Plugins won't update.

[BrettDioson 4]

Hello

 

I have been having an issue with plugins ever since updating to 4.0 (at least noticing it since 4.0 but may be before that.)  I noticed it with the AutoOrganize plugin which was failing.  Whenever I tried updating the plugin I got an SSL error.

 

I was able to find the repo for AutoOrganize and build the updated DLL (1.3.6.0.  I had 1.2.8.0 which is not compatible with 4.0.  Also I don't know why/when plugin updates stopped working).  After building an updated DLL and replacing the old one, AutoOrganize started working again.

 

I found that MBBackup.dll is also a) out of date (I have version 1.2.3.0) and  also can't be updated with the same SSL error:

 

The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> System.ComponentModel.Win32Exception: The message received was unexpected or badly formatted

 

Unfortunately I cannot find a repo for MBBackup to build an updated DLL but I would really like to get plugin updates working again.  Any help would be appreciated.  My server log file is attached.

 

Thanks

embyserver.20190124.txt

[Luke 42079]

Do you have any system settings configured that might be causing these outgoing requests to fail? Are you behind a vpn?

[BrettDioson 4]

no.  I have the normal router/firewall setup but nothing that should be blocking outgoing.  uPNP is setup and Emby is set to automap ports.

 

Application updates occur without issue.  I did have to reboot to get 4.0.1.0 to install but that seems to have happened to a few other people on the forum.

 

edit:  Well now that you say that, I do have windows firewall set to block outgoing traffic to Afganistan, Azerbaijan, Bosnia, China, Hong Kong, India, Iran, Iraq, Kazakhstan, Lybia, The Netherlands, Pakistan, Russia, Rwanda, Saudi Arabia, Syria, and Ukraine sine I get a lot of zombie hits from those countries.  If the plugins are located in any of those then I guess it could be possible.

Edited January 25, 2019 by BrettDioson

[Luke 42079]

Application updates are coming from GitHub. Plugins come from our admin domain, so that is the difference.

[ebr 16184]

edit:  Well now that you say that, I do have windows firewall set to block outgoing traffic to Afganistan, Azerbaijan, Bosnia, China, Hong Kong, India, Iran, Iraq, Kazakhstan, Lybia, The Netherlands, Pakistan, Russia, Rwanda, Saudi Arabia, Syria, and Ukraine sine I get a lot of zombie hits from those countries.  If the plugins are located in any of those then I guess it could be possible.

 

 

We use CloudFlare for these static files so there is no telling where they may be coming from...

[mina3500 0]

We use CloudFlare for these static files so there is no telling where they may be coming from...

Do you have any framework settings designed that may make these active solicitations fall flat? It is safe to say that you are behind a vpn?

Edited January 25, 2019 by Happy2Play
Removed links

[BrettDioson 4]

I'm not behind a VPN, just connection to my cable provider.  Is there a URL I can test for the plugins to see if it's being blocked?  I understand cloudflare could be anywhere but it seems to fail pretty consistently and I would have expected it to at least connect once if it hit a US or other service provider.

 

Sorry forgot other question.  I have made no other framework configuration settings from whatever the default is.  Is there a particular setting you want me to look at?

Edited January 25, 2019 by BrettDioson

[Luke 42079]

Is windows fully up to date?

[BrettDioson 4]

Yes, I am running windows server 2012R2.  I do NOT have the optional January 2019 Preview of the Quality Rollups for .NET (4481490) or Preview of Monthly Rollup (KB4480969) installed as I typically wait for the final update for them but all other updates are installed.  Are there any other error logs or anything I can provide to help diagnose?

[Luke 42079]

windows event viewer, or windows firewall. It just looks like something is preventing the outgoing requests from happening.

[BrettDioson 4]

In the emby error log, are the source and target fields below supposed to be showing as blank:

 

InnerException: System.ComponentModel.Win32Exception: The message received was unexpected or badly formatted
    Source:
    TargetSite:

 

I'm trying to see where I can find communication being blocked but so far no luck. 

[Luke 42079]

You won't find that information in the emby server log. If the requests are being blocked, the server will not be able to know.

 

Can you check windows event viewer, or windows firewall? Do you have any other security software installed?

[BrettDioson 4]

I've disabled all firewall blocking rules, rebooted and restarted Emby.  I am getting the same error and there is nothing else on my side that can be blocking the traffic.  There is nothing in either the System or Application log that is an error, warning or even information that I can see related to emby, it's services, .net or any communication traffic blocking.  The only other security software I have installed is System Center Endpoint Protection and that is not showing any errors or blocking either.  Can someone DM me the latest version of the MBBackup.dll so I can at least try to get the backups working again in case I need to do a full re-install?

 

Edit: also I tried disabling SystemCenter and testing the plugin install again but same issue.

Edited January 26, 2019 by BrettDioson

[PenkethBoy 2068]

For reference i run two emby servers on the same 2012r2 server and through the whole 3.6 beta and now the 4.1 beta have never had an issue with downloading plugin updates.

 

So the question becomes what is different with your system to mine

 

I have Microsoft Security essentials running and the windows firewall (basic config - nothing fancy - i block stuff at my pfsense router) 

 

My system is up to date apart from those two optional updates you mentioned above in post #9

 

 

So as a basic initial test can you browse (from the 2012r2 machine) to www.mb3admin.com - should get a white page with some text and an emby media link

 

 

Just an off the wall thought - post #11 is a win32 error - you did install the 64bit version of emby 4.0 ?

[BrettDioson 4]

I am able to get to the www.mb3admin.com website from the server running emby.  There is a white banner page with a link to emby.media on it.

 

I do not know as 4.0 auto updated so I assume it installed the 64 bit version since I believe that's what I had before.  How can I determine that?  I don't see anything in the properties of the embyserver file.

