Posted

did a fresh install with version 3.4.0.0 using the .deb on Ubuntu 17.10.

so far way better performance and fewer errors.

Works fine over http, but https brings nothing

thing I found in logs

2018-05-03 07:12:21.345 Info ServerManager: Loading Http Server

2018-05-03 07:12:21.370 Info HttpServer: Adding HttpListener prefix http://+:8096/
2018-05-03 07:12:21.373 Info HttpServer: Adding HttpListener prefix https://+:8920/
2018-05-03 07:12:21.750 Info HttpServer: HTTP GET http://192.168.1.12:8096/emby/System/Info. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36
2018-05-03 07:12:21.856 Info HttpServer: HTTP Response 503 to 192.168.1.60. Time: 141ms. http://192.168.1.12:8096/emby/System/Info
2018-05-03 07:12:22.300 Info HttpServer: HTTP GET http://192.168.1.12:8096/emby/System/Info. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36
2018-05-03 07:12:22.308 Info HttpServer: HTTP Response 503 to 192.168.1.60. Time: 8ms. http://192.168.1.12:8096/emby/System/Info

 

 netstat -tupl brings 

 

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN      551/rpcbind
tcp        0      0 0.0.0.0:22260           0.0.0.0:*               LISTEN      1069/sshd
tcp        0      0 0.0.0.0:hostmon         0.0.0.0:*               LISTEN      762/systemd-resolve
tcp        0      0 0.0.0.0:40269           0.0.0.0:*               LISTEN      -
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN      551/rpcbind
tcp6       0      0 [::]:8920               [::]:*                  LISTEN      16673/EmbyServer
tcp6       0      0 [::]:37531              [::]:*                  LISTEN      -
tcp6       0      0 [::]:8096               [::]:*                  LISTEN      16673/EmbyServer
tcp6       0      0 [::]:hostmon            [::]:*                  LISTEN      762/systemd-resolve
udp        0      0 0.0.0.0:7359            0.0.0.0:*                           16673/EmbyServer
udp        0      0 0.0.0.0:hostmon         0.0.0.0:*                           762/systemd-resolve
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           16673/EmbyServer
udp        0      0 localhost:domain        0.0.0.0:*                           762/systemd-resolve
udp        0      0 0.0.0.0:sunrpc          0.0.0.0:*                           551/rpcbind
udp        0      0 0.0.0.0:727             0.0.0.0:*                           551/rpcbind
udp        0      0 emby:37651              0.0.0.0:*                           16673/EmbyServer
udp        0      0 localhost:58300         0.0.0.0:*                           16673/EmbyServer
udp        0      0 0.0.0.0:48087           0.0.0.0:*                           16673/EmbyServer
udp6       0      0 [::]:hostmon            [::]:*                              762/systemd-resolve
udp6       0      0 [::]:sunrpc             [::]:*                              551/rpcbind
udp6       0      0 [::]:727                [::]:*                              551/rpcbind
 
At first I would think that it is because of IPv6 (which is deactivated), but then again http is working.
Could it be that the new install is using the old certificate (did not do a purge before installing)?
 
Posted

Hi, why do you feel that https isn't working? What happens when you try it?

Posted

absolutely nothing, says the server closed the connection in the browser.

Dashboard even states that it is only serving http.

Checked the advanced settings and if I set the setting to "secure connection mode required" it even states "To enable HTTPS for external connections, you will need to supply a trusted SSL certificate, such as Let's Encrypt.". Does that mean that the self-signed certificates are not usable any more?
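The symptom reported above (port 8920 listed as LISTEN in netstat, yet the browser reports a closed connection) can be narrowed down by separating the TCP connect from the TLS handshake. This is an added example, not part of the original thread or of Emby; the function name and result labels are assumptions made for illustration.

```python
import socket
import ssl


def probe_https(host, port, server_name=None, timeout=3.0):
    """Classify an HTTPS listener.

    Returns one of:
      tcp_unreachable     - nothing accepts the TCP connection
      tcp_open_tls_failed - port is open but no TLS handshake completes
                            (e.g. a listener with no certificate loaded)
      tls_untrusted_cert  - handshake reaches the certificate, but it does
                            not validate (self-signed, expired, wrong name)
      tls_trusted         - handshake completes with a trusted certificate
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "tcp_unreachable"

    # Default context: system trust store, hostname checking enabled.
    ctx = ssl.create_default_context()
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=server_name or host):
            return "tls_trusted"
    except ssl.SSLCertVerificationError:
        return "tls_untrusted_cert"
    except (ssl.SSLError, OSError):
        # Reset, EOF during handshake, timeout, protocol mismatch.
        return "tcp_open_tls_failed"


if __name__ == "__main__":
    # Run on the server itself; 8920 is the HTTPS port from the log above.
    print(probe_https("127.0.0.1", 8920))
```

A result of `tcp_open_tls_failed` together with a LISTEN entry in netstat points at the certificate configuration rather than at the firewall or IPv6.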

Posted

Yes you'll need to bring your own certificate.

Posted

Which also means I need to buy a domain, right?

Because letsencrypt needs to either connect to ports 80/443 (which I have used for VPN stuff on my firewall) or you must prove the ownership of the domain, which again is impossible if one is using ddns.

Would really like to know the reason behind this, even a self-signed encrypted connection is more secure than an absolutely unencrypted one.

Posted

There's really a couple reasons. One being that a self signed cert won't work with all apps and in most cases there's no way for us to force it to work. Most devices will reject the self signed cert. Unfortunately no matter how much we try and warn users about that, it's just a constant source of "https not working" troubleshooting for us.

 

However, even with that, we probably would have kept it except that we've moved from the Mono runtime to the Microsoft .NET Core runtime, and the APIs we were using before to create the self-signed certificate are no longer available, meaning we'd have to find a whole new way of doing it.

mastrmind11
Posted

Which also means I need to buy a domain, right?

Because letsencrypt needs to either connect to ports 80/443 (which I have used for VPN stuff on my firewall) or you must prove the ownership of the domain, which again is impossible if one is using ddns.

Would really like to know the reason behind this, even a self-signed encrypted connection is more secure than an absolutely unencrypted one.

I'm using a ddns and letsencrypt and have 0 issues w/ it.  The proof of domain ownership is that letsencrypt can reach your server via the dns name you provide.  

Posted

I'm using a ddns and letsencrypt and have 0 issues w/ it.  The proof of domain ownership is that letsencrypt can reach your server via the dns name you provide.  

As stated before, I can not use ports 80 and 443 because they are used for something I really need.

 

I really find it quite appalling that such a major change was not published.

As long as there is not a built-in  way for most of users to obtain a certificate easily this option is really BS.

Most people will tell their friend "switch the port"....

nope...really unprofessional to not provide the means to get a halfway secure connection and instead forcing an unsecured one.

pissed enough to get back to the recent version, repository is working at least and https is working

Posted

Thanks for the feedback and apologies for the disruption.

  • 1 month later...
Posted

Just as a short feedback...got myself a domain and used Letsencrypt.

Still a hassle for me to switch the port to Emby every 3 months and really not satisfied that the change was not mentioned in the changelogs (with big capital letters).

And yes...more detailed changelogs with the releases would be very welcome

 

On the PLUS side..this build is a great improvement concerning library scan...went down to 30 minutes with my setup, 

And on Ubuntu 18.04 it runs like a charm  using less CPU and RAM

Posted

Thanks for the feedback !

  • 2 years later...
Posted (edited)

I need help with https. I've got the domain set just fine. Port forwarded the 8920 port, installed certificates and all happy, except I have to use the local https port because the remote https will not respond.

Server version is latest. 

Os win 7 sp 1, 

Local https 443 works

Remote 8920 not listening

I've tried port forward to both but only local https will respond.

 

Any advice?

Edited by williamk15
Posted
6 hours ago, williamk15 said:

I need help with https. I've got the domain set just fine. Port forwarded the 8920 port, installed certificates and all happy, except I have to use the local https port because the remote https will not respond.

Server version is latest. 

Os win 7 sp 1, 

Local https 443 works

Remote 8920 not listening

I've tried port forward to both but only local https will respond.

 

Any advice?

Hi there, exactly what port forwarding did you setup?

mastrmind11
Posted
On 6/15/2018 at 1:04 PM, woenk said:

Just as a short feedback...got myself a domain and used Letsencrypt.

Still a hassle for me to switch the port to Emby every 3 months and really not satisfied that the change was not mentioned in the changelogs (with big capital letters).

And yes...more detailed changelogs with the releases would be very welcome

 

On the PLUS side..this build is a great improvement concerning library scan...went down to 30 minutes with my setup, 

And on Ubuntu 18.04 it runs like a charm  using less CPU and RAM

You can set up certbot and not have to worry about it.  https://www.google.com/search?q=letsencrypt+renew+certbot&oq=letsencrypt+renew&aqs=chrome.2.0i457j0l3j0i395l6.4487j1j7&sourceid=chrome&ie=UTF-8

 

this still seems a bit strange, i've literally got this same setup with CF and have no issues.  I'm guessing you jacked up the CF config somewhere but have no idea since I don't know what tutorial you followed.  however, i will say, if you plan to use this externally on a regular basis, getting a domain vs using a DDNS is significantly cleaner and easier to maintain.

mastrmind11
Posted
7 hours ago, williamk15 said:

I need help with https. I've got the domain set just fine. Port forwarded the 8920 port, installed certificates and all happy, except I have to use the local https port because the remote https will not respond.

Server version is latest. 

Os win 7 sp 1, 

Local https 443 works

Remote 8920 not listening

I've tried port forward to both but only local https will respond.

 

Any advice?

start a new thread, this isn't related to the OP

Posted
On 1/20/2021 at 9:44 PM, mastrmind11 said:

You can set up certbot and not have to worry about it.  https://www.google.com/search?q=letsencrypt+renew+certbot&oq=letsencrypt+renew&aqs=chrome.2.0i457j0l3j0i395l6.4487j1j7&sourceid=chrome&ie=UTF-8

 

this still seems a bit strange, i've literally got this same setup with CF and have no issues.  I'm guessing you jacked up the CF config somewhere but have no idea since I don't know what tutorial you followed.  however, i will say, if you plan to use this externally on a regular basis, getting a domain vs using a DDNS is significantly cleaner and easier to maintain.

I have a certbot running, but the renewal via a TXT is not supported by most registrars. Also I do not like to have port 80 open all the time. 

No need for DDNS either, it's a fixed IP

Another thing is that I have web protection activated on my Sophos XG firewall, so I need to upload the certificate on the firewall as well (the old UTMs allow for automatic renewal).

Posted

I think you mean to say that certbot plug-ins for TXT renewal are not available for many registrars. You can still use the TXT method manually or if the registrar has an API then create or modify a plug-in to work with them. No need to switch ports when using TXT.

You don't need to switch the Emby port. A simple temporary HTTP server can satisfy the certbot validation requirement. Spin up something for WAN port 80, run certbot, spin it down.

Posted
5 hours ago, Q-Droid said:

I think you mean to say that certbot plug-ins for TXT renewal are not available for many registrars. You can still use the TXT method manually or if the registrar has an API then create or modify a plug-in to work with them. No need to switch ports when using TXT.

You don't need to switch the Emby port. A simple temporary HTTP server can satisfy the certbot validation requirement. Spin up something for WAN port 80, run certbot, spin it down.

You misunderstood, I have to open port 80 on my Emby VM in order to have the certbot running there update, not switching the port of Emby itself.

Tried the TXT method, but did not work, almost looks like certbot asks for another entry every 3 months and even if it worked, I would still need to upload the cert to my firewall and set it manually there (unless I can find an automated way using the REST API of the firewall, but so far no one has done it).
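On the TXT method discussed in the last few posts: under ACME (RFC 8555) the DNS-01 record value is derived from a per-order token and the account key thumbprint, so each renewal needs a new TXT value. The following is an added example, not part of the thread or of certbot; the account key, tokens and domain are constructed placeholders.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members only,
    sorted by name, serialized without whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT value = b64url(SHA-256(key authorization)),
    where key authorization = token + "." + account key thumbprint."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_record_name(identifier: str) -> str:
    """Wildcard names are validated at the base domain."""
    if identifier.startswith("*."):
        identifier = identifier[2:]
    return f"_acme-challenge.{identifier}"


# Constructed account key (not a real key) and two constructed tokens,
# standing in for what the CA would issue for two successive renewals.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
TOKEN_RENEWAL_1 = "constructed-token-for-first-order"
TOKEN_RENEWAL_2 = "constructed-token-for-second-order"

if __name__ == "__main__":
    name = dns01_record_name("media.example.org")  # hypothetical domain
    for token in (TOKEN_RENEWAL_1, TOKEN_RENEWAL_2):
        print(name, "TXT", dns01_txt_value(token, ACCOUNT_JWK))
```

Because the token is chosen by the CA for each order, the record cannot be set once and left in place; it has to be updated by hand or through the DNS provider's API at every renewal.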
