Beecon, posted September 22, 2021:

I want to use a subdomain of GoDaddy to access my Emby. It shows it's not secure when logging in externally. I'd like to know if the SSL provided by Synology for the server also covers Emby access? How do I refer to that certificate in Emby?

Luke, posted September 22, 2021:

Hi, where does it show this?

Beecon, posted September 22, 2021:

The SSL security coverage is shown in the security tab on the Synology control panel. The need for a link is shown on the Emby security menu. The main domain SSL of the GoDaddy domain is covered by my Google Sites, which I use for hosting. The subdomain I want to use is excluded from this, and GoDaddy asks 250$ for SSL for subdomains, which is clearly a waste of money.

I have two free options:
- either I use the Synology server cert
- I use the provided QuickConnect link by Synology

Both may not provide https security out of the box, unless I link the SSL cert to the Emby server. Correct?

Carlo, posted September 22, 2021:

I haven't tried this myself but if you set this up to go through DSM you're actually using nginx in DSM. Thus I'm thinking you would put the subdomain in the External domain field. The port being used for https public use in Emby. Then you would change the secure connection mode to handled with secure proxy.

Beecon, posted September 22, 2021:

The https port is 8920, I presume. How do you do this? "Then you would change the secure connection mode to handled with secure proxy." Any link to a KB?

Carlo, posted September 22, 2021:

Nope, no KB article on this as I haven't done it yet. I have all ports blocked from outside use on my Synology except for Emby ports.

If you like we could set up a remote support session to figure out exactly how to do this. I could then use this info to create a KB article or tutorial.

We could try it a couple of ways using the Synology server cert or using QuickConnect to see which method would work best.

Beecon, posted September 22, 2021 (edited September 22, 2021):

OK. Let me study this "secure proxy" magic a bit first.

Beecon, posted September 22, 2021:

Hi, I checked the workings, and get confused with settings as expected.

My guess is to use the same port number to:
- router-in <> router-out <> proxy <> emby server

Proxy setting:
- allow IP of known user to watch movies
- allow incoming router IP (external IP address) (is it necessary?)

Any other suggestion?

When I run this trial, the other apps cannot get access to the web anymore, so somehow those packages also need to be included in the proxy settings, incl. the ports they need to communicate.

Beecon, posted September 22, 2021:

Cloudflare is recommended on this thread. It appears the easy way out. Let me check it out as well in case this doesn't work.

Beecon, posted September 22, 2021:

https://support.cloudflare.com/hc/en-us/articles/360024787372-How-do-I-add-SSL-to-my-site-

This site explains it all. Let's see.

Carlo, posted September 22, 2021:

I wouldn't worry about Cloudflare until you get remote working first. You can get non-SSL port 8096 working first (even if you turn it off right away) then set up for SSL.

DJX, posted September 22, 2021 (edited September 22, 2021):

I use a ddns URL and have a certificate using Synology Let's Encrypt. Not sure if this helps.

Beecon, posted September 22, 2021:

7 hours ago, cayars said:
> I wouldn't worry about Cloudflare until you get remote working first. You can get non-SSL port 8096 working first (even if you turn it off right away) then set up for SSL.

I've got that working now.

Beecon, posted September 22, 2021:

4 hours ago, DJX said:
> I use a ddns URL and have a certificate using Synology Let's Encrypt. Not sure if this helps.

Thanks for the link! The image for conversion is gone. Any chance you can refresh that?

Beecon, posted September 23, 2021:

19 hours ago, cayars said:
> Nope, no KB article on this as I haven't done it yet. I have all ports blocked from outside use on my Synology except for Emby ports. If you like we could set up a remote support session to figure out exactly how to do this. I could then use this info to create a KB article or tutorial. We could try it a couple of ways using the Synology server cert or using QuickConnect to see which method would work best.

Thanks for the offer. After study, the proxy needs me to figure out all the 'allow' rules. I prefer to go for a simple SSL option, using the 2 suggestions.

Beecon, posted September 23, 2021:

Another nice link with clear steps for Let's Encrypt, supported by Synology.

https://miketabor.com/install-a-lets-encrypt-ssl-on-a-synology-nas/

Beecon, posted September 23, 2021 (edited September 23, 2021):

Hi, I got it to work:

1. Set up ddns xxx.synology.me domain in Synology Control Panel/Security
   - Is this step really necessary? To be verified.
   - Synology can create a free 'Let's certify' SSL.
   - When I export it I cannot activate it. I gave up on this and went for other free SSL (see 3.).
2. From the Control Panel/Security export the SSL cert to my hard disk
3. Get the free SSL cert files from https://www.sslforfree.com/ (3 month expiry)
4. Download the zip file (with pem format cert files) to my hard disk
5. Download the CA bundle file from https://www.ssls.com/knowledgebase/where-do-i-get-a-ca-bundle-file/
   - I downloaded both, but used only the ECC format for conversion.
6. Convert the pem files into PKCS#12 format: https://decoder.link/converter
   - cert file, private key file and CA bundle file
   - set the password for the certificate (use in control panel/network)
7. Check the SSL with my xxx.synology.me domain using the checker tool on the same site.
8. Upload the cert file to the Emby content folder on my NAS.
9. Enter the SSL file and password info in the Emby server/Network settings
10. Map https: ports in router and firewall, and
    - Check that you assigned the same port in Emby/Network settings...

Hope it's helpful.

Beecon, posted January 8, 2022:

Now I am 3 months down the road and have to do it again. This sucks big time. Any permanent solution available?

Beecon, posted January 8, 2022:

'Every 90 days your Synology will automatically renew the Let's Encrypt SSL cert for you.'

I thought this would do the trick.

Beecon, posted January 8, 2022:

I see extension/renewal is automated now. Let me try that first. I am getting old....

rhummer, posted January 8, 2022:

FWIW, when I set up my SSL back in the day I used this guide to get it all going and I access my server via my subdomain:

I let DSM generate a cert for Let's Encrypt that I specify as the subdomain I want to expose to the outside world.

Though things have changed a bit with DSM7 and used the tip here to tweak the process to generate the .pfx that the Emby server wants:

The cert refreshes every 90 days and I have a scheduled task to re-export the cert to a pfx for the server and everything has been working just fine for a few years now.

Beecon, posted January 9, 2022:

Thanks for sharing! Let me check it out. I really love this community here!

The current version DSM7 security (just updated every version) shows it's all automated. Great job Emby! I guess it's taken care of permanently now. Perpetual 90 days renewal.

Speedyhome, posted April 5, 2022 (edited April 5, 2022):

(Sorry for my bad English!)

DSM 7.x ready example for a wildcard cert

Download acme.sh script / set Certbot to Letsencrypt / first initial command for the TXT record.

Execute the script not as root!! (domain.de is an example; use your own domain)

    mkdir ~/bin
    cd ~/bin
    wget https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh
    chmod 755 acme.sh
    ./acme.sh --set-default-ca --server letsencrypt

    cd ~/bin
    ./acme.sh --issue -d '*.domain.de' --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

    [Sun Oct 27 08:18:17 CET 2019] Add the following TXT record:
    [Sun Oct 27 08:18:17 CET 2019] Domain: '_acme-challenge.domain.de'
    [Sun Oct 27 08:18:17 CET 2019] TXT value: 'xyzPdaswererfdsf_v9xdfsdfHdsfhHLWEFldsfsf'

Log in to the provider for your DNS and add the TXT setting from the acme.sh script (example: Strato).

Run the script again, but with --renew --force:

    cd ~/bin
    ./acme.sh --renew --force -d '*.domain.de' --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

Copy the certs from the hidden path to the user home path:

    mkdir /home/admin/certs
    cp /home/admin/.acme.sh/\*.domain.de/\*.domain.de.cer /home/admin/certs/domain.de.cer
    cp /home/admin/.acme.sh/\*.domain.de/\*.domain.de.key /home/admin/certs/domain.de.key
    cp /home/admin/.acme.sh/\*.domain.de/ca.cer /home/admin/certs/ca.cer
    cp /home/admin/.acme.sh/\*.domain.de/fullchain.cer /home/admin/certs/fullchain.cer

Then insert the cert in DSM.

I have written a renew script for the Let's Encrypt wildcard cert. You can execute this script in the DSM Planner as root every day.

    #!/bin/bash
    #
    # Update LetsEncrypt Wildcard-Certificate
    #
    # Params XXXX Certpath
    CERTPATH="/usr/syno/etc/certificate/_archive/XXXXX"
    PEM="fullchain.pem"
    # Renewal window in seconds (604800 s = 7 days)
    DAYS="604800"
    OPENSSL="/usr/bin/openssl"
    # DSM user that acme.sh runs as
    USER="USERNAME"
    # Optional Emby Server
    EMBYSSLPATH="PATHTOEMBYCERT"
    EMBYSSL="Emby.pfx"
    PASSOUT="PASSWORDFOREMBYCERT"

    USER_HOME=$(bash -c "cd ~$(printf %q "$USER") && pwd")

    # Check whether the cert will expire within $DAYS seconds
    $OPENSSL x509 -enddate -noout -in "$CERTPATH/$PEM" -checkend "$DAYS" | grep -q 'Certificate will expire'
    if [ $? -eq 0 ]
    then
        # Renew LetsEncrypt command
        su "$USER" -c "$USER_HOME/bin/acme.sh --renew --force -d '*.domain.de' --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please"

        # Copy certificate to the Synology path
        cp "$USER_HOME/.acme.sh/*.domain.de/*.domain.de.cer" "$CERTPATH/cert.pem"
        cp "$USER_HOME/.acme.sh/*.domain.de/*.domain.de.key" "$CERTPATH/privkey.pem"
        cp "$USER_HOME/.acme.sh/*.domain.de/ca.cer" "$CERTPATH/chain.pem"
        cp "$USER_HOME/.acme.sh/*.domain.de/fullchain.cer" "$CERTPATH/fullchain.pem"

        # Restart the Synology web server
        synosystemctl restart nginx

        # Optional, for those running an Emby Media Server
        # Emby Server Stop
        /usr/syno/bin/synopkg stop EmbyServer
        # Create Pfx-Cert for Emby
        $OPENSSL pkcs12 -inkey "$CERTPATH/privkey.pem" -in "$CERTPATH/fullchain.pem" -export -out "$EMBYSSLPATH/$EMBYSSL" -passout "pass:$PASSOUT"
        # Emby Server Start
        /usr/syno/bin/synopkg start EmbyServer
    fi

renew_wildcard_cert.sh

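Added example, not part of any post in this thread: the PEM to PKCS#12 conversion from Beecon's step 6 and the expiry check plus .pfx export from Speedyhome's renewal script, done locally with openssl so the private key stays on the NAS and the password is read from the environment rather than the command line. The function names, the EMBY_PFX_PASS variable and the throwaway self-signed certificate are assumptions constructed for the demo.

```bash
#!/bin/bash
# Added example; make_pfx, needs_renewal and EMBY_PFX_PASS are assumed names.
set -eu

# Succeeds (0) when the cert expires within $2 seconds (default 604800 = 7 days).
# openssl -checkend exits 1 if the cert expires in that window, 0 if not;
# an unreadable file also makes openssl fail, so it counts as "renew".
needs_renewal() {
    ! openssl x509 -checkend "${2:-604800}" -noout -in "$1" >/dev/null 2>&1
}

# Build the .pfx locally: make_pfx privkey.pem fullchain.pem out.pfx
# The password is read from the environment (env:), so it never appears in
# the process list the way "-passout pass:..." does.
make_pfx() {
    (
        umask 077 &&   # bundle holds the private key: owner-only permissions
        openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3.tmp" \
            -passout env:EMBY_PFX_PASS &&
        # Check that the new bundle opens before replacing the old one.
        openssl pkcs12 -in "$3.tmp" -noout -passin env:EMBY_PFX_PASS &&
        mv "$3.tmp" "$3"
    )
}

demo() {
    d=$(mktemp -d)
    # Constructed sample: throwaway self-signed cert valid for 5 days.
    openssl req -x509 -newkey rsa:2048 -nodes -days 5 \
        -subj "/CN=emby.example.test" \
        -keyout "$d/privkey.pem" -out "$d/fullchain.pem" 2>/dev/null
    export EMBY_PFX_PASS="constructed-demo-password"
    if needs_renewal "$d/fullchain.pem"; then
        echo "certificate expires within 7 days: renew it first"
    fi
    make_pfx "$d/privkey.pem" "$d/fullchain.pem" "$d/Emby.pfx"
    ls -l "$d/Emby.pfx"
    rm -rf "$d"
}
demo
```

Because the new bundle is written to a temporary name and only moved into place after it opens with the password, a failed export leaves the previous .pfx untouched.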
Speedyhome, posted April 14, 2022:

Correction to the script: please change in the script

    synosystemctl restart nginx

to

    synosystemctl reload nginx

Why this --> my NAS rebooted VMM, Syno Office and more packages, and the running server in VMM was killed, not shut down!!!

Speedyhome, posted June 24, 2022:

Hi, I have found how to reload nginx with the reloaded cert in Synology after renewing certs. Here are the commands:

    synow3tool --gen-all && systemctl reload nginx
    synosystemctl restart pkgctl-WebStation.service