
No warning of expired certificate


Recommended Posts

SteveFintel
Posted

I'm enabling SSL for Emby Server using a Let's Encrypt cert automatically obtained by my router. It works great until the router updates the cert. It took me a while to figure out why I wasn't able to use SSL to connect to my server. Once I updated the cert, everything worked as expected.

Is there some way for the server to throw an expired cert error? I didn't see anything in the logs that would have helped me solve the problem. Or have the clients generate a more helpful message?

Posted

Hi, I think Emby Server can certainly provide better information about this in the server dashboard.

As far as the clients providing detailed information about this, that's a bit more difficult because it's a catch 22. You've configured SSL and therefore it has to work in order for clients to be able to connect. If they can't connect, then they can't get details from Emby Server about the certificate.

SteveFintel
Posted

Doesn't the client know if the login attempt is refused due to an expired certificate? If I go to the server from a browser, I see an expired certificate notice, right?

Posted
3 minutes ago, SteveFintel said:

Doesn't the client know if the login attempt is refused due to an expired certificate? If I go to the server from a browser, I see an expired certificate notice, right?

Not necessarily. The client knows that it can't connect, but most of the time it won't be able to figure out why.

SteveFintel
Posted (edited)

Well, a server log entry will still help (a lot). Can this be added before my Let's Encrypt cert expires again?😀

Also, does the server reread the pfx file automatically or do I need to restart it? If I can arrange automation of updating the pfx it would be nice if the server just reread it.

Edited by SteveFintel
Posted (edited)

Where I use a certificate which uses a certificate copied from a place that is automatically updated (my mail server has a copy of the webmail server's certificate) I run a job daily which checks if their dates are the same, and if one has changed, copies it to the other (this is a built-in function of Xcopy). I don't restart to force the updated certificate to be picked up, because the renewal is typically more than a month ahead, and so there will be a monthly Windows update and restart before the expiry is reached. Actually, I no longer need to run this, but when I did, the code was:


echo Preparing to copy

:: Move to Caddy directory for mail.cassland.org certificate (/D means change drive too)
cd /D "C:\Users\administrator.CASS\AppData\Roaming\Caddy\certificates\acme-v02.api.letsencrypt.org-directory\mail.cassland.org"

echo %date% %time% >> "%~dp0KerioCertCopy.log"

:: Only copy newer files to the Kerio sslcert store (/D parameter)
:: NB trailing * is necessary to avoid file/directory prompt when changing name!
xcopy /D /Y "mail.cassland.org.crt" "C:\Program Files\Kerio\Mailserver\sslcert\server1.crt*" >> "%~dp0KerioCertCopy.log"
xcopy /D /Y "mail.cassland.org.key" "C:\Program Files\Kerio\Mailserver\sslcert\server1.key*" >> "%~dp0KerioCertCopy.log"

echo Step 4...Done...

exit

Paul

Edited by pwhodges
SteveFintel
Posted (edited)

Thanks, Paul. I was planning on doing something similar. I'm hosting Emby Server on FreeBSD. In that configuration, Emby is expecting the key and certificate in a single pfx file so I would need to add a step to combine the two. But if Emby doesn't pick up the updated certs, I still need to restart it. Is there a way to programmatically do that?

Edit: Doh! 

service -R emby-server

I might just add a cron job to run this nightly and not wait for the cert to expire.

Edited by SteveFintel
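As an added example (not Emby's code and not anything posted in this thread), a small sh script along the lines Steve describes for a FreeBSD host: it rebuilds the pfx from the router's PEM certificate and key only when the certificate file has changed, restarts Emby so the new pfx is read (using the rc form `service emby-server restart`), and writes a warning to its own log when expiry is close, which covers the missing expiry warning from a cron job rather than from Emby. The paths, the PFX_PASS variable and the log location are assumptions to adapt to where your router drops the renewed files.

```shell
#!/bin/sh
# Added example: cron-driven certificate refresh for Emby Server on FreeBSD.
# Not Emby's own code. Paths, file names and PFX_PASS are assumptions.

CERT="${CERT:-/usr/local/etc/ssl/emby/fullchain.pem}"   # assumed PEM chain exported by the router
KEY="${KEY:-/usr/local/etc/ssl/emby/privkey.pem}"       # assumed PEM private key
PFX="${PFX:-/var/db/emby-server/emby.pfx}"              # assumed pfx path configured in Emby
PFX_PASS="${PFX_PASS:-}"                                # pfx passphrase (empty = none)
WARN_DAYS="${WARN_DAYS:-14}"                            # warn when expiry is this close
LOG="${LOG:-/var/log/emby-cert-renew.log}"              # assumed log file

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"; }

# Returns 0 if the PEM certificate $1 stays valid for at least $2 more days, else 1.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Returns 0 if certificate $1 is newer than pfx $2, or if no pfx exists yet.
cert_newer_than_pfx() {
    [ ! -f "$2" ] || [ "$1" -nt "$2" ]
}

# Bundles PEM cert $1 and key $2 into the PKCS#12 file $3 (passphrase $4) that Emby expects.
build_pfx() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4" 2>/dev/null &&
        chmod 600 "$3"
}

# Rebuilds the pfx only when the source cert changed, then restarts Emby because the
# pfx is only read at startup. Logs loudly when the cert is expired or about to expire.
renew_if_needed() {
    if ! cert_valid_for_days "$CERT" 0; then
        log "ERROR: $CERT has already expired; clients will fail TLS until it is renewed"
    elif ! cert_valid_for_days "$CERT" "$WARN_DAYS"; then
        log "WARNING: $CERT expires within $WARN_DAYS days"
    fi
    if cert_newer_than_pfx "$CERT" "$PFX"; then
        build_pfx "$CERT" "$KEY" "$PFX" "$PFX_PASS" || { log "ERROR: building $PFX failed"; return 1; }
        log "rebuilt $PFX from $CERT"
        service emby-server restart >> "$LOG" 2>&1 && log "emby-server restarted"
    fi
}

# Run the refresh only when invoked as "script run" (e.g. from cron), so sourcing is harmless.
case "${1:-}" in run) renew_if_needed ;; esac
```

Run it nightly from root's crontab with `run` as the argument; it does nothing unless the certificate file has actually changed, so a restart only happens right after a renewal.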
Posted
3 hours ago, SteveFintel said:

Well, a server log entry will still help (a lot). Can this be added before my Let's Encrypt cert expires again?😀

Also, does the server reread the pfx file automatically or do I need to restart it? If I can arrange automation of updating the pfx it would be nice if the server just reread it.

At this time it is only read on server startup, although that's something we could look at improving. Thanks.
