
No warning of expired certificate



SteveFintel

I'm enabling SSL for Emby Server using a Let's Encrypt cert automatically obtained by my router. It works great until the router updates the cert. It took me a while to figure out why I wasn't able to use SSL to connect to my server. Once I updated the cert, everything worked as expected.

Is there some way for the server to throw an expired cert error? I didn't see anything in the logs that would have helped me solve the problem. Or have the clients generate a more helpful message?

Link to comment
Share on other sites

Hi, I think Emby Server can certainly provide better information about this in the server dashboard.

As far as the clients providing detailed information about this, that's a bit more difficult because it's a catch 22. You've configured SSL and therefore it has to work in order for clients to be able to connect. If they can't connect, then they can't get details from Emby Server about the certificate.


SteveFintel

Doesn't the client know if the login attempt is refused due to an expired certificate? If I go to the server from a browser, I see an expired certificate notice, right?


3 minutes ago, SteveFintel said:

Doesn't the client know if the login attempt is refused due to an expired certificate? If I go to the server from a browser, I see an expired certificate notice, right?

Not necessarily. The client knows that it can't connect, but most of the time it won't be able to figure out why.


SteveFintel

Well, a server log entry will still help (a lot). Can this be added before my Let's Encrypt cert expires again?😀

Also, does the server reread the pfx file automatically or do I need to restart it? If I can arrange automation of updating the pfx it would be nice if the server just reread it.


pwhodges

Where I use a certificate which uses a certificate copied from a place that is automatically updated (my mail server has a copy of the webmail server's certificate) I run a job daily which checks if their dates are the same, and if one has changed, copies it to the other (this is a built-in function of Xcopy). I don't restart to force the updated certificate to be picked up, because the renewal is typically more than a month ahead, and so there will be a monthly Windows update and restart before the expiry is reached. Actually, I no longer need to run this, but when I did, the code was:


echo Preparing to copy

:: Move to Caddy directory for mail.cassland.org certificate (/D means change drive too)

cd /D "C:\Users\administrator.CASS\AppData\Roaming\Caddy\certificates\acme-v02.api.letsencrypt.org-directory\mail.cassland.org"

echo %date% %time% >> "%~dp0KerioCertCopy.log"

:: Only copy newer files to the Kerio sslcert store (/D parameter)
:: NB trailing * is necessary to avoid file/directory prompt when changing name!

xcopy /D /Y "mail.cassland.org.crt" "C:\Program Files\Kerio\Mailserver\sslcert\server1.crt*" >> "%~dp0KerioCertCopy.log"
xcopy /D /Y "mail.cassland.org.key" "C:\Program Files\Kerio\Mailserver\sslcert\server1.key*" >> "%~dp0KerioCertCopy.log"

echo Step 4...Done...

exit

Paul


SteveFintel

Thanks, Paul. I was planning on doing something similar. I'm hosting Emby Server on FreeBSD. In that configuration, Emby is expecting the key and certificate in a single pfx file so I would need to add a step to combine the two. But if Emby doesn't pick up the updated certs, I still need to restart it. Is there a way to programmatically do that?

Edit: Doh! 

service -R emby-server

I might just add a cron job to run this nightly and not wait for the cert to expire.


3 hours ago, SteveFintel said:

Well, a server log entry will still help (a lot). Can this be added before my Let's Encrypt cert expires again?😀

Also, does the server reread the pfx file automatically or do I need to restart it? If I can arrange automation of updating the pfx it would be nice if the server just reread it.

At this time it is only read on server startup, although that's something we could look at improving. Thanks.
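
Added example, not part of the thread and not Emby's own code: a sh script for the FreeBSD setup discussed above that writes a syslog entry when the certificate is expired or close to expiry, combines the separate certificate and key into the PFX, and restarts Emby only when the PFX actually changed. The file paths, the `emby` file owner, the 14-day threshold and the `emby-cert` syslog tag are assumptions.

```sh
#!/bin/sh
# Nightly cron job (added example). Paths, owner, threshold and tag are assumptions.
CERT=${CERT:-/usr/local/etc/emby-tls/fullchain.pem}  # hypothetical: cert fetched from the router
KEY=${KEY:-/usr/local/etc/emby-tls/privkey.pem}      # hypothetical: matching private key
PFX=${PFX:-/usr/local/etc/emby-tls/emby.pfx}         # hypothetical: file Emby is pointed at
PFX_PASS=${PFX_PASS:-}                               # must match the password set in Emby
PFX_OWNER=${PFX_OWNER-emby}                          # assumed account Emby runs as
WARN_DAYS=${WARN_DAYS:-14}

# Print "missing", "expired", "expiring" (within WARN_DAYS) or "ok" for a PEM cert.
cert_status() {
    [ -r "$1" ] || { echo missing; return 0; }
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$1" -noout -checkend "$((WARN_DAYS * 86400))" >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# SHA-256 fingerprint of the first PEM certificate on stdin.
fingerprint() { openssl x509 -noout -fingerprint -sha256 2>/dev/null; }

# Succeeds only if the PFX already holds the same leaf certificate as $CERT.
pfx_is_current() {
    [ -r "$PFX" ] || return 1
    new=$(fingerprint < "$CERT")
    old=$(openssl pkcs12 -in "$PFX" -passin "pass:$PFX_PASS" -clcerts -nokeys 2>/dev/null | fingerprint)
    [ -n "$new" ] && [ "$new" = "$old" ]
}

# Combine cert and key into a PFX, written privately and swapped in atomically.
rebuild_pfx() {
    tmp="$PFX.tmp.$$"
    ( umask 077
      openssl pkcs12 -export -in "$CERT" -inkey "$KEY" -out "$tmp" -passout "pass:$PFX_PASS" ) || return 1
    [ -z "$PFX_OWNER" ] || chown "$PFX_OWNER" "$tmp" || return 1
    mv -f "$tmp" "$PFX"
}

main() {
    status=$(cert_status "$CERT")
    # Leave a syslog entry so an expiring or expired cert is visible before clients fail.
    [ "$status" = ok ] || logger -t emby-cert "certificate $CERT is $status"
    [ "$status" = missing ] && return 1
    # Emby reads the PFX only at startup, so restart only when the file changed.
    pfx_is_current || { rebuild_pfx && service emby-server restart; }
}
if [ "${1:-}" = run ]; then main; fi
```

Run it from root's crontab with the argument `run`; without that argument it only defines the functions.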
