app Android via HTTPS

[gobanow]

Hi

I don't use a proxy.

Jellyfin installed in Docker compose
Where did I make a mistake?

Through the browser - it works.

Through the Android mobile app Jellyfin - no.

I use OMV 7.0.5-1 (Sandworm)

Using the instructions for jellyfin, I'm trying to launch it via https.

Created a self-signed certificate in PKCS 12 format (I use the whole chain - root key, root certificate, intermediate certificate) in the *.pfx file

Code

Code:

openssl pkcs12 -export -out jellyfin.pfx -inkey privkey.pem -in cert.pem -CAfile chain.crt -passout pass:12345678

where:

privkey.pem - is the private key of the certificate,

cert.pem - is a certificate in text format (PEM),

jellyfin.pfx - is the name of the resulting file,

chain.crt - is the root and intermediate certificates combined in one file: Root, First intermediate certificate, Second intermediate certificate.

chain.crt creating:

Code: chain.crt creating

Code:

cat cert.pem intermediate.crt > chain.crt

privkey.pem and cert.pem creating:

Code: privkey.pem and cert.pem creating

Code:

openssl req -x509 -newkey rsa:4096 -keyout ./privkey.pem -out cert.pem -days 1000 -nodes -subj '/CN=jellyfin.lan'

intermediate.crt creating:

Code: I am generating a CSR in the intermediate.csr file


openssl req            \
  -new                  \
  -key intermediate.key \
  -subj "/CN=TEST Intermediate CA/C=EU/O=TEST Ltd" \
  -out intermediate.csr

Code: Generating intermediate.crt

openssl x509          \
  -req                \
  -in intermediate.csr \
  -days 1000          \
  -CA cert.pem        \
  -CAkey privkey.pem  \
  -extfile <(echo -e "basicConstraints=CA:true\nkeyUsage=keyCertSign") \
  -out intermediate.crt

Through the browser - it works.

Through the Android mobile app Jellyfin - no.

writes "it is impossible to access the server".

neither via IP-address, nor via hostname.

Almost like the instructions turned out) it's a pity that it's not working yet

Where did I make a mistake?

Thanks

[TheDreadPirate]

You'd need to add your server cert to your phone's trust store since the Android app has no way to add one locally like the browser does.

[gobanow]

You'd need to add your server cert to your phone's trust store since the Android app has no way to add one locally like the browser does.

yes, I add it to
the Samsung phone, the certificate is not added to the "Security certificates" (trusted certificates), writes "it is impossible to use the file as a CA certificate",
it is installed only in the user certificates "VPN certificate and applications" that does not work, the Jellyfin app does not see it?

where could there be a problem with the certificate?
the OMV certificate itself (, generated from the web interface and signed, was added there and works, but this certificate (Jellyfin) does not want to, I make a mistake somewhere

[gobanow]

I tried to dig even deeper, created a leaf server certificate.

Key

Code:

openssl req -x509 -newkey rsa:4096 -keyout ./sever.pem -days 1000 -nodes -subj '/CN=jellyfin-server'

Csr

Code:

openssl req      \
  -new            \
  -key sever.pem \
  -subj "/CN=Jellyfin-server" \
  -out server.csr

Crt

Code:

openssl x509              \
  -req                    \
  -in server.csr          \
  -days 1000              \
  -CA intermediate.crt    \
  -CAkey intermediate-key.pem \
  -extfile <(echo -e "basicConstraints=CA:false\nkeyUsage=digitalSignature\nsubjectAltName=DNS:localhost") \
  -out server.crt

Сombining the server certificate and the intermediate one:

Code:

cat server.crt intermediate.crt > chain2.crt

Сreating PKCS12:

Code:

openssl pkcs12 -export -out jellyfin2.pfx -inkey privkey.pem -in cert.pem -CAfile chain2.crt -passout pass:12345678

I give you the rights:

Code:

chmod 644 jellyfin2.pfx

In Chrome, Jellyfin is launched via https, there is no android app
This certificate also does not want to be added to the "Security Certificates"
I don't understand where the error is

[gobanow]

I tried it in legacy format, it still doesn't work

Code:

openssl pkcs12 -nodes jellyfin2.pfx certbag.pem
openssl pkcs12 -export -legacy -in certbag.pem > /tmp/legacy.p12

[TheDreadPirate]

Any particular reason you are using a self-signed cert over a legit, and free, cert from Let's Encrypt? If you use Caddy as a reverse proxy, Caddy can automate the cert request and installation into caddy.

[gobanow]

Any particular reason you are using a self-signed cert over a legit, and free, cert from Let's Encrypt?  If you use Caddy as a reverse proxy, Caddy can automate the cert request and installation into caddy.

I do not want to load the system additionally and install profit unnecessarily, because I use Wireguard for remote access to Jellyfin.
And I'm not sure that this will help, because my self-signed certificates work in Jellyfin via https in Chrome.
I'm afraid I'll spend a couple of days studying Let's Encrypt and get the same thing.

[TheDreadPirate]

If you're already using Wireguard for remote access, what is the benefit from also using HTTPS? You are already encrypted end-to-end. There is no benefit to adding HTTPS and it is a pain in the butt to use self-signed certs with Jellyfin in Android.

[gobanow]

If you're already using Wireguard for remote access, what is the benefit from also using HTTPS?  You are already encrypted end-to-end.  There is no benefit to adding HTTPS and it is a pain in the butt to use self-signed certs with Jellyfin in Android.

yes, I understand that wireguard encrypted everything, but the more protection, the better))
Yes, it is a pain in the butt
I think I'm ready to put up with http