
How do I make my OpenSUSE server use encryption (https)


jarome
Solved by jarome


Emby is useless to me unless it uses encryption. How do I enable this on OpenSUSE LEAP15.3?

Also, I bought a pro key, but the page to enter the key does not accept any input! (Edge and Firefox).


So I entered the key in the server console, and that worked, and I found out how to set up https. But it is not yet working.

I have letsencrypt certs

In the /etc/letsencrypt/live/myserver/ directory, I did

openssl pkcs12 -export -out keyStore.p12 -inkey privkey.pem -in cert.pem

and put the path to keyStore.p12 in the ssl setup page, and restarted the server. Even https://localhost:8920 does not connect.

What am I doing wrong?


How do I debug this? Emby is NOT listening on 8920, just 8096.

jarfx:/opt/emby-server # netstat -tulpn | grep EmbyServer
tcp6       0      0 :::8096                 :::*                    LISTEN      14903/EmbyServer     
udp        0      0 192.168.1.5:49802       0.0.0.0:*                           14903/EmbyServer     
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           14903/EmbyServer     
udp        0      0 0.0.0.0:53523           0.0.0.0:*                           14903/EmbyServer     
udp        0      0 127.0.0.1:60676         0.0.0.0:*                           14903/EmbyServer     
udp6       0      0 :::7359                 :::*                                14903/EmbyServer    

 


Quote

and put the path to keyStore.p12

Hi, the server is expecting a pfx file, not p12. Please let us know if this helps. Thanks.


Happy2Play
22 minutes ago, Luke said:

Hi, the server is expecting a pfx file, not p12. Please let us know if this helps. Thanks.

I thought this did not matter?

 


Q-Droid

There's a README file in the letsencrypt/live/servername directory with some useful details.

cat README
This directory contains your keys and certificates.

`privkey.pem`  : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem`     : will break many server configurations, and should not be used
                 without reading further documentation (see link below).

We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.
 

LetsEncrypt has intermediate certs in its chain and you want to include those in your cert store (PKCS12 file), hence the fullchain.pem.

openssl pkcs12 -export -in <path to fullchain.pem> -inkey <path to privkey.pem> -out <path to PKCS12 file>

Create a directory in the emby user home (/var/lib/emby) for the cert store, something like /var/lib/emby/ssl owned by emby.

Copy, move or directly create the PKCS12 file in that directory then make sure it's owned by emby. chown -R emby:emby /var/lib/emby/ssl.

Update the path in the Emby server console -> Network settings and restart.

If it's working you're set. If not then attach the server log created right after restart.

 


  • Solution

Before, I did not use fullchain.pem. Now I did:

/etc/letsencrypt/live/jarfx.dyndns.org # openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out emby.pex
Enter Export Password:

Changed the cert name in networking, and restarted the server. Had to change permissions too. Now it works!

Jim
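
The bundle-building steps from the answers above, as an added shell example that is not part of the original thread: it checks that privkey.pem matches the leaf certificate in fullchain.pem, exports the PKCS#12 file, and counts the certificates stored in it (a bundle made from cert.pem alone holds one; fullchain.pem adds the intermediates). The function names, the P12_PASS variable and the throwaway sample CA are assumptions made for the example.

```shell
#!/bin/sh
# Added example: helper names and P12_PASS are assumptions, not part of Emby or certbot.

# build_p12 LIVE_DIR OUT_FILE PASSWORD
# Bundle fullchain.pem (leaf + intermediates) and privkey.pem into one PKCS#12 file.
build_p12() {
  local live="$1" out="$2" pass="$3" cert_pub key_pub
  # The first certificate in fullchain.pem is the leaf; its public key must match privkey.pem.
  cert_pub=$(openssl x509 -in "$live/fullchain.pem" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$live/privkey.pem" -pubout) || return 1
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "privkey.pem does not match the leaf certificate" >&2
    return 1
  fi
  # umask keeps the bundle (it contains the private key) unreadable to other users;
  # env: keeps the export password out of the process list.
  ( umask 077
    P12_PASS="$pass" openssl pkcs12 -export -in "$live/fullchain.pem" \
      -inkey "$live/privkey.pem" -out "$out" -passout env:P12_PASS )
}

# p12_cert_count FILE PASSWORD: print how many certificates the bundle holds.
p12_cert_count() {
  P12_PASS="$2" openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# Constructed sample input: throwaway CA and leaf laid out like a certbot live/ directory.
make_sample_live() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Sample CA" \
    -keyout "$d/ca.key" -out "$d/chain.pem" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=media.example.test" \
    -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/chain.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/cert.pem" 2>/dev/null || return 1
  cat "$d/cert.pem" "$d/chain.pem" > "$d/fullchain.pem"
}
```

On the server, point build_p12 at the certbot live directory, then change ownership of the output to emby as described in the thread.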
