chj915 9 Posted December 30, 2022 Share Posted December 30, 2022 (edited) After viewing the other thread for setting Emby server via IIS with auto renewed SSL Cert, I've decided to share my personal approach (no IIS) for non-advanced users: I kept the default Windows Installation of Emby. I setup a local scheduled job to back up the configuration files for Emby Server, so if I need to reinstall Emby one day, all configuration files are available from separate machine. I chose not to use IIS as I don't want to have the hard dependency between Emby Server with the Windows machine. I run the Emby server as it is, so the port 8096 and 8920 remain the same as its default setting. I do use the Port Forwarding feature on my router to expose the Emby server port 8920 (HTTPS) and/or 8096 (HTTP) to public. To be a bit more secured, you may choose to expose only the HTTPS port 8920 to public. You might want to ensure the firewall does not block these ports. I registered a free account on noip.com, as it offers me free DDNS hostname + a free SSL Certificate. I applied this free SSL Cert, downloaded the certificate file to the windows machine, and configured directly on my Emby server configuration page to use the corresponding SSL cert file with password. From the public to access my home Emby Server, the url will just be my free DDNS url + the port I chose to expose. It is a valid public URL with valid SSL Certificate. With such configuration pattern, the only risk is within the Windows Machine. If it is for any reason broken, all I have to do is: Install Emby Server for Windows, restore the configuration files from backup, copy SSL cert to the Emby server hosting machine Configure Router port forwarding from the Windows Machine IP, make sure the Windows machine firewall does not block the ports you want to expose Pros vs Cons: It has less dependency on the Windows Machine itself, and swapping to a new Windows machine would be easy as well. No configuration required for IIS and its required components. Emby comes with its web layer hosting, so for personal users it is a bit of overkill to setup another IIS layer. noip.com offers free tier users the DDNS service with a free SSL Certificate, so why not take the advantage of that. Of course, we might not get the "SSL auto renewal" part, but for an Emby home user/personal user, how much value we are saving by setting up the SSL auto renewal? You need to have certain knowledge of how to apply for the SSL cert on noip.com website. https://www.noip.com/support/knowledgebase/configure-trustcor-standard-dv-ssl/ Edited December 30, 2022 by chj915 2 Link to comment Share on other sites More sharing options...
Luke 37009 Posted January 2, 2023 Share Posted January 2, 2023 Thanks for sharing ! Link to comment Share on other sites More sharing options...
justinrh 174 Posted January 2, 2023 Share Posted January 2, 2023 (edited) "Due to unforeseen circumstances, No-IP has suspended issuing new [free] TrustCor SSL Certificates." Curious @chj915 how did you create the CSR - OpenSSL? Edited January 2, 2023 by justinrh 1 Link to comment Share on other sites More sharing options...
chj915 9 Posted January 2, 2023 Author Share Posted January 2, 2023 (edited) 22 minutes ago, justinrh said: "Due to unforeseen circumstances, No-IP has suspended issuing new [free] TrustCor SSL Certificates." Curious @chj915 how did you create the CSR - OpenSSL? Sorry, I did not notice that NoIP no longer issues new [free] TrustCor SSL cert. That was a big selling point from NoIP free tier account. I got the cert from NoIP.com half year ago. It's been working great. I guess I will have to think about other alternatives for my own Emby server. The noip.com website guided me to create the CSR, etc. If SSL key operations are not your comfort field, you may want to take a look at the free tool: https://keystore-explorer.org/ Edited January 2, 2023 by chj915 Link to comment Share on other sites More sharing options...
chj915 9 Posted January 2, 2023 Author Share Posted January 2, 2023 I logged into my noip.com account. It says they are actively trying to find a replacement offering... not sure if that means they would be able to continue the free SSL cert offering sometime later. Link to comment Share on other sites More sharing options...
chj915 9 Posted February 1, 2023 Author Share Posted February 1, 2023 @Luke @justinrh just to give an update on the free SSL Cert provided by No-IP.com. I have just received an email from them saying that they are retiring the old SSL cert issued by TrustCor as the major browsers are slowly phrasing out the support for that. Instead, No-IP.com will provide another free SSL Cert issued by DigiCert. Quote Dear No-IP Customer You are receiving this email as a No-IP customer who activated a free TrustCor Standard DV SSL Certificate. Unfortunately, you will need to reinstall your certificate as major browsers are ending support for TrustCor, one of the many SSL Certificate Authorities we had partnered with. We understand the importance of securing your hostname with an SSL certificate, therefore we have created a new certificate at no cost to you for you to install with one of our partners, DigiCert. Why do I need to replace my SSL Certificate? Initially, most browsers planned to phase out support for TrustCor for all newly issued certificates. At that time, No-IP stopped issuing new SSL certificates so that customers would not be required to replace their SSL certificates and new certificates could be created with our other partners. However, we have become aware that upcoming releases of Google and Microsoft browsers will stop support for all TrustCor certificates, while other browsers will continue to support Trustcor Certificates that were previously issued. When do I need to take action? To ensure your hostname is not disrupted, you will need to replace your TrustCor SSL Certificate no later than February 14th, 2023 (Google Chrome version 111 which contains this change is scheduled to go to beta on February 9, 2023 and Microsoft is scheduled to release on February 14th, 2023). How do I replace my SSL Certificate? To obtain your free DigiCert Encryption Everywhere SSL Certificate, follow these steps: Login to No-IP and head to the My Services > SSL Certificates At the top of the page, find the Encryption Everywhere DV and select Add CSR Upload your CSR A TXT record will be automatically created to perform domain validation. (Validation completes in minutes) Download and install your SSL Certificate. We apologize for any inconvenience this may cause. If you have any questions or comments, please do not hesitate to open a Support Ticket or give us a call at 775.853.1883. Here is what I see from my No-IP.com page. 2 Link to comment Share on other sites More sharing options...
justinrh 174 Posted February 2, 2023 Share Posted February 2, 2023 (edited) Did you use openSSL to generate the CSR? Maybe you were grandfathered in with the free cert. It looks like if you use the free DDNS service, you can't get a free cert. Edited February 2, 2023 by justinrh Link to comment Share on other sites More sharing options...
chj915 9 Posted February 2, 2023 Author Share Posted February 2, 2023 4 minutes ago, justinrh said: Did you use openSSL to generate the CSR? I use this app to create/modify certificates or key pairs. https://keystore-explorer.org/ 1 Link to comment Share on other sites More sharing options...
chj915 9 Posted February 11, 2023 Author Share Posted February 11, 2023 just to give an update here for the free SSL Cert from NOIP.com. The site offers a replacement for the old SSL Cert, now I have aquired the new SSL cert and applied to my Emby hosting. This new SSL is issued by "Encryption Everywhere DV" - "DigiCert". 1 Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now