2025-06-19, 08:23 AM
(This post was last modified: 2025-06-19, 08:24 AM by SirRorick. Edited 1 time in total.)
In my research, I am seeing this. Is this true, or is GPT full of it?
GPT Response:
"Yes—unfortunately, that’s a known limitation of Jellyfin on Windows. Under the hood, the Windows build uses .NET’s HTTP.sys/HttpListener stack, which—regardless of what you bundle into your PFX—only ever sends the leaf certificate to clients. Intermediate certificates simply aren’t included in the TLS handshake.
A couple of notes:
- There’s discussion in the Jellyfin repo about moving to .NET 7’s HTTP listener (which can include the chain), but Jellyfin’s Windows server still targets an earlier runtime where this isn’t supported.
- Practically speaking, until Jellyfin switches to a runtime that includes chain support (or reworks its TLS layer), the only reliable way to serve a full chain is to terminate TLS upstream—e.g. with a reverse proxy or dedicated TLS terminator.