Posted

Because it's almost time to renew my certificate, I did that through WACS, which completed successfully. I have 2 files: emby.domain.nl-chain.pem and emby.domain.nl-key.pem.

I have to create a pfx file with the following command:

 

openssl pkcs12 -export -out c:/ssl/emby.pfx -inkey c:/ssl/emby.domain.nl-key.pem -in c:/ssl/emby.domain.nl-chain.pem -certfile c:/ssl/emby.domain.nl-chain.pem

and enter the password twice.

 

When pointing Emby to the new certificate I get an error in my log, and https: is not reachable:

C:\ssl>openssl pkcs12 -info -in c:\ssl\emby3.pfx
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: 70 F9 62 F3 78 67 92 51 82 D7 B9 A3 8B 44 89 75 35 B3 7F DE
subject=CN = emby.domain.nl

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

-----BEGIN CERTIFICATE-----
blablabla
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    localKeyID: 70 F9 62 F3 78 67 92 51 82 D7 B9 A3 8B 44 89 75 35 B3 7F DE
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
blablabla
-----END ENCRYPTED PRIVATE KEY-----

 

And a test: 

C:\ssl>openssl s_client -showcerts -connect emby.domain.nl:8920
CONNECTED(000000F8)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 315 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
 
But the Emby log shows:
 
2019-04-30 23:12:31.010 Error HttpServer: Error in ProcessAccept
	*** Error Report ***
	Version: 4.1.1.0
	Command line: C:\Users\embyserver\AppData\Roaming\Emby-Server\system\EmbyServer.dll -noautorunwebapp
	Operating system: Microsoft Windows NT 6.2.9200.0
	64-Bit OS: True
	64-Bit Process: True
	User Interactive: True
	Runtime: file:///C:/Users/embyserver/AppData/Roaming/Emby-Server/system/System.Private.CoreLib.dll
	Processor count: 6
	Program data path: C:\Users\embyserver\AppData\Roaming\Emby-Server
	Application directory: C:\Users\embyserver\AppData\Roaming\Emby-Server\system
	System.ComponentModel.Win32Exception: System.ComponentModel.Win32Exception (0x8009030D): The credentials supplied to the package were not recognized
	   at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface secModule, String package, CredentialUse intent, SCHANNEL_CRED scc)
	   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(CredentialUse credUsage, SCHANNEL_CRED secureCredential)
	   at System.Net.Security.SslStreamPal.AcquireCredentialsHandle(X509Certificate certificate, SslProtocols protocols, EncryptionPolicy policy, Boolean isServer)
	   at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint, Byte[] clientHello)
	   at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
	   at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
	   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
	   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
	   at System.Net.Security.SslStream.BeginAuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState)
	   at System.Net.Security.SslStream.BeginAuthenticateAsServer(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation, AsyncCallback asyncCallback, Object asyncState)
	   at System.Net.Security.SslStream.<>c.<AuthenticateAsServerAsync>b__50_1(X509Certificate arg1, Boolean arg2, SslProtocols arg3, AsyncCallback callback, Object state)
	   at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1,TArg2,TArg3](Func`6 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, TArg2 arg2, TArg3 arg3, Object state, TaskCreationOptions creationOptions)
	   at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2,TArg3](Func`6 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, TArg3 arg3, Object state)
	   at System.Net.Security.SslStream.AuthenticateAsServerAsync(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
	   at SocketHttpListener.Net.HttpConnection.Init()
	   at SocketHttpListener.Net.HttpEndPointListener.ProcessAccept(SocketAsyncEventArgs args)
	Source: System.Net.Security
	TargetSite: System.Net.Security.SafeFreeCredentials AcquireCredentialsHandle(System.Net.SSPIInterface, System.String, CredentialUse, SCHANNEL_CRED)
	

I'm pretty lost at this point as to what the real issue is.

Posted

Ok, import it in Microsoft, then export it again with the password needed in Emby seems to fix it?

What is the most correct guide on this issue?

Posted

> Ok, import it in Microsoft

What exactly did you import it into, Windows?

Posted

Yes, into Windows, then exported it again.

Posted

I did read somewhere about pfx password requirements in .NET Core 2.0, which is what we're built on. I'll have to see if I can find that. Thanks.
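A check that a PFX loads with a usable private key through the same .NET certificate classes named in the stack trace above, as an added example that is not part of the thread and not Emby or WACS code. `Test-PfxForTls` is a hypothetical name, and an RSA key is assumed.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added diagnostic (not Emby or WACS code); Test-PfxForTls is a hypothetical name.
function Test-PfxForTls {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # Parse the PFX and import its key the way a .NET server would.
    $cert = [X509Certificate2]::new($Path, $Password)
    try {
        $keyUsable = $false
        if ($cert.HasPrivateKey) {
            # Assumes an RSA key; GetRSAPrivateKey returns $null for other key types.
            $priv = [RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($priv) {
                # Sign with the private key, verify with the certificate's public key.
                # This throws or returns $false if the key is unreadable or mismatched.
                $data = [Text.Encoding]::ASCII.GetBytes('pfx-self-test')
                $sig  = $priv.SignData($data, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
                $pub  = [RSACertificateExtensions]::GetRSAPublicKey($cert)
                $keyUsable = $pub.VerifyData($data, $sig, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
            }
        }
        $eku = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
        [pscustomobject]@{
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            Expired       = $cert.NotAfter -lt (Get-Date)
            HasPrivateKey = $cert.HasPrivateKey
            KeyUsable     = $keyUsable
            # 1.3.6.1.5.5.7.3.1 is the Server Authentication EKU.
            ServerAuthEku = [bool]($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.1')
        }
    }
    finally {
        $cert.Dispose()
    }
}

# Example call; the path is the one used in the first post.
Test-PfxForTls -Path 'C:\ssl\emby.pfx' -Password (Read-Host 'PFX password' -AsSecureString)
```

Run it as the account the server runs under, since the imported key lands in that account's key store.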
