AlanBatie 5 Posted September 11, 2025 Posted September 11, 2025 Since I'm allowing remote access, I wanted to make sure the connections were secure, but I find that emby isn't listening for https (port 8920) as configured, and there's nothing in the server log that indicates it's even trying...
Luke 42077 Posted September 11, 2025 Posted September 11, 2025 Hi, did you restart the server after configuring your certificate?
AlanBatie 5 Posted September 11, 2025 Author Posted September 11, 2025 (edited) yup # systemctl restart emby-server # netstat -plan | grep Emby tcp6 0 0 :::8096 :::* LISTEN 847555/EmbyServer tcp6 0 0 10.1.1.51:52860 10.1.1.51:8096 ESTABLISHED 847555/EmbyServer tcp6 0 0 10.1.1.51:8096 10.1.1.51:52860 ESTABLISHED 847555/EmbyServer tcp6 0 1 2601:1c0:8300:468:48222 2600:3c02::f03c:91f:443 SYN_SENT 847555/EmbyServer udp 0 0 10.1.1.51:47854 0.0.0.0:* 847555/EmbyServer udp 0 0 0.0.0.0:48614 0.0.0.0:* 847555/EmbyServer udp 0 0 0.0.0.0:1900 0.0.0.0:* 847555/EmbyServer udp 0 0 127.0.0.1:53126 0.0.0.0:* 847555/EmbyServer udp6 0 0 :::7359 :::* 847555/EmbyServer unix 2 [ ACC ] STREAM LISTENING 6607022 847555/EmbyServer /tmp/dotnet-diagnostic-847555-187797432-socket unix 3 [ ] STREAM CONNECTED 6607015 847555/EmbyServer Edited September 11, 2025 by AlanBatie
Luke 42077 Posted September 11, 2025 Posted September 11, 2025 Hi there, please attach the Emby server log from when the problem occurred: How to Report a Problem Thanks!
Luke 42077 Posted September 11, 2025 Posted September 11, 2025 If you go back to the screen, are you sure the certificate is saved there?
AlanBatie 5 Posted September 11, 2025 Author Posted September 11, 2025 Yes, it's actually been configured for some time; I double checked access to the cert too, though I would have expected errors if it couldn't get to it
Luke 42077 Posted September 12, 2025 Posted September 12, 2025 OK I don't this will matter but can you update to Emby Server 4.8.11 and see if that helps? Thanks.
Happy2Play 9780 Posted September 12, 2025 Posted September 12, 2025 To me it would suggest Emby can't use that cert location as it doesn't appear to load at all. Have you tried a different location?
AlanBatie 5 Posted September 12, 2025 Author Posted September 12, 2025 update didn't help There's no indication in the log that it's even looking for a cert - if it can't find it or access it, it should report that These days, if it doesn't think it's configured for ssl, it should report that and why it thinks that
Normanos 13 Posted September 12, 2025 Posted September 12, 2025 Shot in dark, can't be because Remote filter mode is "blacklist? I using nginx proxy for SSL, but I have "whitelist"
AlanBatie 5 Posted September 12, 2025 Author Posted September 12, 2025 It says "if left blank, all remote addresses will be allowed", but grasping at straws...and it didn't help
Luke 42077 Posted September 12, 2025 Posted September 12, 2025 1 hour ago, AlanBatie said: update didn't help There's no indication in the log that it's even looking for a cert - if it can't find it or access it, it should report that These days, if it doesn't think it's configured for ssl, it should report that and why it thinks that Can you please provide a new log following the update? thanks.