 

Thank you all for your assistance on this.

[Happy2Play 9780]

Looking at the log I would assume it is 64bit.

	64-Bit OS: True
	64-Bit Process: True

Do you have another machine you can test a portable install on and see if you get the same results? 

 

All you would need to do is copy your current \Emby-Server\system folder and drop it in a folder anywhere on another machine and launch embyserver.exe in the system folder.

[PenkethBoy 2068]

the 64-bit was a big guess but as H2P has shown we can forget that wild idea

 

If your test on another machine works ok then i would suspect its the windows firewall on the 2012r2 server thats not configured correctly

[BrettDioson 4]

Thank you for the suggestions, I'll try that as soon as I get a chance.

[BrettDioson 4]

So, I did copy the directory over to my workstation and it does appear that it works and is able to get to the plugins (which incidentally is located at https://embydata.com for those that were wondering).

 

from the windows 2012r2 server that it is not working on, I am able to ping both addresses that are tied to that dns record successfully so it's not firewall.

 

When I try to browse to https://embydata.com from my workstation (which is where I copied the files to and it worked from) I am able to get the embydata splash page.

 

When I try to browse to https:///embydata.com from the server I get this TLS error message:

 

This page can’t be displayed

Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator. 

 

Anyone have any idea what kind of setting on windows server would cause this problem?  It's not looking like an issue with Emby at this point, but I'm wondering if there is some setting with the SSL connection to the hosted site my server just doesn't seem to like.  Is there some sort of restrictive settings in some .net configuration I would need to look at?

 

(by the way I was able to copy the MBBackup.dll from the workstation to the server and my backups seem to be working again so thanks for the idea of testing that)

[PenkethBoy 2068]

Have you got Internet Explorer Enhanced Security On or Off?

 

 

Its the first thing I turn off on 2012r2

[BrettDioson 4]

I've tried it both on and off with no difference between the two.  I've also added https://embydata.com as a trusted site but get the same error.

[Triton57 1]

 

So, I did copy the directory over to my workstation and it does appear that it works and is able to get to the plugins (which incidentally is located at https://embydata.com for those that were wondering).

 

from the windows 2012r2 server that it is not working on, I am able to ping both addresses that are tied to that dns record successfully so it's not firewall.

 

When I try to browse to https://embydata.com from my workstation (which is where I copied the files to and it worked from) I am able to get the embydata splash page.

 

When I try to browse to https:///embydata.com from the server I get this TLS error message:

 

This page can’t be displayed

Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator. 

 

Anyone have any idea what kind of setting on windows server would cause this problem?  It's not looking like an issue with Emby at this point, but I'm wondering if there is some setting with the SSL connection to the hosted site my server just doesn't seem to like.  Is there some sort of restrictive settings in some .net configuration I would need to look at?

Finally! Brett, your post pointed me in the right direction and I was able to resolve my issue. The key was having the right address to check on the Qualys site to get the list of cipher suites used by their web server. As it turns out, it's pretty restrictive and my 2008 R2 server (yes I need to upgrade) was not configured with any of the matching cipher suites.

 

To resolve the issue, I downloaded IIS Crypto to my server and ran the GUI version to see what cipher suites were in use on my server. That's the simplest way to add the appropriate cipher suites. As it turns out, none of the ones the website used were listed on my server. This isn't surprising on a 2008 R2 server and apparently not on 2012 R2 either. Anyway, if the server and client don't have matching cipher suites enabled, you'll get the error you were getting to turn on TLS because it can't negotiate with the server. If you look at the results for the the server under cipher suites you'll see in green the ones you want to enable. You only need one that matches, but I picked a couple.

 

This requires a reboot of the server for the new cipher suites to become active. Once I rebooted, my plugins all updated like a charm and I no longer was getting SSL errors. Hope this helps anyone else running into this issue.

 

Edited February 15, 2019 by Triton57

[Luke 42079]

Thanks for the info !

[BrettDioson 4]

Finally! Brett, your post pointed me in the right direction and I was able to resolve my issue. The key was having the right address to check on the Qualys site to get the list of cipher suites used by their web server. As it turns out, it's pretty restrictive and my 2008 R2 server (yes I need to upgrade) was not configured with any of the matching cipher suites.

 

To resolve the issue, I downloaded IIS Crypto to my server and ran the GUI version to see what cipher suites were in use on my server. That's the simplest way to add the appropriate cipher suites. As it turns out, none of the ones the website used were listed on my server. This isn't surprising on a 2008 R2 server and apparently not on 2012 R2 either. Anyway, if the server and client don't have matching cipher suites enabled, you'll get the error you were getting to turn on TLS because it can't negotiate with the server. If you look at the results for the the server under cipher suites you'll see in green the ones you want to enable. You only need one that matches, but I picked a couple.

 

This requires a reboot of the server for the new cipher suites to become active. Once I rebooted, my plugins all updated like a charm and I no longer was getting SSL errors. Hope this helps anyone else running into this issue.

 

 

 

Dude, you are awesome.  just used this and it fixed the issue of Emby connecting to get the plugins.  All my plugins are now up to date.

 

FYI I clicked on "Best Practices" on the utility and bumped the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cyphers to the top of the list.  After reboot Emby seems to be working to get the plugins.  Well done!

[Triton57 1]

Dude, you are awesome.  just used this and it fixed the issue of Emby connecting to get the plugins.  All my plugins are now up to date.

 

FYI I clicked on "Best Practices" on the utility and bumped the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cyphers to the top of the list.  After reboot Emby seems to be working to get the plugins.  Well done!

Awesome! Glad that fixed it for you too, it's been frustrating me for a while now.