
Secure remote connection not working but HTTP is.



jachin99
Posted

I have been going through setting up remote access on my Emby server. So far I have successfully registered my domain, set up a DDNS client, opened and forwarded the needed ports, and created a certificate via ZeroSSL that I have imported into Emby. I checked for the open port on canyouseeme.org and the port is open. Remote access does work for the HTTP site, so I'm not entirely sure how to troubleshoot this. Thanks.

Posted

There is a strong chance your client devices are not trusting your SSL certificate. If you have an Android device, try our mobile Android app. It is one of the few that can override this and force the device to accept it by prompting you to confirm it.

muzicman0
Posted

Did you change the public ports back to 8920 after abandoning Caddy in the Emby network settings?  And 8920 is forwarded to the IP address you have the Emby Server on?

jachin99
Posted

I changed the ports back correctly but I'll verify again to be sure. I don't think it's a trust issue, and I'm starting to wonder if something is left over from my Caddy install. When I go to https://mydomain.com, for instance, I get an IIS default landing page, and when I look at the cert info, it lists my Windows Server Essentials Remote Web Access cert. It's almost like Caddy is still redirecting to 443 somewhere. I checked on Android and I get the same behavior.

jachin99
Posted

I just looked again. My suspected redirect isn't coming from the router, or any configuration in Emby.

jachin99
Posted

I grabbed another copy of Caddy and ran the command to uninstall the service, but that got me nowhere because I had already taken it down. Prior to that I tried erasing all traces of Caddy on the filesystem and in the registry, but no joy there either. I'm thinking now if I can find a tool that shows me the network activity on this PC then maybe I could find some trace of whatever is doing my redirect. Just for good measure I generated a new cert and imported it, but that didn't help either. I'm really at a loss here because everything in Emby and on my router is configured correctly. I tried grabbing TCPView but I didn't see anything for port 443, which is the RWA port for WSE. I'm also pretty new at all of this, so hopefully I figure something out. I feel like if I could see exactly how my name is being resolved to the Windows Server machine then I could start to fix it.

jachin99
Posted

And I can't reach Emby on 127.0.0.1:8920. I also tried changing Emby's remote access port but that didn't fix anything.

muzicman0
Posted

You won't be able to reach https://127.0.0.1:8920 since your cert specifies a domain name. You have to go there by URL.

jachin99
Posted (edited)

Did you have to install your cert in Windows itself also? I used certutil to check the domain on the cert to be sure and that is also correct.

Edited by jachin99
muzicman0
Posted

You need to break this down into smaller chunks.  I suggest doing the following (get each one working before moving on):

 

1. Verify from outside your home network that your URL resolves to your home IP address.  You can check this by opening a command prompt on a PC (again, outside your home network), and typing nslookup my.domain.name (replace my.domain.name with appropriate name)

2. Try http://my.domain.name:8096 (again, from outside your network). If this doesn't work, then port forwarding is probably not right on your router (assuming you can reach the server on the local LAN).

    --It could also be your firewall.  I would disable the firewall to test this.  If it works with the Firewall off, then we can go from there.

3. Verify that port forwarding on your router is set to forward to the right PC.  It should be forwarded to the local IP address (most likely it will start with 192.168.x.x) of your Emby server

4. Verify that the ports are correct in Emby's network settings.

5. Verify that the path to the cert in Emby's settings is correct.

 

Try reaching https://my.domain.name:8920 from outside your network. Does that work? If so, you are done.

 

If all of the above is correct and it still doesn't work, then it may be a problem with the cert.  It should be in PKCS#12 format iirc.  Is that what you have?  Mine have a .pfx extension.
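
Added example, not part of the post above: a Python sketch of the final HTTPS check in that list. For each port it reports whether no TLS connection could be made, the chain is not trusted by the client, or the listener presents a certificate for a different name (as with the RWA certificate seen on 443 in this thread). The hostname is a placeholder and the helper names are invented for this illustration.

```python
import socket, ssl, sys

def cert_names(cert):
    """DNS names in a getpeercert()-style dict: SAN entries, else subject CN
    (RFC 2818 fallback; current browsers require a SAN)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, host):
    """Compare one certificate name to host; '*' covers one leftmost label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def cert_covers(cert, host):
    return any(name_matches(n, host) for n in cert_names(cert))

def probe(host, port, timeout=5.0):
    """Report what the listener on host:port presents to a TLS client."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names compared below
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"port": port, "status": "untrusted chain",
                "detail": exc.verify_message}
    except OSError as exc:  # refused, timed out, or handshake failed
        return {"port": port, "status": "no TLS connection", "detail": str(exc)}
    status = "ok" if cert_covers(cert, host) else "certificate for another name"
    return {"port": port, "status": status, "detail": cert_names(cert)}

if __name__ == "__main__":
    # Placeholder hostname; 443 and 8920 are the two ports forwarded in the thread.
    host = sys.argv[1] if len(sys.argv) > 1 else "media.example.net"
    for port in (443, 8920):
        print(probe(host, port))
```

Run it from outside the home network with the real hostname as the argument; the `detail` field lists the names on whichever certificate answered on that port.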

muzicman0
Posted (edited)

Did you have to install your cert in Windows itself also?

No.

 

EDIT: just so you know, I have one server running using a reverse proxy (Caddy), and the other is a cert I purchased through ssls.com (so more like what you are trying to do now).

Edited by muzicman0
jachin99
Posted (edited)

Somewhere in all of this I fixed it. The fix didn't take effect until after I restarted the PC. My best guess was I botched the first cert, and making a new one fixed it. I still get an IIS page when I go to my domain and don't specify a port though, which is weird and I still want to fix that, but I get a secure connection now from the looks of it. I even tried an SSL Labs report for my domain, and it comes back showing my RWA cert, which is weird.

Edited by jachin99
Posted

Thanks for the feedback.

jachin99
Posted

So the last issue I see is my root domain name, i.e. mydomain.com resolves to my remote web access page for my Windows Server machine. I can easily get around this by using my domain.com:8920 but I would prefer to have the domain.com point directly to my Emby server without using the port. The only thing I see that I can change right now is the order of my port forwarding rules on my router. The first rule forwards my RWA port for Windows Server, and my second rule is for Emby HTTPS. If I change the order of these to have Emby be the first rule, will that possibly resolve the issue? I have also closed the HTTP port because I don't plan to use that. Thanks.

@pir8radio

@Swynol

@muzicman0

muzicman0
Posted

I don't know what RWA is, but if it's not something you need, you should be able to use port forwarding. Forward incoming port 443 to local port 8920.

Posted

Are you running a reverse proxy now, i.e. Caddy? Or are you just port forwarding on your router direct to Emby?

 

If you aren't using a reverse proxy then all you need to do is forward external port 443 to internal port 8920 (Emby server IP).

jachin99
Posted

I don't have any proxies set up at the moment. Right now I'm forwarding from 8920 at the router to 8920 at the Emby PC. I forward external 443 to internal 443 on my Windows Server Essentials machine, which does not have Emby server. If I want to access my Emby server I need to specify domain name and port, but if I want to access Remote Web Access for Windows Server, then I just need a domain name. All of this is both inside and outside of the LAN.

muzicman0
Posted

I doubt you will be able to set it up where you can access 2 separate servers from outside on port 443 (the default port for https).  You will have to specify port 8920 remotely.  That's assuming you are actually running a website on your Windows server, and need port 443 to go there.

Posted

If you have 2 services both needing port 443 forwarding then you need a reverse proxy.

jachin99
Posted

Windows Server is running on 443. Who enforces what port SSL uses for inbound connections, out of curiosity? If I absolutely have to, could I set up a reverse proxy on the Windows Server machine and forward traffic to 443 on Windows Server Essentials once that traffic is on the LAN? I don't know that I will do that but I'm curious to learn more.

pwhodges
Posted

443 is the conventional port for HTTPS (the one your browser uses unless you specify a different one in the URL), but any port you choose can be used.  There is no enforcement.  Multiple ports can link to different HTTPS servers.

 

Which port is (ports are) used in your system is determined by your router's forwarding, your reverse proxy, or your server's settings depending on the architecture you have set up.

 

One advantage of a reverse proxy is that you can use the single default port for connections to multiple servers; for this there need to be multiple DNS names pointing to the same machine which the reverse proxy can use to direct traffic to the required places, or it is possible (but often more fiddly) to use folder names following a single DNS name for that purpose.

 

Paul

Posted

Thanks @pwhodges for the description. I was just about to ask what this reverse proxy is that has been mentioned many times. Just to clarify, for those of us that only have 3 or 4 family members using the server, this reverse proxy is not needed as we only have one server?

jachin99
Posted (edited)

I doubt you will be able to set it up where you can access 2 separate servers from outside on port 443 (the default port for https).  You will have to specify port 8920 remotely.  That's assuming you are actually running a website on your Windows server, and need port 443 to go there.

 

This is what is confusing me then, because everything for Emby server is set up so that Emby uses 8920 and that's it. There aren't any other proxies or anything like that, and the only other port I have forwarded is 443 to a different IP.

Edited by jachin99
jachin99
Posted

I guess a better question would be: why are my two incoming secure connections defaulting to my Windows Server remote web access page?

Happy2Play
Posted (edited)

I have no proxy or anything special, and 443 goes to my WHS2011 HTTPS login and 8920 goes to HTTPS Emby.

 

Exported my WHS2011 custom.homserver.com (GoDaddy) SSL cert and applied it in Emby.

 

You are applying port 8920 to url to get to Emby, correct?

Edited by Happy2Play
