Luke 37132 Posted April 26, 2017
That's exactly what we are considering, yes.
Tur0k 143 Posted April 27, 2017 (edited)
So, I have been trying to make all of my internal management resources accessible via a single encrypted URL with my own domain. I want to lock it down with mutual authentication so that I can limit access to only my devices that have the client certificate installed. My hope is to get a publicly verifiable SSL certificate set up that automatically updates as needed without user intervention. Before all this I was using an expensive DDNS service ($40 annually). The service was limited, to say the least. I decided on the following:
1. Let's Encrypt for my SSL certificate
2. The Squid proxy/reverse proxy hosted on my pfSense router.
3. ACME package hosted on my pfSense router. The ACME package can automatically sync with the Let's Encrypt service to facilitate re-issuing a valid certificate.
Squid is likely not the optimum service for a reverse proxy, but my hope is to keep as much as possible on my firewall in order to avert having to host any more services on my HTPC. I needed a domain name that would provide me with control of the DNS service related to the domain to add a custom TXT record to. After some digging, I ended up going for a Google domain I purchased for $12 annually. I was able to add the custom TXT record that my ACME service needed to show I owned the domain. Additionally, the Google domain supports DDNS and allows updates via API. I was able to create a third-level domain that is used for the DDNS that points to my home IP. My pfSense firewall already has a DDNS update package that I was originally using in the original DDNS setup. All in all, the Google domain service offers a ton of features for the price. I am still working out the bugs on my reverse proxy and will, god willing, have it working within the next week or so. Then I can work out any leftover bugs with getting the Emby app and cloud service to work across the reverse proxy.
Sent from my iPhone using Tapatalk
Edited April 27, 2017 by Tur0k
dreimer 0 Posted April 27, 2017
I have used Let's Encrypt for a while now, and yes, on a Windows host (with a bit of Linux support though). Let's Encrypt for my DDNS address has been active a while now, but only for my Synology NAS. So in theory I always have an active and usable certificate on it, hidden in the syno user folders (took a while to find it with SSH). Right now I do tests on Emby and Plex and both needed a certificate, and both are able to use a certificate in PKCS12 format from an SMB share. Thus I tinkered around a bit on my NAS and ended up with a daily task running as root at 12:00:
openssl pkcs12 -export -out /volume1/music/cert.pfx -inkey /usr/syno/etc/certificate/system/default/privkey.pem -in /usr/syno/etc/certificate/system/default/cert.pem -certfile /usr/syno/etc/certificate/system/default/chain.pem -passout pass:
In this case I put it on my music share folder, which is accessible from my media server. The certificate is lying on "\\NAS\music\cert.pfx", which I used as the path in Emby and Plex, and both are very happy with it.
Luke 37132 Posted April 27, 2017
Thanks @dreimer!
Spaceboy 2500 Posted April 27, 2017
I have a dynamic DNS service from dyn.com and I get free SSL certs from Let's Encrypt as a result of owning a Synology DiskStation. The DiskStation handles all the renewal of the cert.
dreimer 0 Posted April 27, 2017
> I have a dynamic DNS service from dyn.com and I get free SSL certs from Let's Encrypt as a result of owning a Synology DiskStation. The DiskStation handles all the renewal of the cert.
That's what I use here. Let's Encrypt is free all the time, but a bit complicated to keep valid from Windows. Synology makes the certificate updates and I steal the cert for my Plex and Emby running on the NUC. I use SPDNS.de here (for router, NAS, Plex and Emby; the last three using the same cert thanks to the task I wrote).
aptalca 70 Posted April 27, 2017 (edited)
I'm part of the linuxserver.io group and we publish docker images for various apps. We have a docker image for nginx/letsencrypt: https://hub.docker.com/r/linuxserver/letsencrypt/
I run that docker, which automatically receives and updates the certs and stores them on my server. Emby picks up the certs from the same location. Works pretty well. With the same container, I could do a reverse proxy as well, but didn't bother with it yet.
Edited April 27, 2017 by aptalca
Tur0k 143 Posted April 27, 2017
I may have to try Nginx.
Sent from my iPhone using Tapatalk
runtimesandbox 153 Posted April 28, 2017
> I may have to try Nginx.
I'd highly recommend it. Has worked flawlessly for me so far. If you are using dynamic IP / dynamic DNS I'd recommend using this Let's Encrypt client with the DNS options: https://github.com/Neilpang/acme.sh
snake98 10 Posted May 4, 2017
> I'm part of the linuxserver.io group and we publish docker images for various apps. We have a docker image for nginx/letsencrypt: https://hub.docker.com/r/linuxserver/letsencrypt/ I run that docker, which automatically receives and updates the certs and stores them on my server. Emby picks up the certs from the same location. Works pretty well. With the same container, I could do a reverse proxy as well, but didn't bother with it yet.
Could you do a quick walkthrough? I just got nginx installed on my Emby server.
chef 3748 Posted May 4, 2017
So, I have been scanning through this thread and was wondering if anyone had a step-by-step example to use Let's Encrypt and OpenSSL command lines in Windows. Something that could be run on an automated task. I have a bit of understanding of these two applications and would like to make my own SSL automatically and not pay for one again. Set it and forget it... Also, how would Emby Server load the pfx file when a new one is generated... Automagically? Thanks in advance.
aptalca 70 Posted May 4, 2017
> Could you do a quick walkthrough? I just got nginx installed on my Emby server.
> So, I have been scanning through this thread and was wondering if anyone had a step-by-step example to use Let's Encrypt and OpenSSL command lines in Windows. Something that could be run on an automated task. I have a bit of understanding of these two applications and would like to make my own SSL automatically and not pay for one again. Set it and forget it... Also, how would Emby Server load the pfx file when a new one is generated... Automagically? Thanks in advance.
The official client is certbot: https://certbot.eff.org/
I did set it up on my company website a while back, but honestly it was so long ago that I don't remember how exactly (involved custom scripts and cron). It's still working so I don't mess with it.
At home I use the docker image that my group (linuxserver.io) maintains: https://hub.docker.com/r/linuxserver/letsencrypt/
It is a one-stop shop for nginx webserver and reverse proxy with php7, and it automatically retrieves and updates the Let's Encrypt certs. It also generates the pfx file needed by Emby after each cert renewal (every 60 days). The page linked has instructions on how to create a docker container. You just need to make sure that your custom domain points to your server and port 443 is forwarded to the container. You enter your URL, subdomains, etc. into the docker create command and it just works. If you need to change the subdomains, remove the existing container, create a new one with the updated settings and it will revoke the old certs and create new ones. The data is stored in a separate persistent volume (mapped as /config in the container) so you can easily destroy and recreate the container.
aptalca 70 Posted May 4, 2017
> Also, how would Emby Server load the pfx file when a new one is generated... Automagically?
The Let's Encrypt certs are symlinks. Every time they are renewed, the symlinks are updated to point to the current certs. The pfx is generated from the Let's Encrypt certs after each renewal (automatically in our docker image, but you would have to do it manually or through a script otherwise) and saved on the server. Emby looks for the pfx on the server and should pick up the new one as long as the name is the same (may require a restart, I haven't tested that part since my cert didn't get renewed in a while).
chef 3748 Posted May 4, 2017
> The Let's Encrypt certs are symlinks. Every time they are renewed, the symlinks are updated to point to the current certs. The pfx is generated from the Let's Encrypt certs after each renewal (automatically in our docker image, but you would have to do it manually or through a script otherwise) and saved on the server. Emby looks for the pfx on the server and should pick up the new one as long as the name is the same (may require a restart, I haven't tested that part since my cert didn't get renewed in a while).
Sounds as though, if a plugin was built to create an SSL with Let's Encrypt and the OpenSSL command line, it might have to initiate a server restart to load the new SSL.
aptalca 70 Posted May 4, 2017
> Sounds as though, if a plugin was built to create an SSL with Let's Encrypt and the OpenSSL command line, it might have to initiate a server restart to load the new SSL.
You're probably right, but I'm not sure what type of webserver Emby is using. If you or someone else is interested in writing a plugin for this, I can provide some tips or at least a starting point (I know nothing about Emby plugin structures as I'm a recent convert).
Here's our script that does the initial validation: https://github.com/linuxserver/docker-letsencrypt/blob/master/root/etc/cont-init.d/50-config#L107
And here's the script for renewals: https://github.com/linuxserver/docker-letsencrypt/blob/master/root/app/le-renew.sh#L8
The renewal script runs every night. If the cert is expiring in thirty days or less, it runs the prehook, which stops nginx, then renews the cert, and then runs the posthook, which starts nginx and generates the pfx. Certbot in standalone mode puts up its own webserver listening on port 443, waiting for ACME servers to connect and verify a file with a key. That's why nginx has to be stopped before validation, so port 443 is released.
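The three pieces the thread describes (dreimer's daily `openssl pkcs12 -export` task, the renew-at-30-days check in the renewal script, and the post-hook that rebuilds the pfx after each renewal) fit naturally into one certbot deploy hook. The script below is an added example written for this thread; it is not linuxserver.io's, Synology's or Emby's code. It assumes certbot's documented `RENEWED_LINEAGE` variable (the `/etc/letsencrypt/live/<domain>` directory of the cert just renewed) and uses two hypothetical settings of my own, `EMBY_PFX` and `EMBY_PFX_PASS`. Two things it does that the one-liner in the thread does not: it writes the bundle to a temp file and renames it into place so Emby never opens a half-written pfx, and it restricts the file mode, because the pfx contains the private key and an exported file on a share with a blank password is readable by anyone who can read the share.

```shell
#!/bin/sh
# le-deploy-pfx.sh: added example (not project code) of a certbot deploy hook
# that rebuilds the PKCS#12 bundle Emby reads whenever a cert is renewed.
# Assumed environment (hypothetical names except RENEWED_LINEAGE):
#   RENEWED_LINEAGE  set by certbot to /etc/letsencrypt/live/<domain>
#   EMBY_PFX         where Emby expects the pfx (our own setting)
#   EMBY_PFX_PASS    pfx password; empty means none, as in the thread
set -eu

# Renew when 30 days or less remain, the threshold the thread's renew script uses.
RENEW_WINDOW_SECS=$((30 * 24 * 3600))

# needs_renewal CERT_PEM -> exit 0 if the cert expires inside the renewal window.
# `openssl x509 -checkend N` exits 0 when the cert is still valid N seconds from
# now and 1 when it will have expired, so the sense is inverted here.
needs_renewal() {
    if openssl x509 -in "$1" -noout -checkend "$RENEW_WINDOW_SECS" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# build_pfx LIVE_DIR OUT_PFX [PASSWORD]
# Bundles privkey.pem + cert.pem + chain.pem from a Let's Encrypt live directory
# (the symlinks certbot updates on renewal) into a PKCS#12 file. The bundle is
# written to a temp file, locked down, then renamed over OUT_PFX atomically.
build_pfx() {
    live="$1"
    out="$2"
    pass="${3-}"
    tmp="$(mktemp "$(dirname "$out")/.cert.pfx.XXXXXX")"
    openssl pkcs12 -export \
        -inkey "$live/privkey.pem" \
        -in "$live/cert.pem" \
        -certfile "$live/chain.pem" \
        -passout "pass:$pass" \
        -out "$tmp"
    chmod 0640 "$tmp"    # contains the private key: owner rw, group r, nobody else
    mv -f "$tmp" "$out"
}

# verify_pfx PFX [PASSWORD] -> exit 0 only if the bundle parses with that password.
verify_pfx() {
    openssl pkcs12 -in "$1" -passin "pass:${2-}" -nokeys -noout >/dev/null 2>&1
}

main() {
    live="${RENEWED_LINEAGE:?certbot sets RENEWED_LINEAGE for deploy hooks}"
    out="${EMBY_PFX:-/config/keys/cert.pfx}"     # hypothetical default path
    pass="${EMBY_PFX_PASS-}"
    build_pfx "$live" "$out" "$pass"
    verify_pfx "$out" "$pass" || { echo "pfx verification failed: $out" >&2; exit 1; }
    # nginx only reads the new files on reload; Emby may still need a restart
    # (the thread leaves that untested), which is outside this hook's scope.
    if command -v nginx >/dev/null 2>&1; then
        nginx -s reload
    fi
}

# Run main only when executed as a script, so the functions can be sourced.
case "${0##*/}" in
    le-deploy-pfx.sh) main "$@" ;;
esac
```

Wire it in with `certbot renew --deploy-hook /path/le-deploy-pfx.sh` (or drop it into `/etc/letsencrypt/renewal-hooks/deploy/`), and run `certbot renew` from a nightly cron job; certbot itself only renews when the certificate is within its renewal window, so `needs_renewal` is mainly useful for a standalone scheduled task like dreimer's that has no certbot driving it. The `-nokeys -noout` verification catches the case where the export silently produced a bundle the consumer cannot open, which is the failure mode a blank-password one-liner hides until Emby refuses to start.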
chef 3748 Posted May 5, 2017
Hmmm... NodeJS server, right?
Swynol 375 Posted May 5, 2017
> Sounds as though, if a plugin was built to create an SSL with Let's Encrypt and the OpenSSL command line, it might have to initiate a server restart to load the new SSL.
If you're using NGINX with the cert then yes, NGINX will require a restart to load the new certs. Very easy to automate using a scheduled task. I've never been able to get Let's Encrypt certs to renew automatically; I normally just use ZeroSSL. Once you have created the cert once, which can take around 15-20 mins depending on how many subdomains you have, when you need to renew it, it takes 2-3 mins as you use your CSR which was generated the first time round. Another reason I do it manually is that some of my services require workarounds for the cert to work.
snake98 10 Posted May 5, 2017
> The official client is certbot: https://certbot.eff.org/ I did set it up on my company website a while back, but honestly it was so long ago that I don't remember how exactly (involved custom scripts and cron). It's still working so I don't mess with it. At home I use the docker image that my group (linuxserver.io) maintains: https://hub.docker.com/r/linuxserver/letsencrypt/ It is a one-stop shop for nginx webserver and reverse proxy with php7, and it automatically retrieves and updates the Let's Encrypt certs. It also generates the pfx file needed by Emby after each cert renewal (every 60 days). The page linked has instructions on how to create a docker container. You just need to make sure that your custom domain points to your server and port 443 is forwarded to the container. You enter your URL, subdomains, etc. into the docker create command and it just works. If you need to change the subdomains, remove the existing container, create a new one with the updated settings and it will revoke the old certs and create new ones. The data is stored in a separate persistent volume (mapped as /config in the container) so you can easily destroy and recreate the container.
Well, I got it running under Ubuntu, but now I'm trying to get it running under Windows. It's not putting out anything; when I "docker start letsencrypt" it shows running, but no files are showing up in the config folder. Any ideas?
aptalca 70 Posted May 5, 2017
Windows is a whole other beast when it comes to docker. Try "docker logs letsencrypt".
snake98 10 Posted May 5, 2017 (edited)
> Windows is a whole other beast when it comes to docker. Try "docker logs letsencrypt".
It's blank. It's weird, it doesn't even make config files. I can bash into it, but I don't see the etc/letsencrypt folder as on Ubuntu. I've forwarded port 81 to 80 and I can see the nginx website. I can access the map and create files in bash so I know it has access. Any ideas? I saw this also: when I ls -l the main directory, I see I don't show write access for everybody on config since it's an NTFS share.
Edit: I made a second one, and didn't share. I just created a config directory on the Linux side and chmod 777 on /config. Didn't help; after reboot, nothing there.
lrwxrwxrwx   1 root root    7 Apr 24 10:02 bin -> usr/bin
drwxr-xr-x   2 root root 4096 Apr  4 09:00 boot
drwxr-xr-x   2 root root    0 May  5 14:38 config
drwxr-xr-x  12 root root 2860 May  5 15:48 dev
drwxr-xr-x   1 root root 4096 May  5 15:48 etc
drwxr-xr-x   2 root root 4096 Apr  4 09:00 home
lrwxrwxrwx   1 root root    7 Apr 24 10:02 lib -> usr/lib
lrwxrwxrwx   1 root root    9 Apr 24 10:02 lib32 -> usr/lib32
lrwxrwxrwx   1 root root    9 Apr 24 10:02 lib64 -> usr/lib64
lrwxrwxrwx   1 root root   10 Apr 24 10:02 libx32 -> usr/libx32
drwxr-xr-x   2 root root 4096 Apr 24 10:02 media
drwxr-xr-x   2 root root 4096 Apr 24 10:02 mnt
drwxr-xr-x   2 root root 4096 Apr 24 10:02 opt
dr-xr-xr-x 122 root root    0 May  5 15:48 proc
drwx------   2 root root 4096 Apr 24 10:02 root
drwxr-xr-x   1 root root 4096 May  5 15:48 run
lrwxrwxrwx   1 root root    8 Apr 24 10:02 sbin -> usr/sbin
drwxr-xr-x   2 root root 4096 Apr 24 10:02 srv
dr-xr-xr-x  13 root root    0 May  5 16:27 sys
drwxr-xr-x   2 root root 4096 May  5 16:32 test
drwxrwxrwt   1 root root 4096 Apr 25 10:20 tmp
drwxr-xr-x   1 root root 4096 Apr 25 10:20 usr
drwxr-xr-x   1 root root 4096 Apr 25 10:20 var
e then, but I get connection reset
Edited May 5, 2017 by snake98
aptalca 70 Posted May 5, 2017
There is something wrong with the Windows screenshot. It shows the file debian_version. This letsencrypt container is Alpine based, not Debian. Are you sure you pulled the right repo? Could there be another container created with the name letsencrypt from a different image? Please post your docker create command for Windows.
snake98 10 Posted May 6, 2017 (edited)
> There is something wrong with the Windows screenshot. It shows the file debian_version. This letsencrypt container is Alpine based, not Debian. Are you sure you pulled the right repo? Could there be another container created with the name letsencrypt from a different image? Please post your docker create command for Windows.
You were right. I deleted all images and re-pulled, but for some reason the port mapping is working right; I've checked with Kitematic and it shows blank.
Update: reinstalled, now the port mapping shows up, now just got to figure out why it can't connect.
PS C:\WINDOWS\system32> docker ps -a
CONTAINER ID        IMAGE                     COMMAND             CREATED             STATUS                     PORTS               NAMES
488ccf7f8ef1        linuxserver/letsencrypt   "/init"             3 minutes ago       Exited (0) 3 minutes ago                       letsencrypt
PS C:\WINDOWS\system32>
Edited May 6, 2017 by snake98
snake98 10 Posted May 6, 2017 (edited)
Got it, Hyper-V uses port 443. I had the router change port 443 to 446, and had docker map 446 to 443 to the container; now it all works. Thanks for the help.
FYI, I got this all working inside VMware Workstation 12.5.5. I had to enable Hyper-V support.
Edited May 6, 2017 by snake98
aptalca 70 Posted May 6, 2017
> Got it, Hyper-V uses port 443. I had the router change port 443 to 446, and had docker map 446 to 443 to the container; now it all works. Thanks for the help. FYI, I got this all working inside VMware Workstation 12.5.5. I had to enable Hyper-V support.
Excellent!! That's great to hear that it works under Windows.
snake98 10 Posted May 31, 2017 (edited)
Will I need to do anything to reapply for the certificate after 90 days, or will it take care of itself if it's running in docker? Thanks.
Edited May 31, 2017 by snake98