Jellyfin Forum
SOLVED: RemoteCertificateNameMismatch - Printable Version

Thread: SOLVED: RemoteCertificateNameMismatch (/t-solved-remotecertificatenamemismatch)



RemoteCertificateNameMismatch - Raúl Casado Piqueras - 2024-10-25

I am running Jellyfin in a Docker container.

OS: Debian GNU/Linux bookworm 12.7 x86_64
Kernel: Linux 6.1.0-26-amd64
Docker: 20.10.24+dfsg1, build 297e128
nginx: 1.27.2

It is configured with /jellyfin url base.

I run nginx in a container as a reverse proxy and to manage the Let's Encrypt certbot.

There is a persistent error that doesn't allow metadata to update:

Code:
[20:08:13] [ERR] [20] MediaBrowser.Providers.Movies.MovieMetadataService: Error in TheMovieDb
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(QueueItem queueItem)
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at TMDbLib.Rest.RestRequest.SendInternal(HttpMethod method, CancellationToken cancellationToken)
   at TMDbLib.Rest.RestRequest.Get[T](CancellationToken cancellationToken)
   at TMDbLib.Rest.RestRequestExtensions.GetOfT[T](RestRequest request, CancellationToken cancellationToken)
   at TMDbLib.Client.TMDbClient.GetConfigAsync()
   at MediaBrowser.Providers.Plugins.Tmdb.TmdbClientManager.EnsureClientConfigAsync()
   at MediaBrowser.Providers.Plugins.Tmdb.TmdbClientManager.SearchMovieAsync(String name, Int32 year, String language, CancellationToken cancellationToken)
   at MediaBrowser.Providers.Plugins.Tmdb.Movies.TmdbMovieProvider.GetMetadata(MovieInfo info, CancellationToken cancellationToken)
   at MediaBrowser.Providers.Manager.MetadataService`2.ExecuteRemoteProviders(MetadataResult`1 temp, String logName, Boolean replaceData, TIdType id, IEnumerable`1 providers, CancellationToken cancellationToken)

Any ideas for resolving this issue?

Thanks in advance.


RE: RemoteCertificateNameMismatch - TheDreadPirate - 2024-10-25

Open a bash shell for the jellyfin container then run these commands and share the full output.

Code:
curl -vvv https://api.tmdb.org
curl -vvv https://image.tmdb.org/t/p/original/uqIVJR1fmkiwpcIsIcV0vxiyY4z.jpg -o /tmp/futurama.jpg



RE: RemoteCertificateNameMismatch - Raúl Casado Piqueras - 2024-10-25

Thanks for your quick reply.

Here you have the output (I have changed my domain):

Code:
$ docker exec -it jellyfin sh
# curl -vvv https://api.tmdb.org
*  Trying 52.84.66.51:443...
* Connected to api.tmdb.org (52.84.66.51) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=valid.domain.com
*  start date: Sep 19 19:38:02 2024 GMT
*  expire date: Dec 18 19:38:01 2024 GMT
*  subjectAltName does not match api.tmdb.org
* SSL: no alternative certificate subject name matches target host name 'api.tmdb.org'
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'api.tmdb.org'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
# curl -vvv https://image.tmdb.org/t/p/original/uqIVJR1fmkiwpcIsIcV0vxiyY4z.jpg -o /tmp/futurama.jpg
  % Total    % Received % Xferd  Average Speed  Time    Time    Time  Current
                                Dload  Upload  Total  Spent    Left  Speed
  0    0    0    0    0    0      0      0 --:--:--  0:00:04 --:--:--    0*  Trying 143.244.56.49:443...
* Connected to image.tmdb.org (143.244.56.49) port 443 (#0)
* ALPN: offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [25 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2038 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [79 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=valid.domain.com
*  start date: Sep 19 19:38:02 2024 GMT
*  expire date: Dec 18 19:38:01 2024 GMT
*  subjectAltName does not match image.tmdb.org
* SSL: no alternative certificate subject name matches target host name 'image.tmdb.org'
  0    0    0    0    0    0      0      0 --:--:--  0:00:04 --:--:--    0
* Closing connection 0
} [5 bytes data]
* TLSv1.3 (OUT), TLS alert, close notify (256):
} [2 bytes data]
curl: (60) SSL: no alternative certificate subject name matches target host name 'image.tmdb.org'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
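What curl is reporting here is the hostname check every TLS client performs: the target name must appear among the certificate's dNSName SAN entries, and a certificate for valid.domain.com can never satisfy a request for api.tmdb.org. The script below is an added example (not code from this thread or from Jellyfin). It re-implements that matching rule and then reads a constructed excerpt of the container-side `curl -v` output above to separate the two usual causes: if curl dialled a private address, DNS answered wrongly; if it dialled the real public address and still got a local certificate, something on the packet path (a NAT/REDIRECT rule, a transparent proxy) rewrote the connection, because curl prints the address it dialled, not where the packet actually ended up.

```python
"""Hostname verification and a curl -v triage helper.

Added example: not code from the thread or from Jellyfin. It shows the
check curl and .NET's SslStream perform (RFC 6125-style matching of the
target host against the certificate's dNSName SAN entries) and reads a
constructed `curl -v` excerpt, copied from the thread's container output,
to say where the misrouting most likely happens.
"""
import ipaddress
import re


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName SAN entry against a target host.

    A '*' is accepted only as the entire left-most label and matches exactly
    one label: '*.tmdb.org' matches 'api.tmdb.org' but not 'tmdb.org' or
    'a.b.tmdb.org'. Partial wildcards such as 'api*.tmdb.org' are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(host: str, san_dns_names, subject_cn=None) -> bool:
    """True if the presented certificate is valid for `host`.

    SAN entries are authoritative; the subject CN is consulted only when the
    certificate carries no dNSName SAN at all (legacy behaviour).
    """
    names = list(san_dns_names)
    if not names and subject_cn:
        names = [subject_cn]
    return any(dns_name_matches(n, host) for n in names)


# Constructed sample: the failing container-side handshake from the thread,
# trimmed to the lines the parser needs.
CURL_CONTAINER = """\
*  Trying 52.84.66.51:443...
* Connected to api.tmdb.org (52.84.66.51) port 443 (#0)
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: CN=valid.domain.com
*  subjectAltName does not match api.tmdb.org
* SSL: no alternative certificate subject name matches target host name 'api.tmdb.org'
"""

# Constructed sample: a successful handshake, shaped like the host-side
# output later in the thread.
CURL_HOST_OK = """\
* Connected to image.tmdb.org (185.93.2.251) port 443 (#0)
* Server certificate:
*  subject: CN=image.tmdb.org
*  subjectAltName: host "image.tmdb.org" matched cert's "image.tmdb.org"
*  SSL certificate verify ok.
"""


def diagnose_curl(verbose_output: str, target_host: str) -> dict:
    """Classify a `curl -v` handshake: which IP was dialled, which CN was
    presented, whether the name check passed, and what to suspect if not.

    'dns': the name resolved to a private address (local DNS override).
    'nat': a public address was dialled yet a foreign certificate came back,
           so the connection was rewritten on the wire (REDIRECT/DNAT, proxy).
    """
    ip_m = re.search(r"\* Connected to \S+ \(([\d.]+)\)", verbose_output)
    cn_m = re.search(r"subject: CN=([^\s,;]+)", verbose_output)
    san_names = re.findall(r"matched cert's \"([^\"]+)\"", verbose_output)
    peer_ip = ip_m.group(1) if ip_m else None
    presented_cn = cn_m.group(1) if cn_m else None
    matched = ("subjectAltName does not match" not in verbose_output
               and hostname_matches(target_host, san_names, presented_cn))
    if matched:
        suspect = "none"
    elif peer_ip and ipaddress.ip_address(peer_ip).is_private:
        suspect = "dns"
    else:
        suspect = "nat"
    return {"peer_ip": peer_ip, "presented_cn": presented_cn,
            "matched": matched, "suspect": suspect}


if __name__ == "__main__":
    print(diagnose_curl(CURL_CONTAINER, "api.tmdb.org"))
    print(diagnose_curl(CURL_HOST_OK, "image.tmdb.org"))
```

Run against the container excerpt it reports `suspect: nat`, which is the branch this thread ends up in: the CDN address was dialled correctly, so Pi-hole was not the culprit, and the search should move to NAT rules on the Docker host.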



RE: RemoteCertificateNameMismatch - TheDreadPirate - 2024-10-25

Why is the request being changed?

Code:
* Server certificate:
*  subject: CN=valid.domain.com

Do you have anything on your network that could interfere with the request? A VPN? Pihole? Adblocker?


RE: RemoteCertificateNameMismatch - Raúl Casado Piqueras - 2024-10-25

I've been doing some checks and I don't understand this change either. Yes, I have Pi-hole, but if I curl the http service there is no problem. It happens when I do it with https inside Docker; outside Docker there is no issue.

Code:
$ curl -vvv https://image.tmdb.org/t/p/original/uqIVJR1fmkiwpcIsIcV0vxiyY4z.jpg -o /tmp/futurama.jpg
  % Total    % Received % Xferd  Average Speed  Time    Time    Time  Current
                                Dload  Upload  Total  Spent    Left  Speed
  0    0    0    0    0    0      0      0 --:--:--  0:00:02 --:--:--    0*  Trying 185.93.2.251:443...
* Connected to image.tmdb.org (185.93.2.251) port 443 (#0)
* ALPN: offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [3968 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=image.tmdb.org
*  start date: Oct  6 12:45:51 2024 GMT
*  expire date: Jan  4 12:45:50 2025 GMT
*  subjectAltName: host "image.tmdb.org" matched cert's "image.tmdb.org"
*  issuer: C=US; O=Let's Encrypt; CN=R10
*  SSL certificate verify ok.
} [5 bytes data]
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /t/p/original/uqIVJR1fmkiwpcIsIcV0vxiyY4z.jpg]
* h2h3 [:scheme: https]
* h2h3 [:authority: image.tmdb.org]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x563b9a644ce0)
} [5 bytes data]
> GET /t/p/original/uqIVJR1fmkiwpcIsIcV0vxiyY4z.jpg HTTP/2
> Host: image.tmdb.org
> user-agent: curl/7.88.1
> accept: */*
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [265 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [265 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
< HTTP/2 200
< date: Fri, 25 Oct 2024 21:27:11 GMT
< content-type: image/jpeg
< content-length: 50330
< server: BunnyCDN-FR1-1186
< cdn-pullzone: 775336
< cdn-uid: 29af4e0e-bcbd-4fcb-8635-74ddc38a1ebf
< cdn-requestcountrycode: ES
< cache-control: public, max-age=31919000
< etag: "6272f494-c49a"
< last-modified: Wed, 04 May 2022 21:48:04 GMT
< cdn-storageserver: NY-427
< cdn-requestpullsuccess: True
< cdn-fileserver: 266
< perma-cache: HIT
< cdn-proxyver: 1.04
< cdn-requestpullcode: 200
< cdn-cachedat: 10/09/2024 20:20:48
< cdn-edgestorageid: 1187
< cdn-status: 200
< cdn-requesttime: 0
< cdn-requestid: 91a0f5895fc08e6629232bcf7fd5e410
< cdn-cache: HIT
< accept-ranges: bytes
<
{ [15736 bytes data]
100 50330  100 50330    0    0  18362      0  0:00:02  0:00:02 --:--:-- 18361
* Connection #0 to host image.tmdb.org left intact

Inside the nginx server (jellyfin subnet in Docker), for instance:
Code:
# curl -vvv https://image.tmdb.org/t/p/original/uqIVJR1fmkiwpcIsIcV0vxiyY4z.jpg -o /tmp/futurama.jpg
  % Total    % Received % Xferd  Average Speed  Time    Time    Time  Current
                                Dload  Upload  Total  Spent    Left  Speed
  0    0    0    0    0    0      0      0 --:--:--  0:00:03 --:--:--    0*  Trying 143.244.56.49:443...
* Connected to image.tmdb.org (143.244.56.49) port 443 (#0)
* ALPN: offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [25 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2038 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [79 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=valid.domain.com
*  start date: Sep 19 19:38:02 2024 GMT
*  expire date: Dec 18 19:38:01 2024 GMT
*  subjectAltName does not match image.tmdb.org
* SSL: no alternative certificate subject name matches target host name 'image.tmdb.org'
  0    0    0    0    0    0      0      0 --:--:--  0:00:04 --:--:--    0
* Closing connection 0
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [281 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [281 bytes data]
* old SSL session ID is stale, removing
} [5 bytes data]
* TLSv1.3 (OUT), TLS alert, close notify (256):
} [2 bytes data]
curl: (60) SSL: no alternative certificate subject name matches target host name 'image.tmdb.org'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

In the pihole or unifi Docker service:
Code:
$ docker exec -it pihole sh
# curl -vvv https://image.tmdb.org/t/p/original/uqIVJR1fmkiwpcIsIcV0vxiyY4z.jpg -o /tmp/futurama.jpg
  % Total    % Received % Xferd  Average Speed  Time    Time    Time  Current
                                Dload  Upload  Total  Spent    Left  Speed
  0    0    0    0    0    0      0      0 --:--:--  0:00:02 --:--:--    0*  Trying 143.244.56.49:443...
* Connected to image.tmdb.org (143.244.56.49) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [3968 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=image.tmdb.org
*  start date: Oct  6 12:45:51 2024 GMT
*  expire date: Jan  4 12:45:50 2025 GMT
*  subjectAltName: host "image.tmdb.org" matched cert's "image.tmdb.org"
*  issuer: C=US; O=Let's Encrypt; CN=R10
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x56440d1a6620)
} [5 bytes data]
> GET /t/p/original/uqIVJR1fmkiwpcIsIcV0vxiyY4z.jpg HTTP/2
> Host: image.tmdb.org
> user-agent: curl/7.74.0
> accept: */*
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [265 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [265 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
} [5 bytes data]
< HTTP/2 200
< date: Fri, 25 Oct 2024 21:30:58 GMT
< content-type: image/jpeg
< content-length: 50330
< server: BunnyCDN-FR1-1072
< cdn-pullzone: 775336
< cdn-uid: 29af4e0e-bcbd-4fcb-8635-74ddc38a1ebf
< cdn-requestcountrycode: ES
< cache-control: public, max-age=31919000
< etag: "6272f494-c49a"
< last-modified: Wed, 04 May 2022 21:48:04 GMT
< cdn-storageserver: NY-427
< cdn-requestpullsuccess: True
< cdn-fileserver: 266
< perma-cache: HIT
< cdn-proxyver: 1.04
< cdn-requestpullcode: 200
< cdn-cachedat: 10/09/2024 20:20:48
< cdn-edgestorageid: 1187
< cdn-status: 200
< cdn-requesttime: 0
< cdn-requestid: 66a9348c1fcf42551aafee7263ce1c6b
< cdn-cache: HIT
< accept-ranges: bytes
<
{ [15754 bytes data]
100 50330  100 50330    0    0  15703      0  0:00:03  0:00:03 --:--:-- 15703
* Connection #0 to host image.tmdb.org left intact

My nginx configuration is this:
Code:
$ cat nginx.conf
user  nginx;
worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include      mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    tcp_nopush      on;
    tcp_nodelay    on;
    keepalive_timeout  65;
    types_hash_max_size 2048;

    # HTTP configuration for renewing certificates with Certbot
    server {
        listen      80;
        server_name  valid.domain.com www.valid.domain.com;

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        # Exception for Certbot (do not redirect)
        location /.well-known/acme-challenge/ {
            root /var/www/certbot;  # Path where Certbot stores the challenge files
        }

        # Redirect all other requests to port 8444 (HTTPS)
        location / {
            return 301 https://$host:443$request_uri;
        }

#        location / {
#            root  /usr/share/nginx/html;
#            index  index.html index.htm;
#        }

    }

    # HTTPS configuration
    server {
        listen 443 ssl; # Listen on port 443 with SSL enabled
        server_name valid.domain.com;

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ssl_certificate /etc/letsencrypt/live/valid.domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/valid.domain.com/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;

        location / {
            if ($host != "valid.domain.com") {
                return 444;  # Close the connection if the host does not match
            }

            proxy_pass http://jellyfin:8096; # Forward requests to Jellyfin
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_buffering off;
        }

        # New configuration for Filebrowser
        location /filebrowser/ {
            if ($host != "valid.domain.com") {
                return 444;  # Close the connection if the host does not match
            }

            proxy_pass http://filebrowser:80/filebrowser;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            rewrite ^/filebrowser(/.*)$ $1 break;  # Rewrite the URL to strip "/filebrowser"
            client_max_body_size 10G;  # Raise the limit to 100 MB
        }

    }
}



RE: RemoteCertificateNameMismatch - TheDreadPirate - 2024-10-25

Is it your http 444 block in your nginx config that is causing the problem?


RE: RemoteCertificateNameMismatch - Raúl Casado Piqueras - 2024-10-25

Yes, I think so.

When I do an insecure curl, I can see the request in the nginx logs:
Code:
# curl -vvv https://image.tmdb.org/t/p/original/uqIVJR1fmkiwpcIsIcV0vxiyY4z.jpg -o /tmp/futurama.jpg -k
  % Total    % Received % Xferd  Average Speed  Time    Time    Time  Current
                                Dload  Upload  Total  Spent    Left  Speed
  0    0    0    0    0    0      0      0 --:--:--  0:00:03 --:--:--    0*  Trying 185.93.2.251:443...
* Connected to image.tmdb.org (185.93.2.251) port 443 (#0)
* ALPN: offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [25 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2038 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [79 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=valid.domain.com
*  start date: Sep 19 19:38:02 2024 GMT
*  expire date: Dec 18 19:38:01 2024 GMT
*  issuer: C=US; O=Let's Encrypt; CN=E6
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* using HTTP/1.1
} [5 bytes data]
> GET /t/p/original/uqIVJR1fmkiwpcIsIcV0vxiyY4z.jpg HTTP/1.1
> Host: image.tmdb.org
> User-Agent: curl/7.88.1
> Accept: */*
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [281 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [281 bytes data]
* old SSL session ID is stale, removing
* Empty reply from server
  0    0    0    0    0    0      0      0 --:--:--  0:00:04 --:--:--    0
* Closing connection 0
} [5 bytes data]
* TLSv1.3 (OUT), TLS alert, close notify (256):
} [2 bytes data]
curl: (52) Empty reply from server
The nginx access.log output:
Code:
172.24.0.1 - - [25/Oct/2024:21:42:32 +0000] "GET /t/p/original/uqIVJR1fmkiwpcIsIcV0vxiyY4z.jpg HTTP/1.1" 444 0 "-" "curl/7.88.1"



RE: RemoteCertificateNameMismatch - TheDreadPirate - 2024-10-25

What is the point of that 444?


RE: RemoteCertificateNameMismatch - Raúl Casado Piqueras - 2024-10-26

To stop requests for other domains. But I think the point is why https is being redirected to my nginx server instead of going to the Internet. If I ping, I get the correct IP.


RE: RemoteCertificateNameMismatch - Raúl Casado Piqueras - 2024-10-27

I've solved it! Eureka!

When I started to deploy the services with containers, as there were several of them on the same server, I started to have problems because I was trying to use ports that were already busy. I published the Jellyfin https service on port 8444 because I had a local nginx server using port 443.

When I was able to generate the ssl certificate I made sure to route port 443 from the street to 8444 and everything started working great. But it only worked from the street inwards. Then I had an idea: create an entry in pihole's DNS and set up a rule in the server's firewall so that requests to port 443 would be redirected to 8444, but without configuring the source. A few days later I removed the local server that had occupied port 443 by integrating the rules in the dockerised nginx server I had in jellyfin. I didn't remember this rule anymore and as everything worked I decided not to touch anything.

I continued adding material to Jellyfin and I discovered that the information of what I was adding was not visible (metadata) and that's when I found the error in the certificate.

Why was this happening? Because from jellyfin's private network a request was made to port 443 and when it reached the host, due to the firewall rule it was sent to 8444 and therefore back to the nginx that publishes jellyfin. In fact, I had an error of too many redirections.

It was the command ‘curl -vvv https://image.tmdb.org/t/p/original/uqIVJR1fmkiwpcIsIcV0vxiyY4z.jpg -o /tmp/futurama.jpg -k’ that helped me to trace and reconstruct the port forwarding.

I removed the rule (metadata download started working instantly) and configured the port to listen on 443 instead of 8444. I updated the port forwarding on the router and voila, everything is working.

Thank you very much for your time and especially for recommending me to do a curl from the jellyfin server.