Add support for Raspbian Buster (openssl 1.1.1c)

[Millichrome]

Describe the bug
After installing Jellyfin on a Raspbian Buster based system, I was not able to access the webUI via browser. The service was reported as running but Jellyfin was not listening on port 8096 (other services were running just fine). Based on internet research this seems to be tied to the version of openssl that ships with Raspbian Buster (1.1.1c).

To Reproduce

1. Install Jellyfin as described in https://jellyfin.readthedocs.io/en/latest/administrator-docs/installing/#debian
2. Run "service jellyfin status" - the service is active
3. When you go to [Device IP]:8096, you get a generic "Unable to connect" FF error
4. When you run "netstat -tnlp" Jellyfin is not listed, while other services (e.g. SSH server) are listed and work fine.
5. Try to run Jellyfin manually "/usr/bin/jellyfin start" and you'll get a "No usable version of the libssl was found"

Expected behavior
Jellyfin webUI should be accessible.

System

• OS: Raspbian Buster
• Browser: Firefox
• Jellyfin Version: 10.3.7
• Reverse proxy: None
• OpenSSL 1.1.1c 28 May 2019

Additional context
The following article seems to describe this issue in more detail:

http://www.d0wn.com/installing-jellyfin-on-a-rasberry-pi4/

I did not try downgrading OpenSSL as described by the article.

[joshuaboniface]

So ultimately the issue is that we build Jellyfin once per arch, and that package is reusable. Except, that we're dependent on libssl, and of course we're right in the middle of a conversion between two incompatible versions (thanks, OpenSSL devs...). For the very moment with 10.3.7 stable, you'll need to downgrade OpenSSL to 1.0.

However now that Buster is stable, I think we can reverse it for the next release - build against the more recent LibSSL, then provide the new one in the repos for older distros. Either way it's a hack but this will at least make 1.1.1c the default. I don't even know how Ubuntu factors into this.

[Millichrome]

Thanks for the response!

I am not confident enough in my linux skills to deal with the possible fallout due to a downgrade (and generally I try to avoid straying from defaults). I will just wait for the next major version.

Side note: If I compile my own version of Jellyfin, this issue should be resolved, right? Can the current release of Jellyfin target openssl 1.1.1c that's installed on my system?

[joshuaboniface]

You only need libssl1.0.X, not the entire openssl package, so if you can obtain the .deb file (https://packages.debian.org/stretch/libssl1.0.2) and install it, it should "just work" without recompiling anything and also not conflict with anything else on the system. Normally this would just be handled automatically (and is for Buster on amd64), but I haven't had a chance to forward-port for ARM!

[Millichrome]

I was able to get it running by manually adding openssl 1.0.x. I am liking the UI so far, IMO it's more "focused" then Plex. Thanks for the help! :)

Note to others who might be encountering this problem:

You might want to install the the repo keys for stretch from this page:

https://packages.debian.org/stretch/debian-archive-keyring

Otherwise you will get error when running apt update. I am assuming openssl 1.0.x won't be updated if you don't install the stretch keyring package.

[joshuaboniface]

I've done some more digging, and thanks to a really helpful comment from @Wuerfelbecher we're pretty much confirmed:

./deployment/fedora-package-x64/pkg-src/jellyfin.spec:# Fedora has openssl1.1 which is incompatible with dotnet

This is verified by trying to build Jellyfin using dotnet against libssl1.1:

dotnet publish --configuration Release --output='/jellyfin/usr/lib/jellyfin/bin' --self-contained --runtime debian-x64 \                                                                                                                       
        "-p:GenerateDocumentationFile=false;DebugSymbols=false;DebugType=none" Jellyfin.Server                                                                                                                                                
No usable version of the libssl was found  

So it looks like we're stuck with the Stretch version of OpenSSL 1.0.X for a while to come, until Microsoft gets their stuff together (I won't hold my breath).

For the benefit of repository users, I'm going to forward-port libssl1.0.1c into the ARM and ARM64 Buster repositories, like I did for AMD64, since this will make the transition seamless going forward.

[Millichrome]

Thanks for the update! This should help other users running Jellyfin on Raspbian buster derivatives.

[Wuerfelbecher]

I encountered this as i packaged Jellyfin for Fedora since on CentOS it build and on Fedora it would throw this error, that is why Jellyfin on Fedora requires the compat-openssl10 package for the old OpenSSL1.0.X API (Luckily i commented why it is needed).

I tested this on Fedora 30 just to confirm it and it build Jellyfin without complaining, with only OpenSSL 1.1.1 installed.

After some searching i found out that dotnet already supports OpenSSL1.1.X (on dotnet 3.0) at least on Red Hat Distros tested on Fedora 30 and RHEL 8. The pull request which back-ported the fix from dotnet 3.0 to 2.1/2.2 was already merged into dotnet quite some time ago.

I got no clue why this is not included in the Buster packages.

[joshuaboniface]

Interesting, we're using a specific version so I wonder if it's just slightly too old. I'll try again with a later release.

[joshuaboniface]

Looks like upgrading to v2.2.401 fixed this, so I'll do up a PR for the updates.