
Emby on Ubuntu server, Let's Encrypt, DuckDNS, certbot



EarlyOnsetPooka

I am pulling my hair out here. Trying to get certs installed for my Emby install on a dedicated Ubuntu server VM in Proxmox.

Earlier today, I was able to use certbot to get LE certs, but when I attempted to USE those certs, I couldn't browse to or read the /etc/letsencrypt/live/mydomain/ subfolder ... No idea how I'm supposed to get the emby.service to be able to access these files.

 

Got frustrated and installed nobody's favorite reverse proxy host NPM in a proxmox container. Managed to get the SSL certs. Could only get either a 502 Bad Gateway message or a server timeout when attempting to connect from a remote device. Finally got that squared away by having my NPM point to the local non-SSL port and setting the emby remote secure connection to letting the reverse proxy handle it. Yay. Everything works.

 

I'd still prefer to just use certs on my actual Emby VM and let it handle getting the cert and renewing it as needed. Not sure if the reverse proxy is really necessary for anything, other than that I didn't have file permission issues when I set that up.

sargenthp

The emby user needs permissions to get to the cert. You either need to update the folder permissions up to and including the cert, or move the files to where the emby user has permissions.

EarlyOnsetPooka
4 minutes ago, sargenthp said:

The emby user needs permissions to get to the cert.  Either need to update the folder permissions to and including the cert.  Or move the files to where the emby user has permissions.

I had attempted to update the permissions of the folder using chgrp emby /path/to/certs and on the files themselves. Should that have been chown emby:emby /path/to/certs? And would that survive a renewal, or would I need to manually chown them again after a renewal? I suppose that part could be scripted.

Moving them should also work; I just didn't want to interfere with any auto-renewal process.

sargenthp
Posted (edited)

One test you can do is switch to the emby user and make sure you can cd to the directory and cat out the certs. You might have just missed a single folder.

sudo -u emby /bin/sh
cd /path/to/cert
cat cert.crt

Edited by sargenthp

sargenthp

Of course I am not home to refresh my memory on what I ended up doing.


EarlyOnsetPooka
Just now, sargenthp said:

One test you can do is switch to the emby user and make sure you can cd to the directory and cat out the certs. You might have just missed a single folder.

sudo -u emby /bin/sh
cd /path/to/cert
cat cert.crt

Can't do it as any user other than root. Paths are correct, but the service is run as a user and not as root (thankfully), and the emby user doesn't have the permissions.

Using ls -al /etc/letsencrypt/blah/blah/cert.crt shows them as owned by root:root.

sargenthp
Posted (edited)

Pretty sure what I ended up doing was a file access control permission on my system.

setfacl -Rm u:emby:rx,d:u:emby:rx /etc/letsencrypt

Edited by sargenthp

EarlyOnsetPooka
20 minutes ago, sargenthp said:

Pretty sure what I ended up doing was a file access control permission on my system.

setfacl -Rm u:emby:rx,d:u:emby:rx /etc/letsencrypt

OK, so you did a recursive special access to those folders?
Do you know if that needs to be refreshed when new certs are generated?

sargenthp

Using a FACL, it should keep the permissions... unless the app specifically kills it.

EarlyOnsetPooka
Just now, sargenthp said:

Using a FACL it should keep the permissions... Unless the app specifically kills it 

I suppose a cron job to check them daily and then fix them if they've changed would work.

Q-Droid

Emby can't use the cert PEM files. You need a PKCS12 container, a PFX file with all of the certs, and it's better to place it somewhere under the Emby config path.

sargenthp

Getting back to this now that I am home...

I did end up creating a script that takes the Let's Encrypt certs and dumps them into a PFX file in a location that Emby can read from:

openssl pkcs12 -export -out /output_path/certs/emby_ssl.pfx -inkey /etc/letsencrypt/live/domain/privkey.pem -in /etc/letsencrypt/live/domain/fullchain.pem -keypbe NONE -certpbe NONE -nomaciter -passout pass:
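The thread converges on two things: the emby service user cannot read /etc/letsencrypt (owned root:root), and Emby wants a PKCS#12 bundle rather than the PEM files. A certbot deploy hook addresses both at once, and it also answers the renewal question raised earlier, because certbot reruns the hook after every successful renewal, so nothing in /etc/letsencrypt needs an ACL. The script below is an added example, not from the thread or from the Emby or certbot projects; RENEWED_LINEAGE and the renewal-hooks/deploy directory are real certbot conventions, while the output directory, the EMBY_USER/EMBY_GROUP names and the readable_by check are assumptions you adjust to your install:

```shell
#!/bin/sh
# Added example (not from the thread): certbot deploy hook that rebuilds the
# PKCS#12 bundle Emby reads on every renewal and hands it to the service user.
# Assumptions: the emby service runs as $EMBY_USER, $OUT_DIR is somewhere
# under the Emby config path, and certbot exports RENEWED_LINEAGE to the hook.
set -eu

EMBY_USER="${EMBY_USER:-emby}"
EMBY_GROUP="${EMBY_GROUP:-$EMBY_USER}"
OUT_DIR="${OUT_DIR:-/var/lib/emby/certs}"   # assumed path; pick one Emby can reach
PFX_PASS="${PFX_PASS:-}"                    # empty, as in the thread's openssl line

# Build the bundle from one certbot lineage directory.
#   $1 = lineage dir (e.g. /etc/letsencrypt/live/example.com)
#   $2 = output .pfx path
# Returns 2 when the PEM inputs are missing or unreadable (hook run as the wrong user).
export_pfx() {
    lineage="$1"; out="$2"
    [ -r "$lineage/privkey.pem" ] && [ -r "$lineage/fullchain.pem" ] || return 2
    tmp="$out.tmp.$$"
    # umask 077 in a subshell: the file holds the private key, so it is created
    # mode 0600 from the start instead of being tightened afterwards.
    ( umask 077
      openssl pkcs12 -export -out "$tmp" \
          -inkey "$lineage/privkey.pem" -in "$lineage/fullchain.pem" \
          -keypbe NONE -certpbe NONE -nomaciter -passout "pass:$PFX_PASS" )
    chown "$EMBY_USER:$EMBY_GROUP" "$tmp"
    chmod 0600 "$tmp"
    mv -f "$tmp" "$out"   # atomic replace: Emby never sees a half-written bundle
}

# Scripted version of the "switch to the emby user and cat the cert" test.
#   $1 = user, $2 = file
readable_by() {
    if [ "$(id -un)" = "$1" ]; then
        test -r "$2"
    else
        sudo -n -u "$1" test -r "$2"
    fi
}

main() {
    lineage="${RENEWED_LINEAGE:-${1:?usage: $0 /etc/letsencrypt/live/<domain>}}"
    mkdir -p "$OUT_DIR"
    export_pfx "$lineage" "$OUT_DIR/emby_ssl.pfx"
    readable_by "$EMBY_USER" "$OUT_DIR/emby_ssl.pfx" \
        && echo "ok: $OUT_DIR/emby_ssl.pfx is readable by $EMBY_USER"
}

# Run only when invoked with a lineage (by certbot or by hand); sourcing the
# file just defines the functions.
if [ $# -gt 0 ] || [ -n "${RENEWED_LINEAGE:-}" ]; then
    main "$@"
fi
```

Install it as /etc/letsencrypt/renewal-hooks/deploy/emby-pfx.sh (mode 755), run it once by hand with the lineage path to produce the first bundle, then point Emby's custom SSL certificate setting at the .pfx. Because the container is exported without a password, exactly as in the thread, the private key is protected only by the 0600 mode and the emby ownership; keep the output directory out of any path Emby serves or shares.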
