JuJuJurassic 42 Posted March 15, 2024 (edited)

I've implemented SSL on Emby, my server runs Ubuntu, but it should be similar for Windows, and automated the generation of the PFX file. I must hasten, I had a lot of help from the Let's Encrypt community, MikeMcQ in particular, but here's how to do it.

Use the snap install, you have more options, which, as you'll see, is important. Watch out for typos, I typed a - instead of a _. Once it was pointed out it all worked perfectly.

You can cheat, which is what I did: I installed certbot using the script from the post "SSL made Easy", which got me working with SSL, I then removed the installed certbot and installed the snap version, as that has the "post_hook" option we need. See here https://certbot.eff.org/instructions?ws=other&os=ubuntufocal

The problem is certbot will auto-renew, but it won't create the .PFX file, you need it to do that afterwards for Emby.

The command in Ubuntu to do this is

    openssl pkcs12 -export -out pkcs12.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passin pass:******* -passout pass:******

Check the file names, mine are the default for Ubuntu. I don't know what they are for Windows.

This generates the pkcs12.pfx file.

But Emby can't see it in Ubuntu, so you need to change the owner using

    chown emby:root pkcs12.pfx

I created a script file, remember to flag it as executable, called convert-to-pfs.sh, literally just this

    openssl pkcs12 -export -out pkcs12.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passin pass:***** -passout pass:*****
    chown emby:root pkcs12.pfx

I put it in /etc/letsencrypt/live/Yourdomain. I should move it, it's not good practice, but I didn't want any path problems.

Once certbot is installed, it creates a conf file in /etc/letsencrypt/live/Yourdomain, called yourdomain.conf. In the renewals section it will say something like

    # Options used in the renewal process
    [renewalparams]
    account = *********
    authenticator = standalone
    server = https://acme-v02.api.letsencrypt.org/directory

You need to add the line

    post_hook = /etc/letsencrypt/live/your domain/convert-to-pfs.sh

You can do this with the reconfigure command, but you can cut and paste from this post. Remember to change the path.

That will then call the conversion AFTER the certificate has been renewed. Hey presto, you have the pfx file updated.

To test use

    certbot renew --dry-run --run-deploy-hooks

This will not renew the certificates, but will call the script. Just make sure you've renamed the original pfx file so you can see the date and time changes.

If you get "certbot: error: unrecognized arguments: --run-deploy-hooks", you're not using the snap version of certbot.

Apart from that, that's it.

Have fun

juju

Edited March 15, 2024 by JuJuJurassic
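A hardened variant of the conversion script described above, added here as an example (it is not JuJuJurassic's script and not part of certbot): it reads the export password from a root-only file through openssl's `file:` source instead of putting it on the command line, builds the PFX in a temporary file, and replaces the old one only if the export succeeds. The `PFX_PASS_FILE` and `PFX_OWNER` variables and the `/etc/emby-pfx.pass` path are assumptions, and the last lines assume the script runs as a certbot deploy hook, where certbot sets `RENEWED_LINEAGE` to the live directory.

```shell
#!/bin/sh
# Added example: rebuild the PFX for Emby after a certbot renewal.
# Assumed names (not from the post): PFX_PASS_FILE, PFX_OWNER, /etc/emby-pfx.pass.

# make_pfx LIVE_DIR PASS_FILE [OWNER]
# Builds LIVE_DIR/pkcs12.pfx from certbot's privkey.pem, cert.pem and chain.pem.
make_pfx() {
    live_dir=$1 pass_file=$2 owner=${3:-}
    for f in privkey.pem cert.pem chain.pem; do
        [ -r "$live_dir/$f" ] || { echo "missing $live_dir/$f" >&2; return 1; }
    done
    [ -r "$pass_file" ] || { echo "cannot read $pass_file" >&2; return 1; }

    # mktemp creates the file with mode 0600; the PFX contains the private key
    tmp=$(mktemp "$live_dir/pkcs12.pfx.XXXXXX") || return 1

    # file: keeps the export password out of the process list and the script
    if ! openssl pkcs12 -export -out "$tmp" \
            -inkey "$live_dir/privkey.pem" -in "$live_dir/cert.pem" \
            -certfile "$live_dir/chain.pem" -passout "file:$pass_file"; then
        rm -f "$tmp"; return 1     # keep the previous PFX if the export fails
    fi
    if [ -n "$owner" ] && ! chown "$owner" "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    chmod 600 "$tmp"
    # same directory, so the rename swaps the file in one step
    mv -f "$tmp" "$live_dir/pkcs12.pfx"
}

# certbot sets RENEWED_LINEAGE when it runs a deploy hook
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    make_pfx "$RENEWED_LINEAGE" "${PFX_PASS_FILE:-/etc/emby-pfx.pass}" \
        "${PFX_OWNER:-emby:root}"
fi
```

The password file should itself be owned by root with mode 0600; the certbot private key is not encrypted, so no `-passin` is needed here.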
njiska 4 Posted February 10

On 15/03/2024 at 15:24, JuJuJurassic said:

> I've implemented SSL on Emby, my server runs Ubuntu, but it should be similar for Windows, and automated the generation of the PFX file. I must hasten, I had a lot of help from the Let's Encrypt community, MikeMcQ in particular, but here's how to do it.
>
> Use the snap install, you have more options, which, as you'll see, is important. Watch out for typos, I typed a - instead of a _. Once it was pointed out it all worked perfectly.
>
> You can cheat, which is what I did: I installed certbot using the script from the post "SSL made Easy", which got me working with SSL, I then removed the installed certbot and installed the snap version, as that has the "post_hook" option we need. See here https://certbot.eff.org/instructions?ws=other&os=ubuntufocal
>
> The problem is certbot will auto-renew, but it won't create the .PFX file, you need it to do that afterwards for Emby.
>
> The command in Ubuntu to do this is
>
>     openssl pkcs12 -export -out pkcs12.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passin pass:******* -passout pass:******
>
> Check the file names, mine are the default for Ubuntu. I don't know what they are for Windows.
>
> This generates the pkcs12.pfx file.
>
> But Emby can't see it in Ubuntu, so you need to change the owner using
>
>     chown emby:root pkcs12.pfx
>
> I created a script file, remember to flag it as executable, called convert-to-pfs.sh, literally just this
>
>     openssl pkcs12 -export -out pkcs12.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passin pass:***** -passout pass:*****
>     chown emby:root pkcs12.pfx
>
> I put it in /etc/letsencrypt/live/Yourdomain. I should move it, it's not good practice, but I didn't want any path problems.
>
> Once certbot is installed, it creates a conf file in /etc/letsencrypt/live/Yourdomain, called yourdomain.conf. In the renewals section it will say something like
>
>     # Options used in the renewal process
>     [renewalparams]
>     account = *********
>     authenticator = standalone
>     server = https://acme-v02.api.letsencrypt.org/directory
>
> You need to add the line
>
>     post_hook = /etc/letsencrypt/live/your domain/convert-to-pfs.sh
>
> You can do this with the reconfigure command, but you can cut and paste from this post. Remember to change the path.
>
> That will then call the conversion AFTER the certificate has been renewed. Hey presto, you have the pfx file updated.
>
> To test use
>
>     certbot renew --dry-run --run-deploy-hooks
>
> This will not renew the certificates, but will call the script. Just make sure you've renamed the original pfx file so you can see the date and time changes.
>
> If you get "certbot: error: unrecognized arguments: --run-deploy-hooks", you're not using the snap version of certbot.
>
> Apart from that, that's it.
>
> Have fun
>
> juju

This looks super helpful. I've been struggling to find a solution to automate this and have been putting off scripting my own. Given the ease and popularity of LetsEncrypt, I wish this was just natively supported or at least available as an addon.