
https not working after docker image upgrade



Smartypants
Posted

Hi there,

I just spent my day trying to find what my problem is and I'm running out of ideas.

Yesterday I updated my docker image, which was more than 6 months old, and to my surprise my https wasn't working anymore. I tried reverting to an older version but I can't get it to work again.

I've got this on the dashboard: Running on http port 8096, and https port 8920. The logs are clean. If I map the ports to the host, it works but it's not sustainable to map all my ports on the host because I have over 20 containers running. It was working with macvlan before, I'm really puzzled why it stopped. I even reinstalled the host from Ubuntu 20.10 to 21.04 and same results.

With curl I get the following:

curl -I http://emby.xxxx.com:8096 -vvv
* Rebuilt URL to: http://emby.xxxx.com:8096/
*   Trying x.x.x.x...
* TCP_NODELAY set
* Connected to emby.xxxxx.com (x.x.x.x) port 8096 (#0)
> HEAD / HTTP/1.1
> Host: emby.xxxxx.com:8096
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 302 Found
HTTP/1.1 302 Found
< Date: Mon, 24 May 2021 01:54:45 GMT
Date: Mon, 24 May 2021 01:54:45 GMT
< Server: Kestrel
Server: Kestrel
< Location: web/index.html
Location: web/index.html

<
* Connection #0 to host emby.xxxx.com left intact
curl -I https://emby.xxxx.com:8920 -vvv
* Rebuilt URL to: https://emby.xxxx.com:8920/
*   Trying x.x.x.x...
* TCP_NODELAY set
* Connected to emby.xxxx.com (x.x.x.x) port 8920 (#0)
* schannel: SSL/TLS connection with emby.xxxx.com port 8920 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 186 bytes...
* schannel: sent initial handshake data: sent 186 bytes
* schannel: SSL/TLS connection with emby.xxxx.com port 8920 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with emby.xxxx.com port 8920 (step 2/3)
* schannel: failed to receive handshake, SSL/TLS connection failed
* Closing connection 0
* schannel: shutting down SSL/TLS connection with emby.xxxx.com port 8920
* schannel: clear security context handle
curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed

That's when the port is mapped on the host.

curl -I  https://emby.xxxxx.com:8920 -vvv
*   Trying 127.0.0.1:8920...
* Connected to emby.xxxx.com (127.0.0.1) port 8920 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=xxxx.com
*  start date: Apr  8 23:57:35 2021 GMT
*  expire date: Jul  7 23:57:35 2021 GMT
*  subjectAltName: host "emby.xxxx.com" matched cert's "*.xxxx.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5630ead96580)
> HEAD / HTTP/2
> Host: emby.xxxx.com:8920
> user-agent: curl/7.74.0
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 302
HTTP/2 302
< date: Mon, 24 May 2021 02:23:00 GMT
date: Mon, 24 May 2021 02:23:00 GMT
< location: web/index.html
location: web/index.html
< server: Kestrel
server: Kestrel

<
* Connection #0 to host emby.xxxx.com left intact

It looks like the port is open but the handshake doesn't work properly. I tried installing the Windows version on my desktop and running the certificate, and it does work on Windows.

If I map the port to the host

Here's my setup:

  ## Emby
  emby:
    image: emby/embyserver
    container_name: emby
    networks:
      emby:
        ipv4_address: 10.X.X.X
    dns:
      - 10.X.X.X
    environment:
      - "UID=0"
      - "GID=10000"
      - "GIDLIST=100,44"
    devices:
      - "/dev/dri:/dev/dri"
    volumes:
      - "emby_data:/config"
      - "xxxxxxx/Moviez:/xxxxxxx/Moviez:ro"
      - "xxxxxxx/Seriez:xxxxxxx/Seriez:ro"
      - "xxxxxxx/Download:xxxxxxx/Download:ro"
      - ssl_data:/ssl:ro
    restart: unless-stopped

networks:
  emby:
    driver: "macvlan"
    driver_opts:
      parent: "enp4s0.65"
    ipam:
      config:
        - subnet: 10.X.X.X/24

embyserver.txt

Smartypants
Posted

Ahh damn, NVM, it was a firewall policy for some reason. It's not supposed to work that way though; there was already an egress policy going to my emby zone. Usually once the session is initiated, the server can answer on the same session and doesn't require a policy to send its answer back.

I'm missing something here.
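The two curl runs in the first post show the distinction that matters here: over macvlan the TCP connection opens but curl never receives a ServerHello ("failed to receive handshake, need more data"), while through the host port mapping the TLS 1.2 handshake completes and the Let's Encrypt certificate verifies. That pattern (port reachable, handshake never answered) points at something dropping the server's reply, which is what the firewall policy in the follow-up post turned out to be. The probe below is an added example, not code from the original post or from Emby: it separates "TCP connect" from "TLS handshake" and reports each failure class distinctly. The silent server it uses for the stand-alone run is a constructed stand-in for the stalled handshake, not a real Emby instance; the `free_tcp_port` helper and the result fields are likewise assumptions of this example.

```python
"""Probe host:port the way the curl runs in this thread do, but report the TCP
connect and the TLS handshake as separate outcomes, so a stalled handshake
(port open, no ServerHello) is not confused with a closed port or a bad cert."""
import socket
import ssl
import threading
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class TlsProbeResult:
    host: str
    port: int
    tcp_connected: bool
    tls_completed: bool
    detail: str


def probe_tls(host: str, port: int, timeout: float = 3.0,
              server_hostname: Optional[str] = None, verify: bool = True) -> TlsProbeResult:
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])  # same ALPN offer curl makes above
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return TlsProbeResult(host, port, False, False, f"tcp connect failed: {exc}")
    sni = server_hostname or host
    try:
        # wrap_socket() runs the handshake right away on a connected socket and
        # honours the timeout set on `raw`; on failure it closes the socket itself.
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            cert = tls.getpeercert() or {}
            subject = dict(rdn[0] for rdn in cert.get("subject", ()))
            detail = (f"{tls.version()} {tls.cipher()[0]} alpn={tls.selected_alpn_protocol()}"
                      f" cn={subject.get('commonName', '?')}")
            return TlsProbeResult(host, port, True, True, detail)
    except socket.timeout:
        return TlsProbeResult(host, port, True, False,
                              "tls handshake timed out: TCP open but no ServerHello received "
                              "(something on the path is dropping the server's reply)")
    except ssl.SSLError as exc:
        # Certificate, protocol or cipher problems land here, e.g. a wildcard
        # cert that does not cover the name, or a host that speaks plain HTTP.
        return TlsProbeResult(host, port, True, False, f"tls handshake failed: {exc.reason or exc}")
    except OSError as exc:
        return TlsProbeResult(host, port, True, False, f"connection dropped during handshake: {exc}")


def start_silent_tcp_server() -> Tuple[socket.socket, int]:
    """Constructed stand-in for the macvlan failure: accepts the TCP connection
    but never answers, so a TLS client waits for a ServerHello that never comes.
    Returns the listening socket (close it to stop) and the chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    held = []  # accepted connections are kept open and deliberately never served

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:  # listening socket closed: stop
                break
            held.append(conn)

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_tcp_port() -> int:
    """A port nothing listens on, to show the 'tcp connect failed' class."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:  # e.g. python probe.py emby.example.com 8920
        print(probe_tls(sys.argv[1], int(sys.argv[2])))
    else:
        srv, port = start_silent_tcp_server()  # constructed stall, not a real Emby
        print(probe_tls("127.0.0.1", port, timeout=1.0))
        srv.close()
        print(probe_tls("127.0.0.1", free_tcp_port(), timeout=1.0))
```

Run it with a host and port to probe a real endpoint; without arguments it reproduces the two failure classes locally. A result with `tcp_connected=True` and `tls_completed=False` plus a timeout detail is the signature from the first post: the SYN/ACK got through but the server's handshake reply did not, so the thing to inspect is the return path (firewall zone policies, asymmetric routing), not the certificate.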

Posted

Glad you figured it out. Thanks for the feedback.
