icsy7867 8 Posted June 26, 2018 I just noticed this. I was visiting my parents over the weekend and tried on a Roku and Amazon Fire TV. At home, it just uses the 8096, unencrypted port, which I am fine with on my internal network. However, I just realized that if I try and use a FireTV or Roku client it seems to error out. The Roku gives me some brief text about the certificate, while the Amazon FireTV just says error. So, I tried to connect to my emby server internally through my FireTV app at home: https://emby.domain.com port 8920, no dice. Also I should note that https://emby.domain.com:8920 works on my cell phone and web browsers externally (I have tested from various external wifi adapters, 4g, etc...). So it's not an issue with a firewall or anything. Anyone have any ideas?
Jdiesel 1431 Posted June 26, 2018 I assume you created a pfx from your letsencrypt keys and are using the pfx directly in Emby? I had the same experience last time I tried that. I had no issues with the letsencrypt cert in nginx or with a Comodo pfx directly in Emby, only with a letsencrypt pfx directly in Emby on my Rokus.
icsy7867 8 (Author) Posted June 26, 2018 Woo! Thanks for the fast reply! I think it is something with the devices not accepting LetsEncrypt CA certificates. And yes, I convert to a PFX. I actually use a script I made without any issues so far: https://emby.media/community/index.php?/topic/59333-automate-pfx-certificate-deployment-from-letsencrypt/ openssl pkcs12 -export -out /certs/emby.pfx -inkey $privkey -in $cert -certfile $chain -password pass:
Angelblue05 4132 Posted June 27, 2018 (edited) You could try this here to confirm it's not a problem with your cert: https://www.sslshopper.com/ssl-converter.html Note: if you are comfortable with openssl, check at the bottom for the cmd line. Select type to convert to: PKCS #12. Certificate file: certificate.crt Private key: private.key Chain certificate: The ca_bundle.crt/CACert.crt or you can also find it here, Let's Encrypt Intermediate certificate. <---- This here, when it was missing, Roku failed the connection in my case. PFX password: set a password to secure the new ssl certificate (password to give to Emby). Edited June 27, 2018 by Angelblue05
icsy7867 8 (Author) Posted June 27, 2018 You could try this here to confirm it's not a problem with your cert: https://www.sslshopper.com/ssl-converter.html Note: if you are comfortable with openssl, check at the bottom for the cmd line. Select type to convert to: PKCS #12. Certificate file: certificate.crt Private key: private.key Chain certificate: The ca_bundle.crt/CACert.crt or you can also find it here, Let's Encrypt Intermediate certificate. <---- This here, when it was missing, Roku failed the connection in my case. PFX password: set a password to secure the new ssl certificate (password to give to Emby). Thanks for the post. I checked, and my PFX contains /etc/letsencrypt/live/emby.domain.com/chain.pem, which is identical to the certificate you sent. I also used openssl to verify that it was contained in the PFX bundle. Interestingly enough, I have FireFox installed on my FireTV; when I visit https://emby.domain.com:8920 I get an "SSL Error", however http://emby.domain.com:8096 works just fine. I am beginning to suspect more and more that the device does not contain the letsencrypt CA certs for verification. I wonder if there is a way to manually install the certificate?
icsy7867 8 (Author) Posted June 27, 2018 *Update* I did some more poking around. I found that LetsEncrypt also includes a "fullchain.pem" which is useful for users running NGINX. I built my PFX cert using this instead of the chain.pem. Surprisingly, after doing this the FireFox FireTV app loads my https://emby.domain.com:8920 without any issue, however same effect with the emby app... "Error Connecting". So, to test, I installed emby-server on my windows machine, repointed my internal DNS and tried to manually map https://emby.domain.com and it WORKED! I decided to pull the visible certificates using openssl in a terminal, and to my surprise, the same PFX certificate looked different from the two servers! I ran: openssl s_client -showcerts -connect emby.domain.com:8920 While running emby-server on windows: https://pastebin.com/Y0weK67J While running emby-server on linux (Tested on Ubuntu 16.04 and RHEL7): https://pastebin.com/Sii91XTY Not sure why emby would serve the certificates differently, but the missing DST Root on the linux side appears to be breaking Roku and FireTV playback. 1
icsy7867 8 (Author) Posted June 27, 2018 Did more digging and found another post describing the exact same issue: https://emby.media/community/index.php?/topic/54709-problem-getting-lets-encrypt-ssl-cert-to-work-on-embyserver-dotnetcore/ Posting for reference. 1
icsy7867 8 Posted June 27, 2018 Author Posted June 27, 2018 The forums didn't seem to like it when I tried to post my entire log. However, here are the bits about the unknown SSL certificate: 2018-06-27 13:29:54.672 Error HttpServer: Error in ProcessAccept *** Error Report *** Version: 3.4.1.0 Command line: /opt/emby-server/system/EmbyServer.dll -programdata /var/lib/emby -ffmpeg /opt/emby-server/bin/ffmpeg -ffprobe /opt/emby-server/bin/ffprobe -restartexitcode 3 -updatepackage emby-server-rpm_{version}_x86_64.rpm Operating system: Unix 3.10.0.862 64-Bit OS: True 64-Bit Process: True User Interactive: True Processor count: 6 Program data path: /var/lib/emby Application directory: /opt/emby-server/system System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL. ---> Interop+Crypto+OpenSslCryptographicException: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown --- End of inner exception stack trace --- at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, Byte[] recvBuf, Int32 recvOffset, Int32 recvCount, Byte[]& sendBuf, Int32& sendCount) at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteContext& context, SecurityBuffer inputBuffer, SecurityBuffer outputBuffer, Boolean isServer, Boolean remoteCertRequired) --- End of inner exception stack trace --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 
count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest) --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult) at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result) at System.Net.Security.SslStream.EndAuthenticateAsServer(IAsyncResult asyncResult) at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization) --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at SocketHttpListener.Net.HttpConnection.<Init>d__30.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at SocketHttpListener.Net.HttpEndPointListener.<ProcessAccept>d__29.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at SocketHttpListener.Net.HttpEndPointListener.<ProcessAccept>d__27.MoveNext() System.Security.Authentication.AuthenticationException at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, 
ExceptionDispatchInfo exception) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest) --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult) at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result) at System.Net.Security.SslStream.EndAuthenticateAsServer(IAsyncResult asyncResult) at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization) --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at SocketHttpListener.Net.HttpConnection.<Init>d__30.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at SocketHttpListener.Net.HttpEndPointListener.<ProcessAccept>d__29.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at 
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at SocketHttpListener.Net.HttpEndPointListener.<ProcessAccept>d__27.MoveNext() InnerException: Interop+OpenSsl+SslException Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL. ---> Interop+Crypto+OpenSslCryptographicException: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown --- End of inner exception stack trace --- at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, Byte[] recvBuf, Int32 recvOffset, Int32 recvCount, Byte[]& sendBuf, Int32& sendCount) at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteContext& context, SecurityBuffer inputBuffer, SecurityBuffer outputBuffer, Boolean isServer, Boolean remoteCertRequired) at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, Byte[] recvBuf, Int32 recvOffset, Int32 recvCount, Byte[]& sendBuf, Int32& sendCount) at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteContext& context, SecurityBuffer inputBuffer, SecurityBuffer outputBuffer, Boolean isServer, Boolean remoteCertRequired) InnerException: Interop+Crypto+OpenSslCryptographicException Interop+Crypto+OpenSslCryptographicException: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown 2018-06-27 13:30:21.664 Error HttpServer: Error in ProcessAccept *** Error Report *** Version: 3.4.1.0 Command line: /opt/emby-server/system/EmbyServer.dll -programdata /var/lib/emby -ffmpeg /opt/emby-server/bin/ffmpeg -ffprobe /opt/emby-server/bin/ffprobe -restartexitcode 3 -updatepackage emby-server-rpm_{version}_x86_64.rpm Operating system: Unix 3.10.0.862 64-Bit OS: True 64-Bit Process: True User Interactive: True Processor count: 6 Program data path: /var/lib/emby Application directory: /opt/emby-server/system System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. 
---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL. ---> Interop+Crypto+OpenSslCryptographicException: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown --- End of inner exception stack trace --- at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, Byte[] recvBuf, Int32 recvOffset, Int32 recvCount, Byte[]& sendBuf, Int32& sendCount) at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteContext& context, SecurityBuffer inputBuffer, SecurityBuffer outputBuffer, Boolean isServer, Boolean remoteCertRequired) --- End of inner exception stack trace --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest) --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult) at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result) at System.Net.Security.SslStream.EndAuthenticateAsServer(IAsyncResult asyncResult) at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization) --- 
End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at SocketHttpListener.Net.HttpConnection.<Init>d__30.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at SocketHttpListener.Net.HttpEndPointListener.<ProcessAccept>d__29.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at SocketHttpListener.Net.HttpEndPointListener.<ProcessAccept>d__27.MoveNext() System.Security.Authentication.AuthenticationException at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest) --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult) at 
System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result) at System.Net.Security.SslStream.EndAuthenticateAsServer(IAsyncResult asyncResult) at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization) --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at SocketHttpListener.Net.HttpConnection.<Init>d__30.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at SocketHttpListener.Net.HttpEndPointListener.<ProcessAccept>d__29.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at SocketHttpListener.Net.HttpEndPointListener.<ProcessAccept>d__27.MoveNext() InnerException: Interop+OpenSsl+SslException Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL. 
---> Interop+Crypto+OpenSslCryptographicException: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown --- End of inner exception stack trace --- at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, Byte[] recvBuf, Int32 recvOffset, Int32 recvCount, Byte[]& sendBuf, Int32& sendCount) at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteContext& context, SecurityBuffer inputBuffer, SecurityBuffer outputBuffer, Boolean isServer, Boolean remoteCertRequired) at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, Byte[] recvBuf, Int32 recvOffset, Int32 recvCount, Byte[]& sendBuf, Int32& sendCount) at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteContext& context, SecurityBuffer inputBuffer, SecurityBuffer outputBuffer, Boolean isServer, Boolean remoteCertRequired) InnerException: Interop+Crypto+OpenSslCryptographicException Interop+Crypto+OpenSslCryptographicException: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
Solution neik 873 Posted June 27, 2018 You might want to try one of the latest betas. At least for me it solved this issue. ;-) 2
icsy7867 8 (Author) Posted June 27, 2018 Just installed 3.4.1.21 beta RPM and just added the server via HTTPS/8920 via my firetv app! Thank you for the suggestion. Not a huge fan of running beta software, but I'll take it for now. Is it difficult to switch from beta to stable? Or can I just "yum install *.rpm" with the stable version? 1
Luke 42078 Posted June 28, 2018 Yes, you can do that later once the current beta goes stable.
Q-Droid 989 Posted June 30, 2018 *Update* I did some more poking around. I found that LetsEncrypt also includes a "fullchain.pem" which is useful for users running NGINX. I built my PFX cert using this instead of the chain.pem. Surprisingly, after doing this the FireFox FireTV app loads my https://emby.domain.com:8920 without any issue, however same effect with the emby app... "Error Connecting". So, to test, I installed emby-server on my windows machine, repointed my internal DNS and tried to manually map https://emby.domain.com and it WORKED! I decided to pull the visible certificates using openssl in a terminal, and to my surprise, the same PFX certificate looked different from the two servers! I ran: openssl s_client -showcerts -connect emby.domain.com:8920 While running emby-server on windows: https://pastebin.com/Y0weK67J While running emby-server on linux (Tested on Ubuntu 16.04 and RHEL7): https://pastebin.com/Sii91XTY Not sure why emby would serve the certificates differently, but the missing DST Root on the linux side appears to be breaking Roku and FireTV playback. I know this is a bit old and you've probably resolved your issue by now, but just in case: the two examples you posted could not have come from the same PFX file, since they were two different server certs. They have different validity dates and serial numbers. You might have requested new certs when moving from one machine to the other. Though if you've fixed the original problem by now then it doesn't really matter.
icsy7867 8 (Author) Posted June 30, 2018 That is observant of you. I renewed the certs and tried them various ways with the fullchain and the chain pems. You are probably just seeing my multiple attempts and me copying and pasting the wrong openssl grabs. However, the problem remained. The beta has since resolved my issue and so far seems to be working ok.
DarkFeather 3 Posted July 1, 2018 I'm seeing this same issue. https://ptpb.pw/NTw5 I've been using the following to make my .pfx file: echo REDACTED | openssl pkcs12 -password stdin -export -out /var/lib/emby/ssl/yggdrasil.pfx -inkey /etc/letsencrypt/live/aninix.net/privkey.pem -in /etc/letsencrypt/live/aninix.net/cert.pem -certfile /etc/letsencrypt/live/aninix.net/fullchain.pem I then add the PFX file to Emby with the passphrase, and it's not improving. I'm running Version 3.4.1.23 beta on ArchLinux.
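The question this thread keeps circling back to, from icsy7867's pkcs12 export and s_client comparison through DarkFeather's build command above, is whether the intermediate actually made it into the PFX and whether the server then presents a chain the client can validate. The script below is an added example, not code from the thread, from Let's Encrypt or from Emby. It assumes only the openssl CLI is installed. It generates a constructed root -> intermediate -> leaf PKI, lays the files out the way a Let's Encrypt live/ directory does (cert.pem, chain.pem, fullchain.pem, privkey.pem), builds one PFX with the intermediate and one without, and then checks each PFX two ways: counting the certificates it carries and verifying that the CA certificates stored inside it chain the leaf up to the trust anchor. The hostname emby.example.test, the subjects DemoRoot and DemoIntermediate and the password changeit are all constructed for the demo; served_chain_count mirrors the s_client command from the thread and needs network, so the demo does not call it.

```shell
#!/bin/sh
# Added example, not code from the thread or from Emby. It builds a throwaway
# root -> intermediate -> leaf PKI, lays the files out the way Let's Encrypt
# does (cert.pem, chain.pem, fullchain.pem, privkey.pem), then shows how the
# -certfile argument decides what ends up inside the PFX and how to verify the
# PFX's own chain before handing it to a server. Requires the openssl CLI.
# The hostname, subjects and password below are constructed for the demo.
set -eu

PFX_PASS="changeit"   # constructed demo password

# Number of certificates in a PEM bundle (chain.pem has 1, fullchain.pem 2).
count_pem_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Same export the thread uses: key + leaf, optional extra certs via -certfile.
# Pass no 4th argument to reproduce a PFX with the intermediate left out.
build_pfx() {
    out=$1; key=$2; cert=$3; extra=${4:-}
    if [ -n "$extra" ]; then
        openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" \
            -certfile "$extra" -passout "pass:$PFX_PASS"
    else
        openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" \
            -passout "pass:$PFX_PASS"
    fi
}

# How many certificates the PFX really carries; 1 means the chain is missing.
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PFX_PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# Pull the leaf (-clcerts) and the CA bag (-cacerts) out of the PFX separately
# and check that the CA certs stored inside the PFX link the leaf to the given
# trust anchor. Prints OK or INCOMPLETE.
verify_pfx_chain() {
    pfx=$1; anchor=$2; tmp=$(mktemp -d)
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$PFX_PASS" \
        -out "$tmp/leaf.pem" 2>/dev/null || true
    openssl pkcs12 -in "$pfx" -cacerts -nokeys -passin "pass:$PFX_PASS" \
        -out "$tmp/cacerts.pem" 2>/dev/null || true
    if openssl verify -CAfile "$anchor" -untrusted "$tmp/cacerts.pem" \
            "$tmp/leaf.pem" >/dev/null 2>&1; then
        result=OK
    else
        result=INCOMPLETE
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Count the certificates a live server sends, as the thread did with s_client
# against the Windows and Linux hosts. Needs network; not used by demo().
served_chain_count() {
    openssl s_client -showcerts -servername "$1" -connect "$1:$2" </dev/null \
        2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true
}

# Constructed three-tier PKI in $1, named like a Let's Encrypt live/ directory.
make_test_pki() {
    d=$1; mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:emby.example.test\n' \
        > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" \
        -out "$d/root.csr" -subj /CN=DemoRoot 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" \
        -out "$d/int.csr" -subj /CN=DemoIntermediate 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/chain.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/privkey.pem" \
        -out "$d/leaf.csr" -subj /CN=emby.example.test 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/chain.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/cert.pem" 2>/dev/null
    cat "$d/cert.pem" "$d/chain.pem" > "$d/fullchain.pem"
}

demo() {
    w=$(mktemp -d)
    make_test_pki "$w"
    build_pfx "$w/nochain.pfx" "$w/privkey.pem" "$w/cert.pem"
    build_pfx "$w/withchain.pfx" "$w/privkey.pem" "$w/cert.pem" "$w/chain.pem"
    echo "chain.pem certs:     $(count_pem_certs "$w/chain.pem")"
    echo "fullchain.pem certs: $(count_pem_certs "$w/fullchain.pem")"
    echo "nochain.pfx:   $(pfx_cert_count "$w/nochain.pfx") cert(s), chain $(verify_pfx_chain "$w/nochain.pfx" "$w/root.pem")"
    echo "withchain.pfx: $(pfx_cert_count "$w/withchain.pfx") cert(s), chain $(verify_pfx_chain "$w/withchain.pfx" "$w/root.pem")"
    rm -rf "$w"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh pfx_chain_check.sh demo`. The PFX built without -certfile holds a single certificate and verify_pfx_chain reports INCOMPLETE; the one built with chain.pem holds two and reports OK. The `sslv3 alert certificate unknown` in the server log posted above is the same failure seen from the server's side: the client could not build a trusted chain from what it was sent and aborted the handshake with an alert. Running verify_pfx_chain against the PFX before loading it into the server, and served_chain_count against the listening port afterwards, catches both the "intermediate not in the bundle" case and the "bundle is fine but the server does not present it" case that icsy7867's Windows-versus-Linux comparison pointed at.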
Luke 42078 Posted July 1, 2018 I haven't seen that one before. Did you configure the password into Emby?
DarkFeather 3 Posted July 1, 2018 Yes, I did. I'd been running with the same build for SSL (password on the PKCS12 file, password configured in Emby) for quite a while. I'm getting around it for the most part by proxying through my Lighttpd instance, which is honestly ostensibly better for letting me control my SSL ciphersuite and certificates from a single point at server edge, passed through my router NAT, but I wanted to bring it up in case others who didn't have the additional layers were affected.