how do I get emby to generate self-signed certificate?


Bingie

Hi all,

Today I'm testing remote access for the first time.  I don't want to pay dyndns $50/year to host a dns server name.

My ISP already hosts a generic dns server name for my public IP address.  I want Emby to generate a self-signed certificate for that domain, but don't see an option for it.

Thanks

 


rbjtech

Self signed Certs are no longer accepted by the majority of Browsers - so I would not go down that route.

For free SSL certs - look at Let's Encrypt - but you are going to need a DNS name as any free Certs will need that - again, there are many free options out there or use the ISP one.

Look in the guides section - I'm pretty sure there are full end-end guides on how to setup SSL for emby.

Link to comment
Share on other sites

Self signed certificates are not supported.

Any certificate used needs to be a legitimate cert so that the device manufacturers (out of our control) will recognize the SSL cert and allow the traffic.  With a self signed cert this will fail and get blocked as it should.

Get your own domain and then you can use a free cert from Let's Encrypt or from Cloudflare if you want a CDN/proxy in front of your Emby Server.


Bingie

I'm on the Let's Encrypt site, but it's asking me questions I don't know the answer to.  I have no idea what web server Emby uses.  The certbot instructions are for linux, my Emby server is Windows 10 Home.  I didn't install a web server, shouldn't have to, when Emby has one built-in.

I'm trying to keep things simple, but it seems every year everything just gets more complicated, for complication's sake.

Thanks

 


rodainas
7 minutes ago, Bingyyyy said:

It's asking for the Emby webserver's webroot... I have no idea :o

 

Use the other option as no webserver, certonly.


Bingie

Thanks all, I tried / as webroot, and it looks like that might be right (although that horrifies me my entire hard disk might be accessible via web).

I get a new error, says likely firewall problem, but my router is showing the UPnP appears to be working, has the Emby server registered for ports 8096 and 8920.  I never used UPnP before, but it appears to be working.  I can manually add the port forwarding in, just to eliminate the possibility that UPnP isn't working right.  I'll also reboot both the router and the Emby server, just in case it needed that too.

 


rbjtech

After confirming the manual port forward works - disable UPnP if you can - it's a security risk.

 


Bingie

OMFG now let's encrypt saying too many failed attempts, looks like I get 5 attempts per hour?  now I have to wait an hour before trying again?

!#$%!#$%@#%$@!%$!#$%!#$%!%$!#$%!#$!#$!$#%!#%!#$#!#$%

Time to go kick the neighbor's cat into orbit


Scott D

A bit out of my comfort zone, but...

Make sure your ISP is not blocking ports necessary to generate the cert.  I found that one of my ISP's is blocking port 80 while another is not.  The one that blocks the port takes a bit more configuration to get it working.  The one that does not block the port worked right out of the gate.

Try canyouseeme.org and enter ports to test.  Try port 80 first.  If blocked, follow the instructions on alternate configuration requirements.

Good luck.


Bingie

Okay I figured it out...

I may not know much about web certs, but routers I do know...

Emby only tries to port forward 8920 using UPnP (and 8096 for remote mgmt which I don't want).

Certbot needs port 443 forwarded to do its thing.  I port forwarded tcp 80 and 443 to the emby server, and when running certbot, told it to spin up its own webserver (that listens to ports 80 and 443).  This shouldn't conflict with Emby's web service that listens on 8096 and 8920.

Anyways, I got certbot to certify and test renew using --dry-run it works fine

I think I broke my Emby though, after a reboot, the emby service not starting now, even when using task manager->startup and manually start it.  I had to run the emby server app instead.  I'll fix the service after I go find another cat..............

Link to comment
Share on other sites

11 minutes ago, Bingyyyy said:

Okay I figured it out...

I may not know much about web certs, but routers I do know...

Emby only tries to port forward 8920 using UPnP (and 8096 for remote mgmt which I don't want).

Certbot needs port 443 forwarded to do its thing.  I port forwarded tcp 80 and 443 to the emby server, and when running certbot, told it to spin up its own webserver (that listens to ports 80 and 443).  This shouldn't conflict with Emby's web service that listens on 8096 and 8920.

Anyways, I got certbot to certify and test renew using --dry-run it works fine

I think I broke my Emby though, after a reboot, the emby service not starting now, even when using task manager->startup and manually start it.  I had to run the emby server app instead.  I'll fix the service after I go find another cat..............

Thanks for the feedback.


Bingie

okay what do I put in emby's "Custom ssl certificate path:"

it sees the files, but if I put the directory, it keeps saying not found

if I put a filename with it, like fullchain.pem I get no error from emby, but remote connections say invalid connection


Bingie

shouldn't I get something on the emby server using:

https://127.0.0.1:8920

it says connection refused, which tells me emby isn't listening, even though the dashboard says it is

can one of you please try that on your local emby server, that is configured to accept remote connections?

thanks

 


rbjtech
22 minutes ago, Bingyyyy said:

okay what do I put in emby's "Custom ssl certificate path:"

it sees the files, but if I put the directory, it keeps saying not found

if I put a filename with it, like fullchain.pem I get no error from emby, but remote connections say invalid connection

Emby needs a .pfx file - so you need to convert your .pem into a pfx.

There are tools online that can do this or OpenSSL toolsets can do it locally.

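The PEM-to-PFX conversion mentioned in the post above, done locally with OpenSSL so the private key never leaves the server. This is an added example, not part of the original posts. It assumes openssl.exe is on PATH and that certbot wrote to its default Windows directory C:\Certbot; the host name and output path are placeholders.

```powershell
# Added example (not from the thread). Assumptions: openssl.exe is on PATH,
# certbot used its default Windows directory C:\Certbot, and the host name
# and output path below are placeholders to replace with your own.
$ErrorActionPreference = 'Stop'

$hostName  = 'myhost.example.net'               # placeholder DNS name
$liveDir   = "C:\Certbot\live\$hostName"        # assumed certbot output dir
$pfxPath   = 'C:\EmbyCert\emby.pfx'             # hypothetical output file
$fullchain = Join-Path $liveDir 'fullchain.pem' # leaf cert + intermediates
$privkey   = Join-Path $liveDir 'privkey.pem'   # private key (keep secret)

foreach ($f in $fullchain, $privkey) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing input: $f" }
}
New-Item -ItemType Directory -Force -Path (Split-Path $pfxPath) | Out-Null

# Read the PFX password without echoing it; hand it to openssl through an
# environment variable so it does not appear on the command line.
$secure = Read-Host -AsSecureString 'Password for the new PFX'
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
if ([string]::IsNullOrEmpty($plain)) { throw 'Empty password not allowed' }
$env:PFX_PASS = $plain

try {
    # Bundle key + certificate chain into one PKCS#12 (.pfx) file.
    & openssl pkcs12 -export -in $fullchain -inkey $privkey `
        -out $pfxPath -passout 'env:PFX_PASS'
    if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 -export failed' }

    # Load the result back and check what a TLS server needs from it.
    $cert = New-Object `
        -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $pfxPath, $plain
    if (-not $cert.HasPrivateKey) { throw 'PFX contains no private key' }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired $($cert.NotAfter)" }
    if ($cert.GetNameInfo('DnsName', $false) -ne $hostName) {
        Write-Warning "Certificate name does not match $hostName"
    }
    "OK: $($cert.Subject), valid until $($cert.NotAfter)"
}
finally {
    Remove-Item Env:\PFX_PASS -ErrorAction SilentlyContinue
}
```

The "Custom ssl certificate path" setting then takes the full path of the resulting .pfx file. Because certbot replaces the PEM files on each renewal, the conversion has to be re-run afterwards.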

Bingie

LOL I just noticed my phone now has a login screen, albeit slower than dog pooh

there has to be a better way of doing this


Bingie

okay after kicking a few more cats into orbit, ripping the heads off some dolls, and burning some ant mounds, I feel better :) ready to try again

I looked around the forums, and found this thread:

 

I think I'll start over, and do that one.
