jaybroni
Posted November 27, 2016 (edited)

Imho, it's a mistake to delay a feature (SSL) because you want to roll out two features (SSL + Auto DDNS). While it sounds nice to release both features all beautifully integrated and simple, Apple style, you have to admit that down the road you'll end up needing the ability to disable all these features incrementally for troubleshooting purposes. So why not enable them incrementally right now? We might even learn some valuable lessons while testing SSL with our own ddns services and setups, that help the developers. Let's leverage the thousands of Emby users who have a DDNS solution already in place and are yearning for SSL. We will pave the way.

As a visual, you guys could whip up a section like this in the Emby Dashboard's Hosting area:

Let's Encrypt SSL Integration

Disclaimer: This is an experimental feature intended for testing purposes only. Do not raise questions anywhere but on Github in the form of a ticket with logs. Thank you.

To prepare for SSL integration you will need:

1) An account with Let's Encrypt
2) An account with a registered ddns provider from this list of Let's Encrypt recognized DDNS services. When completed, you should have an address like: jaybroni_has_ssl_allupinmyemby.dyndns.com
3) Click here to ENABLE ssl management setting.
4) Input your credentials into the Let's Encrypt and DDNS fields and click SAVE
5) Click here REGISTER SSL, TEST SSL, RENEW SSL every 30/60/90 days or select manual renewal, etc.
6) Congratulations you're done. Now nobody can decode the packets of your aunt's family vacation where you didn't realize she was your second cousin but fortunately you only went to second base.

Remember guys, the tortoise won against the hare because slow and steady wins the race. Would you be so kind as to incrementally move this feature forward? So we can use it at least in part sooner rather than later? Pretty please.

Edited November 28, 2016 by jaybroni

chigh
Posted November 28, 2016

I agree that there needs to be testing done on this so we learn more about how it will integrate with the system. Just discussing this on a forum can only go so far.

tigrao
Posted November 29, 2016

> I agree that there needs to be testing done on this so we learn more about how it will integrate with the system. Just discussing this on a forum can only go so far.

This is exactly why I set up a reverse proxy with IIS on my Windows system. The Letsencrypt client integrates with IIS and handles the SSL certificates much better than Emby does.

Luke
Posted November 29, 2016

That's your perception. On Windows we use some of the same libraries used by IIS.

chigh
Posted November 29, 2016

I'm actually using Emby on FreeNAS so I think I am going to try and install letsencrypt inside the jail and then make a cron job to update and convert the cert to the appropriate format.

tigrao
Posted November 29, 2016

> That's your perception. On Windows we use some of the same libraries used by IIS.

Yes, that is my perception. My perception will continue to be that way because the Letsencrypt client officially supports IIS. It does not support Emby. It is much easier this way.

jaybroni
Posted November 30, 2016 (edited)

> I'm actually using Emby on FreeNAS so I think I am going to try and install letsencrypt inside the jail and then make a cron job to update and convert the cert to the appropriate format.

Power to you! If you figure it out, be so kind as to document it for the rest of us plebeians. I just know I will break my Ubuntu server with my SSL testing, so I went so far as to build a completely separate test server that I can break and repair all day long. But as they say, the first person to break through a wall always gets bloody. After you, kind sir, after you.

Edited November 30, 2016 by jaybroni

Luke
Posted November 30, 2016

You know that people here are already using LetsEncrypt with Emby server, right?

chigh
Posted November 30, 2016

> You know that people here are already using LetsEncrypt with Emby server, right?

Yes, but it is not automated. This would be an attempt to have it all automated on FreeNAS on the Emby jail.

chigh
Posted November 30, 2016

Automating Lets Encrypt for Emby on FreeNAS

--to get started go to the jails tab on the top panel and select your emby jail and then click on the terminal button on the bottom

--run this command to upgrade your packages

    pkg upgrade

--press y when prompted and hit enter

--run this command to install certbot (Let's Encrypt)

    pkg install py27-certbot

--press y when prompted and hit enter

--run this command to install openssl

    pkg install openssl

--press y when prompted and hit enter

--Once installed you are ready to generate your cert. Run this command (change "example.com" to your DDNS)

    certbot certonly --standalone -d example.com

--follow the steps to create the cert

--Change directory to your certs (change "Your_Domain" to your DDNS)

    cd /usr/local/etc/letsencrypt/live/Your_Domain

--run openssl so you can convert to the appropriate file format

    openssl pkcs12 -inkey privkey.pem -in fullchain.pem -export -out emby.pfx -passout pass:

--now we have to set permissions to access this folder because its owner is letsencrypt

    chmod 777 /usr/local/etc/letsencrypt/live

--open a terminal from the left panel on freenas and type jls and it should give you the jail-ID of your emby server. Once you have that, you can create a cron job.

--create a cron job in the crons tab in the left panel and click on add cron job. (remember to change "Jail_ID" to your emby's jail ID and change "Your_Domain" to your DDNS)

    user: root
    command: jexec Jail_ID certbot renew --quiet && cd /usr/local/etc/letsencrypt/live/Your_Domain && openssl pkcs12 -inkey privkey.pem -in fullchain.pem -export -out emby.pfx -passout pass:

--Lets encrypt recommends to run this command twice a day so my cron job looks like this

--now go into emby server dashboard and click "Advanced" in the left panel, now click on the magnifying glass on the "Custom Certificate path:" and then navigate to your .PFX file which is located at /usr/local/etc/letsencrypt/live/Your_Domain/emby.pfx, save and reboot emby. Test by going to your DDNS in a browser with the appropriate port. If successful then we are all automated!

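Added example (not part of chigh's post, and not Emby or certbot code): a renewal helper for the cron step above that writes the passwordless PFX atomically with owner-only permissions to a path of your choosing, so the key bundle does not depend on opening up the live directory, and that lists world-writable entries under the Let's Encrypt tree. The function names, the OWNER argument and the script name renew-pfx.sh are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names, the OWNER
# argument and the output location are assumptions for illustration.

# build_pfx LIVE_DIR OUT_FILE [OWNER]
# Bundle certbot's privkey.pem + fullchain.pem into a PFX for Emby.
# The body is a subshell, so the umask change and variables stay local.
build_pfx() (
    live=$1; out=$2; owner=${3:-}
    [ -r "$live/privkey.pem" ] && [ -r "$live/fullchain.pem" ] || exit 1
    umask 077                      # temp file is owner-only from creation
    tmp=$(mktemp "$out.XXXXXX") || exit 1
    # Same conversion as in the thread (empty export password). openssl
    # exits non-zero when the key does not match the certificate.
    if ! openssl pkcs12 -export -inkey "$live/privkey.pem" \
            -in "$live/fullchain.pem" -out "$tmp" -passout pass: 2>/dev/null
    then rm -f "$tmp"; exit 2; fi
    # Confirm the bundle parses before it replaces the file Emby is using.
    if ! openssl pkcs12 -in "$tmp" -passin pass: -noout 2>/dev/null
    then rm -f "$tmp"; exit 3; fi
    chmod 600 "$tmp"
    if [ -n "$owner" ] && ! chown "$owner" "$tmp"; then rm -f "$tmp"; exit 4; fi
    mv -f "$tmp" "$out"            # rename within one directory: atomic swap
)

# world_writable DIR
# Print files and directories under DIR that any local user could modify.
# Symlinks (which is what live/ holds for the PEM files) are skipped.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 2>/dev/null
}

# Cron usage (all three arguments are placeholders):
#   certbot renew --quiet && sh renew-pfx.sh LIVE_DIR OUT_FILE OWNER
if [ "$#" -ge 2 ]; then
    build_pfx "$1" "$2" "${3:-}" || exit $?
    world_writable "$(dirname "$1")"
fi
```

Any path printed by world_writable is one where another local account could swap the certificate files; OUT_FILE should sit in a directory only Emby's service account can read.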
jaybroni
Posted December 1, 2016

You're a beauty, I can't wait to give it a shot this weekend. I run Ubuntu so we'll see what I need to do differently. The jails part I don't quite get but the rest looks possible.

chigh
Posted December 1, 2016 (edited)

> You're a beauty, I can't wait to give it a shot this weekend. I run Ubuntu so we'll see what I need to do differently. The jails part I don't quite get but the rest looks possible.

If you are on Ubuntu then the commands will be a little different. But the same concept. Jails are a FreeNAS/FreeBSD thing; it doesn't pertain to Ubuntu.

Edited December 1, 2016 by chigh

ABotelho
Posted December 2, 2016

> If you are on Ubuntu then the commands will be a little different. But the same concept. Jails are a FreeNAS/FreeBSD thing; it doesn't pertain to Ubuntu.

Does the Jail thing have an equivalent? It's been such a long time since I've used FreeNAS, and it wasn't for very long to begin with. I'd love to get this working. Currently I'm using Asus' built-in DDNS service on my router. Hoping that would work.

chigh
Posted December 2, 2016

> Does the Jail thing have an equivalent? It's been such a long time since I've used FreeNAS, and it wasn't for very long to begin with. I'd love to get this working. Currently I'm using Asus' built-in DDNS service on my router. Hoping that would work.

A jail in FreeNAS is like an instance of a system. So you are able to install software on the instance itself using a command prompt. Your DDNS will work just fine.

Demati
Posted December 2, 2016 (edited)

I did the following on my Linux Mint machine (which is basically Ubuntu). I am not sure this can be automated (and I am sure there is a better way). I didn't have apache installed prior to this as I wasn't running a web server on the machine. I only installed it to get my dynDNS SSL certificate from Letsencrypt.

Prerequisites

Ports 80 and 443 are enabled in your firewall/router
Apache is installed
Install letsencrypt binary (which is really certbot):

    sudo apt-get install letsencrypt

Procedure

Substitute "example.com" with your dynDNS address. I've color coded items that should match.

    letsencrypt-auto certonly -a manual --email <email_address>@example.com -d example.com

You will be prompted with information containing the following:

    Make sure your web server displays the following content at http://example.com/.well-known/acme-challenge/<LONG_STRING> before continuing:
    LONG_STRING.ANOTHER_LONG_STRING

Create file:

    sudo vim /var/www/example.com/.well-known/acme-challenge/<LONG_STRING>

Copy and paste LONG_STRING.ANOTHER_LONG_STRING into the file

    sudo chown -R www-data:www-data /var/www/example.com/.well-known
    sudo chmod -R 733 /var/www/example.com/.well-known

Continue with letsencrypt

Once certs and keys are created go to: /etc/letsencrypt/live/example.com

Create PKCS file from PEM files with the following command

    openssl pkcs12 -export -out example.com.pfx -inkey privkey.pem -in cert.pem

Enter no password or Emby will break

Configure Emby server to point to the path where example.com.pfx can be found.

Feel free to try this. It worked for me. If there are better ways I am all ears. :-)

Edited December 2, 2016 by Demati

feerlessleadr
Posted December 2, 2016

Any guide for getting this up and running on Windows?

chigh
Posted December 7, 2016

I did the reverse proxy with apache2 with Ubuntu. That was the best solution because when you add your .PFX to Emby the cipher suites aren't up to date and it uses obsolete ciphers. With the reverse proxy you have a little more control and are a WHOLE lot more secure.

If anyone isn't sure what a reverse proxy is there is a good read here: https://emby.media/community/index.php?/topic/22889-emby-behind-a-reverse-proxy-remote-control-issue/

I can put up a quick step by step if anyone is interested, but be warned. It involves router port forwarding and some Linux know-how.

sansoo22
Posted December 8, 2016

Anyone looking to do this on an unraid build can follow this link: http://lime-technology.com/forum/index.php?topic=39413.0

I had a few things that gave me some fits so I will document what they were below.

I had to remap 80 to 8080 on my unraid box because the default UI for unraid is already mapped to 80.

I am using a No-Ip DDNS that is like example.ddns.net so I entered that for the URL setting and left the subdomain setting blank.

/mnt/user/appdata/ngnix/etc/letsencrypt/live/example.ddns.net/privkey.pfx is where I found my cert file for Emby. The /ngnix portion of the path may vary depending on where you install this docker.

Once I pointed Emby to the path above for a cert file I restarted my Emby instance and was in business. The one pesky iOS device I have...or should say...my girlfriend has is now working like a charm. Now all that's left to do is keep coming up with reasons why I can't put her collection of chic flix on my server.

Luke
Posted December 8, 2016

If anyone wants to help assist in getting this into something that can run across Windows, Linux and OS X, we are definitely interested in embedding and automating this.

anderbytes
Posted December 8, 2016

> If anyone wants to help assist in getting this into something that can run across Windows, Linux and OS X, we are definitely interested in embedding and automating this.

What about an existing open-source Java client? https://github.com/shred/acme4j

I don't know much of programming... but Emby server could "git" it down and use it normally.

puithove
Posted December 8, 2016

Actually, better than Java - there is a .NET library already: https://github.com/ebekker/ACMESharp

And here is what appears to be a console-app implementation using that library (for example purposes at least): https://github.com/Lone-Coder/letsencrypt-win-simple

orcist
Posted December 28, 2016

> Automating Lets Encrypt for Emby on FreeNAS --to get started go to the jails tab on the top panel and select your emby jail and then click on the terminal button on the bottom ...

chigh, when you modify an Emby jail like this, what happens when you want to upgrade it using the FreeNAS plugins manager (I'm running 9.3)? Is this persistent, or do you have to redo this each time? Thanks.

chigh
Posted December 29, 2016

> chigh, when you modify an Emby jail like this, what happens when you want to upgrade it using the FreeNAS plugins manager (I'm running 9.3)? Is this persistent, or do you have to redo this each time? Thanks.

That is a good question. I want to say that it would be fine after an update but, I'm not entirely certain.

adam1010
Posted April 26, 2017

For the Let's Encrypt certs -- have you guys considered hosting a DNS server for Premiere users? You would assign a random subdomain (when enabled) like 987qjwjqwe23.embyserver.tv and have each user's Emby server keep that subdomain's IP address updated. Then you could use Let's Encrypt DNS based verification in order to acquire the certificate.

The Emby server software would be responsible for acquiring and renewing its own certificate, but it would rely on the official Emby DNS server to keep a subdomain pointed at it and to allow updating the necessary TXT record. (This new official Emby DNS server could be self-hosted, or could use Route53)

I would imagine that will be the most universal solution, particularly with users that can't keep ports 80/443 open to their Emby server to handle the Let's Encrypt challenges. I'd be happy to design out the process flow if it's something the Emby maintainers would consider implementing.

ebr
Posted April 26, 2017

Yes, we have considered something like that but we have to build, host and maintain that system first. All in good time...