anakron

Let’s Encrypt support for SSL certificates


jaybroni

Imho, it's a mistake to delay a feature (SSL) because you want to roll out two features (SSL + Auto DDNS).

While it sounds nice to release both features all beautifully integrated and simple, Apple style, you have to admit that down the road you'll end up needing the ability to disable all these features incrementally for troubleshooting purposes. So why not enable them incrementally right now? We might even learn some valuable lessons while testing SSL with our own DDNS services and setups that help the developers.

Let's leverage the thousands of Emby users who have a DDNS solution already in place and are yearning for SSL. We will pave the way.

As a visual, you guys could whip up a section like this in the Emby Dashboard's Hosting area:

Let's Encrypt SSL Integration

Disclaimer: This is an experimental feature intended for testing purposes only. Do not raise questions anywhere but on GitHub in the form of a ticket with logs. Thank you.

To prepare for SSL integration you will need:

1) An account with Let's Encrypt

2) An account with a registered DDNS provider from this list of Let's Encrypt recognized DDNS services. When completed, you should have an address like: jaybroni_has_ssl_allupinmyemby.dyndns.com

3) Click here to ENABLE the SSL management setting.

4) Input your credentials into the Let's Encrypt and DDNS fields and click SAVE

5) Click here to REGISTER SSL, TEST SSL, RENEW SSL every 30/60/90 days or select manual renewal, etc.

6) Congratulations, you're done. Now nobody can decode the packets of your aunt's family vacation where you didn't realize she was your second cousin but fortunately you only went to second base.

Remember guys, the tortoise won against the hare because slow and steady wins the race. Would you be so kind as to incrementally move this feature forward, so we can use it at least in part sooner rather than later? Pretty please.

Edited by jaybroni
  • Like 3

chigh


I agree that there needs to be testing done on this so we learn more about how it will integrate with the system. Just discussing this on a forum can only go so far.  

  • Like 1

tigrao

This is exactly why I set up a reverse proxy with IIS on my Windows system. The Let's Encrypt client integrates with IIS and handles the SSL certificates much better than Emby does.

Luke

That's your perception. On Windows we use some of the same libraries used by IIS.

chigh

I'm actually using Emby on FreeNAS so I think I am going to try and install letsencrypt inside the jail and then make a cron job to update and convert the cert to the appropriate format.

  • Like 1

tigrao

Yes, that is my perception. My perception will continue to be that way because the Let's Encrypt client officially supports IIS. It does not support Emby. It is much easier this way.

jaybroni

Power to you!

 

If you figure it out, be so kind as to document it for the rest of us plebeians.

 

I just know I will break my Ubuntu server with my SSL testing, so I went so far as to build a completely separate test server that I can break and repair all day long. But as they say, the first person to break through a wall always gets bloody.

 

After you, kind sir, after you. 

Edited by jaybroni

Luke

You know that people here are already using LetsEncrypt with Emby server, right?

chigh

Yes, but it is not automated. This would be an attempt to have it all automated on FreeNAS in the Emby jail.

  • Like 2

chigh
Automating Let's Encrypt for Emby on FreeNAS

--to get started go to the jails tab on the top panel and select your emby jail and then click on the terminal button on the bottom

--run this command to upgrade your packages

pkg upgrade

--press y when prompted and hit enter

--run this command to install certbot (Let's Encrypt)

pkg install py27-certbot

--press y when prompted and hit enter

--run this command to install openssl

pkg install openssl

--press y when prompted and hit enter

--Once installed you are ready to generate your cert. Run this command (change "example.com" to your DDNS)

certbot certonly --standalone -d example.com

--follow the steps to create the cert

--Change directory to your certs (change "Your_Domain" to your DDNS)

cd /usr/local/etc/letsencrypt/live/Your_Domain

--run openssl so you can convert to the appropriate file format

openssl pkcs12 -inkey privkey.pem -in fullchain.pem -export -out emby.pfx -passout pass:

--now we have to set permissions to access this folder because its owner is letsencrypt

chmod 777 /usr/local/etc/letsencrypt/live

--open a terminal from the left panel on freenas and type jls and it should give you the jail-ID of your emby server. Once you have that, you can create a cron job.

--create a cron job in the crons tab in the left panel and click on add cron job.

the user: root

command: jexec Jail_ID sh -c 'certbot renew --quiet && cd /usr/local/etc/letsencrypt/live/Your_Domain && openssl pkcs12 -inkey privkey.pem -in fullchain.pem -export -out emby.pfx -passout pass:'

(remember to change "Jail_ID" to your emby's jail ID and change "Your_Domain" to your DDNS)

(the sh -c wrapper keeps the cd and openssl steps inside the jail; without it only certbot runs in the jail and the rest runs on the FreeNAS host, where that letsencrypt directory does not exist)

--Let's Encrypt recommends running this command twice a day so my cron job looks like this

[CronJob.jpg: screenshot of the cron job settings]

--now go into emby server dashboard and click "Advanced" in the left panel

now click on the magnifying glass on the "Custom Certificate path:" and then navigate to your .PFX file which is located at /usr/local/etc/letsencrypt/live/Your_Domain/emby.pfx, save and reboot emby.

test by going to your DDNS in a browser with the appropriate port

if successful then we are all automated!

  • Like 3
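As an added example (not Emby's, certbot's or the poster's code), here is the same renew-and-convert step written as a certbot deploy hook in Python, so that the PKCS#12 export runs only when certbot actually renewed the lineage and the resulting file, which holds the private key with no password, is not left world-readable. It assumes certbot's documented RENEWED_LINEAGE environment variable, an openssl binary on PATH, and a hypothetical EMBY_PFX_OWNER variable naming the account Emby runs as; the Linux Mint/Ubuntu procedure later in the thread can use it unchanged, since only the lineage path differs.

```python
#!/usr/bin/env python3
"""certbot --deploy-hook: export the renewed Let's Encrypt lineage to emby.pfx.

Added example, not Emby's or certbot's code. Assumptions: certbot sets
RENEWED_LINEAGE when it runs a deploy hook (documented behaviour), openssl is
on PATH, and EMBY_PFX_OWNER (hypothetical) names the user Emby runs as.
"""
import os
import shutil
import stat
import subprocess
import sys

# The two files certbot keeps under live/<domain>/ that the export needs.
REQUIRED = ("privkey.pem", "fullchain.pem")


def missing_inputs(live_dir):
    """Names of the PEM files certbot should have written but did not."""
    return [n for n in REQUIRED if not os.path.isfile(os.path.join(live_dir, n))]


def pfx_is_current(live_dir, pfx_path):
    """True when the .pfx is at least as new as the newest PEM input."""
    if missing_inputs(live_dir) or not os.path.isfile(pfx_path):
        return False
    newest_pem = max(os.path.getmtime(os.path.join(live_dir, n)) for n in REQUIRED)
    return os.path.getmtime(pfx_path) >= newest_pem


def export_cmd(live_dir, pfx_path):
    """argv for the same openssl pkcs12 export the thread uses: empty password,
    because Emby's custom-certificate setting expects an unprotected .pfx."""
    return [
        "openssl", "pkcs12", "-export",
        "-inkey", os.path.join(live_dir, "privkey.pem"),
        "-in", os.path.join(live_dir, "fullchain.pem"),
        "-out", pfx_path,
        "-passout", "pass:",
    ]


def export_pfx(live_dir, pfx_path, owner=None, run=subprocess.run):
    """Export the lineage to pfx_path; returns (ok, message).

    `run` is injectable so the surrounding checks can be exercised without
    openssl installed (the test below passes a stand-in)."""
    gone = missing_inputs(live_dir)
    if gone:
        return False, "missing in %s: %s" % (live_dir, ", ".join(gone))
    tmp = pfx_path + ".tmp"
    try:
        result = run(export_cmd(live_dir, tmp))
    except FileNotFoundError:
        return False, "openssl not found on PATH"
    if result.returncode != 0 or not os.path.isfile(tmp):
        if os.path.exists(tmp):
            os.unlink(tmp)
        return False, "openssl export failed (rc=%s)" % result.returncode
    # The .pfx carries an unencrypted private key: owner read/write, group read,
    # nothing for others, instead of chmod 777 on the whole live/ tree.
    os.chmod(tmp, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP)
    if owner:
        shutil.chown(tmp, user=owner)
    os.replace(tmp, pfx_path)  # atomic swap, so Emby never reads a half-written file
    return True, "wrote %s" % pfx_path


def main():
    live_dir = os.environ.get("RENEWED_LINEAGE")
    if not live_dir:
        sys.exit("RENEWED_LINEAGE not set: run this as a certbot --deploy-hook")
    pfx = os.path.join(live_dir, "emby.pfx")
    if pfx_is_current(live_dir, pfx):
        print("emby.pfx already current, nothing to do")
        return
    ok, msg = export_pfx(live_dir, pfx, owner=os.environ.get("EMBY_PFX_OWNER"))
    print(msg)
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

Install it somewhere inside the jail (the path /usr/local/bin/emby_pfx_hook.py below is an assumption) and replace the cron command with `jexec Jail_ID certbot renew --quiet --deploy-hook /usr/local/bin/emby_pfx_hook.py`; on Ubuntu it is the same command without jexec. certbot only invokes the hook for lineages it actually renewed, so the export is redone only when the chain changes, and because the hook runs as root it can hand the .pfx to the Emby account rather than opening the live directory to every other user on the box, which chmod 777 does.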

jaybroni

You're a beauty, I can't wait to give it a shot this weekend. I run Ubuntu so we'll see what I need to do differently. The jails part I don't quite get but the rest looks possible

chigh

If you are on Ubuntu then the commands will be a little different, but the same concept. Jails are a FreeNAS/FreeBSD thing; they don't pertain to Ubuntu.

Edited by chigh

ABotelho

Does the jail thing have an equivalent? It's been such a long time since I've used FreeNAS, and it wasn't for very long to begin with.

 

I'd love to get this working. Currently I'm using Asus' built in DDNS service on my router. Hoping that would work.

chigh

A jail in FreeNAS is like an instance of a system. So you are able to install software on the instance itself using a command prompt. Your DDNS will work just fine.

Demati

I did the following on my Linux Mint machine (which is basically Ubuntu). I am not sure this can be automated (and I am sure there is a better way). I didn't have Apache installed prior to this as I wasn't running a web server on the machine. I only installed it to get my dynDNS SSL certificate from Let's Encrypt.

Prerequisites

  1. Ports 80 and 443 are enabled in your firewall/router
  2. Apache is installed
  3. Install the letsencrypt binary (which is really certbot):

     sudo apt-get install letsencrypt

Procedure

Substitute "example.com" with your dynDNS address. I've color coded items that should match.

  1. letsencrypt-auto certonly -a manual --email <email_address>@example.com -d example.com
  2. You will be prompted with information containing the following:

     Make sure your web server displays the following content at http://example.com/.well-known/acme-challenge/<LONG_STRING> before continuing:

     LONG_STRING.ANOTHER_LONG_STRING

  3. Create file:
    1. sudo vim /var/www/example.com/.well-known/acme-challenge/<LONG_STRING>
    2. Copy and paste LONG_STRING.ANOTHER_LONG_STRING into the file
    3. sudo chown -R www-data:www-data /var/www/example.com/.well-known
    4. sudo chmod -R 733 /var/www/example.com/.well-known
  4. Continue with letsencrypt
  5. Once certs and keys are created go to: /etc/letsencrypt/live/example.com
  6. Create a PKCS#12 file from the PEM files with the following command (the key file certbot writes is privkey.pem, all lowercase)
    1. openssl pkcs12 -export -out example.com.pfx -inkey privkey.pem -in cert.pem
    2. Enter no password or Emby will break
  7. Configure Emby server to point to the path where example.com.pfx can be found.

Feel free to try this. It worked for me. If there are better ways I am all ears. :-)

Edited by Demati
  • Like 1

feerlessleadr

Any guide for getting this up and running on Windows?

chigh


I did the reverse proxy with apache2 on Ubuntu. That was the best solution, because when you add your .PFX to Emby the cipher suites aren't up to date and it uses obsolete ciphers. With the reverse proxy you have a little more control and it's a WHOLE lot more secure. If anyone isn't sure what a reverse proxy is, there is a good read here: https://emby.media/community/index.php?/topic/22889-emby-behind-a-reverse-proxy-remote-control-issue/

 

I can put up a quick step by step if anyone is interested but, be warned. It involves router port forwarding and some linux know-how. 

  • Like 2

sansoo22

Anyone looking to do this on an unRAID build can follow this link: http://lime-technology.com/forum/index.php?topic=39413.0. I had a few things that gave me some fits so I will document what they were below.

  1. I had to remap 80 to 8080 on my unRAID box because the default UI for unRAID is already mapped to 80.
  2. I am using a No-IP DDNS that is like example.ddns.net so I entered that for the URL setting and left the subdomain setting blank.
  3. /mnt/user/appdata/ngnix/etc/letsencrypt/live/example.ddns.net/privkey.pfx is where I found my cert file for Emby. The /ngnix portion of the path may vary depending on where you install this docker.

Once I pointed Emby to the path above for a cert file I restarted my Emby instance and was in business. The one pesky iOS device I have...or should say...my girlfriend has is now working like a charm. Now all that's left to do is keep coming up with reasons why I can't put her collection of chick flicks on my server.

Luke

If anyone wants to help assist in getting this into something that can run across windows, linux and osx, we are definitely interested in embedding and automating this.

anderbytes


What about an existing open-source Java client?

 

https://github.com/shred/acme4j

 

I don't know much of programming... but Emby server could "git" it down and use it normally.

orcist
Automating Lets Encrypt for Emby on FreeNAS

 

--to get started go to the jails tab on the top panel and select your emby jail and then click on the terminal button on the bottom 

...

 

chigh,

 

When you modify an Emby jail like this, what happens when you want to upgrade it using the FreeNAS plugins manager (I'm running 9.3)? Is this persistent, or do you have to redo this each time?

 

Thanks.

chigh

 

That is a good question. I want to say that it would be fine after an update but, I'm not entirely certain. 

adam1010

For the Let's Encrypt certs -- have you guys considered hosting a DNS server for Premiere users? You would assign a random subdomain (when enabled) like 987qjwjqwe23.embyserver.tv and have each user's Emby server keep that subdomain's IP address updated. Then you could use Let's Encrypt DNS based verification in order to acquire the certificate. The Emby server software would be responsible for acquiring and renewing its own certificate, but it would rely on the official Emby DNS server to keep a subdomain pointed at it and to allow updating the necessary TXT record.  (This new official Emby DNS server could be self-hosted, or could use Route53)

I would imagine that will be the most universal solution, particularly with users that can't keep ports 80/443 open to their Emby server to handle the Let's Encrypt challenges.

 

I'd be happy to design out the process flow if it's something the Emby maintainers would consider implementing.
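The hosted-zone scheme described above has two sides: the Emby server computes and publishes a dns-01 response under its random subdomain, and the CA recomputes and checks it. The following added Python example (not Emby's, Let's Encrypt's or certbot's code) walks through that exchange as RFC 8555 section 8.4 and RFC 7638 define it, with a constructed account key and token; the zone name embyserver.tv is the proposal's own example, the JWK values are placeholders rather than a real key, and the `zone` dict stands in for the hosted DNS server.

```python
#!/usr/bin/env python3
"""dns-01 validation pieces for a hosted "random subdomain" zone.

Added example, not Emby's or Let's Encrypt's code. ACCOUNT_JWK and TOKEN are
constructed placeholders; a real client takes them from its ACME account key
and from the authorization object the CA returns.
"""
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, keys in
    lexicographic order, no whitespace. Optional members (alg, kid) are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint, binding the challenge to the
    account that asked for it so another account cannot answer it."""
    return token + "." + jwk_thumbprint(account_jwk)


def dns01_txt_value(key_auth: str) -> str:
    """RFC 8555 section 8.4: the TXT record holds base64url(SHA-256(keyAuthorization))."""
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())


def random_subdomain(zone: str = "embyserver.tv", nbytes: int = 6) -> str:
    """A random host label under the hosted zone, as in the proposal."""
    return secrets.token_hex(nbytes) + "." + zone


def publish_dns01(zone: dict, hostname: str, token: str, account_jwk: dict) -> str:
    """Emby-server side: add the TXT record to the (stand-in) hosted zone and
    return its name so the caller can remove it after validation."""
    name = "_acme-challenge." + hostname
    zone.setdefault(name, set()).add(dns01_txt_value(key_authorization(token, account_jwk)))
    return name


def ca_validates(zone: dict, hostname: str, token: str, account_jwk: dict) -> bool:
    """CA side: recompute the expected value from the token it issued and the
    account key it already holds, then look for it in the published TXT set."""
    expected = dns01_txt_value(key_authorization(token, account_jwk))
    return expected in zone.get("_acme-challenge." + hostname, set())


# Constructed inputs: a placeholder RSA public JWK (not a real key) and a token
# of the shape a CA hands back in an authorization object.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key",
               "alg": "RS256"}
TOKEN = "constructed-token-X1Y2Z3"

if __name__ == "__main__":
    zone = {}
    host = random_subdomain()
    name = publish_dns01(zone, host, TOKEN, ACCOUNT_JWK)
    print(name, "TXT", sorted(zone[name])[0])
    print("CA validation:", ca_validates(zone, host, TOKEN, ACCOUNT_JWK))
```

The point of the thumbprint step is what makes the hosted zone workable: the CA never sees the account's private key, yet only the account holder can produce a TXT value that matches, so the zone operator (Emby, in the proposal) can accept TXT updates for a subdomain without being able to obtain certificates for it itself, provided the update API is authenticated per user.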

ebr

Yes, we have considered something like that but we have to build, host and maintain that system first :).  All in good time...
