
Can't connect using SSL



Posted (edited)

@alucryd

 

Tried using the latest 3.3.0.0 and I still get sec_error_unknown_issuer error in my browser.

If I visit another site "or port" on my server that uses the same cert before I visit emby, I get a green lock (cert ok) until the next time my cert is renewed or until I connect with a client/browser that has never seen that certificate before.

 

So there must be something wrong when the same certificate works on windows and arch but not on official docker or ubuntu.

 

I'm not using reverse proxy or anything like that, just opened a port for emby server and connection straight to that using https.

Edited by Luke
Posted

The latest beta has resolved the client certificate problem, if you could try that out it would be helpful. I'm not sure it will affect the original issue this topic was opened for though. Thanks.

Posted

@Luke

Tried the latest beta docker and still same problem for me.

Posted

@Luke

I get site insecure error in my browser when connecting to my emby server.

Posted

What version does your server dashboard say?

Posted

Ok, I could be wrong but I think the original issue is blocking you from being able to accurately confirm that. Thanks.

Posted (edited)

> Ok, I could be wrong but I think the original issue is blocking you from being able to accurately confirm that. Thanks.

I did not exactly understand that, but I'm still having trouble getting emby server to work with ssl certificate. And you can see in the logs that there are some problems. And at this point I don't believe that there is anything wrong with my setup when the same setup works in Windows and on binhex-emby docker.

Edited by Handl3vogn
Posted

Yea I get that, we're just having a hard time reproducing the problem.

Posted (edited)

> Yeah I get that, we're just having a hard time reproducing the problem.

I understand that, is there anything I can do to help? Would it be helpful if I sent you my cert file? Or made some test Dockers you could connect to? One working and one not working? Just tell me if I can do anything to help resolve that issue.

Edited by Handl3vogn
  • 3 weeks later...
GWTPqZp6b
Posted

I think I'm having this problem with latest beta as well, although this could be something to do with a pfsense RP issue too. The problem only occurs when I attempt to add the send-proxy option to enable me to see the real-ip address behind my proxy address. 


2018-03-16 23:58:17.653 Error HttpServer: Error in ProcessAccept
	*** Error Report ***
	Version: 3.3.1.5
	Command line: /opt/emby-server/system/EmbyServer.dll -programdata /var/lib/emby -ffmpeg /opt/emby-server/bin/ffmpeg -ffprobe /opt/emby-server/bin/ffprobe -restartexitcode 3 -updatepackage emby-server-deb_{version}_amd64.deb
	Operating system: Unix 4.9.0.3
	64-Bit OS: True
	64-Bit Process: True
	User Interactive: True
	Processor count: 2
	Program data path: /var/lib/emby
	Application directory: /opt/emby-server/system
	System.IO.IOException: The handshake failed due to an unexpected packet format.
	   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
	   at System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
	   at SocketHttpListener.Net.HttpConnection..ctor(ILogger logger, Socket socket, EndPointListener epl, Boolean secure, X509Certificate cert, ICryptoProvider cryptoProvider, IMemoryStreamFactory memoryStreamFactory, ITextEncoding textEncoding, IFileSystem fileSystem, IEnvironmentInfo environment)
	   at SocketHttpListener.Net.EndPointListener.ProcessAccept(Socket accepted)
	System.IO.IOException
	   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
	   at System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
	   at SocketHttpListener.Net.HttpConnection..ctor(ILogger logger, Socket socket, EndPointListener epl, Boolean secure, X509Certificate cert, ICryptoProvider cryptoProvider, IMemoryStreamFactory memoryStreamFactory, ITextEncoding textEncoding, IFileSystem fileSystem, IEnvironmentInfo environment)
	   at SocketHttpListener.Net.EndPointListener.ProcessAccept(Socket accepted)

Let me know if there's anything I can do to help debug etc.

GWTPqZp6b
Posted

Hey Luke, looks like you cut and pasted from the 'other' SSL thread I was reading.... I'm using both these options

 

 <RequireHttps>true</RequireHttps>

  <IsBehindProxy>true</IsBehindProxy>
Posted

Right ok. I mis-read that and thought you had configured a proxy setting.

Posted

In any event I don't think your issue is related to this thread, but in case it helps, check the incoming request URLs and make sure that the https URL has the proper port. Your exception message suggests that you have an incoming https request on your http port.

 

Additionally, I would set RequireHttps to false. Since you're behind a proxy you probably want to have the proxy handle your SSL and forward everything to Emby over local http.

GWTPqZp6b
Posted (edited)

I think you are right in that these are probably two different problems. I have basic proxy needs so rely on pfSense to separate a few internet facing services including emby by subdomain, these all run local letsencrypt HTTPS certs and a simple passthrough from pfSense with the 'send-proxy' option allows me to run fail2ban / log correct IP addresses. It seems emby throws the error I posted when I add that 'send-proxy' flag. Wanted to make sure you understood in case it was an Emby side problem, I have a workaround that gets me where I need to be in the meanwhile, thank you.

 

post-235154-0-50872500-1521274533_thumb.png

Edited by GWTPqZp6b
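
An added example, not part of any post above and not Emby's code: HAProxy's `send-proxy` option (assumed here to be what the pfSense setting enables) prepends a PROXY protocol header to each backend connection, so a TLS listener that does not expect it reads text where a ClientHello should be. The sketch classifies the first bytes of a connection to tell that case from plain HTTP sent to the HTTPS port; all sample bytes, addresses, ports and host names are constructed.

```python
# Added example: classify the first bytes a TLS listener receives.
# All sample bytes, addresses and ports below are constructed.
PROXY_V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY protocol v2 signature
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def parse_proxy_v1(data: bytes):
    """Return (header, rest) if data starts with a PROXY v1 line, else None."""
    if not data.startswith(b"PROXY "):
        return None
    end = data.find(b"\r\n", 0, 107)  # a v1 header is at most 107 bytes with CRLF
    if end == -1:
        return None
    parts = data[:end].decode("ascii", "replace").split(" ")
    rest = data[end + 2:]
    if len(parts) >= 2 and parts[1] == "UNKNOWN":
        return {"family": "UNKNOWN"}, rest
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        return None
    if not (parts[4].isdigit() and parts[5].isdigit()):
        return None
    return {"family": parts[1], "src": parts[2], "dst": parts[3],
            "src_port": int(parts[4]), "dst_port": int(parts[5])}, rest


def classify_first_bytes(data: bytes) -> str:
    """Name what a listener expecting a TLS ClientHello actually received."""
    if parse_proxy_v1(data) is not None:
        return "proxy-v1"
    if data.startswith(PROXY_V2_SIG):
        return "proxy-v2"
    # TLS record header: content type 0x16 (handshake), major version 0x03
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"
    if data.startswith(HTTP_METHODS):
        return "plain-http"
    return "unknown"


CLIENT_HELLO = bytes.fromhex("16030100c8010000c40303")  # constructed record prefix
SAMPLES = {
    "direct TLS": CLIENT_HELLO,
    "send-proxy, then TLS": b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 8920\r\n" + CLIENT_HELLO,
    "HTTP sent to the HTTPS port": b"GET / HTTP/1.1\r\nHost: emby.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, first_bytes in SAMPLES.items():
        print(f"{name}: {classify_first_bytes(first_bytes)}")
```

The first bytes of a failing connection can be captured on the backend with a packet capture and passed to `classify_first_bytes` to see which of the cases applies.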
pir8radio
Posted (edited)

> Hey Luke, looks like you cut and pasted from the 'other' SSL thread I was reading.... I'm using both these options
>
> <RequireHttps>true</RequireHttps>
>
> <IsBehindProxy>true</IsBehindProxy>


Behind a Reverse proxy you will want:

<EnableHttps>true</EnableHttps>, not "RequireHttps": set require to false, and enable to true.

 

Probably not your issue, but something to fix. Also if the proxy is set up correctly you won't need "IsBehindProxy" set to true, as far as I know. I'm not sure what this switch does within emby... But emby should be blind to the fact that it is behind a proxy if it's set up correctly.

Edited by pir8radio
  • 1 month later...
Posted

If you would like to try the beta server that would be helpful as we've updated to .NET Core 2.1. Thanks.

Handl3vogn
Posted

Tried the 3.4.1.2-beta on ubuntu 18.04

Still got ssl certification error so no change for me.

Posted

New server log? thanks.

Handl3vogn
Posted

> New server log? thanks.

Here :)

 

lots of ssl errors in log

Log.txt

Posted

Those are all outbound https, which are hopefully resolved for next beta. I don't see anything here related to inbound traffic.

Handl3vogn
Posted (edited)

> Those are all outbound https, which are hopefully resolved for next beta. I don't see anything here related to inbound traffic.

I still get certification error in my browser.

And tried an online ssl certificate tester and got these results

post-248165-0-25045100-1526412593_thumb.png

Edited by Handl3vogn
Posted
Hi, I have the same issue with the docker (Version 3.4.1.0) on debian 8.10 (OpenMediaVault).

 

I can access and play video with my desktop but with my android phone it's impossible (chrome and emby app)

 

*** Error Report ***

Version: 3.4.1.0

Command line: /system/EmbyServer.dll -programdata /config -ffmpeg /bin/ffmpeg -ffprobe /bin/ffprobe -restartexitcode 3

Operating system: Unix 4.9.0.0

64-Bit OS: True

64-Bit Process: True

User Interactive: True

Processor count: 4

Program data path: /config

Application directory: /system

System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL. ---> Interop+Crypto+OpenSslCryptographicException: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown

   --- End of inner exception stack trace ---

 

After a moment, HTTPS isn't accessible ... I must restart the docker image to restore HTTPS access.

 

 

PS: My certificate is generated with letsencrypt --> openssl pkcs12 -inkey privkey.pem -in fullchain.pem -export -out Emby.pfx -passout pass:PASSWORD

 

Is it an Emby problem?

 


post-315214-0-71333000-1526578916_thumb.png

post-315214-0-43431100-1526579033_thumb.png
