
Let’s Encrypt support for SSL certificates



So, I have been trying to make all of my internal management resources accessible via a single encrypted URL with my own domain. I want to lock it down with mutual authentication so that I can limit access to only my devices that have the client certificate installed. My hope is to get a publicly verifiable SSL certificate set up that automatically updates as needed without user intervention.

 

Before all this I was using an expensive DDNS service ($40 annually). The service was limited to say the least.

 

I decided on the following:

1. Let's Encrypt for my SSL certificate.

2. The Squid proxy/reverse proxy hosted on my pfSense router.

3. The ACME package hosted on my pfSense router.

 

The ACME package can automatically sync with the Let's Encrypt service to facilitate re-issuing a valid certificate.

 

Squid is likely not the optimal service for a reverse proxy, but my hope is to keep as much as possible on my firewall in order to avoid having to host any more services on my HTPC.

 

I needed a domain name that would provide me with control of the DNS service related to the domain, to add a TXT custom reference to. After some digging, I ended up going for a Google domain I purchased for $12 annually. I was able to add the TXT custom reference that my ACME service needed to show I owned the domain. Additionally, the Google domain supports DDNS and allows updates via API. I was able to create a third-level domain that is used for the DDNS that points to my home IP. My pfSense firewall already has a DDNS update package that I was using in the original DDNS setup. All in all, the Google domain service offers a ton of features for the price.

 

I am still working out the bugs on my reverse proxy and will, God willing, have it working within the next week or so. Then I can work out any leftover bugs with getting the Emby app and cloud service working across the reverse proxy.

 

 

Sent from my iPhone using Tapatalk

Edited by Tur0k

I have been using LetsEncrypt for a while now and yes, on a Windows host (with a bit of Linux support though). LetsEncrypt for my DDNS address has been active a while now, but only for my Synology NAS. So in theory I always have an active and usable certificate on it, hidden in the Syno user folders (took a while to find it with SSH). Right now I'm doing tests on Emby and Plex and both needed a certificate, and both are able to use a certificate in PKCS12 format from an SMB share. Thus I tinkered around a bit on my NAS and ended up with a daily task running as root at 12:00:

openssl pkcs12 -export -out /volume1/music/cert.pfx -inkey /usr/syno/etc/certificate/system/default/privkey.pem -in /usr/syno/etc/certificate/system/default/cert.pem -certfile /usr/syno/etc/certificate/system/default/chain.pem -passout pass:

In this case I put it on my music share folder, which is accessible from my media server. The certificate is lying at "\\NAS\music\cert.pfx", which I used as the path in Emby and Plex, and both are very happy with it.

Spaceboy

I have a dynamic DNS service from dyn.com and I get free SSL certs from Let's Encrypt as a result of owning a Synology DiskStation. The DiskStation handles all the renewal of the cert.


I have a dynamic DNS service from dyn.com and I get free SSL certs from Let's Encrypt as a result of owning a Synology DiskStation. The DiskStation handles all the renewal of the cert.

 

That's what I use here. Let's Encrypt is free all the time, but a bit complicated to keep valid from Windows. Synology makes the certificate updates and I steal the cert for my Plex and Emby running on the NUC. I use SPDNS.de here (for the router, NAS, Plex and Emby; the last three use the same cert thanks to the task I wrote).


I'm part of the linuxserver.io group and we publish docker images for various apps.

 

We have a docker image for nginx/letsencrypt: https://hub.docker.com/r/linuxserver/letsencrypt/

 

I run that docker, which automatically receives and updates the certs and stores them on my server. Emby picks up the certs from the same location. Works pretty well.

 

With the same container, I could do a reverse proxy as well, but didn't bother with it yet.

Edited by aptalca
snake98

I'm part of the linuxserver.io group and we publish docker images for various apps.

 

We have a docker image for nginx/letsencrypt: https://hub.docker.com/r/linuxserver/letsencrypt/

 

I run that docker, which automatically receives and updates the certs and stores them on my server. Emby picks up the certs from the same location. Works pretty well.

 

With the same container, I could do a reverse proxy as well, but didn't bother with it yet.

Could you do a quick walk-through? I just got nginx installed on my Emby server.

chef

So, I have been scanning through this thread and was wondering if anyone had a step-by-step example to use Let's Encrypt and OpenSSL command lines in Windows. Something that could be run as an automated task.

 

I have a bit of understanding of these two applications and would like to make my own SSL cert automatically and not pay for one again.

 

Set it and forget it...

 

Also, how would emby server load the pfx file, when a new one is generated... Automagically?

 

Thanks in advance.

aptalca

Could you do a quick walk-through? I just got nginx installed on my Emby server.

 

 

So, I have been scanning through this thread and was wondering if anyone had a step-by-step example to use Let's Encrypt and OpenSSL command lines in Windows. Something that could be run as an automated task.

 

I have a bit of understanding of these two applications and would like to make my own SSL cert automatically and not pay for one again.

 

Set it and forget it...

 

Also, how would emby server load the pfx file, when a new one is generated... Automagically?

 

Thanks in advance.

 

The official client is certbot: https://certbot.eff.org/

I did set it up on my company website a while back, but honestly it was so long ago that I don't remember exactly how (it involved custom scripts and cron). It's still working so I don't mess with it.

 

At home I use the docker image that my group (linuxserver.io) maintains: https://hub.docker.com/r/linuxserver/letsencrypt/ 

It is a one-stop shop for an nginx webserver and reverse proxy with php7, and it automatically retrieves and updates the Let's Encrypt certs. It also generates the pfx file needed by Emby after each cert renewal (every 60 days). The page linked has instructions on how to create a docker container. You just need to make sure that your custom domain points to your server and port 443 is forwarded to the container. You enter your URL, subdomains, etc. into the docker create command and it just works. If you need to change the subdomains, remove the existing container and create a new one with the updated settings; it will revoke the old certs and create new ones. The data is stored in a separate persistent volume (mapped as /config in the container) so you can easily destroy and recreate the container.

aptalca

Also, how would emby server load the pfx file, when a new one is generated... Automagically?

 

The letsencrypt certs are symlinks. Every time they are renewed, the symlinks are updated to point to the current certs.

 

The pfx is generated from the letsencrypt certs after each renewal (automatically in our docker image, but you would have to do it manually or through a script otherwise) and saved on the server.

 

Emby looks for the pfx on the server and should pick up the new one as long as the name is the same (may require a restart; I haven't tested that part since my cert hasn't been renewed in a while).

chef

The letsencrypt certs are symlinks. Every time they are renewed, the symlinks are updated to point to the current certs.

 

The pfx is generated from the letsencrypt certs after each renewal (automatically in our docker image, but you would have to do it manually or through a script otherwise) and saved on the server.

 

Emby looks for the pfx on the server and should pick up the new one as long as the name is the same (may require a restart; I haven't tested that part since my cert hasn't been renewed in a while).

Sounds as though, if a plugin was built to create an SSL cert with Let's Encrypt and the OpenSSL command line, it might have to initiate a server restart to load the new SSL cert.

aptalca

Sounds as though, if a plugin was built to create an SSL cert with Let's Encrypt and the OpenSSL command line, it might have to initiate a server restart to load the new SSL cert.

You're probably right, but I'm not sure what type of webserver Emby is using.

 

If you or someone else is interested in writing a plugin for this, I can provide some tips or at least a starting point (I know nothing about emby plugin structures as I'm a recent convert)

 

Here's our script that does the initial validation: https://github.com/linuxserver/docker-letsencrypt/blob/master/root/etc/cont-init.d/50-config#L107

 

And here's the script for renewals: https://github.com/linuxserver/docker-letsencrypt/blob/master/root/app/le-renew.sh#L8

 

The renewal script runs every night. If the cert is expiring in thirty days or less, it runs the pre-hook, which stops nginx, then renews the cert, and then runs the post-hook, which starts nginx and generates the pfx.

 

Certbot in standalone mode puts up its own webserver listening on port 443, waiting for the ACME servers to connect and verify a file with a key. That's why nginx has to be stopped before validation, so port 443 is released.

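As an added example (not the linuxserver.io le-renew.sh script, and not code from anyone in this thread), here is the nightly check described above together with the PKCS#12 export posted earlier for the Synology NAS, written so the decision logic can be exercised without touching certbot or openssl. The certbot live directory, the PFX output path, the nginx stop/start commands and the PFX_PASS variable are assumptions, and the notAfter line is a constructed sample.

```python
"""Nightly Let's Encrypt renewal check plus PKCS#12 export for Emby (added
example, not the linuxserver.io le-renew.sh; paths and commands are placeholders)."""
import os
import subprocess
from datetime import datetime, timezone

LIVE_DIR = "/etc/letsencrypt/live/example.com"  # assumed certbot live dir (symlinks)
PFX_OUT = "/config/keys/cert.pfx"               # assumed path Emby is pointed at
RENEW_WITHIN_DAYS = 30                          # renew at 30 days or less remaining

def parse_not_after(enddate_line: str) -> int:
    """Turn `openssl x509 -noout -enddate` output, e.g.
    'notAfter=Jul  3 12:00:00 2017 GMT', into a UTC epoch timestamp."""
    value = enddate_line.split("=", 1)[1].strip()
    not_after = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return int(not_after.replace(tzinfo=timezone.utc).timestamp())

def days_until_expiry(enddate_line: str, now_epoch: int) -> int:
    return (parse_not_after(enddate_line) - now_epoch) // 86400

def renewal_due(enddate_line: str, now_epoch: int) -> bool:
    return days_until_expiry(enddate_line, now_epoch) <= RENEW_WITHIN_DAYS

def renewal_commands() -> list:
    """Sequence from the thread: the pre-hook stops nginx so certbot's standalone
    listener can take port 443, the post-hook starts it again, then the renewed
    PEM files (read through certbot's symlinks) are exported as a PFX."""
    certbot = ["certbot", "renew", "--standalone",
               "--pre-hook", "nginx -s stop", "--post-hook", "nginx"]  # assumed commands
    pkcs12 = ["openssl", "pkcs12", "-export", "-out", PFX_OUT,
              "-inkey", f"{LIVE_DIR}/privkey.pem", "-in", f"{LIVE_DIR}/cert.pem",
              "-certfile", f"{LIVE_DIR}/chain.pem",
              "-passout", "env:PFX_PASS"]  # password from the environment, not argv
    return [certbot, pkcs12]

def nightly(enddate_line: str, now_epoch: int, pfx_password: str,
            execute: bool = False) -> list:
    """Return the commands that would run tonight ([] when renewal is not due);
    they are only executed when execute=True."""
    if not renewal_due(enddate_line, now_epoch):
        return []
    commands = renewal_commands()
    if execute:
        env = {**os.environ, "PFX_PASS": pfx_password}  # keep the password out of ps output
        for cmd in commands:
            subprocess.run(cmd, check=True, env=env)  # stop before clobbering the old PFX
    return commands
```

Unlike the empty `-passout pass:` used on the NAS earlier in the thread, the PFX here gets a real password that Emby is then configured with, and it is handed to openssl via the environment rather than the command line.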
Swynol

Sounds as though, if a plugin was built to create an SSL cert with Let's Encrypt and the OpenSSL command line, it might have to initiate a server restart to load the new SSL cert.

 

If you're using NGINX with the cert then yes, NGINX will require a restart to load the new certs. Very easy to automate using a scheduled task.

 

I've never been able to get Let's Encrypt certs to renew automatically, so I normally just use ZeroSSL. Creating the cert the first time can take around 15-20 mins depending on how many subdomains you have. When you need to renew it, it takes 2-3 mins as you reuse the CSR that was generated the first time round.

 

Another reason I do it manually is that some of my services require workarounds for the cert to work.

snake98

The official client is certbot: https://certbot.eff.org/

I did set it up on my company website a while back, but honestly it was so long ago that I don't remember exactly how (it involved custom scripts and cron). It's still working so I don't mess with it.

 

At home I use the docker image that my group (linuxserver.io) maintains: https://hub.docker.com/r/linuxserver/letsencrypt/ 

It is a one-stop shop for an nginx webserver and reverse proxy with php7, and it automatically retrieves and updates the Let's Encrypt certs. It also generates the pfx file needed by Emby after each cert renewal (every 60 days). The page linked has instructions on how to create a docker container. You just need to make sure that your custom domain points to your server and port 443 is forwarded to the container. You enter your URL, subdomains, etc. into the docker create command and it just works. If you need to change the subdomains, remove the existing container and create a new one with the updated settings; it will revoke the old certs and create new ones. The data is stored in a separate persistent volume (mapped as /config in the container) so you can easily destroy and recreate the container.

Well, I got it running under Ubuntu, but now I'm trying to get it running under Windows. It's not putting out anything when I "docker start letsencrypt"; it shows running, but no files are showing up in the config folder. Any ideas?

snake98

Windows is a whole other beast when it comes to docker. Try "docker logs letsencrypt".

It's blank. It's weird; it doesn't even make config files. I can bash into it, but I don't see the etc/letsencrypt folder as on Ubuntu. I've forwarded port 81 to 80 and I can see the nginx website.

 

I can access the map and create files in bash, so I know it has access. Any ideas?

 

I also saw this when I ran ls -l on the main directory: config doesn't show write access for everybody, since it's an NTFS share.

 

Edit

I made a second one, and didn't share. I just created a config directory on the Linux side and did chmod 777 on /config. Didn't help; after a reboot, nothing there.

lrwxrwxrwx   1 root root    7 Apr 24 10:02 bin -> usr/bin
drwxr-xr-x   2 root root 4096 Apr  4 09:00 boot
drwxr-xr-x   2 root root    0 May  5 14:38 config
drwxr-xr-x  12 root root 2860 May  5 15:48 dev
drwxr-xr-x   1 root root 4096 May  5 15:48 etc
drwxr-xr-x   2 root root 4096 Apr  4 09:00 home
lrwxrwxrwx   1 root root    7 Apr 24 10:02 lib -> usr/lib
lrwxrwxrwx   1 root root    9 Apr 24 10:02 lib32 -> usr/lib32
lrwxrwxrwx   1 root root    9 Apr 24 10:02 lib64 -> usr/lib64
lrwxrwxrwx   1 root root   10 Apr 24 10:02 libx32 -> usr/libx32
drwxr-xr-x   2 root root 4096 Apr 24 10:02 media
drwxr-xr-x   2 root root 4096 Apr 24 10:02 mnt
drwxr-xr-x   2 root root 4096 Apr 24 10:02 opt
dr-xr-xr-x 122 root root    0 May  5 15:48 proc
drwx------   2 root root 4096 Apr 24 10:02 root
drwxr-xr-x   1 root root 4096 May  5 15:48 run
lrwxrwxrwx   1 root root    8 Apr 24 10:02 sbin -> usr/sbin
drwxr-xr-x   2 root root 4096 Apr 24 10:02 srv
dr-xr-xr-x  13 root root    0 May  5 16:27 sys
drwxr-xr-x   2 root root 4096 May  5 16:32 test
drwxrwxrwt   1 root root 4096 Apr 25 10:20 tmp
drwxr-xr-x   1 root root 4096 Apr 25 10:20 usr
drwxr-xr-x   1 root root 4096 Apr 25 10:20 var

[screenshot: letsencrypt.png] e then, but I get connection reset

Edited by snake98
aptalca

There is something wrong with the Windows screenshot. It shows the file debian_version. This letsencrypt container is Alpine based, not Debian. Are you sure you pulled the right repo? Could there be another container created with the name letsencrypt from a different image?

 

Please post your docker create command for Windows.

snake98

There is something wrong with the Windows screenshot. It shows the file debian_version. This letsencrypt container is Alpine based, not Debian. Are you sure you pulled the right repo? Could there be another container created with the name letsencrypt from a different image?

 

Please post your docker create command for Windows.

You were right, I deleted all images and repulled. But for some reason the port mapping isn't working right; I've checked with Kitematic and it shows blank.

 

Update

Reinstalled; now the port mapping shows up. Now I just have to figure out why it can't connect.

PS C:\WINDOWS\system32> docker ps -a
CONTAINER ID        IMAGE                     COMMAND             CREATED             STATUS                     PORTS               NAMES
488ccf7f8ef1        linuxserver/letsencrypt   "/init"             3 minutes ago       Exited (0) 3 minutes ago                       letsencrypt
PS C:\WINDOWS\system32>

[screenshot: docker.png]

Edited by snake98
snake98

Got it, Hyper-V uses port 443. I had the router change port 443 to 446, and had docker map 446 to 443 in the container; now it all works. Thanks for the help.

 

FYI, I got this all working inside VMware Workstation 12.5.5. I had to enable hyper-support.

Edited by snake98
aptalca

Got it, Hyper-V uses port 443. I had the router change port 443 to 446, and had docker map 446 to 443 in the container; now it all works. Thanks for the help.

 

FYI, I got this all working inside VMware Workstation 12.5.5. I had to enable hyper-support.

 

Excellent!! That's great to hear that it works under Windows.


Will I need to do anything to reapply for the certificate after 90 days, or will it take care of itself if it's running in docker? Thanks.

Edited by snake98