Let’s Encrypt support for SSL certificates

106 replies to this topic

#21 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 142781 posts
  • Local time: 05:31 PM

Posted 29 December 2015 - 01:04 AM

great stuff, keep me posted. by the way - since the ddns remote server would be completely separate, you don't have to bundle that all in with emby server changes. in fact it would be easier to isolate the two separately. 



#22 Oakington OFFLINE  

Oakington

    Advanced Member

  • Members
  • 49 posts
  • Local time: 11:31 PM

Posted 29 December 2015 - 01:06 AM

Like create a web frontend for the user to interact with? I think it's better if Emby server handles all the communication with the API. No?

Sent from my Nexus 6 using Tapatalk

#23 Luke OFFLINE  


Posted 29 December 2015 - 01:11 AM

i mean integrating the ddns into our remote server is going to be a major project in its own right. so separating the two sides will make it easier.


  • topnomi likes this

#24 Oakington OFFLINE  


Posted 29 December 2015 - 01:12 AM

Oh definitely.

  • topnomi likes this

#25 topnomi OFFLINE  

topnomi

    Newbie

  • Members
  • 4 posts
  • Local time: 05:31 PM

Posted 31 December 2015 - 06:19 AM

Just wanted to add a +1

 

This feature will be awesome!

 

Seems to me a subdomain dyndns service that procures Let's Encrypt certs for the generated subdomains would be a nice program in its own right...


  • runtimesandbox likes this

#26 anderbytes OFFLINE  

anderbytes

    Advanced Member

  • Members
  • 1087 posts
  • Local time: 08:31 PM
  • LocationRio de Janeiro - Brazil

Posted 30 January 2016 - 09:23 PM

ACME DNS Challenge is up since January 20th!! Go get them, guys!  :-DD

 

https://twitter.com/...919523164721152

 

As my ISP blocks incoming ports 80 and 443, ACME DNS challenge was the ONLY way I could generate a LetsEncrypt certificate.



#27 grvland OFFLINE  

grvland

    Member

  • Members
  • 19 posts
  • Local time: 05:31 PM

Posted 02 February 2016 - 02:58 PM

Another +1.

 

An easy way to get SSL that works on various devices would easily push me over the edge to Emby Premiere.



#28 user-xyz OFFLINE  

user-xyz

    Newbie

  • Members
  • 1 posts
  • Local time: 03:31 PM

Posted 02 February 2016 - 04:16 PM

Yup, a legit SSL to my home emby box would 100% get me to pay premium (actually, to even start using it). That reminds me, it'd be perfect to get emby.media (all of it) on https. I noticed when I signed up a few days ago, that the entire site (including sign-up and log-in) isn't over SSL.



#29 Oakington OFFLINE  


Posted 02 February 2016 - 04:41 PM

Sorry I haven't been on this in a while. I'll get cracking again tonight.

  • grvland likes this

#30 Oakington OFFLINE  


Posted 11 February 2016 - 07:04 PM

https://github.com/DirtyJerz/embyDDNS

 

Not done yet, but I'm still working on it. 

 

DDNS side works fine. So does the db mgmt of users and LE bits. I just can't get the local boulder CA to work in my dev env. I can try against staging but I end up hitting rate limits. I'll keep going.

 

@anderbytes: you seem to be encryption literate. Do you know python and if you do, would you mind taking a look at the ddns client/server communication, or maybe PM me and I can try to explain it. I just want to know if there is something I'm missing. 


  • grvland likes this

#31 anderbytes OFFLINE  


Posted 11 February 2016 - 07:52 PM

I work with IT and I know several concepts about this matter, but I'm no programmer, at least until this day.

I can help you test ACME DNS as much as you need, but not with the standard way they used to require (opening ports).

I also have to tell you that some domain registrar companies don't work with automated APIs, so your validation process should generate the needed TXT key value to be inserted manually, if the domain only accepts it that way.

In those manual scenarios, it would be something like:
- Ask for all the same inputs that the script I mentioned asks
- Use those as parameters to converse with LetsEncrypt and return a key to be used as TXT
- Tell the user the requirements that will be validated and tell him the key
- Await user "Continue" button input, because you don't know how long he will take to insert it manually
- Continue LetsEncrypt validation via DNS challenge
- If not validated, tell the user then await new "Retry" or "Restart Process"
- When validated, receive the generated key and add it to OMV

In other words... If you could just create an OMV interface for the script I referred to, it would be a great help already.

Thanks!
Don't hesitate to ask, if you need help testing

Edited by anderbytes, 11 February 2016 - 07:54 PM.


#32 grvland OFFLINE  


Posted 22 February 2016 - 03:40 PM

Just wanted to add that I'm willing to test as well.


Edited by grvland, 22 February 2016 - 03:42 PM.


#33 anderbytes OFFLINE  


Posted 22 February 2016 - 03:43 PM

I told them in my post on January 30th, above

#34 rice OFFLINE  

rice

    Member

  • Members
  • 24 posts
  • Local time: 12:31 PM

Posted 09 March 2016 - 06:40 AM

Anybody have a noob friendly tutorial on how to manually generate a Let's Encrypt cert for Emby? Something to use in the meantime. Right now I'm using certificates that I have generated myself with OpenSSL but those self signed certs don't really play well with Emby apps. 

 

I have already set up a temporary VM machine for ubuntu, installed apache, git cloned letsencrypt, but I don't know where to go from here. My host machine is Windows and it is also where Emby server is installed. 



#35 anderbytes OFFLINE  


Posted 09 March 2016 - 09:08 AM

I will post a small step-by-step that I created when I successfully generated my Let's Encrypt certificate via ACME DNS Challenge.

Hope it will help you.

 

 

x. Generate certificate and private key using the commands:
- openssl genrsa -out your.domain.com.key 2048
- openssl req -new -sha256 -key your.domain.com.key -out your.domain.com.csr

x. Download some client that executes ACME DNS Challenge Validation.
READ this --> https://github.com/l...aster/README.md

x. Download a "hook" complementary script that is necessary for that client above
Ex: https://gist.github....010313f55db0f7a


x. Execute the command : ./letsencrypt.sh --signcsr your.domain.com.csr -d your.domain.com --challenge dns-01 --algo rsa --hook ./HookSample.sh

x. Inside the script, follow the instructions about which TXT record to generate inside the DNS server.

x. (Optional) After creating the TXT record, I suggest you validate (in real time) the record you created in some online DNS testing tool that supports TXT, or else the final step of the script above may be painful. There's some delay between creating and validating... and this tool will help you determine the exact moment to click "validate"

x. Import certificate inside Webserver
 

 

As we are talking about EMBY, there are some additional steps to successfully create a trusted PFX

 

 

- Download root certificate from LetsEncrypt in "https://letsencrypt.org/certificates/"
wget https://letsencrypt....ross-signed.pem

- Generate PFX file from the certificate using all the previously generated keys and embedding the intermediary X1 pem
openssl pkcs12 -export -in your.domain.com.cer -inkey your.domain.com.key -out your.domain.com.pfx -certfile lets-encrypt-x1-cross-signed.pem


  • jaybroni likes this
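
The manual flow outlined in post #31 and the optional TXT check in the steps of post #35, as an added example that is not part of the original posts or of letsencrypt.sh: it derives the dns-01 TXT record the way RFC 8555 specifies (base64url of SHA-256 over token.thumbprint) and compares it with what a DNS lookup returns before continuing to validation. The function names, the account JWK and the token are constructed for illustration.

```python
import base64
import hashlib
import json

# Constructed sample inputs (not real account data). The extra "alg" member
# shows that only the required JWK members enter the thumbprint.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-value", "alg": "RS256"}
SAMPLE_TOKEN = "constructed-token-123"


def b64url(data):
    """Base64url without '=' padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint of an RSA account key."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(domain, token, account_jwk):
    """Return (record name, TXT value) that the CA queries for dns-01."""
    key_authorization = token + "." + jwk_thumbprint(account_jwk)
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return "_acme-challenge." + domain.rstrip(".").lower(), value


def txt_is_published(expected, answers):
    """True if any TXT answer copied from a lookup tool equals the expected value.

    Lookup tools usually print TXT data in double quotes, sometimes with
    stray whitespace, so both are stripped before comparing.
    """
    return any(a.strip().strip('"') == expected for a in answers)


if __name__ == "__main__":
    name, value = dns01_record("your.domain.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print("create TXT record:", name, "=", value)
    # Constructed lookup results: an old record, then the new one.
    print("ready to validate:", txt_is_published(value, ['"stale-value"']))
    print("ready to validate:", txt_is_published(value, ['"' + value + '"']))
```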

#36 rice OFFLINE  


Posted 14 March 2016 - 09:18 PM

Thanks anderbytes and sorry for the late reply. I haven't had much time to attempt this yet but it looks doable even for me. 



#37 proppa OFFLINE  

proppa

    Newbie

  • Members
  • 3 posts
  • Local time: 11:31 PM

Posted 04 April 2016 - 02:42 PM

I installed a Let's Encrypt SSL certificate for my Emby server today. I can access it through a domain and I thought it would be fun to get a real certificate. It was quite easy to make a standalone certificate with Let's Encrypt and it was also easy to install in Emby by pointing it to the .pfx file. However it does only support TLS 1.0 and is insecure. F rating from https://www.ssllabs.com/ssltest. Does anyone here know how I could add TLS 1.2 support? Is it under development?



#38 Tur0k OFFLINE  

Tur0k

    Advanced Member

  • Members
  • 518 posts
  • Local time: 04:31 PM

Posted 12 April 2016 - 12:40 AM

This looks very promising for me.  I have been meddling with openssl to create a self-signed certificate as I was unaware that there was a viable route, for DHCP public IP users, who have a DDNS domain, to take in order to better support SSL encryption.  While I am comfortable in other technology related focuses, certificates and their administration aren't one of them.  I will look further into LetsEncrypt on my system.  Has anyone tried to get LetsEncrypt on a Windows 10 platform?  Does anyone know if the LetsEncrypt client can be run from a separate system inside my network, and then distribute the pfx file to the Emby server? 



#39 jaybroni OFFLINE  

jaybroni

    Member

  • Members
  • 17 posts
  • Local time: 02:31 PM

Posted 01 May 2016 - 02:05 PM

SSL Encryption HYPE

 

This thread needs a hero! 

 

I'm afraid many of us are using http for simplicity and convenience in order to avoid my users seeing the "this site may not be secure" warning that comes with using a home made SSL cert.

 

 

Plan A

An emby plugin that registers with LetsEncrypt and can be set to renew the certificate with Emby's built in task scheduler automatically

 

Plan B

A tutorial for us to accomplish the same thing using manual methods.

 

Has there been any progress in the last month on either front?

 

I think this is the single most worthwhile project for the Emby community. +

 

Let's get crackin boys! We don't even have to invent a new method, just take inspiration from Plex who enabled ssl certs for all their users, even the free ones:

https://blog.filippo...-all-its-users/


Edited by jaybroni, 01 May 2016 - 02:06 PM.

  • grvland likes this

#40 ABotelho OFFLINE  

ABotelho

    Member

  • Members
  • 23 posts
  • Local time: 06:31 PM

Posted 30 May 2016 - 03:44 PM

Does it have to be as complex as Plex? If I already have DDNS and a subdomain working for example, would it be possible to have an extension in Emby that simply requests/renews and generates a certificate/pfx for Emby to use?






