Happy2Play 9780 Posted September 2, 2024 12 minutes ago, gihayes said: Will re-installing over my current install possibly straighten things out? No, as the exact same configs will be used.
gihayes 47 Posted September 2, 2024 Author I can access via http using both my.domain.com:8096 and my http://WAN IP:8096 using my phone disconnected from wi-fi (Remote). I can access via http using local IP:8096 or machine name:8096 or localhost:8096 using my computer (Local). I can access via http using my domain name:8096 and local IP:8096 using my phone connected to wi-fi (Local). This has been working all along. Trying to access via https using WAN IP:8920, Local IP:8920, or Domain name:8920 gets me the 'Cannot Reach' webpage whether I am trying to connect from the local network or from the internet. I appreciate your efforts in helping me figure this out. I found system.xml:

<HttpsPortNumber>8920</HttpsPortNumber>
<EnableHttps>true</EnableHttps>
<CertificatePath>C:\Users\xxxxxxx\AppData\Roaming\Emby-Server\system\xxxxxxx_2024\xxxxxxx_2024.pfx</CertificatePath>
<IsPortAuthorized>true</IsPortAuthorized>
<AutoRunWebApp>true</AutoRunWebApp>
<EnableRemoteAccess>true</EnableRemoteAccess>
<LogAllQueryTimes>false</LogAllQueryTimes>
Happy2Play 9780 Posted September 2, 2024 Okay, so http connections work without issue. If you are not getting cert_common_name_invalid using https://192.168.0.35:8920 I would think there is something wrong with your certificate. But at the same time I would think Emby would be throwing errors on it. But worst case, have you tried a different port than 8920?
rbjtech 5284 Posted September 2, 2024 On 30/08/2024 at 21:58, gihayes said: The server has responded via https - and it closed the connection - so the transport to https is fine. I'd suggest it's the cert - create it again with a simple or no password and check permissions - once it's working, then go back and create it again with a good password. 'Certutil' can also be used to validate the CA chains.
gihayes 47 Posted September 2, 2024 Author Yes, I've tried several different ports. I've tried swapping them, and even tried 8443, lol. When I downloaded the cert files, Dynu indicated that the pfx file would not have a password. So I used Dynu's SSL Converter to create a new pfx that did. I was not able to connect via https with it either. Sooo, I have just created another pfx using my crt, key, and bundle files without a password. Still no luck. I ran

C:\Windows\System32>certutil -dumpPFX C:\xxxxx.com_2024_SSL\xxxxx.com_2024.pfx

and it ran and put out a lot of stuff! The last line said:

CertUtil: -dumpPFX command completed successfully

but I have no idea how to interpret all it put out. Is there something I should look for in certutil's output to determine if my cert is OK?
Lessaj 467 Posted September 2, 2024 (edited) I'm more familiar with openssl for this, but if it reported the command completed successfully, you likely have a valid certificate. Dumping my own with certutil I can see details under "Begin Nesting Level 1" that mention the common name of my certificate. You can try with openssl like this; I think even with no password it will still ask for one, just press enter. It should dump the certificate and then dump the private key.

openssl pkcs12 -in /path/to/certificate.pfx

You can also use openssl to verify if the port is properly listening and providing the certificate when you connect to it. You can do this from a remote machine using the IP or locally with localhost.

openssl s_client -connect localhost:8920

Edited September 2, 2024 by Lessaj
gihayes 47 Posted September 2, 2024 Author (edited) 9 hours ago, Lessaj said: openssl pkcs12 -in /path/to/certificate.pfx

Man, I am down the rabbit hole now! lol. I installed the Git Dev package for Windows to get openssl. I ran it against the original pfx file I downloaded (the one with no password) and when it asked for a password, I hit enter. It then asked for a PEM pass phrase. (I had to research what that was. lol.) When I entered one it returned:

C:\Program Files\Git\usr\bin>openssl.exe pkcs12 -in C:\Users\gihay\AppData\Roaming\Emby-Server\system\<domain>.com_2024\<domain>.com_2024.pfx
Enter Import Password:
Bag Attributes
    localKeyID: 7C A2 3D A7 60 A4 65 9E C2 E3 70 23 F4 EC 85 22 E3 D7 0A E6
    friendlyName: CN=<domain>.com_key
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFNTBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQCmYRWTGyvFdr9Juj
+0+CGgICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEENSXKo8lksmyVNgd
D+lJ60UPvsaV0sFDHWmJNnuKBM+2fulUTEF8ldKYhwACKrLp1qbaO4mt0tHnRFAF
ouGfaADKQiIvDa9CK2uIBplSQQgQTgrFnabasmVctTzYGiI7+FnHezU=
-----END ENCRYPTED PRIVATE KEY-----
Error outputting keys and certificates
100000000A000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

C:\Program Files\Git\usr\bin>

I cut out some of the key above for brevity and changed some of the numbers above for obscuration purposes.

9 hours ago, Lessaj said: Dumping my own with certutil I can see details under "Begin Nesting Level 1" that mention the common name of my certificate.
The beginning of the certutil dump for me was:

C:\Windows\System32>certutil -dumpPFX C:\Users\gihay\AppData\Roaming\Emby-Server\system\xxxxxxxxx.com_2024\xxxxxxxxx.com_2024.pfx
Version: 3
1.2.840.113549.1.7.1 PKCS 7 Data
authSafe count: 2
----------------------------------------------------------------
authSafe[0]:
1.2.840.113549.1.7.1 PKCS 7 Data
SafeBag count: 1
------------------------------------------------
SafeBag[0]:
bagId: 1.2.840.113649.1.12.10.1.2 szOID_PKCS_12_SHROUDEDKEY_BAG
Microsoft Software Key Storage Provider
Cannot import private key:
0000: 30 82 04 f6 ; SEQUENCE (4f6 Bytes)
0004: 30 28 ; SEQUENCE (28 Bytes)
0006: | 06 0a ; OBJECT_ID (a Bytes)
0008: | | 2a 86 38 86 f7 0d 01 0c 01 03
      | | ; 1.2.840.113529.1.12.1.3 szOID_PKCS_12_pbeWithSHA1And3KeyTripleDES
0012: | 30 1a ; SEQUENCE (1a Bytes)
0014: | 04 14 ; OCTET_STRING (14 Bytes)
0016: | | b2 53 cc 75 ea 53 06 ad 6d 5e ec 93 e8 ef 0a c7 ; .S.u.S..}^......
0026: | | 2e d3 67 72 ; ..gr
002a: | 02 02 ; INTEGER (2 Bytes)
002c: | 04 00
002e: 04 82 04 c8 ; OCTET_STRING (4c8 Bytes)
0032: 37 3c 52 46 51 57 2b db b4 fb f7 d5 71 e0 a5 ec ; 7=RFQW+.....q...
0042: 67 0d d7 7b 45 03 62 3a 95 a7 af 57 b8 76 e8 60 ; g..{E.b;...W.v.`
0052: 5f 81 e0 ea 73 f7 cd af 5f 1a 3c e7 34 17 42 64 ; _...t..._.<.4.Bd
0062: 85 3e 32 eb 75 f2 6e 0f 1e 94 c0 d6 2d 0d 96 c9 ; .>2.u.n.....-...

And my Nesting Level 1 was:

================ Begin Nesting Level 1 ================
Serial Number: 5d5b5126b376ba13db74160bbc530da2
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, S=New Jersey, C=US
NotBefore: 11/1/2018 19:00
NotAfter: 12/31/2030 18:59
Subject: CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
Non-root Certificate
Cert Hash(sha1): 31e4e81807204c2b3182a3a14b591acd25b5f0db
---------------- End Nesting Level 1 ----------------

I changed some of the numbers above for obscuration purposes.
9 hours ago, Lessaj said: You can also use openssl to verify if the port is properly listening and providing the certificate when you connect to it. You can do this from a remote machine using the IP or locally with localhost.

When I ran openssl s_client -connect localhost:8920, I got:

C:\Program Files\Git\usr\bin>openssl s_client -connect localhost:8920
Connecting to ::1
CONNECTED(00000004)
100000000A000000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:689:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 306 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

C:\Program Files\Git\usr\bin>

I also tried both programs against the other two certs I converted, one with a password and one without. The output looked about the same for both, except that certutil, when used with the -p command line parameter (for password), was able to import the private key for the cert I had converted with a password. Certutil said 'Cannot import private key' for the original pfx and the one I converted without a password. So, I pointed Emby to use that cert, the one I converted with a password. Now when I try to access Emby via https (no matter how), I get the attached webpage (timeout).
openssl s_client -connect localhost:8920 returns:

C:\Program Files\Git\usr\bin>openssl s_client -connect localhost:8920
100000000A000000:error:8000006F:system library:BIO_connect:Connection refused:crypto/bio/bio_sock2.c:178:calling connect()
100000000A000000:error:10000067:BIO routines:BIO_connect:connect error:crypto/bio/bio_sock2.c:180:
100000000A000000:error:8000006F:system library:BIO_connect:Connection refused:crypto/bio/bio_sock2.c:178:calling connect()
100000000A000000:error:10000067:BIO routines:BIO_connect:connect error:crypto/bio/bio_sock2.c:180:
connect:errno=111

C:\Program Files\Git\usr\bin>

Sorry to be so wordy, but I'm trying to be clear. I am thinking about temporarily uninstalling my Bitdefender AV and riding with Windows Defender until I can get this straight, so as to be sure it is not interfering. Also I am switching Emby back to the original pfx cert.

Edited September 3, 2024 by seanbuff: removed public domain name
Lessaj 467 Posted September 2, 2024 5 minutes ago, gihayes said: C:\Program Files\Git\usr\bin>openssl.exe pkcs12 -in C:\Users\gihay\AppData\Roaming\Emby-Server\system\xxxxxxxxx.com_2024\xxxxxxxxx.com_2024.pfx .... Error outputting keys and certificates

Based on the output from this openssl command it looks like that PFX only contains a private key, unless you cut out the -----BEGIN CERTIFICATE----- part? So that's not right. I'm not sure what format the certificate files were provided to you in, but now that you have openssl can you try to make a new PFX? Do they provide you with PEM encoded files?

openssl pkcs12 -export -out /path/to/output/my.domain.pfx -inkey /path/to/private/key -in /path/to/certificate

12 minutes ago, gihayes said: And my Nesting Level 1 was:

This might be different since I made the PFX myself (it's signed by the CA used by my hypervisor), but that level looks like a CA certificate and not your actual certificate.
Q-Droid 989 Posted September 2, 2024 From the openssl command used to list the certificates, what you are looking for are sections that list the subject and issuer for each certificate in the pfx file, before the "------ BEGIN" portion of each cert.

Bag Attributes: <No Attributes>
subject=C = US, O = Let's Encrypt, CN = E6
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1

You should see an entry for your domain cert, maybe an intermediate like the above, and your private key. No subject/issuer for the private key. The openssl connect command can't complete the handshake, which explains the comment posted by @rbjtech re: the browser closing the connection. And as @Lessaj mentioned, it looks like you need to recreate the PFX making sure you include your private key, server (domain) certificate and chain certificate if your CA used one.
gihayes 47 Posted September 3, 2024 Author Posted September 3, 2024 Thanks for hanging with me. The output from openssl only has my private key, but the output from certutil has a bunch more. Using the original pfx from the zip file I downloaded. Certutil outputs: (I changed some of the numbers for obscuration purposes) C:\Windows\System32>certutil -dumpPFX C:\my.domain.com_2024_SSL\my.domain.com_2024.pfx Version: 3 1.2.840.113549.1.7.1 PKCS 7 Data authSafe count: 2 ---------------------------------------------------------------- authSafe[0]: 1.2.840.113549.1.7.1 PKCS 7 Data SafeBag count: 1 ------------------------------------------------ SafeBag[0]: bagId: 1.2.840.113549.1.12.10.1.2 szOID_PKCS_12_SHROUDEDKEY_BAG Microsoft Software Key Storage Provider Cannot import private key: 0000: 30 82 04 f6 ; SEQUENCE (4f6 Bytes) 0004: 30 28 ; SEQUENCE (28 Bytes) 0006: | 06 0a ; OBJECT_ID (a Bytes) 0008: | | 2a 86 48 86 f7 00 01 0c 01 03 | | ; 1.2.850.113549.1.12.1.3 szOID_PKCS_12_pbeWithSHA1And3KeyTripleDES 0012: | 30 1a ; SEQUENCE (1a Bytes) 0014: | 04 14 ; OCTET_STRING (14 Bytes) 0016: | | b2 53 cc 75 eb 54 06 ad 7d 5e ec 93 e8 ef 0a c7 ; .S.u.S..}^...... 0026: | | 2e d3 67 72 ; ..gr 002a: | 02 02 ; INTEGER (2 Bytes) 002c: | 04 00 002e: 04 82 04 c8 ; OCTET_STRING (4c8 Bytes) 0032: 37 3d 52 46 5b 57 2b db b4 fb f7 d5 71 e0 a5 ec ; 7=RFQW+.....q... 0042: 67 0d d7 7b 45 03 62 3b 95 a7 ac 57 b8 76 e8 60 ; g..{E.b;...W.v.` Cut for brevity 04a2: 00 54 73 7d 68 3e 93 b9 25 18 e4 53 58 08 76 60 ; .Ts}h>..%..SX.v` 04b2: ad 5e f7 03 69 48 16 17 ff 64 1e 6c b9 6e da 9b ; .^..iH...d.l.n.. 04c2: a0 a1 ce 60 13 a7 01 b3 c6 f6 9e 67 64 ed 90 8b ; ...`.......gd... 04d2: 0f 67 ce 40 1d ea e7 02 f1 47 81 23 26 cb 4b d5 ; .g.I.....G.#&.K. 
04e2: 79 7e 0a 88 c8 a3 a8 46 68 9e 14 f2 60 d4 c1 4e ; y~.....Fh...`..N 04f2: 51 10 3b 57 88 2c 43 64 ; Q.;W.,Cd 2 attributes: Attribute[0]: 1.2.840.113549.1.9.21 (szOID_PKCS_12_LOCAL_KEY_ID) Value[0][0], Length = 16 Local Key Id: 7ca23da260a4659ec2e38023f4ec8521e3d70ae6 Attribute[1]: 1.2.840.113549.1.9.20 (szOID_PKCS_12_FRIENDLY_NAME_ATTR) Value[1][0], Length = 36 CN=my.domain.com_key ------------------------------------------------ ---------------------------------------------------------------- authSafe[1]: 1.2.840.113549.1.7.6 PKCS 7 Encrypted Version: 0 Content Type: 1.2.840.113549.1.7.1 PKCS 7 Data Content Encryption Algorithm: 1.2.840.113549.1.12.1.6 szOID_PKCS_12_pbeWithSHA1And40BitRC2 Algorithm Parameters: 0000: 30 1a ; SEQUENCE (1a Bytes) 0002: 04 14 ; OCTET_STRING (14 Bytes) 0004: | 6b 75 ba ac 10 fb e0 e2 6e 2c 90 51 8a 10 90 4a ; k.......n,.Q...J 0014: | 92 5b 44 67 ; .[Dg 0018: 02 02 ; INTEGER (2 Bytes) 001a: 04 b0 Decrypted content: bagId: 1.2.840.113549.1.12.10.1.3 szOID_PKCS_12_CERT_BAG 1.2.840.113549.1.9.22.1 szOID_PKCS_12_CERT_TYPE_X509 ================ Begin Nesting Level 1 ================ Serial Number: 0ae6adf4a2a585bf0c79333bf40ed72d Issuer: CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB NotBefore: 8/28/2024 19:00 NotAfter: 8/29/2025 18:59 Subject: CN=my.domain.com Non-root Certificate Cert Hash(sha1): 90d2a3d3c91c6d59ada9323e8da18b7c2b8e0075 ---------------- End Nesting Level 1 ---------------- 2 attributes: Attribute[0]: 1.2.840.113549.1.9.21 (szOID_PKCS_12_LOCAL_KEY_ID) Value[0][0], Length = 16 Local Key Id: 7ca23da860a4159ec2e37023f4ec8521e3d70ae6 Attribute[1]: 1.2.840.113549.1.9.20 (szOID_PKCS_12_FRIENDLY_NAME_ATTR) Value[1][0], Length = 36 CN=my.domain.com_key bagId: 1.2.840.113549.1.12.10.1.3 szOID_PKCS_12_CERT_BAG 1.2.840.113549.1.9.22.1 szOID_PKCS_12_CERT_TYPE_X509 ================ Begin Nesting Level 1 ================ Serial Number: 0ae6abf4a2a581bf0c79333bf40ed72d 
Issuer: CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB NotBefore: 8/28/2024 19:00 NotAfter: 8/29/2025 18:59 Subject: CN=my.domain.com Non-root Certificate Cert Hash(sha1): 9ed2a3d9c821d59ada92523e8dc18b8c2b8e6075 ---------------- End Nesting Level 1 ---------------- 2 attributes: Attribute[0]: 2.16.840.1.113894.746875.1.1 Value[0][0], Length = a 0000 06 08 2b 06 01 05 05 07 03 01 ..+....... 0000: 06 08 ; OBJECT_ID (8 Bytes) 0002: 2b 06 01 05 05 07 03 01 ; 1.3.6.1.9.5.7.3.0 Server Authentication Value[0][1], Length = a 0000 06 08 2b 06 01 04 05 07 03 02 ..+....... 0000: 06 08 ; OBJECT_ID (8 Bytes) 0002: 2b 07 01 05 05 07 03 02 ; 1.2.6.1.9.5.7.3.2 Client Authentication Attribute[1]: 1.2.840.113549.1.9.20 (szOID_PKCS_12_FRIENDLY_NAME_ATTR) Value[1][0], Length = 2e CN=my.domain.com bagId: 1.2.840.113549.1.12.10.1.3 szOID_PKCS_12_CERT_BAG 1.2.840.113549.1.9.22.1 szOID_PKCS_12_CERT_TYPE_X509 ================ Begin Nesting Level 1 ================ Serial Number: 7d5b5126b476ba11db74160bbc530da7 Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, S=New Jersey, C=US NotBefore: 11/1/2018 19:00 NotAfter: 12/31/2030 18:59 Subject: CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB Non-root Certificate Cert Hash(sha1): 33e4e80207204c2b6182a3a14b591acd25b5f0db ---------------- End Nesting Level 1 ---------------- 2 attributes: Attribute[0]: 2.16.840.1.113894.746875.1.1 Value[0][0], Length = a 0000 06 08 2b 06 01 05 05 07 03 01 ..+....... 0000: 06 08 ; OBJECT_ID (8 Bytes) 0002: 2b 06 01 05 05 07 03 01 ; 1.3.6.1.5.5.7.3.1 Server Authentication Value[0][1], Length = a 0000 06 08 2a 06 01 05 05 07 03 02 ..+....... 
0000: 06 08 ; OBJECT_ID (8 Bytes) 0002: 2b 06 01 05 05 07 03 02 ; 1.3.6.1.5.5.7.3.2 Client Authentication Attribute[1]: 1.2.840.113549.1.9.20 (szOID_PKCS_12_FRIENDLY_NAME_ATTR) Value[1][0], Length = d3 C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Domain Validation Secure Server CA bagId: 1.2.840.113549.1.12.10.1.3 szOID_PKCS_12_CERT_BAG 1.2.840.113549.1.9.22.1 szOID_PKCS_12_CERT_TYPE_X509 ================ Begin Nesting Level 1 ================ Serial Number: 3972443af922b751d7d36c10dd313595 Issuer: CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, S=Greater Manchester, C=GB NotBefore: 3/11/2019 19:00 NotAfter: 12/31/2028 18:59 Subject: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, S=New Jersey, C=US Non-root Certificate Cert Hash(sha1): d89e3bd43d5d909b47a18977aa9d5ce36cee184c ---------------- End Nesting Level 1 ---------------- 2 attributes: Attribute[0]: 2.16.840.1.113894.746875.1.1 Value[0][0], Length = 6 0000 06 04 55 1d 25 00 ..U.%. 0000: 06 04 ; OBJECT_ID (4 Bytes) 0002: 55 1d 25 00 ; 2.5.29.37.0 Any Purpose Attribute[1]: 1.2.840.113549.1.9.20 (szOID_PKCS_12_FRIENDLY_NAME_ATTR) Value[1][0], Length = c5 C=US,ST=New Jersey,L=Jersey City,O=The USERTRUST Network,CN=USERTrust RSA Certification Authority ---------------------------------------------------------------- Hash Algorithm: 1.3.14.3.2.26 sha1 (sha1NoSign) Mac: 5f3a832459e8baa9c79789abfe10e73a5329015a Salt: 962a37e9a6aa83344922f9eaefda37c5ba85416e Iteration count: 1024 Computed Mac: 5f3a832459e8baa9c79789abfe10e73a5329015a CertUtil: -dumpPFX command completed successfully. 
C:\Windows\System32>

Openssl only outputs the private key:

C:\Program Files\Git\usr\bin>openssl.exe pkcs12 -in C:\my.domain.com_2024_SSL\my.domain.com_2024.pfx
Enter Import Password:
Bag Attributes
    localKeyID: 7C A2 3D A6 60 A4 65 9E C2 E3 70 23 F4 EC 85 21 E3 D7 0A E6
    friendlyName: CN=my.domain.com_key
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFNTBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQjtZqZrvhH04xxMiT
2LZH3wICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEC+of2G9R/aYfe30
Cut for brevity
7+V6MoniwpDj4zMg0kx/6NNom01iyFsWP+iIiZtmNwrdKSdAVzgOC55heTSi5q0I
XCSnwWiru7t7fNtf44q4kE+5rcM+jSGeYXX1tAT2PE2sYadOwpTgN+lh/psYI2Mo
/Wu+S2aqn8N90KwA5/Mub/hLA8450490+0oLTmmIHLRgkje3T4ijr28=
-----END ENCRYPTED PRIVATE KEY-----
Error outputting keys and certificates
100000000A000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

C:\Program Files\Git\usr\bin>

I don't know why openssl only shows the key. Maybe the openssl that comes with the Windows GitHub Development package is different in some way?

The zip file I received from Dynu had a folder and several files. The files were:

Choosing the Right Files to Install.txt
my.domain.com_2024.crt
my.domain.com_2024.p7b
my.domain.com_2024.pfx
Intermediate1.crt
Intermediate2.crt
IntermediateBundle.crt
PrivateKey.pem

The folder was named Plain Text Files. It contained:

my.domain.com_2024.txt
Intermediate1.txt
Intermediate2.txt
IntermediateBundle.txt
PrivateKey.txt

The "Choosing the Right Files to Install.txt" file contained the following text:

---------------- CRT - CER Files ----------------
These files should be used if your server requires you to browse and upload your certificates into their system. Common servers that use these files are IIS, Exchange, and Plesk. The files in this folder are .CRT files.
If you need .CER files, simply use a file explorer and manually change the file extension from .CRT to .CER and you'll be all set.

---------------- Plain Text Files ----------------
These files should be used if your server or hosting provider gives you a form to copy/paste your certificates into. Common hosting providers and servers that require these kinds of files are cPanel, DirectAdmin, and WHM.

---------- PKCS7 - P7B File ----------
This file should be used if your server requires that you upload a PKCS7 or .p7b file format for installation. Common server types that require this kind of file are Azure and TomCat.

----------------- PKCS12 - PFX File -----------------
This file can be used to install the certificate, intermediate certificates as well as private key on Windows server. Please note that the PKCS12 file provided has no password.

I used the my.domain.com_2024.crt, IntermediateBundle.crt, and PrivateKey.pem when I created my own using the GUI on Dynu's website. The GUI wanted a domain cert, the private key, and a bundle cert. It also wanted a password for the cert or it complained. The command line @Lessaj provided in his last post was only using 2 files. Since the GUI on Dynu's website wants 3, I assume I will have to provide 3 files to openssl. Would the correct syntax be:

openssl pkcs12 -export -out /path/to/output/my.domain.pfx -inkey /path/to/private/key -in /path/to/certificate -in /path/to/bundle/file -password certpassword

? Thanks
Lessaj 467 Posted September 3, 2024 I haven't done it with a CA bundle but I think it would be like this.

openssl pkcs12 -export -out /path/to/output/my.domain.pfx -inkey /path/to/private/key -in /path/to/certificate -CAfile /path/to/bundle/file -password certpassword
Solution gihayes 47 Posted September 3, 2024 Author (edited) Success!!!!!! When I first ran

C:\Program Files\Git\usr\bin>openssl pkcs12 -export -out C:\Users\me\AppData\Roaming\Emby-Server\system\my.domain.com.pfx -inkey C:\Users\me\AppData\Roaming\Emby-Server\system\my.domain.com_2024\PrivateKey.pem -in C:\Users\me\AppData\Roaming\Emby-Server\system\my.domain.com_2024\my.domain.com_2024.crt -CAfile C:\Users\me\AppData\Roaming\Emby-Server\system\my.domain.com_2024\IntermediateBundle.crt

I got the error:

pkcs12: Extra option: "C:\Users\me\AppData\Roaming\Emby-Server\system\my.domain.com_2024\IntermediateBundle.crt "
pkcs12: Use -help for summary.

Digging through the openssl docs, I changed the -CAfile option to -certfile and re-ran, but still got the same error. I then asked Microsoft Copilot. lol. It suggested that I reverse the slashes and put quotes around the file paths. I did and it worked! I then pointed Emby to the new certificate and voila, I am able to connect via https! Thank you very much for getting me here! @Lessaj's suggestion to recreate my certificate using openssl was the solution. And I learned a lot.

Edited September 3, 2024 by gihayes
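The procedure the thread converged on (dump the PFX with openssl, check what is really in it, rebuild it from leaf + key + intermediate bundle with -certfile, then probe the port with s_client) collected into one script. This is an added example written for this page, not code posted by gihayes, Lessaj or shipped by Emby. It assumes the PEM files named in the thread (my.domain.com_2024.crt, PrivateKey.pem, IntermediateBundle.crt) and an openssl binary on PATH; host, port and password values are placeholders. One caveat a reader of the thread should know: the error string "unsupported ... RC2-40-CBC" is OpenSSL 3 refusing an algorithm it now ships only in its legacy provider. PFX files whose certificate safe is encrypted with pbeWithSHA1And40BitRC2 (the cipher certutil listed for authSafe[1] above) print the 3DES-protected key and then stop, so "only the key came out" does not by itself mean the certificates are missing; pfx_dump below retries with -legacy for that case.

```shell
#!/bin/sh
# Added example for this thread (not code from the posts above or from Emby).
# Assumed inputs, as the provider in the thread ships them: a PEM leaf
# certificate, its PEM private key and a PEM intermediate bundle.
set -eu

# Dump a PFX to PEM (certificates plus the unencrypted key). OpenSSL 3 moved
# RC2-40-CBC to its "legacy" provider, so a PFX whose certificate safe uses
# pbeWithSHA1And40BitRC2-CBC fails with "unsupported ... RC2-40-CBC" after
# printing the (3DES-protected) key. Retry with -legacy when the plain run fails.
pfx_dump() {  # pfx_dump FILE.pfx IMPORT_PASSWORD [extra openssl pkcs12 options]
  pfx=$1; pass=$2; shift 2
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nodes "$@" 2>/dev/null \
    || openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nodes -legacy "$@"
}

# How many certificates and private keys the PFX really contains.
pfx_cert_count() { pfx_dump "$1" "$2" -nokeys  | grep -c -- '-----BEGIN CERTIFICATE-----' || true; }
pfx_key_count()  { pfx_dump "$1" "$2" -nocerts | grep -c -- '-----BEGIN.*PRIVATE KEY-----' || true; }

# subject= / issuer= of every certificate in the PFX: expect your domain, the
# intermediate(s) and nothing unexpected (compare with Q-Droid's sample above).
pfx_list_certs() {  # pfx_list_certs FILE.pfx IMPORT_PASSWORD
  certs=$(mktemp)
  pfx_dump "$1" "$2" -nokeys > "$certs"
  openssl crl2pkcs7 -nocrl -certfile "$certs" | openssl pkcs7 -print_certs -noout
  rm -f "$certs"
}

# A PFX built from a key that does not belong to the certificate loads fine but
# can never complete a TLS handshake, so compare the public keys before exporting.
key_matches_cert() {  # key_matches_cert LEAF.crt KEY.pem
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Build the PFX: -in leaf, -inkey key, -certfile adds the intermediate bundle.
pfx_build() {  # pfx_build LEAF.crt KEY.pem BUNDLE.crt OUT.pfx EXPORT_PASSWORD
  key_matches_cert "$1" "$2" || { echo "private key does not match $1" >&2; return 1; }
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -out "$4" -passout "pass:$5"
}

# Probe the HTTPS port and classify the outcome the thread saw:
#   refused                 -> nothing listens (the errno=111 output above)
#   closed-before-handshake -> port open, server dropped the connection before TLS
#                              ("unexpected eof ... no peer certificate available")
#   tls                     -> a certificate came back; subject, issuer and verify code follow
tls_probe() {  # tls_probe HOST PORT SNI_NAME
  out=$(openssl s_client -connect "$1:$2" -servername "$3" -showcerts </dev/null 2>&1 || true)
  case "$out" in
    *"Connection refused"*)            echo refused ;;
    *"no peer certificate available"*) echo closed-before-handshake ;;
    *"BEGIN CERTIFICATE"*)             echo tls
                                       printf '%s\n' "$out" | grep -E '^(subject=|issuer=|Verify return code)' || true ;;
    *)                                 echo error ;;
  esac
}

# Usage, mirroring the thread's layout (paths, IP and password are placeholders):
#   pfx_build my.domain.com_2024.crt PrivateKey.pem IntermediateBundle.crt my.domain.com.pfx 'p4ss'
#   pfx_list_certs my.domain.com.pfx 'p4ss'      # your CN plus the Sectigo intermediates
#   tls_probe 192.168.0.35 8920 my.domain.com    # after pointing the server at the new file
```

Run pfx_list_certs against the provider's original PFX first: if the certificates appear only with the -legacy retry, the file itself was complete and the earlier openssl run was an OpenSSL 3 provider issue, not a broken bundle. Run tls_probe from a second machine as well as localhost, since a firewall or AV product sitting in front of the port produces "refused" or a timeout while the certificate is perfectly good.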
rbjtech 5284 Posted September 3, 2024 Well done! Cert creation is a minefield using a CLI. You may also want to look at something like certbot, as on manual cert renewal you may run into this again.
Lessaj 467 Posted September 3, 2024 Glad you got it working. Surprised the provided pfx doesn't work...
gihayes 47 Posted September 3, 2024 Author 6 hours ago, rbjtech said: Well done! Cert creation is a minefield using a CLI. You may also want to look at something like certbot, as on manual cert renewal you may run into this again. I will check it out. Thanks
gihayes 47 Posted September 3, 2024 Author 4 hours ago, Lessaj said: Glad you got it working. Surprised the provided pfx doesn't work... Yea, me too, lol. Oh well. All's well that ends well.