Search the Community

After several days of frustration, I have managed to setup SSL far enough to get a connection but the browser does not like like the certificate - see attached. I tried to follow the various sets of instructions around the site, the only config I could get to work is as follows; Static IP address on my router setup sub domain on my domain DNS with a forward to the router address and port My question is emby instructions say the server will create it's own SSL cert but I cannot get this to work. If I leave the field for the path to cert blank then I am unable to save - this is why I went the create your own cert route (which I cant get to work!). I have found an SSL folder in the emby folder structure (windows 10) but nothing is in there. I have read up all I can find but cannot get the inbuilt cert to work. Any suggestions?

I finally decided it was time to look into getting a secure connection with SSL certificate set up on my server, so I went through the steps of grabbing a domain name and a SSL certificate. The name was easy and the certificate was alright, just a little slower to get because of my own stupidity. After various attempts doing incorrect things between Emby settings and port forwarding, I got the .pfx file linked in Emby, the domain name listed, and all the ports set up correctly. I went to test it by doing a complete new install of the Emby app on my android phone - entered my new HTTPS address in the path and 443 in the android port box, and it took me to the server's login page almost instantly, so I was super happy about that. I then set up an Apple TV box on an external network to try that, and again it loaded up the login screen right away after putting the address in. The oddity that I'm running into now is that I've also tested it in four different web browsers, both from two computers and an iPad on my local network as well as from two different computers off the network just to make sure, and came up with the following results in terms of how quickly the browsers would actually pull up the login page after entering the address in the browser bar: - Safari = almost instantly, 1-2 seconds - Chrome = 17-22 seconds - Firefox = 20-23 seconds - Internet Explorer = 22-26 seconds If I use my straight IP address to get to my server from any of those computers, it's a 1-2 second load time no matter what browser I use. I haven't had time to stream anything for a significant amount of time through the secure connection, so I don't know if streaming is affected or not yet - after a quick forum search, I did see a thread about reverse proxy potentially causing streaming issues, but I'm not running a reverse proxy at all. Has anyone noticed problems with streaming when going through a domain name with SSL? Anyway, after all that explanation, my real question about the login screen is whether others have seen it as a common thing for the login page to be pulled up so slowly when using a domain and SSL certificate to get to the server, especially with the major non-Apple browsers? Thanks for any feedback.

From LDAP test-thread: For greater compatibility, can STARTTLS be implemented? It would save a lot of time mucking about with certificates when using MS AD. This is running perfectly with a Wordpress plugin I'm using. Only had to enter the DC IP, Base DN and credentials and up and running within a minute.

I have been trying to follow the instructions from this Wiki https://github.com/MediaBrowser/Wiki/wiki/Secure-Your-Server to secure my Emby server running on a Windows 10 box. Has anyone tried these instructions lately using the free domain services offered by Freenom? I'm hoping so. It was relatively easy to set up a free domain with Freenom. I then went to SSL for Free and got two text files to upload to my newly acquired Freenom domain which were to be manually verified. I was able to upload them as directed in the Wiki, but then hit a snag with the SSL for Free instructions which require now require you to either confirm that a folder exists called ".well-known" for as a destination for uploading the files, or if no such folder is located to create one. I could not find any information on the Freenom website regarding the existence of or creation of the necessary "well-known" folder structure to house the test files so that the proper uploading to the Freenom could be verified. Hoping (don't we always) that perhaps "well-known" was the default folder structure that my uploads had been placed, I tried to verify the upload through SSL for Free, and always got a 404 not found return in my browser. I am hoping someone can lead me to an answer. Thanks in advance.

