
    SOLVED: SSL Handshake Failed on Fire TV

    Linseed9747
    Offline

    Junior Member

    Posts: 11
    Threads: 1
    Joined: 2024 Jun
    Reputation: 0
    Country:United States
    #11
    2024-06-19, 06:16 PM (This post was last modified: 2024-06-19, 06:18 PM by Linseed9747.)
    One other thing I have found so far digging under the hood, EVERY service I have running on the reverse proxy contains its own folder (a couple dozen), and each of those folders contains its own file structure for all six of those PEM files. In other words, I feel like making any change to my certificates may require I change the files for EACH and EVERY one of those folders. I'm still trying to figure it out, but assuming I eventually feel comfortable trying to change a certificate directly by ssh, what exactly would I be changing?

    Okay, sorry I didn't catch your replies, I'll take a look at what you suggested and get back to you.
    Linseed9747
    #12
    2024-06-19, 06:33 PM (This post was last modified: 2024-06-19, 06:34 PM by Linseed9747. Edited 1 time in total.)
    Okay, so when I nano the file referenced in your link, it contains a couple dozen server blocks; each service using reverse proxy has its own block. Here is the jellyfin block.

    Code:
    server {
        listen 443 ssl;
        listen [::]:443 ssl;

        server_name jellyfin.<redacted>.com ;

        if ( $host !~ "(^jellyfin.<redacted>.com$)" ) { return 404; }

        include /usr/syno/etc/www/certificate/ReverseProxy_71437579-6014-46a7-9c46-<redacted>/cert.conf*;

        include /usr/syno/etc/security-profile/tls-profile/config/ReverseProxy_71437579-6014-46a7-9c46-<redacted>.conf*;

        add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload" always;

        proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

        location / {

            proxy_connect_timeout 60;

            proxy_read_timeout 60;

            proxy_send_timeout 60;

            proxy_intercept_errors off;

            proxy_http_version 1.1;

            proxy_set_header        Host            $http_host;

            proxy_set_header        X-Real-IP            $remote_addr;

            proxy_set_header        X-Forwarded-For            $proxy_add_x_forwarded_for;

            proxy_set_header        X-Forwarded-Proto            $scheme;

            proxy_pass http://<redacted>:8096;

        }

        error_page 403 404 500 502 503 504 /dsm_error_page;

        location /dsm_error_page {
            internal;
            root /usr/syno/share/nginx;
            rewrite (.*) /error.html break;
            allow all;
        }
    }
    TheDreadPirate
    Offline

    Community Moderator

    Posts: 15,374
    Threads: 10
    Joined: 2023 Jun
    Reputation: 460
    Country:United States
    #13
    2024-06-19, 06:45 PM
    What's in these files?

    include /usr/syno/etc/www/certificate/ReverseProxy_71437579-6014-46a7-9c46-<redacted>/cert.conf*;
    include /usr/syno/etc/security-profile/tls-profile/config/ReverseProxy_71437579-6014-46a7-9c46-<redacted>.conf*;
    Jellyfin 10.10.7 (Docker)
    Ubuntu 24.04.2 LTS w/HWE
    Intel i3 12100
    Intel Arc A380
    OS drive - SK Hynix P41 1TB
    Storage
        4x WD Red Pro 6TB CMR in RAIDZ1
    Linseed9747
    #14
    2024-06-19, 07:17 PM
    #1 file

    ssl_certificate /usr/syno/etc/www/certificate/ReverseProxy_71437579-6014-46a7-9c46-<redacted>/dd624636-3fe2-4209-8840.pem;
    ssl_certificate_key /usr/syno/etc/www/certificate/ReverseProxy_71437579-6014-46a7-9c46-<redacted>/fc60cdf7-ee40-45c1-83bf.pem;

    # 2 file

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECD>
    ssl_dhparam /usr/syno/etc/ssl/dh2048.pem;
    TheDreadPirate
    #15
    2024-06-19, 07:32 PM (This post was last modified: 2024-06-19, 07:34 PM by TheDreadPirate.)
    Comment out file #1. Then add these lines to the config.

    Code:
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    ssl_trusted_certificate /path/to/chain.pem;

    My nginx config for reference.

    https://sourceb.in/auQ7583d3q
    Linseed9747
    #16
    2024-06-20, 03:05 PM
    That was a good idea TheDreadPirate, but unfortunately making those modifications to the Nginx config directly on Synology seems to be a no-go. That entire reverse-proxy folder structure gets re-written by the software. Doing so completely killed the services that rely on the reverse-proxy. I saved a backup of the original config so I have been able to recover via shell.

    However, I did find the solution:

    SOLUTION:

    When you import new certificate files for a WILDCARD CERTIFICATE on a Synology NAS, you will be prompted to input three files:

    Private Key:
    Certificate:
    Intermediate certificate (optional):

    The private key and certificate are self-explanatory, but when you are importing a wildcard certificate, make sure you obtain a CA Bundle from the certificate authority to import into the 'Intermediate certificate' field. I'm not completely sure what I input into that field originally, but when I obtained that 3-certificate bundle from my provider it fixed this issue. Thanks @TheDreadPirate for all your help.
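
The fix in the post above comes down to the server sending the intermediate certificate(s) together with the leaf. As an added example (not part of the original thread; the throwaway PKI, `example.test`, and all file and function names are constructed), this script builds a root, an intermediate and a wildcard leaf with `openssl` and shows that a client trusting only the root rejects a leaf-only chain and accepts leaf plus intermediate.

```sh
#!/bin/sh
# Added example. Constructed throwaway PKI: root CA -> intermediate CA -> wildcard leaf.
# Every name here (example.test, file names, function names) is made up.

issue() {  # issue DIR NAME SUBJECT EXTFILE SERIAL [ISSUER]; no ISSUER means self-signed
  openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
  if [ -n "$6" ]; then
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$6.pem" -CAkey "$1/$6.key" \
      -set_serial "$5" -days 2 -extfile "$1/$4" -out "$1/$2.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" \
      -set_serial "$5" -days 2 -extfile "$1/$4" -out "$1/$2.pem" 2>/dev/null
  fi
}

make_pki() {  # make_pki DIR
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\n' > "$1/leaf.ext"
  issue "$1" root "/CN=Constructed Root CA" ca.ext 1 &&
  issue "$1" int "/CN=Constructed Intermediate CA" ca.ext 2 root &&
  issue "$1" leaf "/CN=*.example.test" leaf.ext 3 int
}

chain_ok() {  # chain_ok TRUSTED_ROOT SERVED_PEM
  # The first certificate in SERVED_PEM is the leaf. Everything in the file is
  # offered as untrusted helper certificates, which is how a TLS client treats
  # the certificates a server sends. Only TRUSTED_ROOT is a trust anchor.
  openssl x509 -in "$2" | openssl verify -CAfile "$1" -untrusted "$2" >/dev/null 2>&1
}

d=$(mktemp -d) && make_pki "$d" || exit 1
cat "$d/leaf.pem" > "$d/leaf_only.pem"               # served without the CA bundle
cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"  # leaf followed by the intermediate
for f in leaf_only fullchain; do
  if chain_ok "$d/root.pem" "$d/$f.pem"; then
    echo "$f: path to the trusted root builds"
  else
    echo "$f: verification fails, issuer certificate missing"
  fi
done
```

To see what a live server actually sends, `openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null` lists each certificate in the served chain (HOST is a placeholder).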