Search the Community
Showing results for tags 'pfx'.
-
I'm using Linux Ubuntu 16.04 64 bit and Asustor AS-604T ADM 3.2.1.

This requires that you own a domain and have created a Let's Encrypt certificate!

Following ports should be open: 80, 443, 8096 and 8920

1. Log in to ADM web interface > Settings > Certificate Manager - Click on Export Certificate.
2. Extract certificate.zip and open the folder certificate
3. Right click in the folder - select open terminal
4. Enter the command:
   * Please change the name of the give-me-a-name.pfx
   * After execution of this command you will be prompted to create a password, this is recommended!

   openssl pkcs12 -export -out give-me-a-name.pfx -inkey ssl.key -in ssl.crt

5. Save the newly created give-me-a-name.pfx file on your NAS in a shared folder of your own choice
6. Go to: http://local.ip.of.nas:8096/
7. Go to Advanced and do the following:
   * Check that Allow remote connection to this Emby Server is marked.
   * Add external domain name
   * Custom ssl certificate path (click on the magnifier to the right of the text field and navigate to where the .pfx file is).
   * Certificate password - Add the password you entered after execution of step 4.
   * Secure connection mode - Set to preferred, but not required.
8. Hit save and navigate to Controlpanel > Restart - Now you should be able to access the Emby Media Server from outside.
-
NB: This script only supports Debian, and Debian-based distributions (Ubuntu etc). The script requires systemctl and apt, which are present in all newer distributions. This script will probably not work as intended on Debian below v7 and Ubuntu below 14.

A while back I created a script that will:

- Check if Apache and/or Nginx is running, and if running stop them.
- Disable UFW (firewall).
- Flush iptables.
- Check if certbot is installed, and if not, install it.
- Check if certificate is located in the emby directory, and if found, delete it.
- Ask for your FQDN of your emby server.
- Create a new certificate that's valid for 90 days.
- Convert the certificate to PFX and copy it to your emby directory.
- Ask for your emby group and user and change permissions of the PFX to the specified user (default is emby).
- Re-enable UFW (firewall).
- Re-enable Apache and/or Nginx (if it was stopped).
- Restart the Emby system service.

After you have downloaded and placed the script on your server, you must unzip it and give the script execution permission. To do that, run the command:

   unzip embycert.zip && chmod +x embycert.sh

This script should be run every 3 months to keep your certificate up-to-date.

This script MUST be run as root with either SU or SUDO. SUDO is not native in Debian, and I would recommend running this script as root.

NB: After installation, you must define the path to the certificate (under Network tab), which is /var/lib/emby/emby.pfx, and then again manually restart the emby server system service.

Remember, if the FQDN is not typed correctly, the installation will fail, so be sure to spell it correctly, and make sure that the A record is valid and working.

embycert.sh
- 8 replies
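A non-interactive form of the PFX export from the first post, with the checks a renewal job like the one in the second post would want afterwards, added here as an example (not code from either poster or from Emby). The file names, the password file and the test CN are assumptions, and the key pair is a constructed self-signed one.

```shell
#!/bin/sh
# Added example. File names, the password file and the CN are assumptions.

# key_matches_cert KEY CRT: succeed only if both carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_pfx KEY CRT OUT PASSFILE: the export command from the post, with the
# password read from a file instead of a prompt, output readable by owner only.
make_pfx() {
    key_matches_cert "$1" "$2" || return 1
    ( umask 077
      openssl pkcs12 -export -out "$3" -inkey "$1" -in "$2" \
          -passout "file:$4" ) && chmod 600 "$3"
}

# pfx_ok PFX PASSFILE DAYS: succeed if the PFX opens with that password and
# its certificate is still valid DAYS days from now.
pfx_ok() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -checkend "$(( $3 * 86400 ))" >/dev/null 2>&1
}

# demo: constructed 90-day self-signed test pair; prints what each check says.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -subj "/CN=emby.example.test" \
        -keyout "$d/ssl.key" -out "$d/ssl.crt" 2>/dev/null || return 1
    printf '%s\n' 'constructed-test-password' > "$d/pass"
    printf '%s\n' 'wrong-password' > "$d/bad"
    make_pfx "$d/ssl.key" "$d/ssl.crt" "$d/test.pfx" "$d/pass" || return 1
    ls -l "$d/test.pfx"
    pfx_ok "$d/test.pfx" "$d/pass" 30  && echo "opens, valid for 30+ days"
    pfx_ok "$d/test.pfx" "$d/pass" 120 || echo "expires within 120 days: renew"
    pfx_ok "$d/test.pfx" "$d/bad" 30   || echo "wrong password rejected"
    rm -rf "$d"
}
demo
```

The password file should itself be readable only by the account that runs the export.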
-
I purchased my own domain certificate and then I had a crazy time trying to figure out why my pfx file wouldn't work. After much reading around it seemed that in order to make it work I had to use a pfx file (cert+private key) with no password in place. For me this wasn't an option, as I'm crazy paranoid that by creating this it would then be possible for someone to get their hands on it and then somehow be able to compromise my sites (wildcard cert).

So instead, I made Emby work with a secure pfx file. Here is my howto....

Requirements:

- Active Directory enabled domain
- A Windows Server (2012 or higher) or a Windows workstation (Windows 8 or higher) joined to the domain - I used my Emby server for this
- SSL Certificate - I used one I had purchased

Setup Emby Service Account:

1. In Active Directory create a user account that will be used to launch the Emby service - I placed mine under Managed Service Accounts
2. On the Emby server open Control Panel and type Services
3. Locate the Emby Server service, right click on the service and choose Properties
4. Click on the Log On tab, select "This Account" radio button and enter in the username and password you created in Step 1, click OK and then Close the Services window
5. Still inside Control Panel, click on User Accounts, then select Give other users access to this computer
6. Click Add then add the Emby user information from Step 1 and click Next
7. Select Administrator and click Next, then Finish

Preparing your secured pfx file:

1. Using a Windows 2012/2012R2 Server or Windows 8/8.1/10 workstation, with Control Panel still open type "certificate"
2. Import your certificate making sure to mark it as exportable.
3. Right click on the certificate that was just imported and choose Export
4. Mark "Yes, export the private key", click Next until you reach the Security screen
5. Check the "Group or user names", this will automatically input the user you're using. Remove that user and click Add, then add the Emby user created in Step 1 in the above section. Click Next
6. Give it a filename, I would HIGHLY recommend you do NOT name it the same as your original cert/pfx file since this will be used for this situation only. Click Next, then Finish
7. Once the two things above are done then assign the key as you would normally in Emby - Advanced/Custom certificate path

Finally, reboot the server/workstation. This isn't 100% needed, but I like to do it to verify everything works correctly. If you don't do this then make sure to go back into Services and start or restart the Emby Server service.

Another suggestion, but not needed for this to work, is to have the certificate saved in a folder by itself (C:\Windows\EmbyCert or some other generic spot). Then edit that folder's security settings, removing all users except for the Emby account you created. Assign that Emby account Read access.

There you go, Emby is now using your SSL certificate, and you don't have a certificate/private key combo sitting on your machine with no protection on it.

Edited to correct some grammatical and spelling errors.
-
I am running MB3 server through omv (debian). I updated and got the latest Beta with https support. I have a StartSSL cert I use for external access in omv. I created a pfx and have loaded it into MB3, but I get an exception when MB3 tries to load the certificate.

2015-02-12 22:07:51.0890 Info - HttpServer: Adding HttpListener prefix http://+:8096/
2015-02-12 22:07:51.0890 Info - HttpServer: Adding HttpListener prefix https://+:8920/
2015-02-12 22:07:51.0954 Info - HttpServer: attempting to load pfx: /media/1a89ed0c-663f-4cc7-84fe-f841d48fb61e/MediaBrowser/dean1120.net.pfx
2015-02-12 22:07:51.1126 Error - HttpServer: Exception loading certificate: /media/1a89ed0c-663f-4cc7-84fe-f841d48fb61e/MediaBrowser/mine.pfx
*** Error Report ***
Version: 3.0.5518.3
Command line: /opt/mediabrowser/MediaBrowser.Server.Mono.exe -programdata /var/lib/mediabrowser
Operating system: Unix 3.2.0.4
Processor count: 4
64-Bit OS: True
64-Bit Process: True
Program data path: /var/lib/mediabrowser
Mono: 3.12.0 (tarball Sat Feb 7 19:12:57 UTC 2015)
Application Path: /opt/mediabrowser/MediaBrowser.Server.Mono.exe
Input data cannot be coded as a valid certificate.
System.Security.Cryptography.CryptographicException
  at Mono.Security.X509.X509Certificate.Parse (System.Byte[] data) [0x00000] in <filename unknown>:0
  at Mono.Security.X509.X509Certificate..ctor (System.Byte[] data) [0x00000] in <filename unknown>:0
  at System.Security.Cryptography.X509Certificates.X509Certificate2.Import (System.Byte[] rawData, System.String password, X509KeyStorageFlags keyStorageFlags) [0x00000] in <filename unknown>:0
  at System.Security.Cryptography.X509Certificates.X509Certificate2.Import (System.String fileName, System.String password, X509KeyStorageFlags keyStorageFlags) [0x00000] in <filename unknown>:0
  at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor (System.String fileName) [0x00000] in <filename unknown>:0
  at SocketHttpListener.Net.EndPointListener.LoadCertificateAndKey (System.Net.IPAddress addr, Int32 port, System.String certificateLocation) [0x00000] in <filename unknown>:0
InnerException: System.Security.Cryptography.CryptographicException
Input data cannot be coded as a valid certificate.
  at Mono.Security.X509.X509Certificate.Parse (System.Byte[] data) [0x00000] in <filename unknown>:0
2015-02-12 22:07:51.5959 Info - ServerWMC: Config IP: mediacenter (192.168.15.11), Config Port: 9080
2015-02-12 22:07:51.5978 Info - ServerWMC: Running in Linux, Linux path to mounted RecTV directory: /media/1a89ed0c-663f-4cc7-84fe-f841d48fb61e/RecordedTV
2015-02-12 22:07:51.8799 Info - App: Core startup complete
2015-02-12 22:07:51.9846 Debug - PortMapper: Starting NAT discovery
2015-02-12 22:07:52.0385 Info - Dlna: SSDP service started
2015-02-12 22:07:52.0581 Debug - Dlna: Starting alive notifier

Does anyone have any idea on what might be wrong?

Thanks,