comfy_server (Posted April 17, 2025)

Hi everyone! I understand that FreeBSD users are certainly a minority, but I have experienced some certificate issues on 13.4-RELEASE, and I thought about sharing how I solved them; it could save someone some time.

After updating dotnet, I've started getting a certificate error every time emby would start, such as this:

    System.Security.Cryptography.CryptographicException: System.Security.Cryptography.CryptographicException: The certificate data cannot be read with the provided password, the password may be incorrect.
     ---> Interop+Crypto+OpenSslCryptographicException: error:0308010C:digital envelope routines::unsupported
       at Interop.Crypto.CheckValidOpenSslHandle(SafeHandle handle)
       at Internal.Cryptography.OpenSslCipher.OpenKey(IntPtr algorithm, Byte[] key, Int32 effectiveKeyLength)
       at Internal.Cryptography.OpenSslCipher..ctor(IntPtr algorithm, CipherMode cipherMode, Int32 blockSizeInBytes, Int32 paddingSizeInBytes, Byte[] key, Int32 effectiveKeyLength, Byte[] iv, Boolean encrypting)
       at Internal.Cryptography.RC2Implementation.CreateTransformCore(CipherMode cipherMode, PaddingMode paddingMode, Byte[] key, Int32 effectiveKeyLength, Byte[] iv, Int32 blockSize, Int32 feedbackSize, Int32 paddingSize, Boolean encrypting)
       at Internal.Cryptography.RC2Implementation.CreateTransform(Byte[] rgbKey, Byte[] rgbIV, Boolean encrypting)
       at Internal.Cryptography.RC2Implementation.CreateDecryptor(Byte[] rgbKey, Byte[] rgbIV)
    (stack trace goes on)

On the surface it appeared to be a password problem, but I knew it was not that, since I have not changed passwords and I double checked just to be sure. At this point I considered simply proxying SSL through my nginx, but I wanted to get to the bottom of this.

My certificate is originally from Let's Encrypt, and my script to repackage it into PKCS12 looked like this:

    openssl pkcs12 -export \
        -in "${CERT_DIR}/${DOMAIN}/fullchain.pem" \
        -inkey "${CERT_DIR}/${DOMAIN}/privkey.pem" \
        -out "${TARGET_DIR}/${DOMAIN}.pfx" \
        -passout "pass:${PASS}"
    chown "${CHOWN_AS}" "${TARGET_DIR}/${DOMAIN}.pfx"

Trying to redo it with cert.pem and chain.pem instead of fullchain.pem would produce pretty much the same result, and emby would still not accept it. However, when inspecting the default crypto algorithms that OpenSSL was using, I found them oddly outdated (output pruned from irrelevant information):

    root@tyrael:/home/dagal # openssl pkcs12 -help
    Usage: pkcs12 [options]
    Valid options are:
     -descert        Encrypt output with 3DES (default RC2-40)
     -certpbe val    Certificate PBE algorithm (default RC2-40)
     -macalg val     Digest algorithm used in MAC (default SHA1)
     -keypbe val     Private key PBE algorithm (default 3DES)

Now, all these are still officially supported but I had my doubts. Decided to try with whatever is considered most secure nowadays:

    openssl pkcs12 -export \
        -certpbe AES-256-CBC \
        -keypbe AES-256-CBC \
        -macalg SHA256 \
        -in "${CERT_DIR}/${DOMAIN}/fullchain.pem" \
        -inkey "${CERT_DIR}/${DOMAIN}/privkey.pem" \
        -out "${TARGET_DIR}/${DOMAIN}.pfx" \
        -passout "pass:${PASS}"
    chown "${CHOWN_AS}" "${TARGET_DIR}/${DOMAIN}.pfx"

Restarted emby expecting to see the same error, but this time it was gone! I could load it over HTTPS again, as if nothing happened. I am not actually sure why the FreeBSD port of dotnet 9 would not support any of the previous ciphers, maybe it is hardened by default.

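Added example, not part of the original post: a check for whether an existing .pfx still uses the RC2-40 default shown in the `-help` output above, the cipher the `RC2Implementation` frames in the stack trace failed to open (OpenSSL 3.x ships RC2 and RC4 only in its legacy provider, which is not loaded by default). The function name, the `PFX_PASS` variable and both sample reports are assumptions constructed for illustration; the samples follow the layout of `openssl pkcs12 -info -noout` output.

```shell
#!/bin/sh
# Classify the algorithms listed by
#   openssl pkcs12 -info -noout -in FILE -passin env:PFX_PASS 2>&1
# Prints "<part> <algorithm> <verdict>" per protected part and returns 1 when
# any part uses RC2 or RC4 (legacy provider only in OpenSSL 3.x).
classify_pkcs12_report() {
    awk '
        function verdict(alg) {
            if (alg ~ /RC2|RC4/)          return "legacy-provider-only"
            if (alg ~ /TripleDES|^sha1$/) return "dated"
            return "ok"
        }
        function report(part, line,    f, alg, v) {
            split(line, f, "[:,] *")
            # PBES2 lines read "PBES2, PBKDF2, <cipher>, ..."; PKCS#12 PBE lines name one scheme.
            alg = (f[2] == "PBES2") ? f[4] : f[2]
            v = verdict(alg)
            if (v == "legacy-provider-only") bad = 1
            print part, alg, v
        }
        /^MAC: /                  { report("mac",   $0) }
        /^PKCS7 Encrypted data: / { report("certs", $0) }
        /^Shrouded Keybag: /      { report("key",   $0) }
        END { exit bad + 0 }
    '
}

# Constructed sample reports (not captured from the poster's files).
LEGACY_REPORT='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'
MODERN_REPORT='MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'

if [ -n "${1:-}" ]; then
    # Real file: the report goes to stderr; OpenSSL 3.x needs -legacy to open an RC2 file.
    openssl pkcs12 -info -noout -in "$1" -passin env:PFX_PASS 2>&1 | classify_pkcs12_report
else
    printf '%s\n' "$LEGACY_REPORT" | classify_pkcs12_report || echo "re-export with AES PBE"
fi
```

Running it in a certificate renewal hook before restarting the server catches a .pfx that was exported with the old defaults.
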
Luke (Posted April 17, 2025)

Hi, how did you install Emby Server? Can you please attach the emby server log? I'd like to see if the server is even using your installed dotnet 9. Thanks.

comfy_server (Posted April 17, 2025)

You were right, I didn't even notice that it still says "Framework: .NET 6.0.31": embyserver-63880432841.txt

Now I am even more puzzled. All I have is .NET 9.0 and it doesn't look like emby knows about any other dotnet. Emby service script (cut to the relevant part):

    pidfile="${emby_server_pid_dir}/${emby_server_pid}"
    command="/usr/sbin/daemon"
    command_args="-r -f -P ${pidfile} /usr/local/bin/dotnet /usr/local/lib/emby-server/system/EmbyServer.dll \
        -os freebsd \
        -ffdetect ${emby_server_ffdetect} \
        -ffmpeg ${emby_server_ffmpeg} \
        -ffprobe ${emby_server_ffprobe} \
        -programdata ${emby_server_data_dir}"

    start_precmd=emby_server_start_precmd

    emby_server_start_precmd()
    {
        [ -d ${emby_server_pid_dir} ] || install -d -g ${emby_server_group} -o ${emby_server_user} ${emby_server_pid_dir}
        [ -d ${emby_server_data_dir} ] || install -d -g ${emby_server_group} -o ${emby_server_user} ${emby_server_data_dir}

        # .NET 6+ use dual mode sockets to avoid the separate AF handling.
        # disable .NET use of V6 if no ipv6 is configured.
        # See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259194#c17
        ifconfig -a -u -G lo | grep -q inet6
        if [ $? == 1 ]; then
            export DOTNET_SYSTEM_NET_DISABLEIPV6=1
        fi

        if [ `uname -K` -ge 1400092 ]; then
            export CLR_OPENSSL_VERSION_OVERRIDE=30
        fi

        export LD_LIBRARY_PATH=/usr/local/lib/emby-server/lib:/usr/local/lib
    }

    run_rc_command "$1"

The CLR_OPENSSL_VERSION_OVERRIDE does not apply to me since I am on a lower version:

    dagal@tyrael:~ $ uname -K
    1304000

And /usr/local/bin/dotnet is 9.0:

    dagal@tyrael:~ $ /usr/local/bin/dotnet --info
    .NET SDK:
     Version:           9.0.104
     Commit:            7931ad4860
     Workload version:  9.0.100-manifests.dc2cb94f
     MSBuild version:   17.12.27+7931ad486

    Runtime Environment:
     OS Name:     FreeBSD
     OS Version:  13
     OS Platform: FreeBSD
     RID:         freebsd.13-x64
     Base Path:   /usr/local/share/dotnet/sdk/9.0.104/

    .NET workloads installed:
    There are no installed workloads to display.
    Configured to use loose manifests when installing new manifests.

    Host:
      Version:      9.0.3
      Architecture: x64
      Commit:       7931ad4860

    .NET SDKs installed:
      9.0.104 [/usr/local/share/dotnet/sdk]

    .NET runtimes installed:
      Microsoft.AspNetCore.App 9.0.3 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
      Microsoft.NETCore.App 9.0.3 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

    Other architectures found:
      None

    Environment variables:
      Not set

    global.json file:
      Not found

    Learn more:
      https://aka.ms/dotnet/info

    Download .NET:
      https://aka.ms/dotnet/download

No other dotnet installed!

    dagal@tyrael:~ $ ll /usr/local/share/dotnet/sdk
    total 58
    drwxr-xr-x   3 root wheel uarch   3 Apr 16 17:30 ./
    drwxr-xr-x  10 root wheel uarch  13 Apr 16 17:30 ../
    drwxr-xr-x  28 root wheel uarch 177 Apr 16 17:30 9.0.104/
    dagal@tyrael:~ $ which dotnet
    /usr/local/bin/dotnet

Luke (Posted April 18, 2025)

The server gets built with the dotnet runtime embedded, so that's why it's running .NET 6. But there are dependencies that are not embedded, such as openssl. I wonder if your installation of dotnet 9 updated some other library to a newer version that isn't compatible?

comfy_server (Posted April 18, 2025)

Not sure about that. dotnet is listed as a dependency for the emby package for FreeBSD, while openssl is not listed. Then again, I am not sure what a good half of these dependencies do, either:

    dagal@tyrael:~ $ pkg info -dx emby
    emby-server-4.8.11.0_1:
        pango-1.56.1
        fontconfig-2.15.0_3,1
        krb5-1.21.3_1
        gnutls-3.8.9
        freetype2-2.13.3
        x265-3.6_1
        libx264-0.164.3095
        libvpx-1.15.0
        libva-2.22.0
        libtheora-1.1.1_7
        libass-0.17.3
        intel-media-sdk-22.5.4
        dav1d-1.5.1
        aribb24-1.0.4
        dotnet-9.0.3
        webp-1.5.0
        tiff-4.7.0
        tesseract-5.5.0_1
        png-1.6.47
        openjpeg-2.5.3
        openexr-3.3.3
        libraw-0.21.3
        libjxl-0.11.1_1
        libimagequant-4.3.4_1
        libheif-1.19.7
        libexif-0.6.25
        libdrm-2.4.123,1
        ImageMagick6-6.9.13.23,1
        orc-0.4.40
        ocl-icd-2.3.2
        libzvbi-0.2.44
        libunwind-20240221_2
        libinotify-20240724
        icu-76.1,1
        sqlite3-3.46.1_1,1
        fribidi-1.0.16
        opus-1.5.2
        libvorbis-1.3.7_2,3
        libogg-1.3.5,4
        lame-3.100_5
        chromaprint-1.5.1.20221217_1
        ocl-icd-2.3.2 (libOpenCL.so.1)
        libarchive-3.7.9,1 (libarchive.so.13)
        aribb24-1.0.4 (libaribb24.so.0)
        libass-0.17.3 (libass.so.9)
        cairo-1.18.2,3 (libcairo.so.2)
        chromaprint-1.5.1.20221217_1 (libchromaprint.so.1)
        dav1d-1.5.1 (libdav1d.so.7)
        libdrm-2.4.123,1 (libdrm.so.2)
        libexif-0.6.25 (libexif.so.12)
        expat-2.7.1 (libexpat.so.1)
        fontconfig-2.15.0_3,1 (libfontconfig.so.1)
        freetype2-2.13.3 (libfreetype.so.6)
        fribidi-1.0.16 (libfribidi.so.0)
        glib-2.82.4_1,2 (libgio-2.0.so.0)
        glib-2.82.4_1,2 (libglib-2.0.so.0)
        gnutls-3.8.9 (libgnutls.so.30)
        glib-2.82.4_1,2 (libgobject-2.0.so.0)
        krb5-1.21.3_1 (libgssapi_krb5.so.2.2)
        libinotify-20240724 (libinotify.so.0)
        gettext-runtime-0.23.1 (libintl.so.8)
        intel-media-sdk-22.5.4 (libmfx.so.1)
        lame-3.100_5 (libmp3lame.so.0)
        opus-1.5.2 (libopus.so.0)
        pango-1.56.1 (libpango-1.0.so.0)
        pango-1.56.1 (libpangocairo-1.0.so.0)
        pango-1.56.1 (libpangoft2-1.0.so.0)
        librsvg2-rust-2.60.0 (librsvg-2.so.2)
        tesseract-5.5.0_1 (libtesseract.so.5)
        libtheora-1.1.1_7 (libtheoradec.so.1)
        libtheora-1.1.1_7 (libtheoraenc.so.1)
        libunwind-20240221_2 (libunwind-x86_64.so.8)
        libunwind-20240221_2 (libunwind.so.8)
        libva-2.22.0 (libva-drm.so.2)
        libva-2.22.0 (libva.so.2)
        libvorbis-1.3.7_2,3 (libvorbis.so.0)
        libvorbis-1.3.7_2,3 (libvorbisenc.so.2)
        libvpx-1.15.0 (libvpx.so.9)
        webp-1.5.0 (libwebp.so.7)
        webp-1.5.0 (libwebpmux.so.3)
        libx264-0.164.3095 (libx264.so.164)
        x265-3.6_1 (libx265.so.209)
        libzvbi-0.2.44 (libzvbi.so.0)

Luke (Posted April 27, 2025)

On 4/18/2025 at 12:01 PM, comfy_server said:

> Not sure about that. dotnet is listed as a dependency for the emby package for FreeBSD, while openssl is not listed. Then again, I am not sure what a good half of these dependencies do, either:
>
> dagal@tyrael:~ $ pkg info -dx emby

@comfy_server Do you have any packages that are significantly ahead of those in version number?