Adding SSL to Emby on ubuntu 20.04


JuJuJurassic


I hope this will help others running Emby on Ubuntu.

After reading around a lot, I've got Let's Encrypt to kindly provide me with a certificate. I added a TXT record to the domain by editing the DNS. Here are the commands:

sudo snap install --classic certbot    -This installs certbot

But you need the right values to add a TXT record to your domain. I changed this line from the web: "certbot -d bristol3.pki.enigmabridge.com --manual --preferred-challenges dns certonly"

You get the response "

Please deploy a DNS TXT record under the name
_acme-challenge.bristol3.pki.enigmabridge.com with the following value:

667drNmQL3vX6bu8YZlgy0wKNBlCny8yrjF1lSaUndc

Once this is deployed,
Press ENTER to continue"

Create and add this text to your domain records, then issue

certbot -d "Your Domain" --manual --preferred-challenges dns certonly   -this issues the certificate, after querying your domain's txt record
sudo certbot renew --dry-run  

I've changed the domain name in the examples below.

root@emby:/etc/letsencrypt/live/domainname# ls
cert.p12  cert.pem  chain.pem  fullchain.pem  privkey.pem  README

I used "openssl pkcs12 -export -out cert.p12 -in cert.pem -inkey key.pem -passout pass: -nokeys"

to create a PKCS12 certificate, that's the cert.p12 file.

And that's as far as I can get 😞

 

I can't add the path to emby. Once I select live, the path disappears, as if I hadn't entered anything.

I'm so close

What am I doing wrong?

Thanks

Hi, it sounds like the server is being denied access to the location you're trying to use.  Have you taken a look at this?

You may also want to put the certificate somewhere that you know the server will be able to access.


JuJuJurassic

Thanks Luke, schoolboy error: I'd set the group permissions and forgot to change the group owner. So I've added the certificate, but it's refusing SSL connections. I've got it set to Secure connection mode: Preferred, but not required. If I mess up the SSL I want a way back in. I'm connecting locally. Here's an edited summary from the dashboard, connecting over HTTP:

Version 4.7.11.0

Emby Server is up to date

Running on HTTP port 8096

In-Home (LAN) access: http://1xx.xx.xx.xx:8096

Remote (WAN) access: http://emby.domain.com:8096

I've looked in the embyserver.txt log, but can't see anything regarding the SSL connection. I've tried debug mode. I'd like to find out what's going on. How do I see the SSL connection information in the debug log?

Thanks


Q-Droid

Restart your Emby server then review/post the newest log. You'll likely find that it has a problem with the cert file.

You need to create the PKCS12 file correctly using the right certs from LE. I don't think there is a key.pem, it's privkey.pem and for the cert you use fullchain.pem.

This directory contains your keys and certificates.

`privkey.pem`  : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.

`chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem`     : will break many server configurations, and should not be used without reading further documentation (see link below).

Follow this post:

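Added example (not part of the thread, and not Emby's or certbot's own code): shell functions that follow the advice above, building the PKCS12 bundle from `privkey.pem` and `fullchain.pem` and then checking that the result really contains a private key. The function names, the destination path, the `emby` group and the empty export password are assumptions.

```shell
# Added example. Function names, output path, the "emby" group and the
# empty export password are assumptions, not values from the thread.

# build_p12 LIVE_DIR OUT_FILE [PASSWORD]
build_p12() {
    local live_dir="$1" out="$2" pass="${3:-}"
    local key="$live_dir/privkey.pem" chain="$live_dir/fullchain.pem"

    # live/ is normally readable by root only, so fail early and clearly.
    if [ ! -r "$key" ] || [ ! -r "$chain" ]; then
        echo "cannot read $key or $chain" >&2
        return 1
    fi

    # Create the output with mode 0600 before key material is written to it.
    ( umask 077 && : > "$out" ) || return 1

    # fullchain.pem = leaf + intermediates, privkey.pem = matching key.
    # No -nokeys here: that flag leaves the private key out of the bundle.
    openssl pkcs12 -export -out "$out" -inkey "$key" -in "$chain" \
        -name emby -passout "pass:$pass"
}

# p12_has_key FILE [PASSWORD]: succeeds only if the bundle holds a private key.
p12_has_key() {
    openssl pkcs12 -in "$1" -passin "pass:${2:-}" -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

# p12_cert_count FILE [PASSWORD]: prints how many certificates are inside.
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:${2:-}" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Typical use as root (destination path and group are assumptions):
#   build_p12 /etc/letsencrypt/live/<your-domain> /var/lib/emby/emby.p12
#   p12_has_key /var/lib/emby/emby.p12 || echo "bundle has no private key"
#   chgrp emby /var/lib/emby/emby.p12 && chmod 640 /var/lib/emby/emby.p12
```

The bundle has to be rebuilt after every renewal, and it holds the private key, so keep it readable only by root and the account the server runs as.
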

rbjtech

Possibly easier if you just ran a reverse proxy in front of emby - and let it handle the TLS? Renewal of the cert will definitely be easier, emby needs a restart to reload it for example.

Q-Droid
4 hours ago, rbjtech said:

Possibly easier if you just ran a reverse proxy in front of emby - and let it handle the TLS? Renewal of the cert will definitely be easier, emby needs a restart to reload it for example.

I agree and perhaps a reverse proxy should become my default answer for anyone trying to enable remote access. There are enough good reasons to do so and certificate maintenance is only one of them.