AlanBatie 5 Posted September 12, 2025 Author Posted September 12, 2025 The strange thing is that it *was* working a few days ago...I haven't rebooted either. embyserver.txt
GrimReaper 4739 Posted September 12, 2025 Posted September 12, 2025 (edited) What does your Dashboard state under Remote (WAN) address (mask external IP/domain)? Is your internet access properly configured? As all your outgoing requests are timing out: Quote 2025-09-11 16:27:51.645 Error HttpClient: Connection to https://www.mb3admin.com/admin/service/EmbyPackages.json timed out MediaBrowser.Model.Net.HttpException: Connection to https://www.mb3admin.com/admin/service/EmbyPackages.json timed out 2025-09-11 16:28:59.504 Error HttpClient: Connection to https://api.themoviedb.org/3/configuration/primary_translations?api_key=f6bd687ffa63cd282b6ff2c6877f2669 timed out MediaBrowser.Model.Net.HttpException: Connection to https://api.themoviedb.org/3/configuration/primary_translations?api_key=f6bd687ffa63cd282b6ff2c6877f2669 timed out etc. You also have permission issues, as your log is flooded with access errors: Quote System.UnauthorizedAccessException: Access to the path '/nfs/nas03/Videos/Movies/W/Wizard_of_Oz/The_Wizard_of_Oz.nfo' is denied. ---> System.IO.IOException: Permission denied System.UnauthorizedAccessException: Access to the path '/nfs/nas07/Videos/Online/Foundation/Foundation-S03/Foundation-S03E07.nfo' is denied. ---> System.IO.IOException: Permission denied System.UnauthorizedAccessException: Access to the path '/nfs/nas07/Videos/Online/Lucifer/Lucifer-S01/Lucifer.S01E08.nfo' is denied. ---> System.IO.IOException: Permission denied etc. Edited September 12, 2025 by GrimReaper
AlanBatie 5 Posted September 12, 2025 Author Posted September 12, 2025 (edited) There would be a heck of a lot more broken if my internet were down Remote (WAN) access: http://[redacted]:8096 the .nfo file doesn't exist, so no surprise it can't access it... Edited September 12, 2025 by GrimReaper Domain name masked
AlanBatie 5 Posted September 12, 2025 Author Posted September 12, 2025 (edited) There was something wonky with my ipv6, which is probably why those are timing out, but that would have nothing to do with emby not listening on the https port, and that's been fixed now in any case... Edited September 12, 2025 by AlanBatie
GrimReaper 4739 Posted September 12, 2025 Posted September 12, 2025 58 minutes ago, AlanBatie said: the .nfo file doesn't exist, so no surprise it can't access it... If it were only files not present, error would've been different, but sure. 59 minutes ago, AlanBatie said: Remote (WAN) access: http://[redacted]:8096 Can you share a screenshot of the first part of your Network settings?
Q-Droid 989 Posted September 12, 2025 Posted September 12, 2025 2 hours ago, AlanBatie said: There was something wonky with my ipv6, which is probably why those are timing out, but that would have nothing to do with emby not listening on the https port, and that's been fixed now in any case... What's fixed, the IPv6 or HTTPS issues? The LE path has PEM (base64) certs and not the keystore format that Emby needs which is PKCS12. You have to create a keystore for Emby using those LE certs and preferably put that file in a different path and owned or readable by user emby.
Luke 42077 Posted September 12, 2025 Posted September 12, 2025 What is the file extension of your certificate?
AlanBatie 5 Posted September 12, 2025 Author Posted September 12, 2025 It was ipv6 that was fixed; I have a letsencrypt posthook that makes a pkcs12 file openssl pkcs12 -password xxx -export -in fullchain.pem -inkey privkey.pem -out combined.pfx chmod 644 combined.pfx 1 1
Solution AlanBatie 5 Posted September 13, 2025 Author Solution Posted September 13, 2025 Problem solved after I started the server manually to strace it and discovered that it worked when I started it manually as root - it was a permission problem on the letsencrypt live/archive directories - a shared nfs directory that got changed to fix a problem on another server. Both are using the ssl group now. This would have been a simple diagnosis if the access problem had gotten logged...
Q-Droid 989 Posted September 13, 2025 Posted September 13, 2025 Normally a failure to access or open the keystore is logged. Which is why users are asked to restart their server and post the fresh log since this step is only attempted on startup.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now