Jellyfin Forum
app Android via HTTPS - Printable Version


app Android via HTTPS - gobanow - 2024-05-08

Hi
I don't use a proxy.
Jellyfin installed in Docker compose
Where did I make a mistake?
Through the browser - it works.
Through the Android mobile app Jellyfin - no.
I use OMV 7.0.5-1 (Sandworm)

Using the instructions for jellyfin, I'm trying to launch it via https.
Created a self-signed certificate in PKCS 12 format (I use the whole chain - root key, root certificate, intermediate certificate) in the *.pfx file
Code:
openssl pkcs12 -export -out jellyfin.pfx -inkey privkey.pem -in cert.pem -CAfile chain.crt -passout pass:12345678
where:
privkey.pem - is the private key of the certificate,
cert.pem - is a certificate in text format (PEM),
jellyfin.pfx - is the name of the resulting file,
chain.crt - is the root and intermediate certificates combined in one file: Root, First intermediate certificate, Second intermediate certificate.
chain.crt creating:
Code:
cat cert.pem intermediate.crt > chain.crt
privkey.pem and cert.pem creating:
Code:
openssl req -x509 -newkey rsa:4096 -keyout ./privkey.pem -out cert.pem -days 1000 -nodes -subj '/CN=jellyfin.lan'
intermediate.crt creating:
Code: I am generating a CSR in the intermediate.csr file
openssl req            \
  -new                  \
  -key intermediate.key \
  -subj "/CN=TEST Intermediate CA/C=EU/O=TEST Ltd" \
  -out intermediate.csr
Code: Generating intermediate.crt

openssl x509          \
  -req                \
  -in intermediate.csr \
  -days 1000          \
  -CA cert.pem        \
  -CAkey privkey.pem  \
  -extfile <(echo -e "basicConstraints=CA:true\nkeyUsage=keyCertSign") \
  -out intermediate.crt

Through the browser - it works.
Through the Android mobile app Jellyfin - no.
writes "it is impossible to access the server".
neither via IP-address, nor via hostname.
Almost like the instructions turned out) it's a pity that it's not working yet
Where did I make a mistake?
Thanks


RE: app Android via HTTPS - TheDreadPirate - 2024-05-08

You'd need to add your server cert to your phone's trust store since the Android app has no way to add one locally like the browser does.


RE: app Android via HTTPS - gobanow - 2024-05-08

(2024-05-08, 02:44 PM)TheDreadPirate Wrote: You'd need to add your server cert to your phone's trust store since the Android app has no way to add one locally like the browser does.

Yes, I add it to the Samsung phone; the certificate is not added to the "Security certificates" (trusted certificates), it writes "it is impossible to use the file as a CA certificate".
It is installed only in the user certificates "VPN certificate and applications", which does not work; the Jellyfin app does not see it?

Where could there be a problem with the certificate?
The OMV certificate itself (generated from the web interface and signed) was added there and works, but this certificate (Jellyfin) does not want to. I make a mistake somewhere.


RE: app Android via HTTPS - gobanow - 2024-05-08

I tried to dig even deeper, created a leaf server certificate.

Key

Code:
openssl req -x509 -newkey rsa:4096 -keyout ./sever.pem -days 1000 -nodes -subj '/CN=jellyfin-server'

Csr

Code:
openssl req      \
  -new            \
  -key sever.pem \
  -subj "/CN=Jellyfin-server" \
  -out server.csr

Crt

Code:
openssl x509              \
  -req                    \
  -in server.csr          \
  -days 1000              \
  -CA intermediate.crt    \
  -CAkey intermediate-key.pem \
  -extfile <(echo -e "basicConstraints=CA:false\nkeyUsage=digitalSignature\nsubjectAltName=DNS:localhost") \
  -out server.crt

Combining the server certificate and the intermediate one:

Code:
cat server.crt intermediate.crt > chain2.crt

Creating PKCS12:

Code:
openssl pkcs12 -export -out jellyfin2.pfx -inkey privkey.pem -in cert.pem -CAfile chain2.crt -passout pass:12345678

I give you the rights:

Code:
chmod 644 jellyfin2.pfx

In Chrome, Jellyfin is launched via https, there is no android app
This certificate also does not want to be added to the "Security Certificates"
I don't understand where the error is
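
A check for the three-tier chain built in the post above, as an added example that is not part of any poster's message: it creates a throwaway root, intermediate and leaf in a temporary directory, then reports which certificates carry CA:TRUE, whether the leaf verifies up to the root, and which host names the leaf's subjectAltName matches. The function names, the "Demo" subjects and the temporary paths are assumptions made for the example; the SAN value DNS:localhost and the name jellyfin.lan are taken from the posts.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate -> leaf
# chain and run the checks a TLS client applies. All names and paths are constructed.
set -eu

sign() {  # sign <dir> <name> <subject> <extfile> <issuer name, or "self"> <serial>
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.csr" \
    -subj "$3" 2>/dev/null
  if [ "$5" = self ]; then
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -set_serial "$6" \
      -days 30 -extfile "$4" -out "$1/$2.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$5.crt" -CAkey "$1/$5.key" \
      -set_serial "$6" -days 30 -extfile "$4" -out "$1/$2.crt" 2>/dev/null
  fi
}

make_chain() {  # make_chain <dir> <DNS name for the leaf's subjectAltName>
  printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:false\nkeyUsage=digitalSignature,keyEncipherment\n' > "$1/leaf.ext"
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$2" >> "$1/leaf.ext"
  sign "$1" root '/CN=Demo Root CA' "$1/ca.ext" self 1
  sign "$1" intermediate '/CN=Demo Intermediate CA' "$1/ca.ext" root 2
  sign "$1" server '/CN=jellyfin-server' "$1/leaf.ext" intermediate 3
}

is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

chain_ok() {  # chain_ok <dir>: does the leaf verify up to the root via the intermediate?
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" "$1/server.crt" >/dev/null 2>&1
}

host_ok() {  # host_ok <cert> <hostname>: subjectAltName match, as a client checks it
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_chain "$demo" localhost      # same SAN value as the leaf in the post above
for c in root intermediate server; do
  if is_ca "$demo/$c.crt"; then echo "$c.crt: CA:TRUE"; else echo "$c.crt: CA:FALSE"; fi
done
chain_ok "$demo" && echo "leaf verifies up to the root"
for h in localhost jellyfin.lan; do
  if host_ok "$demo/server.crt" "$h"; then echo "$h: matches SAN"; else echo "$h: does NOT match SAN"; fi
done
```

The same `is_ca` and `host_ok` functions can be pointed at existing files to see what a certificate contains before it is copied to a phone.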


RE: app Android via HTTPS - gobanow - 2024-05-09

I tried it in legacy format, it still doesn't work

Code:
openssl pkcs12 -nodes -in jellyfin2.pfx -out certbag.pem
openssl pkcs12 -export -legacy -in certbag.pem > /tmp/legacy.p12



RE: app Android via HTTPS - TheDreadPirate - 2024-05-09

Any particular reason you are using a self-signed cert over a legit, and free, cert from Let's Encrypt? If you use Caddy as a reverse proxy, Caddy can automate the cert request and installation into caddy.


RE: app Android via HTTPS - gobanow - 2024-05-09

(2024-05-09, 12:45 PM)TheDreadPirate Wrote: Any particular reason you are using a self-signed cert over a legit, and free, cert from Let's Encrypt?  If you use Caddy as a reverse proxy, Caddy can automate the cert request and installation into caddy.

I do not want to load the system additionally and install profit unnecessarily, because I use Wireguard for remote access to Jellyfin.
And I'm not sure that this will help, because my self-signed certificates work in Jellyfin via https in Chrome.
I'm afraid I'll spend a couple of days studying Let's Encrypt and get the same thing.


RE: app Android via HTTPS - TheDreadPirate - 2024-05-09

If you're already using Wireguard for remote access, what is the benefit from also using HTTPS? You are already encrypted end-to-end. There is no benefit to adding HTTPS and it is a pain in the butt to use self-signed certs with Jellyfin in Android.


RE: app Android via HTTPS - gobanow - 2024-05-09

(2024-05-09, 04:31 PM)TheDreadPirate Wrote: If you're already using Wireguard for remote access, what is the benefit from also using HTTPS?  You are already encrypted end-to-end.  There is no benefit to adding HTTPS and it is a pain in the butt to use self-signed certs with Jellyfin in Android.

yes, I understand that wireguard encrypted everything, but the more protection, the better))
Yes, it is a pain in the butt
I think I'm ready to put up with http