Let’s Encrypt support for SSL certificates

https secure ssl tls

106 replies to this topic

#41 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 148764 posts
  • Local time: 07:59 PM

Posted 30 May 2016 - 03:51 PM

Does it have to be as complex as Plex? If I already have DDNS and a subdomain working for example, would it be possible to have an extension in Emby that simply request/renews and generates a certificate/pfx for Emby to use?

 

As a plugin, no, one of you guys could do a plugin for whatever you like. As a core feature we have to decide if requiring a domain is something that we're willing to live with or not.


  • ABotelho likes this

#42 jaybroni OFFLINE  

jaybroni

    Member

  • Members
  • 17 posts
  • Local time: 04:59 PM

Posted 24 September 2016 - 05:20 PM

As a plugin, no, one of you guys could do a plugin for whatever you like. As a core feature we have to decide if requiring a domain is something that we're willing to live with or not.

I understand the hesitation; it may raise the bar for entry and increase the demands on the support team.

 

As a solution, could you bake it in but have it disabled by default?

You could even include a little disclaimer that says this feature "may require a domain for best results" and is included "with love but no support". Then have a link to a community thread where people are experimenting with it.

 

Having it off by default assists our troubleshooting because a reset to default settings will revert it back to normal.

 

By now you see where I'm going with this - only those users who choose to, can experiment with domains and this feature in general. Inevitably the most popular setups will make their way to the top, and you (and your team) can monitor the progress until you're comfortable with it as an official emby feature. Then you can release it on the world and promote the hell out of it.



#43 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 148764 posts
  • Local time: 07:59 PM

Posted 24 September 2016 - 05:22 PM

Actually we would very much like to have letsencrypt ssl built into the server, first we have to decide on an automated way to get every server its own domain (unless you have your own). That's something that will work for everyone.



#44 chigh OFFLINE  

chigh

    Member

  • Members
  • 13 posts
  • Local time: 07:59 PM

Posted 18 November 2016 - 06:48 PM

Everyone will just have to go to no-ip.com to obtain DDNS. It's just like going out to schedules direct and creating an account to pull guide data. This is just a step that will have to be taken for letsencrypt.


  • jaybroni likes this

#45 anderbytes OFFLINE  

anderbytes

    Advanced Member

  • Members
  • 1087 posts
  • Local time: 10:59 PM
  • LocationRio de Janeiro - Brazil

Posted 18 November 2016 - 07:46 PM

Everyone will just have to go to no-ip.com to obtain DDNS. It's just like going out to schedules direct and creating an account to pull guide data. This is just a step that will have to be taken for letsencrypt.

This is not the main issue. As I see, the worst that can happen is the ISP blocks ports 80 and 443 (such as my ISP), and now I'm forced to use DNS-01 challenge to manually generate my certificates.

 

This would be solved if the official client would support choosing any port to validate the server, instead of only 80 and 443.

 

In short... if the user has its own domain, fixed IP (or DDNS), and LetsEncrypt allows any port.... It's a matter of time for the solution to come.



#46 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 148764 posts
  • Local time: 07:59 PM

Posted 18 November 2016 - 08:52 PM

What official client? Every emby app allows you to customize the connection port.



#47 anderbytes OFFLINE  

anderbytes

    Advanced Member

  • Members
  • 1087 posts
  • Local time: 10:59 PM
  • LocationRio de Janeiro - Brazil

Posted 19 November 2016 - 11:45 AM

I'm talking about the Let's Encrypt official client, which today doesn't allow you to choose the port to validate.



#48 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 148764 posts
  • Local time: 07:59 PM

Posted 19 November 2016 - 12:20 PM

Ah ok, thanks.

#49 chigh OFFLINE  

chigh

    Member

  • Members
  • 13 posts
  • Local time: 07:59 PM

Posted 21 November 2016 - 01:14 PM

Couldn't you just use DNS validation?



#50 anderbytes OFFLINE  

anderbytes

    Advanced Member

  • Members
  • 1087 posts
  • Local time: 10:59 PM
  • LocationRio de Janeiro - Brazil

Posted 21 November 2016 - 01:25 PM

Couldn't you just use DNS validation?

DNS validation is possible and a very good alternative to webserver validation....

 

BUT.... you have to manually insert a TXT record in the DNS server to be validated by Let's Encrypt servers.

So it can't be fully automated... I guess



#51 jaybroni OFFLINE  

jaybroni

    Member

  • Members
  • 17 posts
  • Local time: 04:59 PM

Posted 27 November 2016 - 06:24 PM

Imho, it's a mistake to delay a feature (SSL) because you want to roll out two features (SSL + Auto DDNS). 

 

While it sounds nice to release both features all beautifully integrated and simple, Apple style, you have to admit that down the road you'll end up needing the ability to disable all these features incrementally for troubleshooting purposes. So why not enable them incrementally right now? We might even learn some valuable lessons while testing SSL with our own ddns services and setups, that help the developers. 

 

Let's leverage the thousands of Emby users who have a DDNS solution already in place and are yearning for SSL. We will pave the way.

 

As a visual, you guys could whip up a section like this in the Emby Dashboard's Hosting area:

 

Lets Encrypt SSL Integration

Disclaimer: This is an experimental feature intended for testing purposes only. Do not raise questions anywhere but on Github in the form of a ticket with logs. Thank you.

 

To prepare for SSL integration you will need: 

1) An account with Lets Encrypt

2) An account with a registered ddns provider from this list of Lets Encrypt recognized DDNS services. When completed, you should have an address like: jaybroni_has_ssl_allupinmyemby.dyndns.com

3) Click here to ENABLE ssl management setting.

4) Input your credentials into the Lets Encrypt and DDNS fields and click SAVE

5) Click here REGISTER SSL, TEST SSL, RENEW SSL every 30/60/90 days or select manual renewal, etc. 

6) Congratulations you're done. Now nobody can decode the packets of your aunt's family vacation where you didn't realize she was your second cousin but fortunately you only went to second base.

 

Remember guys, the tortoise won against the hare because slow and steady wins the race. Would you be so kind as to incrementally move this feature forward? So we can use it at least in part sooner rather than later? Pretty please.


Edited by jaybroni, 27 November 2016 - 10:41 PM.

  • PhinkBig, Oxide and chigh like this

#52 chigh OFFLINE  

chigh

    Member

  • Members
  • 13 posts
  • Local time: 07:59 PM

Posted 28 November 2016 - 11:21 AM

Imho, it's a mistake to delay a feature (SSL) because you want to roll out two features (SSL + Auto DDNS). 

 

While it sounds nice to release both features all beautifully integrated and simple, Apple style, you have to admit that down the road you'll end up needing the ability to disable all these features incrementally for troubleshooting purposes. So why not enable them incrementally right now? We might even learn some valuable lessons while testing SSL with our own ddns services and setups, that help the developers. 

 

Let's leverage the thousands of Emby users who have a DDNS solution already in place and are yearning for SSL. We will pave the way.

 

As a visual, you guys could whip up a section like this in the Emby Dashboard's Hosting area:

 

Lets Encrypt SSL Integration

Disclaimer: This is an experimental feature intended for testing purposes only. Do not raise questions anywhere but on Github in the form of a ticket with logs. Thank you.

 

To prepare for SSL integration you will need: 

1) An account with Lets Encrypt

2) An account with a registered ddns provider from this list of Lets Encrypt recognized DDNS services. When completed, you should have an address like: jaybroni_has_ssl_allupinmyemby.dyndns.com

3) Click here to ENABLE ssl management setting.

4) Input your credentials into the Lets Encrypt and DDNS fields and click SAVE

5) Click here REGISTER SSL, TEST SSL, RENEW SSL every 30/60/90 days or select manual renewal, etc. 

6) Congratulations you're done. Now nobody can decode the packets of your aunt's family vacation where you didn't realize she was your second cousin but fortunately you only went to second base.

 

Remember guys, the tortoise won against the hare because slow and steady wins the race. Would you be so kind as to incrementally move this feature forward? So we can use it at least in part sooner rather than later? Pretty please.

 

I agree that there needs to be testing done on this so we learn more about how it will integrate with the system. Just discussing this on a forum can only go so far.  


  • Oxide likes this

#53 tigrao OFFLINE  

tigrao

    Advanced Member

  • Members
  • 59 posts
  • Local time: 05:59 PM

Posted 29 November 2016 - 01:38 PM

I agree that there needs to be testing done on this so we learn more about how it will integrate with the system. Just discussing this on a forum can only go so far.  

 

 

This is exactly why I set up a reverse proxy with IIS on my Windows system.  The Letsencrypt client integrates with IIS and handles the SSL certificates much better than Emby does.



#54 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 148764 posts
  • Local time: 07:59 PM

Posted 29 November 2016 - 01:41 PM

That's your perception. On Windows we use some of the same libraries used by IIS.

#55 chigh OFFLINE  

chigh

    Member

  • Members
  • 13 posts
  • Local time: 07:59 PM

Posted 29 November 2016 - 01:44 PM

I'm actually using Emby on FreeNAS so I think I am going to try and install letsencrypt inside the jail and then make a cron job to update and convert the cert to the appropriate format.


  • jaybroni likes this

#56 tigrao OFFLINE  

tigrao

    Advanced Member

  • Members
  • 59 posts
  • Local time: 05:59 PM

Posted 29 November 2016 - 01:49 PM

That's your perception. On Windows we use some of the same libraries used by IIS.

 

 

Yes, that is my perception.  My perception will continue to be that way because the Letsencrypt client officially supports IIS.  It does not support Emby.  It is much easier this way.



#57 jaybroni OFFLINE  

jaybroni

    Member

  • Members
  • 17 posts
  • Local time: 04:59 PM

Posted 29 November 2016 - 10:04 PM

I'm actually using Emby on FreeNAS so I think I am going to try and install letsencrypt inside the jail and then make a cron job to update and convert the cert to the appropriate format.

Power to you!

 

If you figure it out, be so kind as to document it for the rest of us plebeians.

 

I just know I will break my Ubuntu server with my SSL testing, so I went so far as to build a completely separate test server that I can break and repair all day long. But as they say, the first person to break through a wall always gets bloody.

 

After you, kind sir, after you. 


Edited by jaybroni, 29 November 2016 - 10:04 PM.


#58 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 148764 posts
  • Local time: 07:59 PM

Posted 30 November 2016 - 12:03 AM

You know that people here are already using LetsEncrypt with Emby server, right?



#59 chigh OFFLINE  

chigh

    Member

  • Members
  • 13 posts
  • Local time: 07:59 PM

Posted 30 November 2016 - 12:14 AM

You know that people here are already using LetsEncrypt with Emby server, right?


Yes, but it is not automated. This would be an attempt to have it all automated on FreeNAS in the Emby jail.
  • tigrao and jaybroni like this

#60 chigh OFFLINE  

chigh

    Member

  • Members
  • 13 posts
  • Local time: 07:59 PM

Posted 30 November 2016 - 03:36 PM

Automating Lets Encrypt for Emby on FreeNAS
 
--to get started go to the jails tab on the top panel and select your emby jail and then click on the terminal button on the bottom 
 
--run this command to upgrade your packages
pkg upgrade
 
--press y when prompted and hit enter
 
--run this command to install certbot (Let's Encrypt)
pkg install py27-certbot
 
--press y when prompted and hit enter
 
--run this command to install
pkg install openssl
 
--press y when prompted and hit enter
 
--Once installed you are ready to generate your cert. Run this command (change "example.com" to your DDNS)
certbot certonly --standalone -d example.com
 
--follow the steps to create the cert
 
--Change directory to your certs
cd /usr/local/etc/letsencrypt/live/Your_Domain (change "Your_Domain" to your DDNS)
 
--run openssl so you can convert to the appropriate file format
openssl pkcs12 -inkey privkey.pem -in fullchain.pem -export -out emby.pfx -passout pass:
 
--now we have to set permissions to access this folder because its owner is letsencrypt
chmod 777 /usr/local/etc/letsencrypt/live
 
--open a terminal from the left panel on freenas and type jls and it should give you the jail-ID of your emby server. Once you have that, you can create a cron job.
 
--create a cron job in the crons tab in the left panel and click on add cron job.
the user: root
 
command: jexec Jail_ID sh -c 'certbot renew --quiet && cd /usr/local/etc/letsencrypt/live/Your_Domain && openssl pkcs12 -inkey privkey.pem -in fullchain.pem -export -out emby.pfx -passout pass:'
(remember to change "Jail_ID" to your emby's jail ID and change "Your_Domain" to your DDNS) 
 
--Let's Encrypt recommends running this command twice a day, so my cron job looks like this
 
583f28865bec1_CronJob.jpg
 
--now go into emby server dashboard and click "Advanced" in the left panel
 
now click on the magnifying glass on the "Custom Certificate path:" and then navigate to your .PFX file which is located at /usr/local/etc/letsencrypt/live/Your_Domain/emby.pfx, save and reboot emby.
 
test by going to your DDNS in a browser with the appropriate port
 
if successful then we are all automated!

  • PhinkBig, jaybroni and dolphin like this
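
An added example, not part of chigh's post or of Emby itself: the PFX conversion from the steps above written as a certbot deploy hook, so it runs inside the jail only after an actual renewal and writes the bundle to a directory readable by the Emby account alone, rather than opening letsencrypt/live with chmod 777. The hook path, the /usr/local/etc/emby-ssl directory and the "emby" account name are assumptions to adapt.

```sh
#!/bin/sh
# Added example (not from the thread): certbot deploy hook that builds the
# PFX for Emby. Assumptions: the hook path, the output directory
# /usr/local/etc/emby-ssl (created beforehand, mode 700, owned by the Emby
# user) and the account name "emby" are placeholders for your own setup.
#
# Cron entry on the FreeNAS host (certbot older than 0.17: --renew-hook):
#   jexec Jail_ID certbot renew --quiet --deploy-hook /usr/local/sbin/emby-pfx-hook.sh

# export_pfx LIVE_DIR OUT_PFX [OWNER]
# Builds OUT_PFX from LIVE_DIR/privkey.pem and LIVE_DIR/fullchain.pem.
export_pfx() {
    live_dir=$1; out=$2; owner=${3:-}
    key="$live_dir/privkey.pem"; chain="$live_dir/fullchain.pem"
    if [ ! -r "$key" ] || [ ! -r "$chain" ]; then
        echo "export_pfx: missing privkey.pem or fullchain.pem in $live_dir" >&2
        return 1
    fi
    # Write to a temp file next to the target so the final rename is atomic
    # and Emby never reads a half-written bundle. mktemp creates it 0600.
    tmp=$(mktemp "$out.XXXXXX") || return 1
    # Same conversion as in the post (empty export password).
    if ! openssl pkcs12 -export -inkey "$key" -in "$chain" \
            -out "$tmp" -passout pass: ; then
        rm -f "$tmp"; return 1
    fi
    # Refuse to install a bundle that does not parse back.
    if ! openssl pkcs12 -in "$tmp" -passin pass: -nokeys >/dev/null 2>&1; then
        rm -f "$tmp"; return 1
    fi
    chmod 600 "$tmp"
    if [ -n "$owner" ] && ! chown "$owner" "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    mv -f "$tmp" "$out"
}

# certbot sets RENEWED_LINEAGE (e.g. .../live/Your_Domain) only when it runs
# this file as a deploy hook after a successful renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    export_pfx "$RENEWED_LINEAGE" \
        "${EMBY_PFX:-/usr/local/etc/emby-ssl/emby.pfx}" "${EMBY_USER:-emby}"
fi
```

With this in place the "Custom Certificate path" in the Emby dashboard points at the exported file in the separate directory, and the letsencrypt/live permissions stay as certbot created them.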




