JuJuJurassic 28
Posted March 9, 2023

I hope this will help others running Emby on Ubuntu.

After reading around a lot, I've got Let's Encrypt to kindly provide me with a certificate. I added a TXT record to the domain by editing the DNS.

Here are the commands:

sudo snap install --classic certbot
- This installs certbot.

But you need the right values to add a TXT record to your domain. I changed this line from the web:

"certbot -d bristol3.pki.enigmabridge.com --manual --preferred-challenges dns certonly"

You get the response:

"Please deploy a DNS TXT record under the name
_acme-challenge.bristol3.pki.enigmabridge.com with the following value:

667drNmQL3vX6bu8YZlgy0wKNBlCny8yrjF1lSaUndc

Once this is deployed,
Press ENTER to continue"

Create and add this text to your domain records, then issue

certbot -d "Your Domain" --manual --preferred-challenges dns certonly
- this issues the certificate, after querying your domain's TXT record

sudo certbot renew --dry-run

I've changed the domain name in the examples below.

root@emby:/etc/letsencrypt/live/domainname# ls
cert.p12 cert.pem chain.pem fullchain.pem privkey.pem README

I used "openssl pkcs12 -export -out cert.p12 -in cert.pem -inkey key.pem -passout pass: -nokeys" to create a PKCS12 certificate, that's the cert.p12 file.

And that's as far as I can get. I can't add the path to Emby. Once I select live, the path disappears, as if I hadn't entered anything.

I'm so close. What am I doing wrong?

Thanks

Luke 37008
Posted March 10, 2023

Hi, it sounds like the server is being denied access to the location you're trying to use. Have you taken a look at this?

You may also want to put the certificate somewhere that you know the server will be able to access.

JuJuJurassic 28
Posted March 10, 2023 (Author)

Thanks Luke, schoolboy error, I'd set the group permissions and forgot to change the group owner.

So I've added the certificate, but it's refusing SSL connections. I've got it set to:

Secure connection mode: Preferred, but not required.

If I mess up the SSL I want a way back in. I'm connecting locally.

Here's an edited summary from the dashboard, connecting over http:

Version 4.7.11.0
Emby Server is up to date
Running on HTTP port 8096
In-Home (LAN) access: http://1xx.xx.xx.xx:8096
Remote (WAN) access: http://emby.domain.com:8096

I've looked in the embyserver.txt log, but can't see anything regarding the SSL connection. I've tried debug mode.

I'd like to find out what's going on. How do I see the SSL connection information in the debug log?

Thanks

Q-Droid 634
Posted March 10, 2023

Restart your Emby server then review/post the newest log. You'll likely find that it has a problem with the cert file. You need to create the PKCS12 file correctly using the right certs from LE. I don't think there is a key.pem, it's privkey.pem and for the cert you use fullchain.pem.

This directory contains your keys and certificates.

`privkey.pem` : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem` : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem` : will break many server configurations, and should not be used without reading further documentation (see link below).

Follow this post:
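
The correction in the post above as an added shell example, not code from any poster in this thread: it builds the PKCS#12 bundle from fullchain.pem and privkey.pem and checks that the private key is actually inside, which the -nokeys export from the first post leaves out. The function names, the password and the throwaway self-signed pair used by selftest are assumptions constructed for the example.

```shell
#!/usr/bin/env bash
# Added example: build a PKCS#12 bundle from certbot's live/ directory and
# confirm that it really contains the private key.

# build_p12 LIVE_DIR OUT_FILE PASSWORD
build_p12() {
    # fullchain.pem (leaf + intermediates) and privkey.pem are the names
    # listed in certbot's README; there is no key.pem.
    [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ] || return 2
    # umask 027: owner rw, group r, others nothing. Afterwards chgrp the file
    # to the group the Emby service runs as (installation-specific).
    ( umask 027
      P12_PASS=$3 openssl pkcs12 -export -in "$1/fullchain.pem" \
          -inkey "$1/privkey.pem" -out "$2" -passout env:P12_PASS )
}

# p12_has_key FILE PASSWORD: succeeds only if the bundle holds a private key.
p12_has_key() {
    P12_PASS=$2 openssl pkcs12 -in "$1" -passin env:P12_PASS \
        -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

# selftest: runs both variants on a constructed, throwaway self-signed pair.
selftest() {
    st_rc=0
    st_dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=emby.example.test' \
        -keyout "$st_dir/privkey.pem" -out "$st_dir/fullchain.pem" \
        2>/dev/null || st_rc=1
    build_p12 "$st_dir" "$st_dir/good.p12" 'constructed-pass' || st_rc=1
    p12_has_key "$st_dir/good.p12" 'constructed-pass' || st_rc=1
    # Same export with -nokeys, as in the first post: certificate only.
    openssl pkcs12 -export -nokeys -in "$st_dir/fullchain.pem" \
        -out "$st_dir/nokey.p12" -passout pass:constructed-pass \
        2>/dev/null || st_rc=1
    if p12_has_key "$st_dir/nokey.p12" 'constructed-pass'; then st_rc=1; fi
    rm -rf "$st_dir"
    return $st_rc
}
```

Against a real install the call would be build_p12 /etc/letsencrypt/live/domainname OUT_FILE PASSWORD, followed by p12_has_key on the result before pointing Emby at it.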

rbjtech 4222
Posted March 11, 2023

Possibly easier if you just ran a reverse proxy in front of emby - and let it handle the TLS?

Renewal of the cert will definitely be easier, emby needs a restart to reload it for example.

Q-Droid 634
Posted March 11, 2023

4 hours ago, rbjtech said:
Possibly easier if you just ran a reverse proxy in front of emby - and let it handle the TLS? Renewal of the cert will definitely be easier, emby needs a restart to reload it for example.

I agree and perhaps a reverse proxy should become my default answer for anyone trying to enable remote access. There are enough good reasons to do so and certificate maintenance is only one of them.