EarlyOnsetPooka (Posted May 4)

I am pulling my hair out here. Trying to get certs installed for my emby install on a dedicated Ubuntu server VM in proxmox.

Earlier today, I was able to use certbot to get LE certs, but when I attempted to USE those certs, I couldn't browse to or read the /etc/letsencrypt/live/mydomain/ subfolder ... No idea how I'm supposed to get the emby.service to be able to access these files.

Got frustrated and installed nobody's favorite reverse proxy host NPM in a proxmox container. Managed to get the SSL certs. Could only get either a 502 Bad Gateway message or a server timeout when attempting to connect from a remote device. Finally got that squared away by having my NPM point to the local non-SSL port and setting the emby remote secure connection to letting the reverse proxy handle it. Yay. Everything works.

I'd still prefer to just use certs on my actual emby VM and let it handle getting the cert and renewing it as needed. Not sure if the reverse proxy is really necessary for anything other than that I didn't have file permission issues when I set that up.

sargenthp (Posted May 4)

The emby user needs permissions to get to the cert. Either need to update the folder permissions to and including the cert. Or move the files to where the emby user has permissions.

EarlyOnsetPooka (Author, posted May 4)

4 minutes ago, sargenthp said:
> The emby user needs permissions to get to the cert. Either need to update the folder permissions to and including the cert. Or move the files to where the emby user has permissions.

I had attempted to update the permissions of the folder using chgrp emby /path/to/certs and on the files themselves. Should that have been chown emby:emby /path/to/certs? And would that survive a renewal, or would I need to manually chown them again after a renewal? I suppose that part could be scripted. Moving them should also work, I just didn't want to interfere with any auto renewal process.

sargenthp (Posted May 4, edited May 4)

One test you can do is switch to the emby user and make sure you can cd to the directory and cat out certs. You might have just missed a single folder.

    sudo -u emby /bin/sh
    cd /path/to/cert
    cat cert.crt

sargenthp (Posted May 4)

Of course I am not home to refresh my memory on what I ended up doing.

EarlyOnsetPooka (Author, posted May 4)

Just now, sargenthp said:
> One test you can do is switch to the emby and make sure you can cd to the directory and cat out certs. You might have just missed a single folder.
>
>     sudo -u emby /bin/sh
>     cd /path/to/cert
>     cat cert.crt

Can't do it as any other user than root. Paths are correct, but the service is run as a user and not as root (thankfully), and the emby user doesn't have the permissions. Using ls -al /etc/letsencrypt/blah/blah/cert.crt shows them as owned by root:root.

sargenthp (Posted May 4, edited May 4)

Pretty sure what I ended up doing was a file access control permission on my system.

    setfacl -Rm u:emby:rx,d:u:emby:rx /etc/letsencrypt

EarlyOnsetPooka (Author, posted May 4)

20 minutes ago, sargenthp said:
> Pretty sure what I ended up doing was a file access control permission on my system.
>
>     setfacl -Rm u:emby:rx,d:u:emby:rx /etc/letsencrypt

Ok, so you did a recursive special access to those folders? Do you know if that needs refreshed when new certs are generated?

sargenthp (Posted May 4)

Using a FACL it should keep the permissions... Unless the app specifically kills it.

EarlyOnsetPooka (Author, posted May 4)

Just now, sargenthp said:
> Using a FACL it should keep the permissions... Unless the app specifically kills it

I suppose a cron job to check them daily and then fix them if they've changed would work.

Q-Droid (Posted May 4)

Emby can't use the cert PEM files. You need a PKCS12 container, a PFX file with all of the certs, and it's better to place it somewhere under the Emby config path.

sargenthp (Posted May 7)

Getting back to this now that I am home... I did end up creating a script that takes the letsencrypt certs and dumps them into a pfx file in a location that Emby can read from...

    openssl pkcs12 -export -out /output_path/certs/emby_ssl.pfx \
        -inkey /etc/letsencrypt/live/domain/privkey.pem \
        -in /etc/letsencrypt/live/domain/fullchain.pem \
        -keypbe NONE -certpbe NONE -nomaciter -passout pass:

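The renewal question raised earlier in the thread and the PFX conversion in the post above can be combined in a certbot deploy hook. This is an added example, not code from any poster or from Emby. It assumes the service account is named emby and reuses the thread's placeholder output path; export_pfx, EMBY_PFX and EMBY_USER are hypothetical names.

```shell
#!/bin/sh
# Added example: certbot deploy hook that rebuilds the PFX for Emby after
# every successful renewal, so /etc/letsencrypt can stay readable by root only.
# Assumptions: service account "emby", output path is the thread's placeholder.

# export_pfx LINEAGE_DIR OUT_FILE [OWNER]
# The body is a subshell "( )" so the umask and trap stay local to the call.
export_pfx() (
    lineage=$1; out=$2; owner=${3:-}
    if [ ! -r "$lineage/privkey.pem" ] || [ ! -r "$lineage/fullchain.pem" ]; then
        echo "export_pfx: cannot read PEM files in $lineage" >&2
        exit 2
    fi
    umask 077                     # temp file is created 0600, never world-readable
    tmp=$(mktemp "$(dirname "$out")/.pfx.XXXXXX") || exit 1
    trap 'rm -f "$tmp"' EXIT      # no partial file is left behind on failure
    # Same openssl options as in the thread: empty password, key not encrypted,
    # so file owner and mode are the only protection for the private key.
    openssl pkcs12 -export -out "$tmp" \
        -inkey "$lineage/privkey.pem" -in "$lineage/fullchain.pem" \
        -keypbe NONE -certpbe NONE -nomaciter -passout pass: || exit 1
    if [ -n "$owner" ]; then
        chown "$owner" "$tmp" || exit 1
    fi
    chmod 600 "$tmp"
    mv -f "$tmp" "$out"           # atomic replace: Emby never reads a half-written file
)

# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<domain>) when it
# runs deploy hooks; outside certbot this script only defines the function.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    export_pfx "$RENEWED_LINEAGE" \
        "${EMBY_PFX:-/output_path/certs/emby_ssl.pfx}" "${EMBY_USER:-emby}"
fi
```

Saved as an executable file under /etc/letsencrypt/renewal-hooks/deploy/, it runs as root after each renewed certificate, which removes the need for ACLs on /etc/letsencrypt or a daily cron check. Emby may need a restart to load the new file.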