad,iPhone)
- Emby Theater
- Safari
- Firefox

I am looking to change the OS on my HTPCs from Windows 11 to Linux Mint, and while I can get Emby working through Firefox, the Emby Theater app throws the following error (immediately):

Unable to Reach Server
We're unable to connect to the selected server right now. Please ensure it is running and try again.
[Got It]

My container is using a certificate from my own CA so this has been imported into Trusted Root Certification Authorities on Windows and manually into Firefox's own CA store to prevent any warnings - I have done the same on the Linux Mint client (CA .crt file is present in /etc/ssl/certs) and confirmed with openssl verify that the OS is happy with the server's certificate.

Does the Emby Theater app on Linux ignore the list of trusted CAs configred in the OS?

Is there a way to add a .pem/.crt file for my CA somewhere for the app to work on this platform?

Is there a way to get more verbose error handling in the app?

[Luke 42077]

Hi @PaulAdams are you still having an issue with this?

[PaulAdams 4]

Hi @Lukeyep, I can connect on the LAN using the HTTP port using the app, but the error is thrown when trying the HTTPS port (but works from a browser on the same machine).

Problem exists on the 3 Linux machines on the LAN (my house where the server lives) and on 2 others connecting via NAT or VPN tunnel (my apartment).

iPad and Windows apps at both locations work fine.

[Luke 42077]

Hi, can you please try our new Emby Theater 3.0.21 package?

https://emby.media/download

Please let us know how this compares. Thanks !

[PaulAdams 4]

Hi @Lukeno difference I'm afraid.

[Luke 42077]

Are you able to try without https for comparison purposes?

[PaulAdams 4]

My original server configuration loaded as default (working) with the new version, then I tried changing to the server with the HTTPS URL and port (same error as before), then I went back to the HTTP configuration and it was working as before.

[Luke 42077]

OK we'll have to provide a way to get the error message from the client app but I'm pretty sure this comes down to the embedded Chromium build not accepting the SSL certificate.

[PaulAdams 4]

Is there any command-line way for me to verify the Chromium component?

openssl seems happy enough with the certificate, the only thing I can think of is that the server certificate was issued by a root CA and not an intermediate?

openssl s_client -showcerts -connect xx.xx.xx:xxxx

CONNECTED(00000003)
depth=1 DC = xx, DC = xx, DC = xx, DC = xx, CN = xx
verify return:1
depth=0 CN = xx.xx.xx
verify return:1
---
Certificate chain
 0 s:CN = xx.xx.xx
   i:DC = xx, DC = xx, DC = xx, DC = xx, CN = xx
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 23 16:05:09 2023 GMT; NotAfter: Dec 24 16:05:09 2024 GMT
-----BEGIN CERTIFICATE-----
snipped
-----END CERTIFICATE-----
---
Server certificate
subject=CN = xx.xx.xx
issuer=DC = xx, DC = xx, DC = xx, DC = xx, CN = xx
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2054 bytes and written 392 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 9E00943D2FE839BF0707081F2E0122C06324DA7510576B2232CD757944A9A36B
    Session-ID-ctx: 
    Resumption PSK: 5EB8FDB7508F5A8712A260779768C776B5EEF9DE62F9CB477A0A6B965C8E4B90B6FA0CADACC91934AFFD8FCE678C1823
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket: snipped
    Start Time: 1719222668
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 79124DC39CDF1F345F7B8182F5E3FEE8B4FEBC8F0CA8D69F32A012EB2A536050
    Session-ID-ctx: 
    Resumption PSK: E512203C7744E664C5A13474780192023A662265FAB696B3BE095027013CECA111B2013F996E8C67CC8C070D64CAB56A
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket: snipped      
    Start Time: 1719222668
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

 

[Luke 42077]

@PaulAdamsif you locate the theater install folder, under there somewhere you'll find main.js. If you open this file and edit these two lines:

    var enableDevTools = false;
    var enableDevToolsOnStartup = false;

set them both to true, then start theater and it will have a debug console. The debug console should show the error I'm mentioning.

It might not be your certificate's fault though, but rather due to the fact that the embedded chromium build is three years old now. We are working on getting that updated. Thanks.

[PaulAdams 4]

@Lukefound main.js under /opt/emby-theater/electron/resources/app and edited it according to your instructions, got the debug console up no problems.

Reproduced the error in the GUI and the console reports:

GET https://x.x.x.x:xxxx/embysystem/info/public
https://tv.emby.media/modules/emby-apiclient/connectionmanager.js?...:1
net::ERR_CERT_AUTHORITY_INVALID

So I guess chromium (at least on the Ubuntu platform) doesn't use the operating systems list of trusted CAs (in the same way that e.g. Firefox doesn't), I just wonder if it's possible to append to that list in the same way...

[PaulAdams 4]

Solved!

After spending a while trying how to unpack chromium .pak files to see if there was anything in them that I could fiddle with (or override with an unpacked version in the filesystem) I came across a method to add a custom CA certificate to chromium-based packages on Debian.

First a package was needed in order for certutil to become available:

sudo apt install libnss3-tools

Then certutil imports the CA certificate with absolutely no feedback whatsoever:

certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "MY CA" -i /etc/ssl/certs/my_ca.pem

Now Emby Theater connects without a hitch (and I have restored my main.js to the original version).

Thanks for the pointers @Luke!

[Luke 42077]

Thanks for the feedback !