Login

TheDreadPirate · 2024-01-02, 11:00 AM

You're missing a lot of the standard nginx config for Jellyfin. Follow our guide.

https://jellyfin.org/docs/general/networking/nginx/

Catter · 2024-01-02, 01:02 PM

thx for the quick response.

finally i found the problem. i just specified the certificate and not the full chain.

changing the line

Code:
ssl_certificate  ../ssl/MY.TLD-crt.pem;

to:

Code:
ssl_certificate  ../ssl/MY.TLD-chain.pem;

fixed the issue.

WoodroweBones · (This post was last modified: 2024-09-16, 08:02 PM by WoodroweBones.)

Any chance you know how to do this with Caddy rather than NGINX?

TheDreadPirate · 2024-09-17, 02:11 PM

There shouldn't be any additional configuration required for Caddy. Caddy handles all of that automatically.

leonerrante · 2024-09-22, 05:35 AM

Hi to all, i just download the APK from play store and my laptops can connect to the server but android device Redmi Note 10 Pro Andriod 13, cant, the device is in the same network but cant connect!

TheDreadPirate · 2024-09-22, 06:34 PM

We'd need more details about your setup. Server version, server OS, are you using a reverse proxy, etc.

raulx222

(2024-09-17, 02:11 PM)TheDreadPirate Wrote: There shouldn't be any additional configuration required for Caddy. Caddy handles all of that automatically.

I'm running a server for about a year, most users are using the Jellyfin Media Player (Windows), Findroid (Android), Infuse (iOS) and there are no problems. But with Jellyfin for Android TV for some users it doesn't connect, when they input the host address, the app says it can't connect. From 3 friends that want to connect from TV, only one friend can connect via Android TV app, but other 2 friends can't connect to the server, one with Android TV and one with Amazon Fire TV stick.

The error on Amazon Fire TV stick is the following (it's also the same error for the other friend with Android TV):

But the same address works fine on other clients or in browser. I can't replicate this error myself since I don't own an Android TV. I tried emulating Android TV, but the app connects to the server without any issues.

Here is my Caddy config:

Code:
jellyfin.mydomain.com {

        reverse_proxy 192.168.3.85:8096

}

I did a SSL handshake simulation and looks good. Results:

Show Content

I don't know how to debug this. What's the reverse proxy setup for the demo.jellyfin.org site? That one works on all TVs, it is possible to achieve the same setup with Caddy? Or the Android TV APK has some certificates baked in to allow the demo site to work properly?
Any help is appreciated. Thanks!

TheDreadPirate

I'm wondering if your clients don't trust the one of the CAs from Let's Encrypt. The intermediate CA in my cert is has a validity date starting earlier this year. If your Android TV clients haven't received any OS updates in a while they may not have that CA in their trust store. And this would require that your proxy offers the full chain.

Code:
Validity

            Not Before: Mar 13 00:00:00 2024 GMT

            Not After : Mar 12 23:59:59 2027 GMT

        Subject: C = US, O = Let's Encrypt, CN = E6

In Nginx (my proxy) it is possible to offer both the chain.pem and the fullchain.pem. Other users with this issue with their ATV clients were able to resolve the problem by configuring their apache or nginx proxy to offer both chains.

What I'm reading seems to indicate that Caddy does not present the chain cert that includes the root, which is also the case for Nginx and Apache, by default. But I'm having trouble finding documentation for configuring Caddy to offer the fullchain.

raulx222

(2024-09-26, 02:23 PM)TheDreadPirate Wrote: I'm wondering if your clients don't trust the one of the CAs from Let's Encrypt. The intermediate CA in my cert is has a validity date starting earlier this year. If your Android TV clients haven't received any OS updates in a while they may not have that CA in their trust store. And this would require that your proxy offers the full chain.

Code:
Validity Not Before: Mar 13 00:00:00 2024 GMT Not After : Mar 12 23:59:59 2027 GMT Subject: C = US, O = Let's Encrypt, CN = E6
In Nginx (my proxy) it is possible to offer both the chain.pem and the fullchain.pem. Other users with this issue with their ATV clients were able to resolve the problem by configuring their apache or nginx proxy to offer both chains.
What I'm reading seems to indicate that Caddy does not present the chain cert that includes the root, which is also the case for Nginx and Apache, by default. But I'm having trouble finding documentation for configuring Caddy to offer the fullchain.

It is possible from Caddy to serve my own .pem file but the problem is that for now everything is done automatically, my caddy script is minimal, I don't know where to get from or how to prepare the .pem file myself.

Edit:
I was wondering why the demo.jellyfin.org/stable works on all ATVs that my server has problem with. And I inspected the SSL and the demo site also has only 2 certs (intermediate and leaf) and still work. Also the demo site has certificate from LetsEncrypt issued by ISRG Root X1 which is the same in my server. The only difference that i found is that the demo site has RSA certificate, I forced RSA on my server and still doesn't work (i checked with SSL inspector site and it confirms that is RSA).

I don't know what to do further... If you want I can PM you my server address so you can check if you see other differences between certificates on my server and the demo one.

Login

Username/Email:
Password:


Or login with a social network below

Login

Username/Email:
Password:


Or login with a social network below

Android apps can't connect on my server