So in the Plex Client in the settings page you can set a setting to "Prefer insecure connection" : "Always" . This means you will now connect over non-ssl. Firstly does the Emby Client on LG TV attempt to connect over SSL . And if it does, how can I tell the Client to not use SSL and to use an insecure connection ? Thanks

I have had Emby for quite a time now and recently bought Emby Premiere so I could use it on more platforms. I have my Emby server running locally on Debian and can connect remotely through my domain (assume my.domain.com). Emby works fine (with SSL) on following the devices I tested: Android app iOS app Windows Store app Xbox One app Most PCs web interface However, I could not get it working with SSL on my LG TV with WebOS 3.5 (LG OLED55B6V if it matters). It did work on a non-secure connection, but when I try to add the server as SSL connection, it simply denies connection like it doesn't even exist. Even when I log onto my Emby Connect account, it simply doesn't show the server, where all other devices do. Now I've read some problems about the SSL certificate (https://emby.media/community/index.php?/topic/57575-lg-emby-app-106-ssl-problem-connecting-to-server/), I'm currently using Comodo PostiveSSL as a certificate, which I have seen at least one other person have problems with as wel. However, I've also seen that some people with Let'sEncrypt have this problem. (https://emby.media/community/index.php?/topic/61481-unable-to-connect-over-https/) There is suggested that LG is simply blocking my certificate, but when I go to my site with the WebOS webbrowser (same certificate), it allows the certificate and shows the site as 'secure'. So somewhere the TV actually does allow the certificate. So I'm not sure where the problem resides. Also, I've shortly tested it on a PS4 from a friend. There was no app, so I used the built-in webbrowser. It also didn't seem to work there, seemed to have the same problem: simply not showing the server. Didn't have much time to test it there, so don't pin me on this. My question is: does anyone have Emby running over SSL with any certificate on LG WebOS 3.5? If so, what certificate do you use?

Sorry for posting yet another SSL threadTM, but I'm not sure how to troubleshoot this. . I have a subdomain that I've registered through IONOS (formerly 1&1). I have an SSL certificate that IONOS is managing for me at my top-level domain. How do I get my subdomain to direct to my server? Do I just redirect to my server's remote IP address? Also, in reviewing the various other guides I've found on this, it looks like I may need to download my SSL certificate and keys an import those into emby? It doesn't appear I have the option to do that from my IONOS dashboard as I've configured it so that IONOS manages it and not me. Is that a deal breaker? Or is there another way around this? I feel like I have the basic pieces available to setup SSL for remote connections to my server, but I just need to take a few more steps to get to the finish line.

Hi i would like to know if its possible to reuse my certificate LetsEncrypt from my NAS TS-251 to connect through https ? i tried to put the path of the cert certificate but its not working. here is what i have Custom SSL certificate path: /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/cert error after restarting EmbyServer 2019-01-05 12:05:44.470 Info AuthenticationRepository: PRAGMA synchronous=1 2019-01-05 12:05:44.526 Error App: No private key included in SSL cert /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/cert. 2019-01-05 12:05:44.737 Info ActivityRepository: Default journal_mode for /share/CACHEDEV1_DATA/.qpkg/EmbyServer/programdata/data/activitylog.db is wal and in my web page Secure Connection Failed The connection to xxxxxxxxxxxxxxx.myqnapcloud.com:yyyyyy was interrupted while the page was loading. The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem. thanks for your help ade05fr

Hi I'm trying to use https for remote connections using Synology reverse proxy and letsencrypt certificate installed using DMS control panel. Here what I did so far: 1. Setup DDNS using synology.me service 2. Create a letsencrypt certificate for this domain using DMS control panel 3. Create a reverse proxy setting on port 8921 to redirect to localhost:8096 4. Setup the https://*:8921 service to use the "mydomain".synology.me certificate 5. Setup port forwarding on my router to forward port 8921 to my nas port 8921 6. Setup emby advance settings, I set the external domain, https port and the secure connection mode to "Handled by reverse proxy". Everthing is working greate except for 1 thing. If I use https://"mydomain".synology.me:8921, I get a secure connection to emby server with the message : Secure connection: verified by Let's Encrypt. However, if I use this url instead: https://"mypublicip":8921, I get to my emby server on a unsecure connection with this message: "mypublicip":8921 uses an invalid security certificate. The certificate is only valid for "mydomain".synology.me. I can add an exception in the browser and get to my emby server on an unsecure connection, which defeat the purposeto have a secure connection at the first place. Did I miss a setting somewhere, anything that could explain why I can get to my emby server on a unsecure connection through my public ip? Thank you

