Jellyfin Forum
IPv6 Finamp -> NGINX -> Jellyfin -> CERTIFICATE_VERIFY_FAILED - Printable Version

IPv6 Finamp -> NGINX -> Jellyfin -> CERTIFICATE_VERIFY_FAILED - pixel24 - 2024-06-28

Hi @all,

I have a problem that has been bothering me for a while. We have an IPv6-only connection from Vodafone. Internally, I have set up a dual-stack network. All server VMs have a public IPv6 address. On the pfSense, I have allowed HTTP connections to hosts (Groupware, Nextcloud, Jellyfin, etc.).

All servers have valid SSL certificates from Let's Encrypt. All applications work externally (mobile network / IPv6). The only thing I can't get to work is Finamp. The Stock app (Android/iOS), the desktop app, and even the web browser have no problem accessing externally via HTTPS.
Do I need to make adjustments to NGINX for Finamp to work, or is there possibly a mistake here? Here is my NGINX configuration:


Code:
server {
    listen 80;
    listen [::]:80;
    server_name media02.lan.example.de;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name media02.lan.example.de;

    client_max_body_size 50M;

    set $jellyfin media02.lan.example.de;
    resolver 192.168.83.5 valid=30s;

    ssl_certificate /etc/ssl/media02.lan.example.de.crt;
    ssl_certificate_key /etc/ssl/media02.lan.example.de.key; # managed by Certbot
    include /etc/nginx/snippets/options-ssl-nginx.conf;
    ssl_dhparam /etc/ssl/ssl-dhparams.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    ssl_trusted_certificate /etc/ssl/media02.lan.example.de.fullchain;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Logging
    error_log /var/log/nginx/error.log debug;

    # Security / XSS Mitigation Headers
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";

    # CORS Headers
    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Origin, Content-Type, Accept, Authorization' always;

    # COOP/COEP. Disable if you use external plugins/images/assets
    add_header Cross-Origin-Opener-Policy "same-origin" always;
    add_header Cross-Origin-Embedder-Policy "require-corp" always;
    add_header Cross-Origin-Resource-Policy "same-origin" always;

    # Permissions policy. May cause issues on some clients
    add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;

    location = / {
        return 302 https://$host/web/;
    }

    location / {
        # Proxy main Jellyfin traffic
        proxy_pass http://$jellyfin:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;

        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
    }

    location /socket {
        # Proxy Jellyfin Websockets traffic
        proxy_pass http://$jellyfin:8096;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }
}


Code:
cat /etc/nginx/snippets/options-ssl-nginx.conf
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

Finamp freshly installed and set the server to:
https://media02.lan.example.de
It tries to connect for a while but cannot find or display the server. In the Finamp log, I find:


Code:
[Startup/INFO] 2024-06-28 12:57:42.826639: App starting, logging initialized.
[MusicPlayerBackgroundTask/INFO] 2024-06-28 12:57:43.251575: Starting audio service
[QueueService/FINE] 2024-06-28 12:57:43.252342: Loop mode set to FinampLoopMode.none
[QueueService/INFO] 2024-06-28 12:57:43.252418: Restored loop mode to FinampLoopMode.none from settings
[QueueService/FINE] 2024-06-28 12:57:43.252501: Playback speed set to 1.0
[QueueService/INFO] 2024-06-28 12:57:43.252542: Restored playback speed to 1.0 from settings
[MusicPlayerBackgroundTask/INFO] 2024-06-28 12:57:43.254638: Shuffle mode changed to AudioServiceShuffleMode.none (false).
[MusicPlayerBackgroundTask/INFO] 2024-06-28 12:57:43.254741: Loop mode changed to AudioServiceRepeatMode.none (LoopMode.off).
[MusicPlayerBackgroundTask/INFO] 2024-06-28 12:57:43.255522: Loop mode changed to AudioServiceRepeatMode.none (LoopMode.off).
[MusicPlayerBackgroundTask/INFO] 2024-06-28 12:57:43.323392: Queue completed.
[PlaybackHistoryService/INFO] 2024-06-28 12:57:43.324324: Handling playback stop event
[SyncBuffer/INFO] 2024-06-28 12:57:48.247833: All syncs complete.
[DeleteBuffer/INFO] 2024-06-28 12:57:48.248293: All deletes complete.
[IsarTaskQueue/INFO] 2024-06-28 12:57:48.248465: All downloads enqueued.
[JellyfinServerClientDiscovery/FINE] 2024-06-28 12:58:09.934833: Sending discovery messages
[LoginServerState/SEVERE] 2024-06-28 12:58:16.964650: Error loading server info: HandshakeException: Handshake error in client (OS Error:
CERTIFICATE_VERIFY_FAILED: unable to get local issuer certificate(handshake.cc:393))
[LoginServerState/SEVERE] 2024-06-28 12:58:26.968426: Error loading server info: ClientException with SocketException: HTTP connection timed out after 0:00:10.000000, host: TEMP_HOST, port: 8096, uri=TEMP_BASEURL/System/Info/Public


Code:
[LoginServerState/SEVERE] 2024-06-28 12:59:31.233273: Error loading server info: ClientException with SocketException: HTTP connection timed out after 0:00:10.000000, host: TEMP_HOST, port: 8096, uri=TEMP_BASEURL/System/Info/Public

As mentioned, all other Jellyfin clients work over HTTPS. Does anyone have any ideas for me?

with best


RE: IPv6 Finamp -> NGINX -> Jellyfin -> CERTIFICATE_VERIFY_FAILED - pixel24 - 2024-06-28

Code:
openssl x509 -in /etc/ssl/media02.lan.example.de.crt -text -noout

shows me the correct certificate.


RE: IPv6 Finamp -> NGINX -> Jellyfin -> CERTIFICATE_VERIFY_FAILED - pixel24 - 2024-06-28

Shame on me! I didn't set the tag:

Code:
server {
...
}

correctly, and it was included twice. Now it seems to be working. Why the Stock App, Desk client, and web browser still worked with this issue is a mystery to me. The main thing is that I finally found the error :-)
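Added example (not code from the thread, from Jellyfin or from Finamp): a small static checker for the two things this thread turns on. A strict TLS client such as Finamp's Dart HTTP stack fails with "unable to get local issuer certificate" when the server presents only the leaf certificate without its intermediate, and a vhost that is pulled into nginx twice (the cause the original poster found) makes it easy for one copy to win with the wrong `ssl_certificate`. The script scans nginx config text for duplicate `server` blocks claiming the same `server_name` and port, and for `ssl_certificate` files that hold a single PEM certificate. `SAMPLE_CONFIG` and `FAKE_FILES` are constructed stand-ins for the config and the filesystem; the PEM bodies are placeholder text, only the framing matters.

```python
"""Static checks for duplicate nginx vhosts and leaf-only ssl_certificate files.
Added example; SAMPLE_CONFIG and FAKE_FILES are constructed, not real data."""
import re
from collections import Counter

# Constructed stand-in for the filesystem: path -> PEM file contents.
FAKE_FILES = {
    "/etc/ssl/leaf-only.crt": (
        "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-LEAF\n-----END CERTIFICATE-----\n"
    ),
    "/etc/ssl/fullchain.pem": (
        "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-LEAF\n-----END CERTIFICATE-----\n"
        "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-INTERMEDIATE\n-----END CERTIFICATE-----\n"
    ),
}

# Constructed config: the 443 vhost appears twice, once with a leaf-only cert.
SAMPLE_CONFIG = """
server {
    listen 80;
    listen [::]:80;
    server_name media02.lan.example.de;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name media02.lan.example.de;
    ssl_certificate /etc/ssl/leaf-only.crt;
    ssl_certificate_key /etc/ssl/leaf-only.key;
    location = / { return 302 https://$host/web/; }
    location / {
        proxy_pass http://127.0.0.1:8096;
    }
}

# the same vhost included a second time, as in the thread
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name media02.lan.example.de;
    ssl_certificate /etc/ssl/fullchain.pem;
}
"""


def split_server_blocks(config: str) -> list[str]:
    """Return the text of every top-level `server { ... }` block via a brace-depth scan."""
    blocks, depth, current = [], 0, None
    for line in config.splitlines():
        code = line.split("#", 1)[0]  # drop trailing comments before counting braces
        if depth == 0 and re.match(r"\s*server\s*\{", code):
            current = []
        depth += code.count("{") - code.count("}")
        if current is not None:
            current.append(line)
            if depth == 0:  # closing brace of the server block
                blocks.append("\n".join(current))
                current = None
    return blocks


def directive(block: str, name: str) -> list[str]:
    """All values of one directive inside a block (text between the name and ';')."""
    return [v.strip() for v in re.findall(rf"^\s*{name}\s+([^;]+);", block, re.M)]


def listen_ports(block: str) -> set[str]:
    """Ports from `listen` lines such as `80`, `[::]:443 ssl http2`, `0.0.0.0:443`."""
    ports = set()
    for value in directive(block, "listen"):
        addr = value.split()[0]
        ports.add(addr.rsplit(":", 1)[-1] if ":" in addr else addr)
    return ports


def find_duplicate_servers(config: str) -> list[tuple[str, str]]:
    """(server_name, port) pairs claimed by more than one server block."""
    seen = Counter()
    for block in split_server_blocks(config):
        for names in directive(block, "server_name"):
            for name in names.split():
                for port in listen_ports(block):
                    seen[(name, port)] += 1
    return sorted(key for key, count in seen.items() if count > 1)


def count_pem_certs(pem: str) -> int:
    """Number of certificates in a PEM bundle; a served chain needs the leaf plus intermediate(s)."""
    return pem.count("-----BEGIN CERTIFICATE-----")


def find_leaf_only_certs(config: str, files: dict) -> list[tuple[str, str]]:
    """ssl_certificate paths that are missing or contain only a single certificate."""
    findings = []
    for block in split_server_blocks(config):
        for path in directive(block, "ssl_certificate"):
            pem = files.get(path)
            if pem is None:
                findings.append((path, "missing"))
            elif count_pem_certs(pem) < 2:
                findings.append((path, "leaf-only"))
    return findings


if __name__ == "__main__":
    print("duplicate vhosts:", find_duplicate_servers(SAMPLE_CONFIG))
    print("chain problems:", find_leaf_only_certs(SAMPLE_CONFIG, FAKE_FILES))
```

On a live host the same two questions are answered by `nginx -T` (the fully expanded config, which shows every included copy of a `server` block) and `openssl s_client -connect host:443 -servername host -showcerts`, whose output lists each certificate the server actually sends; a chain of one entry is what produces the Finamp error above.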