
HOWTO: create .pfx to use for https



I'm using Linux Ubuntu 16.04 64 bit and Asustor AS-604T ADM 3.2.1

This requires that you own a domain and have created a Let's Encrypt certificate!

Following ports should be open: 80, 443, 8096 and 8920

1. Login to ADM web interface > Settings > Certificate Manager - Click on Export Certificate.

2. Extract certificate.zip and open the folder certificate

3. Right click in the folder - select open terminal

4. Enter the command:
* Please change the name of the give-me-a-name.pfx
* After execution of this command you will be prompted to create a password, this is recommended!

openssl pkcs12 -export -out give-me-a-name.pfx -inkey ssl.key -in ssl.crt

5. Save the newly created give-me-a-name.pfx file on your NAS in a shared folder of your own choice

6. Go to:
http://local.ip.of.nas:8096/

7. Go to Advanced and do the following

Check that Allow remote connection to this Emby Server is marked.
* add external domain name
* Custom ssl certificate path (click on the magnifier to the right of the text field and navigate to where the .pfx file is).
* Certificate password - Add the password you entered after execution of step 4.
* Secure connection mode - Set to preferred, but not required.

8. Hit save and navigate to Controlpanel > Restart - Now you should be able to access the Emby Media Server from outside.


  • 4 weeks later...

Just to append what I did to my Asustor + Emby install, where it says above " * add external domain name ", I filled the complete NAS URL which is hostname + domain name. As opposed to what may lead to most to just insert the domain name, again, I inserted the full URL.

 

One quick note, for all the woes Asustor certainly has in terms of its software, for example, they can't ship a proper working WebDAV service on the NAS (gosh! Directly contacted Asustor as customer and nothing; only silence!), in turn, the Emby server seems to be working right and I'm pleased.

Edited by fgs

  • 1 year later...
Jägs

Ditto.  Worked for me, thanks!

 

I'm very new to this, but I assume you'd need to update the pfx file any time the certificate is updated.  That being the case, I modified this a bit to be completely automated and created a cron job that handles the password, too:

0 1 * * * [path to openssl binary]/openssl pkcs12 -export -out [path to certificate]/ssl.pfx -inkey [path to certificate]/ssl.key -in [path to certificate]/ssl.crt -passout pass:[password]

Obviously you need to replace the parts in brackets to match your needs.

 

This runs the command to create the pfx file at 1:00 AM every morning.

 

NOTE:  for anyone else running an ASUSTOR, the path to the LE certificate on my machine is:

/volume0/usr/builtin/etc/certificate

Your mileage may vary.

  • Like 1

  • 11 months later...
freeflight29
On 3/25/2020 at 3:18 AM, Jägs said:

Ditto.  Worked for me, thanks!

 

I'm very new to this, but I assume you'd need to update the pfx file any time the certificate is updated.  That being the case, I modified this a bit to be completely automated and created a cron job that handles the password, too:


0 1 * * * [path to openssl binary]/openssl pkcs12 -export -out [path to certificate]/ssl.pfx -inkey [path to certificate]/ssl.key -in [path to certificate]/ssl.crt -passout pass:[password]

Obviously you need to replace the parts in brackets to match your needs.

 

This runs the command to create the pfx file at 1:00 AM every morning.

 

NOTE:  for anyone else running an ASUSTOR, the path to the LE certificate on my machine is:


/volume0/usr/builtin/etc/certificate

Your mileage may vary.

Hello jags, 

I'm not familiar with "linux", could you help me to create this cron job above? I have an asustor. Or tell me if there is any documentation on this subject?

Thanks for your help 


4 hours ago, freeflight29 said:

Hello jags, 

I'm not familiar with "linux", could you help me to create this cron job above? I have an asustor. Or tell me if there is any documentation on this subject?

Thanks for your help 

Hi, are you able to update your pfx manually? Becoming familiar with that process is the first step. Then after that you can look at automating it with a cron job.


freeflight29
18 hours ago, Luke said:

Hi, are you able to update your pfx manually? Becoming familiar with that process is the first step. Then after that you can look at automating it with a cron job.

Hello Luke, that's OK for the pfx now. I would like to understand how to automate it, I don't know where to put the script to make it work as a cron job... So if you have some suggestion of a link? Thank you.


Jägs
On 3/21/2021 at 5:07 PM, freeflight29 said:

Hello jags, 

I'm not familiar with "linux", could you help me to create this cron job above? I have an asustor. Or tell me if there is any documentation on this subject?

Thanks for your help 

The exact syntax is going to differ from system to system, but here's what I have on my ASUSTOR AS5304T:

0 1 * * * /usr/builtin/bin/openssl pkcs12 -export -out /volume0/usr/builtin/etc/certificate/ssl.pfx -inkey /volume0/usr/builtin/etc/certificate/ssl.key -in /volume0/usr/builtin/etc/certificate/ssl.crt -passout pass:##########

Where "##########" is the password you want to use.  You will enter this password into the Network settings under "Certificate password."

Edited by Jägs
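
A cron-safe variant of the regeneration job discussed above, as an added example that is not part of any post in this thread: it reads the export password from a root-only file (OpenSSL's `file:` pass phrase source) instead of `-passout pass:...`, which leaves the password in the crontab and the process list, and it only swaps in a new .pfx after confirming that it opens. The function name `refresh_pfx`, the `OPENSSL` variable and the password-file argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Rebuilds the .pfx that Emby loads
# without putting the export password on the openssl command line.
# Usage: refresh_pfx CRT KEY PFX PASSFILE
#   PASSFILE (hypothetical) holds the password on its first line, chmod 600.
# Prints "unchanged" or "rebuilt"; returns non-zero on any failure.
refresh_pfx() {
    crt=$1; key=$2; pfx=$3; passfile=$4
    ossl=${OPENSSL:-openssl}   # e.g. OPENSSL=/usr/builtin/bin/openssl on ADM

    # Fingerprint of the leaf certificate currently on disk.
    fp_crt=$("$ossl" x509 -in "$crt" -noout -fingerprint -sha256) || return 1

    # Fingerprint of the certificate inside the existing bundle, if any.
    fp_pfx=$("$ossl" pkcs12 -in "$pfx" -passin "file:$passfile" -nokeys \
                 -clcerts 2>/dev/null |
             "$ossl" x509 -noout -fingerprint -sha256 2>/dev/null) || fp_pfx=

    # Same certificate already bundled: leave the live file untouched.
    if [ "$fp_crt" = "$fp_pfx" ]; then
        echo unchanged
        return 0
    fi

    # mktemp creates the file with mode 0600, so the bundle (which contains
    # the private key) is never world-readable, even briefly.
    tmp=$(mktemp "$pfx.XXXXXX") || return 1

    # file: makes openssl read the password itself, so it never shows up in
    # `ps` output or in the crontab. The second call confirms the new bundle
    # opens with that password before it replaces the live one.
    if "$ossl" pkcs12 -export -out "$tmp" -inkey "$key" -in "$crt" \
           -passout "file:$passfile" &&
       "$ossl" pkcs12 -in "$tmp" -passin "file:$passfile" -noout 2>/dev/null
    then
        mv -f "$tmp" "$pfx" && echo rebuilt   # atomic on one filesystem
    else
        rm -f "$tmp"
        return 1
    fi
}
```

From cron, the 01:00 entry would source this file and call `refresh_pfx` with the certificate paths from the thread and the password file. If Emby runs under a different account than the owner of the .pfx, that account also needs read access to it.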

  • 2 months later...
freeflight29
On 3/23/2021 at 3:26 AM, Jägs said:

The exact syntax is going to differ from system to system, but here's what I have on my ASUSTOR AS5304T:


0 1 * * * /usr/builtin/bin/openssl pkcs12 -export -out /volume0/usr/builtin/etc/certificate/ssl.pfx -inkey /volume0/usr/builtin/etc/certificate/ssl.key -in /volume0/usr/builtin/etc/certificate/ssl.crt -passout pass:##########

Where "##########" is the password you want to use.  You will enter this password into the Network settings under "Certificate password."

Hello Jägs, 

I try to do the same on my NAS Asustor AS6404T, everything is OK, the cert is correctly generated but I have an issue: when I restart Emby server to save the modification, I can't connect anymore. I have to renew the pfx cert and it's working again.

Here is the line I added to my crontab:

0 1 * * * /usr/builtin/bin/openssl pkcs12 -export -out /volume1/home/MyUserName/MyCERT.pfx -inkey /volume0/usr/builtin/etc/certificate/ssl.key -in /volume0/usr/builtin/etc/certificate/ssl.crt -passout pass:MyPassword

And the path I fill in under the Emby interface is:

/volume1/home/MyUserName/MyCERT.pfx

Thanks in advance for your help 


Jägs
On 5/31/2021 at 4:22 PM, freeflight29 said:

when i restart emby server to save modification,  i can't connect anymore

When you restart Emby, are you trying to connect via your local network or remotely and having a problem?  If local, can you connect via the non-SSL port (i.e. localhost:8096)?

After you restart, can you verify that the pfx file still exists in the path?  It's unlikely to disappear, but just to eliminate a possibility.

The only other thing I can think of is your pfx path is different—on volume1 vs volume0—and while it really shouldn't matter, if you continue to have problems, can you place the pfx in the same folder as the rest and see if you still have the same problems?


freeflight29

Hello, 

Sorry for the delay, I was a little busy.....

So here is what I'm doing:

When you restart Emby, are you trying to connect via your local network or remotely and having a problem?  If local, can you connect via the non-SSL port (i.e. localhost:8096)?
When I restart it, remote access is not working, and local access is OK

After you restart, can you verify that the pfx file still exists in the path?  It's unlikely to disappear, but just to eliminate a possibility.
I use MobaXterm to connect to the NAS via SSH with the root account. Then I generate the certificate with this command (I modified the path like you suggested):

/usr/builtin/bin/openssl pkcs12 -export -out /volume0/usr/builtin/etc/certificate/MyCert.pfx -inkey /volume0/usr/builtin/etc/certificate/ssl.key -in /volume0/usr/builtin/etc/certificate/ssl.crt -passout pass:MyPassword

I confirm that the pfx certificate is present and the path is correct under the Emby interface (/volume0/usr/builtin/etc/certificate/MyCert.pfx)

root@MyNAS:/volume0/usr/builtin/etc/certificate # ls -la
total 48
drwxr-xr-x    4 root     root          4096 Jun  9 00:00 ./
drwxr-xr-x   48 root     root          4096 Jun  8 00:08 ../
-rw-r--r--    1 root     root           765 Jun  9 00:00 certificate.json
-rw-r--r--    1 root     root          5717 Jun 10 21:45 MyCert.pfx
drwxr-xr-x    3 root     root          4096 Jul 16  2019 letsencrypt/
drwxr-xr-x    4 root     root          4096 May 16 19:11 ssl/
-rw-r--r--    1 root     root          5630 May 16 19:11 ssl.crt
-rw-r--r--    1 root     root          1675 Dec 28  2019 ssl.key
-rw-r--r--    1 root     root          7306 May 16 19:11 ssl.pem

 

The only other thing I can think of is your pfx path is different—on volume1 vs volume0—and while it really shouldn't matter, if you continue to have problems, can you place the pfx in the same folder as the rest and see if you still have the same problems?
I still have the problem even if I change the path to the same place as the rest.

I don't have any error message during the generation of the pfx, and I also checked the password side. So I don't know what can be wrong :(

After all, the only way that is working for me, but without automation (and that's what I want to have), is when I generate the certificate manually with this openssl command:

openssl pkcs12 -export -out MyCert.pfx -inkey ssl.key -in ssl.crt

And fill in the password twice to generate the password.

:(:( :(

@Jägs Just in case.... have you tried to make it work with a reverse proxy? During the configuration I don't encounter any problem when I'm doing the test. But when I validate the configuration, I have a message like "folder not exist"

In short, thanks a lot for having taken the time to try to help me :)

EDIT: 

I tried this directly via MobaXterm manually, and it's working

root@MyNas:/volume0/usr/builtin/etc/certificate # openssl pkcs12 -export -out MyCert.pfx -inkey ssl.key -in ssl.crt
Enter Export Password:
Verifying - Enter Export Password:
root@MyNas:/volume0/usr/builtin/etc/certificate # ls
certificate.json  MyCert.pfx        letsencrypt/      ssl/              ssl.crt           ssl.key           ssl.pem
root@MyNas:/volume0/usr/builtin/etc/certificate # ls -la
total 48
drwxr-xr-x    4 root     root          4096 Jun  9 00:00 ./
drwxr-xr-x   48 root     root          4096 Jun  8 00:08 ../
-rw-r--r--    1 root     root           765 Jun  9 00:00 certificate.json
-rw-r--r--    1 root     root          5717 Jun 10 23:05 MyCert.pfx
drwxr-xr-x    3 root     root          4096 Jul 16  2019 letsencrypt/
drwxr-xr-x    4 root     root          4096 May 16 19:11 ssl/
-rw-r--r--    1 root     root          5630 May 16 19:11 ssl.crt
-rw-r--r--    1 root     root          1675 Dec 28  2019 ssl.key
-rw-r--r--    1 root     root          7306 May 16 19:11 ssl.pem
 

@Luke so when the certificate is renewed via crontab, I can't reach the URL with my laptop in https. But I can join the Emby server with the Emby Android app....even if in the dashboard I choose that https is required for external connection. Can you tell me a little more about how the app works?

Edited by freeflight29
add "edit"

Quote

 

@Luke so when the certificate is renewed via crontab, I can't reach the URL with my laptop in https. But I can join the Emby server with the Emby Android app....even if in the dashboard I choose that https is required for external connection. Can you tell me a little more about how the app works?

The Android app has that override dialog that lets you approve the certificate even if the device by default rejects it. But it's not possible for us to do that for all apps on all devices, so the important thing is, use a certificate that your devices will trust if you want it to always just work.


freeflight29

 

On 6/12/2021 at 9:56 PM, Luke said:

The Android app has that override dialog that lets you approve the certificate even if the device by default rejects it. But it's not possible for us to do that for all apps on all devices, so the important thing is, use a certificate that your devices will trust if you want it to always just work.

Thanks for your clarification about that.