Hello, I have not been able to send email notifications using TLS/SSL using the email notification plug-in. I am able to send using non-secure settings. I have attached the log of the tests I have done. I am in the process of migrating my server to FreeNAS 11. I was not able to send using secure setting on my previous Freenas 9 set-up. Any help would be appreciated. Set-up Emby: 3.5.2.0 (FreeNAS plugin build) OS: FreeNAS-11.2-RC1 Plug-in Version: 3.1.2.0 embytlsemailerrorlog.txt

Im using Linux Ubuntu 16.04 64 bit and Asustor AS-604T ADM 3.2.1 This requires you do own a domain and have create a Lets Encrypt certificate! Following ports should be open: 80, 443, 8096 and 8920 1. Login to ADM web interface > Settings > Certificate Manager - Click on Export Certificate. 2. Extract certificate.zip and open the folder certifiate 3. right click in the folder - select open terminal 4. enter the command: * Please change the name of the give-me-a-name.pfx * After execution of this command you will be prompted to create a password, this is recommanded! openssl pkcs12 -export -out give-me-a-name.pfx -inkey ssl.key -in ssl.crt 5. Save the new create give-me-a-name.pfx file on your NAS in a shared folder of own choice 6. go to: http://local.ip.of.nas:8096/ 7. Go to Advanced and do the following Check that Allow remote connection to this Emby Server is marked. * add external domain name * Custon ssl certificate path (Click on the magnifier right to the text field and navigate to where the .pfx file is. * Certificate password - Add the password you entered after execution of step 4. * Secure connection mode - Set to preferred, but not required. 8. Hit save and navigate to Controlpanel > Restart - Now you should be able to access the Emby Media Server from outside.

The error message is: System.ObjectDisposedException: Cannot access a disposed object. Object name: 'SslStream'. Maybe this is related to these other reports but the error message I get is different (see attached file): https://emby.media/community/index.php?/topic/59531-external-ssl-connections-crashing https://emby.media/community/index.php?/topic/61243-server-crashing-within-minutes Thanks embyserver-63670224519.txt

