Smartypants 0 Posted May 24, 2021

Hi there,

I just spent my day trying to find what my problem is and I'm running out of ideas. Yesterday I updated my docker image, which was more than 6 months old, and to my surprise my https wasn't working anymore. I tried reverting to an older version but I can't get it to work again. I've got this on the dashboard: Running on http port 8096, and https port 8920. The logs are clean. If I map the ports to the host, it works, but it's not sustainable to map all my ports on the host because I have over 20 containers running. It was working with macvlan before; I'm really puzzled why it stopped. I even reinstalled the host from Ubuntu 20.10 to 21.04 with the same results.

With curl I get the following:

curl -I http://emby.xxxx.com:8096 -vvv
* Rebuilt URL to: http://emby.xxxx.com:8096/
* Trying x.x.x.x...
* TCP_NODELAY set
* Connected to emby.xxxxx.com (x.x.x.x) port 8096 (#0)
> HEAD / HTTP/1.1
> Host: emby.xxxxx.com:8096
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 302 Found
HTTP/1.1 302 Found
< Date: Mon, 24 May 2021 01:54:45 GMT
Date: Mon, 24 May 2021 01:54:45 GMT
< Server: Kestrel
Server: Kestrel
< Location: web/index.html
Location: web/index.html
<
* Connection #0 to host emby.xxxx.com left intact

curl -I https://emby.xxxx.com:8920 -vvv
* Rebuilt URL to: https://emby.xxxx.com:8920/
* Trying x.x.x.x...
* TCP_NODELAY set
* Connected to emby.xxxx.com (x.x.x.x) port 8920 (#0)
* schannel: SSL/TLS connection with emby.xxxx.com port 8920 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 186 bytes...
* schannel: sent initial handshake data: sent 186 bytes
* schannel: SSL/TLS connection with emby.xxxx.com port 8920 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with emby.xxxx.com port 8920 (step 2/3)
* schannel: failed to receive handshake, SSL/TLS connection failed
* Closing connection 0
* schannel: shutting down SSL/TLS connection with emby.xxxx.com port 8920
* schannel: clear security context handle
curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed

That's when the port is mapped on the host:

curl -I https://emby.xxxxx.com:8920 -vvv
* Trying 127.0.0.1:8920...
* Connected to emby.xxxx.com (127.0.0.1) port 8920 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=xxxx.com
* start date: Apr 8 23:57:35 2021 GMT
* expire date: Jul 7 23:57:35 2021 GMT
* subjectAltName: host "emby.xxxx.com" matched cert's "*.xxxx.com"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5630ead96580)
> HEAD / HTTP/2
> Host: emby.xxxx.com:8920
> user-agent: curl/7.74.0
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 302
HTTP/2 302
< date: Mon, 24 May 2021 02:23:00 GMT
date: Mon, 24 May 2021 02:23:00 GMT
< location: web/index.html
location: web/index.html
< server: Kestrel
server: Kestrel
<
* Connection #0 to host emby.xxxx.com left intact

It looks like the port is open but the handshake doesn't work properly. I tried installing the Windows version on my desktop and running with the certificate, and it does work on Windows (and if I map the port to the host).

Here's my setup:

## Emby
emby:
  image: emby/embyserver
  container_name: emby
  networks:
    emby:
      ipv4_address: 10.X.X.X
  dns:
    - 10.X.X.X
  environment:
    - "UID=0"
    - "GID=10000"
    - "GIDLIST=100,44"
  devices:
    - "/dev/dri:/dev/dri"
  volumes:
    - "emby_data:/config"
    - "xxxxxxx/Moviez:/xxxxxxx/Moviez:ro"
    - "xxxxxxx/Seriez:xxxxxxx/Seriez:ro"
    - "xxxxxxx/Download:xxxxxxx/Download:ro"
    - ssl_data:/ssl:ro
  restart: unless-stopped

networks:
  emby:
    driver: "macvlan"
    driver_opts:
      parent: "enp4s0.65"
    ipam:
      config:
        - subnet: 10.X.X.X/24
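As an added example (not code from the post or from Emby), a small Python probe that separates the two stages the curl output above shows, TCP connect and TLS handshake, plus a constructed localhost listener that reproduces the failing case: it accepts the connection and then never answers the ClientHello, which is what "failed to receive handshake, need more data" looks like from the client.

```python
import socket
import ssl
import threading

def probe_tls(host, port, timeout=3.0):
    """Report how far a connection to host:port gets, in the same stages
    curl showed in the post: TCP connect, then the TLS handshake."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "tcp_refused"          # nothing listening, or a reject rule
    except socket.timeout:
        return "tcp_timeout"          # SYN got no answer at all
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # only asking "is there a TLS reply?",
    ctx.verify_mode = ssl.CERT_NONE   # so certificate checks are off here
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "tls_ok:" + tls.version()   # e.g. "tls_ok:TLSv1.3"
    except socket.timeout:
        return "tls_no_reply"         # curl: "failed to receive handshake"
    except OSError:
        return "tls_error"            # reset, or a non-TLS answer on the port

def start_silent_listener():
    """Constructed stand-in for the failing port: accepts TCP, then never
    answers the ClientHello. Returns (port, stop_fn); stop_fn closes it."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    done, held = threading.Event(), []

    def run():
        while not done.is_set():
            try:
                held.append(srv.accept()[0])   # keep it open, say nothing
            except socket.timeout:
                pass
        for conn in held:
            conn.close()
        srv.close()

    worker = threading.Thread(target=run, daemon=True)
    worker.start()

    def stop():
        done.set()
        worker.join()       # port is closed (connection refused) on return
    return srv.getsockname()[1], stop
```

Against the real host, probe_tls("emby.xxxx.com", 8920) returning "tls_no_reply" while port 8096 answers matches the post's symptom; "tls_ok:..." is what the port-mapped run shows.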
Smartypants 0 Posted May 24, 2021 (Author)

Ahh damn, NVM, it was a firewall policy for some reason. It's not supposed to work that way though; there was already an egress policy going to my emby zone. Usually once the session is initiated, the server can answer on the same session and doesn't require a policy to send its answer back. I'm missing something here.