SteveFintel 25 Posted September 12, 2022

I'm enabling SSL for Emby Server using a Let's Encrypt cert automatically obtained by my router. It works great until the router updates the cert. It took me a while to figure out why I wasn't able to use SSL to connect to my server. Once I updated the cert, everything worked as expected.

Is there some way for the server to throw an expired cert error? I didn't see anything in the logs that would have helped me solve the problem. Or have the clients generate a more helpful message?

Luke 36888 Posted September 13, 2022

Hi, I think Emby Server can certainly provide better information about this in the server dashboard. As far as the clients providing detailed information about this, that's a bit more difficult because it's a catch-22. You've configured SSL and therefore it has to work in order for clients to be able to connect. If they can't connect, then they can't get details from Emby Server about the certificate.

SteveFintel 25 Posted September 13, 2022 Author

Doesn't the client know if the login attempt is refused due to an expired certificate? If I go to the server from a browser, I see an expired certificate notice, right?

Luke 36888 Posted September 13, 2022

3 minutes ago, SteveFintel said:
> Doesn't the client know if the login attempt is refused due to an expired certificate? If I go to the server from a browser, I see an expired certificate notice, right?

Not necessarily. The client knows that it can't connect, but most of the time it won't be able to figure out why.

SteveFintel 25 Posted September 13, 2022 Author

Well, a server log entry will still help (a lot). Can this be added before my Let's Encrypt cert expires again?

Also, does the server reread the pfx file automatically or do I need to restart it? If I can arrange automation of updating the pfx it would be nice if the server just reread it.

Edited September 13, 2022 by SteveFintel

pwhodges 1510 Posted September 13, 2022

Where I use a certificate which uses a certificate copied from a place that is automatically updated (my mail server has a copy of the webmail server's certificate), I run a job daily which checks if their dates are the same, and if one has changed, copies it to the other (this is a built-in function of Xcopy). I don't restart to force the updated certificate to be picked up, because the renewal is typically more than a month ahead, and so there will be a monthly Windows update and restart before the expiry is reached.

Actually, I no longer need to run this, but when I did, the code was:

    echo Preparing to copy
    :: Move to Caddy directory for mail.cassland.org certificate (/D means change drive too)
    cd /D "C:\Users\administrator.CASS\AppData\Roaming\Caddy\certificates\acme-v02.api.letsencrypt.org-directory\mail.cassland.org"
    echo %date% %time% >> "%~dp0KerioCertCopy.log"
    :: Only copy newer files to the Kerio sslcert store (/D parameter)
    :: NB trailing * is necessary to avoid file/directory prompt when changing name!
    xcopy /D /Y "mail.cassland.org.crt" "C:\Program Files\Kerio\Mailserver\sslcert\server1.crt*" >> "%~dp0KerioCertCopy.log"
    xcopy /D /Y "mail.cassland.org.key" "C:\Program Files\Kerio\Mailserver\sslcert\server1.key*" >> "%~dp0KerioCertCopy.log"
    echo Step 4...Done...
    exit

Paul

Edited September 13, 2022 by pwhodges

SteveFintel 25 Posted September 13, 2022 Author

Thanks, Paul. I was planning on doing something similar. I'm hosting Emby Server on FreeBSD. In that configuration, Emby is expecting the key and certificate in a single pfx file, so I would need to add a step to combine the two. But if Emby doesn't pick up the updated certs, I still need to restart it. Is there a way to programmatically do that?

Edit: Doh!

    service -R emby-server

I might just add a cron job to run this nightly and not wait for the cert to expire.

Edited September 13, 2022 by SteveFintel

Luke 36888 Posted September 13, 2022

3 hours ago, SteveFintel said:
> Well, a server log entry will still help (a lot). Can this be added before my Let's Encrypt cert expires again? Also, does the server reread the pfx file automatically or do I need to restart it? If I can arrange automation of updating the pfx it would be nice if the server just reread it.

At this time it is only read on server startup, although that's something we could look at improving. Thanks.

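Added example, not part of the thread and not Emby's own code: an external probe, suitable for a nightly cron job, that connects to the server's HTTPS port with normal certificate verification, reports an expired certificate separately from other connection failures, and warns before expiry. The host name, port and 14-day warning threshold are assumptions.

```python
import socket
import ssl
import time

# OpenSSL verify code, exposed by Python as SSLCertVerificationError.verify_code
X509_V_ERR_CERT_HAS_EXPIRED = 10


def days_left(not_after, now=None):
    """Days until a getpeercert() 'notAfter' string; negative once it has passed."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400.0


def classify(exc):
    """Name the cause of a failed connection instead of a bare 'cannot connect'."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        if getattr(exc, "verify_code", None) == X509_V_ERR_CERT_HAS_EXPIRED:
            return "CERT_EXPIRED"
        return "CERT_INVALID"      # wrong host name, untrusted issuer, ...
    if isinstance(exc, ssl.SSLError):
        return "TLS_ERROR"         # handshake failed for a non-certificate reason
    return "UNREACHABLE"           # DNS failure, refused connection, timeout


def status_for(remaining_days, warn_days=14):
    """Map the days remaining on a valid certificate to a monitoring status."""
    return "EXPIRING_SOON" if remaining_days < warn_days else "OK"


def probe(host, port, warn_days=14, timeout=10.0):
    """Connect with normal verification and return (status, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                remaining = days_left(tls.getpeercert()["notAfter"])
    except OSError as exc:  # ssl.SSLError and socket errors are OSError subclasses
        return classify(exc), str(exc)
    return status_for(remaining, warn_days), "%.1f days left" % remaining


if __name__ == "__main__":
    # Assumed host and port; substitute the server's public HTTPS endpoint.
    print(probe("emby.example.org", 8920))
```

Because the server reads the pfx only at startup, a CERT_EXPIRED result after the file has been replaced on disk indicates the server still needs a restart.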