I have had a few people ask me to explain how I set up my Apache server to forward to my Emby server. Here is a breakdown of how mine is set up should anyone else wish to try this. This is just my way of doing this (yeah, I know, Nginx exists but I have always been an Apache user). Note that I use RPM based distributions, and my frontend Apache server is running on Fedora Server Edition (so that I can have the http/2 goodness). My instructions will emphasize this type of Linux distribution, so you will need to read up on how your particular flavor of Linux handles Apache installations. First off, here is an overview of my network. Everyone's network is different, but this is what I have set up: edge firewall -> wireless ap/firewall -> apache server -> media server (where the media files are actually stored) On my firewalls, I only have ports 80 and 443 tcp opened up, and they forward to my Apache server. No other ports are exposed to the Internet. My Emby server is not configured with SSL. All SSL is terminated at my Apache server. This way, I can use one SSL certificate to encrypt any web services that I run on my network, without trying to get a certificate for each individual server installation. Anything that comes in on port 80 automatically gets forced over to port 443 (this is done by my Apache server itself). I am also using HTTP/2 which has helped with the various web services that my Apache frontend is exposing to the web. Also, all of my internal servers are running host-based firewalls. There is nothing wrong with security in depth here, and I have personally not heard a valid reason to not run a host-based firewall for your networking services. I use https://letsencrypt.org/ for my SSL certificate. It's free, and their tools are awesome. If you use their services, please donate to them as they are providing a valuable service to practically every community. I also have my own domain name set up and registered, with a dynamic IP from my ISP. There are a plethora of services that will let you register your dynamic IP for a domain name, so search around for the one that suits you best. Personally, I am using Google Domains for mine. My firewall assists in keeping my latest IP registered for my domain. This is extremely handy for mobile devices and family members who wish to use my Emby server remotely. Here are the general steps I would recommend to someone setting this up for themselves: Use an edge firewall. The extra protection is worth it. Use your edge firewall to keep track of your public IP, and use whatever agent that your dynamic DNS provider provides to keep your latest IP registered for your domain. I do not recommend doing this from your Apache server, as your Apache server should be further into your network and protected by your other firewall(s). Set up an SSL certificate for your domain. Again, LetsEncrypt is pretty awesome. Install Apache on a server that can handle a fair amount of network traffic. If you are using LetsEncrypt, set up the agent to keep up with your SSL certificate on this server. dnf groupinstall "Web Server" dnf install mod_http2 Configure your Apache server. On a Fedora, CentOS, RHEL system create a file called /etc/httpd/conf.d/00_yourdomain.conf (the two zeroes are there to make sure that your domain file is loaded first). Here are snippets of my configuration (cleaned up a bit for, you know, security): <VirtualHost *:80> Protocols h2c http/1.1 # Send everything over to https instead, best practice over mod_rewrite ServerName example.com Redirect / https://example.com/ </VirtualHost> <VirtualHost _default_:443> # Enable http/2 Protocols h2 http/1.1 <IfModule http2_module> LogLevel http2:info </IfModule> SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DH-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 SSLHonorCipherOrder On SSLCompression off Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains" Header always set X-Frame-Options SAMEORIGIN Header always set X-Content-Type-Options nosniff SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/example.com/fullchain.pem <Files ~ "\.(cgi|shtml|phtml|php3?)$"> SSLOptions +StdEnvVars </Files> <Directory "/var/www/cgi-bin"> SSLOptions +StdEnvVars </Directory> BrowserMatch "MSIE [2-5]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 ServerName example.com ServerAlias example.com ErrorLog logs/example-error_log RewriteEngine on RewriteRule ^/emby(.*) http://127.0.0.1:8096/emby$1 [proxy] RewriteRule ^/emby http://127.0.0.1:8096 [proxy] RewriteRule ^/embywebsocket(.*) http://127.0.0.1:8096/embywebsocket$1 [proxy] RewriteRule ^/embywebsocket http://127.0.0.1:8096 [proxy] <location /emby> ProxyPass http://127.0.0.1:8096/ ProxyPassReverse http://127.0.0.1:8096/ </location> <location /embywebsocket> ProxyPass http://127.0.0.1:8096/ ProxyPassReverse http://127.0.0.1:8096/ </location> </VirtualHost> So what this does for me is let Apache handle all incoming port 80 requests, and turns them into encrypted traffic. All connections to and from the server (that can support it) are encapsulated in HTTP/2 packets. All of my SSL encrypted web traffic is handled by one certificate, so I can have multiple URL paths served by the same domain name, with only the https port used, and it just plain looks cleaner. For example, you can have: https://example.com/emby https://example.com/nextcloud https://example.com/hello_kitty_island_adventure Or whatever suits your needs. My Emby server doesn't have to worry about any proxy configurations or SSL, as Apache takes care of all of that. My example is using the localhost IP address to direct all incoming and outgoing Emby requests, but if you are using a separate host that runs Emby, just make sure to use the IP of that system instaed and that you have port 8096 open and available. I hope that others may find this helpful.

I am still having issues with the chrome browser. I get a message saying SSL Version Interference. I Attached is the mono version I have installed (5.2.0) I believe to understand that I have this issue because Chrome requires a higher TLS version.

Hello, I have a old ssl cert that has expired so I have loaded the new cert onto the server but it is still hosting the old cert. I have tried restarting the emby server application multiple times, restarting the server, recreating the .pfx and reloading it and it is still using the old cert. Any suggestions as to why this is happening? Thank you for your time,

Hello, I used Swynol's guide on setting up a reverse proxy in attempt to set up my own (Reference Post #5 - https://emby.media/community/index.php?/topic/47508-how-to-nginx-reverse-proxy/). In terms of NGINX config set up, I essentially copy and pasted his last post replacing his domains and sub-domains with my own. For the Emby server set up I have the public https port to 443, the external domain set, and the secure connection mode set to "Reverse Proxy". I have manually checked the server config xml and verified that "requirehttps" is false. I also have my 80 and 443 ports forwarded to the NGINX server on my router. The issue I'm getting is that when I try to access my server I get a "ERR_TOO_MANY_REDIRECTS" in chrome. I've exhausted my google-fu techniques and come to seek knowledge from others who may be more savvy with NGINX and reverse proxies.

