
Let’s Encrypt support for SSL certificates


anakron


user-xyz

Yup, a legit SSL to my home emby box would 100% get me to pay premium (actually, to even start using it). That reminds me, it'd be perfect to get emby.media (all of it) on https. I noticed when I signed up a few days ago, that the entire site (including sign-up and log-in) isn't over SSL.


  • 2 weeks later...
Oakington

https://github.com/DirtyJerz/embyDDNS

 

Not done yet, but I'm still working on it. 

 

DDNS side works fine. So does the db mgmt of users and LE bits. I just can't get the local boulder CA to work in my dev env. I can try against staging but I end up hitting rate limits. I'll keep going.

 

@anderbytes: you seem to be encryption literate. Do you know python and if you do, would you mind taking a look at the ddns client/server communication, or maybe PM me and I can try to explain it. I just want to know if there is something I'm missing. 


anderbytes

https://github.com/DirtyJerz/embyDDNS

 

Not done yet, but I'm still working on it.

 

DDNS side works fine. So does the db mgmt of users and LE bits. I just can't get the local boulder CA to work in my dev env. I can try against staging but I end up hitting rate limits. I'll keep going.

 

@anderbytes: you seem to be encryption literate. Do you know python and if you do, would you mind taking a look at the ddns client/server communication, or maybe PM me and I can try to explain it. I just want to know if there is something I'm missing.

I work with IT and I know several concepts about this matter, but I'm no programmer, at least until this day.

 

I can help you test ACME DNS as much as you need, but not with the standard way they used to require (opening ports).

 

I also have to tell you that some domain registration companies don't work with automated APIs, so your validation process should generate the needed TXT key value to be inserted manually, if the domain only accepts it that way.

 

In those manual scenarios, it would be something like:

- Ask for all the same inputs that the script I mentioned asks

- Use those as parameters to converse with LetsEncrypt and return a key to be used as TXT

- Tell the user the requirements that will be validated and tell him the key

- Await the user's "Continue" button input, because you don't know how long he will take to insert it manually

- Continue LetsEncrypt validation via DNS challenge

- If not validated, tell the user then await new "Retry" or "Restart Process"

- When validated, receive the generated key and add it to OMV

 

In other words... If you could just create an OMV interface for the script I referred to, it would be a great help already.

 

Thanks!

Don't hesitate to ask if you need help testing.


  • 2 weeks later...
anderbytes

Just wanted to add that I'm willing to test as well.

I told them in my post on January 30th, above.


  • 3 weeks later...

Anybody have a noob-friendly tutorial on how to manually generate a Let's Encrypt cert for Emby? Something to use in the meantime. Right now I'm using certificates that I have generated myself with OpenSSL, but those self-signed certs don't really play well with Emby apps.

 

I have already set up a temporary VM for Ubuntu, installed Apache, and git cloned letsencrypt, but I don't know where to go from here. My host machine is Windows and it is also where Emby Server is installed.


anderbytes

Anybody have a noob-friendly tutorial on how to manually generate a Let's Encrypt cert for Emby? Something to use in the meantime. Right now I'm using certificates that I have generated myself with OpenSSL, but those self-signed certs don't really play well with Emby apps.

 

I have already set up a temporary VM for Ubuntu, installed Apache, and git cloned letsencrypt, but I don't know where to go from here. My host machine is Windows and it is also where Emby Server is installed.

 

I will post a small step-by-step that I created when I successfully generated my Let's Encrypt certificate via ACME DNS Challenge.

Hope it will help you.

 

 

x. Generate certificate and private key using the commands:

- openssl genrsa -out your.domain.com.key 2048

- openssl req -new -sha256 -key your.domain.com.key -out your.domain.com.csr

 

x. Download some client that executes ACME DNS Challenge Validation.

READ this --> https://github.com/lukas2511/letsencrypt.sh/blob/master/README.md

 

x. Download a complementary "hook" script that is necessary for the client above.

Ex: https://gist.github.com/nneul/76a38010313f55db0f7a

 

 

x. Execute the command: ./letsencrypt.sh --signcsr your.domain.com.csr -d your.domain.com --challenge dns-01 --algo rsa --hook ./HookSample.sh

 

x. Inside the script, follow the instructions about which TXT record to generate inside the DNS server.

 

x. (Optional) After creating the TXT record, I suggest you validate (in real time) the record you created in some online DNS testing tool that supports TXT, or else the final step of the script above may be painful. There's some delay between creating and validating... and this tool will help you determine the exact moment to click "validate".

 

x. Import certificate inside Webserver

 

 

As we are talking about EMBY, there are some additional steps to successfully create a trusted PFX:

 

 

- Download root certificate from LetsEncrypt in "https://letsencrypt.org/certificates/"

wget https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem

 

- Generate the PFX file from the certificate using all the previously generated keys and embedding the intermediary X1 PEM

openssl pkcs12 -export -in your.domain.com.cer -inkey your.domain.com.key -out your.domain.com.pfx -certfile lets-encrypt-x1-cross-signed.pem

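The two anderbytes posts above describe the DNS-01 flow (hand the user a TXT value, wait, let them confirm the record is visible, then validate). What value actually goes into the record is defined in RFC 8555 and depends on the ACME account key, not on the certificate key. The following is an added example for this thread, not code from letsencrypt.sh, the hook gist or Emby: it computes the `_acme-challenge` record name and TXT value with the Python standard library only, and checks an observed resolver answer against it, which is the "validate before you click" step recommended above. The RSA key is the public sample from RFC 7638 §3.1 (whose thumbprint that RFC publishes); the token and the resolver answer are constructed here.

```python
# Added example (not letsencrypt.sh, hook or Emby code): RFC 8555 DNS-01 arithmetic.
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Members RFC 7638 hashes for each key type; json.dumps(sort_keys=True) puts
# them in the lexicographic order the RFC requires.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an ACME account key: SHA-256 over only the
    required public members, serialised without whitespace. Optional members
    such as 'alg' or 'kid' must be left out or the thumbprint changes."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 §8.1: token || '.' || base64url(Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 §8.4: the TXT value is base64url(SHA-256(keyAuthorization)).
    Publishing the raw token or the key authorization itself fails validation."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(identifier: str) -> str:
    """Owner name of the record; for a wildcard the leading '*.' is dropped."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + host.rstrip(".")


def record_is_ready(observed_txt_values, expected: str) -> bool:
    """Compare what resolvers currently return with the expected value.
    Other TXT records may share the name; the CA accepts if any one matches
    exactly, so compare whole strings (quotes stripped), never substrings."""
    return any(v.strip('"') == expected for v in observed_txt_values)


# Public sample RSA key from RFC 7638 §3.1 (kid "2011-04-29"); the RFC gives its
# thumbprint as NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs.
RFC7638_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",
    "kid": "2011-04-29",
}
RFC7638_THUMBPRINT = "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs"

# Constructed sample token in ACME token format; a real one comes from the
# challenge object the CA returns for the order.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    domain = "your.domain.com"
    txt = dns01_txt_value(SAMPLE_TOKEN, RFC7638_JWK)
    print(f'{dns01_record_name(domain)}  IN TXT  "{txt}"')
    # Constructed resolver answer: an unrelated SPF record plus our value.
    answer = ['"v=spf1 -all"', f'"{txt}"']
    print("ready to validate:", record_is_ready(answer, txt))
```

In the manual flow from the earlier post, the client prints the output of `dns01_record_name` and `dns01_txt_value`, the user creates the record, and the "Continue" step only proceeds once `record_is_ready` is true for the answer of a public resolver; that avoids the propagation-delay failures mentioned above.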

Thanks anderbytes and sorry for the late reply. I haven't had much time to attempt this yet but it looks doable even for me. 


  • 3 weeks later...
proppa

I installed a Let's Encrypt SSL certificate for my Emby server today. I can access it through a domain and I thought it would be fun to get a real certificate. It was quite easy to make a standalone certificate with Let's Encrypt and it was also easy to install in Emby by pointing it to the .pfx file. However, it only supports TLS 1.0 and is insecure. F rating from https://www.ssllabs.com/ssltest. Does anyone here know how I could add TLS 1.2 support? Is it under development?

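The F rating above comes from the protocol versions the server is willing to negotiate, not from the certificate. You can check that yourself without SSL Labs: the following is an added example for this thread, not Emby code, that tries one TLS version at a time against your own server using only the Python standard library and summarises which ones were accepted. The host name and port are assumptions (8920 is Emby's usual HTTPS port; adjust to yours), and the probe only reports what the server does, it does not change anything.

```python
# Added example (not Emby code): probe which TLS versions a server negotiates.
import socket
import ssl

PROBE_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                  ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)
LEGACY = {"TLSv1", "TLSv1_1"}   # deprecated by RFC 8996


def _context_for(version):
    """Client context pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # we test protocol support, not trust
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version    # raises if this OpenSSL build lacks it
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; relax
        # it for this one-shot probe so the server, not the client, decides.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass
    return ctx


def probe_tls_versions(host, port=8920, timeout=5.0):
    """Return {version_name: True | False | None}: negotiated, refused by the
    server, or None when the local OpenSSL cannot even offer that version."""
    results = {}
    for version in PROBE_VERSIONS:
        try:
            ctx = _context_for(version)
        except (ValueError, ssl.SSLError):
            results[version.name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[version.name] = tls.version() is not None
        except (ssl.SSLError, OSError):
            results[version.name] = False
    return results


def assess(results):
    """Summarise a probe: (verdict, versions offered, legacy versions offered).
    A server that answers only TLS 1.0, as described above, is 'legacy only'."""
    offered = sorted(v for v, ok in results.items() if ok)
    legacy = sorted(v for v in offered if v in LEGACY)
    modern = [v for v in offered if v not in LEGACY]
    if not offered:
        verdict = "no TLS version negotiated"
    elif not modern:
        verdict = "legacy only: clients that refuse TLS 1.0/1.1 cannot connect"
    elif legacy:
        verdict = "modern versions available but legacy still accepted"
    else:
        verdict = "modern only"
    return verdict, offered, legacy


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "your.domain.com"   # assumed
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8920           # assumed
    results = probe_tls_versions(host, port)
    for name, ok in results.items():
        print(f"{name:8s} {'negotiated' if ok else 'refused' if ok is False else 'client cannot offer'}")
    print(assess(results)[0])
```

Run it as `python3 probe.py your.domain.com 8920` from a machine that can reach the server. A result where only `TLSv1` negotiates reproduces the situation in the post above; once the server side offers TLS 1.2 or 1.3 the verdict changes, and the legacy list tells you whether the old versions are still being accepted alongside.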

Tur0k

This looks very promising for me. I have been meddling with openssl to create a self-signed certificate, as I was unaware that there was a viable route, for DHCP public IP users who have a DDNS domain, to take in order to better support SSL encryption. While I am comfortable in other technology-related focuses, certificates and their administration aren't one of them. I will look further into LetsEncrypt on my system. Has anyone tried to get LetsEncrypt on a Windows 10 platform? Does anyone know if the LetsEncrypt client can be run from a separate system inside my network, and then distribute the pfx file to the Emby server?


  • 3 weeks later...
jaybroni

SSL Encryption HYPE

 

This thread needs a hero! 

 

I'm afraid many of us are using http for simplicity and convenience in order to avoid our users seeing the "this site may not be secure" warning that comes with using a home-made SSL cert.

 

 

Plan A

An emby plugin that registers with LetsEncrypt and can be set to renew the certificate with Emby's built in task scheduler automatically

 

Plan B

A tutorial for us to accomplish the same thing using manual methods.

 

Has there been any progress in the last month on either front?

 

I think this is the single most worthwhile project for the Emby community. +

 

Let's get crackin boys! we don't even have to invent a new method, just take inspiration from Plex who enabled ssl certs for all their users, even the free ones:

https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/


  • 5 weeks later...
ABotelho

Does it have to be as complex as Plex? If I already have DDNS and a subdomain working, for example, would it be possible to have an extension in Emby that simply requests/renews and generates a certificate/pfx for Emby to use?


Does it have to be as complex as Plex? If I already have DDNS and a subdomain working, for example, would it be possible to have an extension in Emby that simply requests/renews and generates a certificate/pfx for Emby to use?

 

As a plugin, no, one of you guys could do a plugin for whatever you like. As a core feature we have to decide if requiring a domain is something that we're willing to live with or not.


  • 3 months later...

As a plugin, no, one of you guys could do a plugin for whatever you like. As a core feature we have to decide if requiring a domain is something that we're willing to live with or not.

I understand the hesitation; it may raise the bar for entry and increase the demands on the support team.

 

As a solution, could you bake it in but have it disabled by default?

You could even include a little disclaimer that says this feature "may require a domain for best results" and is included "with love but no support". Then have a link to a community thread where people are experimenting with it.

 

Having it off by default assists our troubleshooting because a reset to default settings will revert it back to normal.

 

By now you see where I'm going with this - only those users who choose to, can experiment with domains and this feature in general. Inevitably the most popular setups will make their way to the top, and you (and your team) can monitor the progress until you're comfortable with it as an official emby feature. Then you can release it on the world and promote the hell out of it.


Actually we would very much like to have letsencrypt ssl built into the server; first we have to decide on an automated way to get every server its own domain (unless you have your own). That's something that will work for everyone.


  • 1 month later...

Everyone will just have to go to no-ip.com to obtain DDNS. It's just like going out to Schedules Direct and creating an account to pull guide data. This is just a step that will have to be taken for letsencrypt.


anderbytes

Everyone will just have to go to no-ip.com to obtain DDNS. It's just like going out to Schedules Direct and creating an account to pull guide data. This is just a step that will have to be taken for letsencrypt.

This is not the main issue. As I see it, the worst that can happen is the ISP blocks ports 80 and 443 (such as my ISP), and now I'm forced to use the DNS-01 challenge to manually generate my certificates.

 

This would be solved if the official client would support choosing any port to validate the server, instead of only 80 and 443.

 

In short... if the user has their own domain, fixed IP (or DDNS), and LetsEncrypt allows any port.... it's a matter of time for the solution to come.


anderbytes

I'm talking about the Let's Encrypt official client, which today doesn't allow you to choose the port to validate.


anderbytes

Couldn't you just use DNS validation?

DNS validation is possible and a very good alternative to webserver validation....

 

BUT.... you have to manually insert a TXT record in the DNS server to be validated by Let's Encrypt servers.

So it can't be fully automated... I guess

