
Automated SSL Renewal with Synology NAS, Emby, and a pFsense router


Ahole


This stuff can kinda make your head swim - so thanks to all who have helped with other issues.

Currently (as I have described in other posts) I have a domain and several subdomains which are used by various applications (most of which are on the Synology NAS located on my local network). I use HAProxy on the pFsense router to get from external to the various applications - thus no open ports (except for the 443 https port). I also use ACME and Let's Encrypt for the various subdomains, and ACME and pFsense take care of renewing the Let's Encrypt certs regularly. But that doesn't end up getting renewed on the Synology or the Emby app itself.

I am sure it would have been better for me to have created a wildcard cert from the beginning - and I guess I can still go back to that - but currently the HAProxy is using a different cert for each subdomain.

I saw this post:

Hello all,

I'm glad I found this thread. I was thinking of doing just that and searching if anyone else had already documented how to do it. So I took the openssl command line here and created the following script, that you may keep wherever you wish on your Synology NAS. It will create/update the cert.pfx file in the /usr/syno/etc/certificate/system/default folder and then restart the Emby server.

#!/bin/bash
# Stop at the first failing command so a broken export never restarts Emby
set -e

cd /usr/syno/etc/certificate/system/default
# Bundle the private key, leaf certificate and chain into an unencrypted PKCS#12 file for Emby
openssl pkcs12 -export -out cert.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:

# Restart Emby so it loads the refreshed cert.pfx
/var/packages/EmbyServer/scripts/_restart

You may paste this into any text file, name it Whatever.sh, make it executable (chmod +x) and then schedule it with the built-in Synology scheduler to run as root (I've scheduled it to run every night). You still need to configure Emby to use the certificate, but after that, you should be good to go.

Regards,

regarding automating a Synology generated cert and using it with Emby.

Does anyone have any suggestions for using Let's Encrypt, pFsense, Synology, and Emby all together and somehow automating the cert renewal across the board?

If I create a cert in pFsense and use it with HAProxy, will it mess things up or "revoke" the certificate if I create another cert within Synology for use with Emby?
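An added example (not from the quoted post, nor from the Emby or Synology projects) that extends the script quoted above: it rebuilds cert.pfx from the PEM files only when the certificate has actually changed, and restarts Emby only in that case, so a nightly schedule does not restart the server needlessly. The directory and restart script are the ones quoted in the thread; the fingerprint state file location is an assumption.

```shell
#!/bin/bash
# Added example: rebuild Emby's cert.pfx from the Synology PEM files only when
# the certificate has changed, and restart Emby only in that case.
# Directory and restart script are those quoted earlier in the thread; the
# state file path is an assumption.
set -eu

CERT_DIR="${CERT_DIR:-/usr/syno/etc/certificate/system/default}"
STATE_FILE="${STATE_FILE:-/var/tmp/emby-cert.fingerprint}"   # assumed location
EMBY_RESTART="${EMBY_RESTART:-/var/packages/EmbyServer/scripts/_restart}"

# SHA-256 fingerprint of a PEM certificate (the part after "Fingerprint=")
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Pure decision helper (no openssl): returns 0 (rebuild needed) when there is
# no recorded fingerprint or the recorded one differs from the current cert.
needs_rebuild() {
    [ -z "$1" ] || [ "$1" != "$2" ]
}

# Succeeds only if the certificate is still valid for at least N days (default 7)
check_not_expiring() {
    openssl x509 -noout -checkend "$(( ${2:-7} * 86400 ))" -in "$1" >/dev/null
}

main() {
    cd "$CERT_DIR"
    new_fp="$(cert_fingerprint cert.pem)"
    old_fp="$(cat "$STATE_FILE" 2>/dev/null || true)"

    if ! needs_rebuild "$old_fp" "$new_fp"; then
        echo "cert.pfx already matches cert.pem; no restart needed"
        return 0
    fi
    check_not_expiring cert.pem 7 || echo "warning: cert.pem expires within 7 days" >&2

    # Export to a temp file first so a failed run never leaves a broken cert.pfx
    openssl pkcs12 -export -out cert.pfx.tmp -inkey privkey.pem -in cert.pem \
        -certfile chain.pem -passout pass:
    mv -f cert.pfx.tmp cert.pfx
    printf '%s\n' "$new_fp" > "$STATE_FILE"
    "$EMBY_RESTART"
}

# Run only when invoked with --run (e.g. from Synology Task Scheduler as root)
if [ "${1:-}" = "--run" ]; then main; fi
```

Schedule it as `Whatever.sh --run` from Task Scheduler; on nights where the ACME client has not issued a new certificate the script exits without touching Emby.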


justinrh

Sounds like you need Caddy in reverse proxy mode, or any RP, I suppose, since you have the auto cert renewal mechanism already.


seanbuff

If HAProxy is your RP and has certs for the various subdomains, then Emby should sit behind this and you would not need to generate a Synology cert for Emby - just use the HAProxy cert for your Emby subdomain.

The idea of the reverse-proxy is that it should handle all the SSL certs for all your different subdomains, so that the backend services don't need to.


Yes, that is what has been done...

But Emby requires inserting and pointing to the cert after converting to PKCS#12 format, which I have not found a way to automate. If I could automate this process then all would be ok.


justinrh

Did you miss "The idea of the reverse-proxy is that it should handle all the SSL certs for all your different subdomains, so that the backend services don't need to."?  Emby doesn't need a cert unless you are using encryption within the LAN.


So I'm confused, you mean that I don't need to fill the spot in Emby that asks for where your certificate is located?

I could have sworn I got errors in the past when I tried to bypass this step?

Heck, if I don't have to have the latest cert listed in Emby then I should be all good.

Wonder if the Synology NAS itself requires the updated certs? I've seen some somewhat complicated posts / tutorials for exporting the pFsense wildcard cert to Synology.

I thought about trying that again, but apparently it immediately reboots your NAS when the cert is updated and that can definitely cause problems (just recently had Hyper Backup get corrupted because of some inadvertent reboot).


seanbuff
6 minutes ago, Ahole said:

So I’m confused, you mean that I don’t need to fill the spot in Emby that asks for where your certificate is located?

Correct. If your reverse-proxy is handling this for you, which I presume it is.

Then this is all you need in your Emby config:

[screenshot of the Emby certificate setting, with the option "Handled by reverse proxy" selected]


OK, thanks for that. I don't think that I have actually tried to use that setting before, but I'll try it and see what happens.

Hey also @seanbuff, do you happen to know if the same thing can be done with the Synology itself? I've been struggling to make sure the certificates were updated on Synology when, in fact, the different services were being accessed by the pfsense HAProxy reverse proxy. So does Synology even have to have an updated certificate? I think all of the reverse proxy settings in Synology are basically for using the reverse proxy built into Synology.


seanbuff
4 hours ago, Ahole said:

Do you happen to know if the same thing can be done with the Synology itself?

Hi, yes, the same principles apply. HAProxy can secure the traffic between itself and remote clients. The services behind the HAProxy and on the Synology can actually be unencrypted (as is Emby in this instance) - the reverse proxy itself is responsible for ensuring traffic is encrypted outside of your local network.

In saying that, if you are really wanting to expose your NAS to the web - I would advise using a VPN instead of a reverse-proxy.