Hello, I wanted I have my emby server running on a server that is accessed by a reverse proxy. This allows me to have multiple domains (other services) under the same IP address. This works great, and I have it running for some time now. Now I would like to enhance the security by adding a required Client Certificate Authentication, so that only authorised personal have access to the server. I configured it on the reverse proxy, and now when I access the server by the Webbrowser (desktop and android) it works, only people that have the certificate installed can communicate with the server. But the app does not work. When I access by the browser it asks me what is the client certificate to use, but in the app I simply can't connect. Is this possible? Or I have some miss configuration? Thank you

Hey, I have read most of the posts on the forum and i am still really struggling with setting up external connection and SSL. Now I have bought a domain through namecheap.com and have been following the guide Setting up SSL for Emby (WIP) by Swynol Now i have followed every step but I cant seem to get it to work. now I am not that technically gifted but know my way around a computer. Please could some help even further or dumb the process a bit even though its dumbed down already. I struggle with ssl free as it never finds my txt line to verify my domain. So any help would be greatfully appreciated Setting up SSL for Emby (WIP)

So I recently bought a domain and anticipated using Lets Encrypt. I had an extremely difficult time following their tutorials on how to acquire and validate a certificate but I found a YouTube video in which I created a certificate via a LAMP server on Ubuntu. The cert works fine and is verified on the LAMP server but when tried to compile the pem files in the pfx and set it up in advanced settings in my emby server, I cannot connect to my server when the settings are applied. When I remove the cert and the domain in advanced, it works again perfectly with the self signed certificate. Looking for a little help on how to get this working, maybe I didn't approach this correctly? I force all connections to HTTPS and would like to get this working so basically every other device other than a web browser and android OS can access the server.

This started to happen 7 days ago. I am running no fancy plugins and the server version 3.2.27.0 (I know it is not the latest but it works) has served me well. Attached is the log as well as a picture from the Dashboard. I searched the forum and it looks like that there is a problem with the SSL connection. No idea what I need to do on my side. But any updates through the Dashboard seems to be impossible. Please advise. O2G server-63655498727.txt

Hello Guys, facts: installed emby on a debian vps. allow 8096 and 8920 in ufw buy a Domain at namecheap. create A Record for the VPS IP. create a letsencrypt cert (https://emby.media/community/index.php?/topic/42315-creating-a-letsencrypt-ssl-certificate-for-emby/ Emby config: add certfolder to /opt/emby-server/ssl/ssl.pfx Emby config: add external Domain "https://xxx.xxx" Problem: I got emby over "http://xxx.xxx:8096"but on "https://xxx.xxx:8920" I got "ERR_TUNNEL_CONNECTION_FAILED" can you help me with this issue? thanks

Hi, Since the latest update 3.3.0.0 I have an issue where when I browse to emby through my URL via https I get a popup asking to verify myself. If I press OK the site doesn't load but if I press cancel the site loads as normal. This happens once per browser session i.e if I close the browser and navigate back to emby it will pop up again. The certificate is fine and been generated correctly using openssl creating a .csr and getting signed with godaddy then creating a .pfx file from the generated godaddy certificates. I have not had any problems with the SSL certificate until the latest update. See attached screenshot. Pleas fix ASAP. Thanks

Hello, I have been trying to set-up Emby and allow remote access with docker containers. No matter what I do I cannot connect from any app including the web app. If I put in the URL it will connect just fine as long as force SSL is not enabled, if force SSL is enabled then I get an error that there has been too many redirects. I have looked at the posts about setting up remote access and setting up reverse proxy and nothing is working, I am not sure where to begin any help would be greatly appreciated Thank you!

Hi I was experimenting with using a SSL Cert with Emby this morning, I changed the public https port in server manager and now my Emby will not start, attached are the Emby logs from when this happened, in my Event viewer I can see the following The description for Event ID 7024 from source Service Control Manager cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event. The following information was included with the event: Emby %%2148734208 The locale specific resource for the desired message is not present can anyone help me get my Emby back working again? server-63652297203.txt unhandled_4bb46dc1-e932-4b4d-95ed-5ac75b15ea40.txt

Hi, I've set up my Emby-server with "HTTPS using reverse proxy" using the "Setting up SSL for Emby (WIP)" guide. My question is: How can I switch between my LAN IP-address 192.168.1.20:8096 if I'm at home and my https: // emby.domainname.com:443 address if I'm on the road (using the Android-app)? Manually adding the other address for the same server doesn't seem to work? Thanks!