GoodOmens (posted March 27, 2016)

Now that DSM6 provides the ability to easily create a certificate for your DDNS I'm trying to get it to work with Emby. I downloaded my private key and the certificate (from the admin page) and generated a pfx file. When trying to load it I get the following error:

    2016-03-27 13:46:05.0289 Info HttpServer: attempting to load pfx: /volume1/@appstore/emby/var/ssl/cert.pfx
    2016-03-27 13:46:05.0763 Error HttpServer: Exception loading certificate: /volume1/@appstore/emby/var/ssl/cert.pfx
    *** Error Report ***
    Version: 3.0.5910.0
    Command line: /usr/local/emby/share/emby/MediaBrowser.Server.Mono.exe -programdata /usr/local/emby/var -ffmpeg /usr/local/ffmpeg/bin/ffmpeg -ffprobe /usr/local/ffmpeg/bin/ffprobe
    Operating system: Unix 3.10.77.0
    Processor count: 4
    64-Bit OS: True
    64-Bit Process: True
    Program data path: /usr/local/emby/var
    Mono: 4.2.2 (Stable 4.2.2.30/996df3c Thu Mar 17 11:46:47 CET 2016)
    Application Path: /volume1/@appstore/emby/share/emby/MediaBrowser.Server.Mono.exe
    Input data cannot be coded as a valid certificate.
    System.Security.Cryptography.CryptographicException
    at Mono.Security.X509.X509Certificate.Parse (System.Byte[] data) <0x40409cd0 + 0x00b57> in <filename unknown>:0
    at Mono.Security.X509.X509Certificate..ctor (System.Byte[] data) <0x40409be0 + 0x000bb> in <filename unknown>:0
    at System.Security.Cryptography.X509Certificates.X509Certificate2.Import (System.Byte[] rawData, System.String password, X509KeyStorageFlags keyStorageFlags) <0x40405630 + 0x001db> in <filename unknown>:0
    at System.Security.Cryptography.X509Certificates.X509Certificate2.Import (System.String fileName, System.String password, X509KeyStorageFlags keyStorageFlags) <0x404055e0 + 0x0003d> in <filename unknown>:0
    at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor (System.String fileName) <0x40405480 + 0x0006c> in <filename unknown>:0
    at SocketHttpListener.Net.HttpListener.LoadCertificateAndKey (System.String certificateLocation) <0x404050a0 + 0x0014f> in <filename unknown>:0
    InnerException: System.Security.Cryptography.CryptographicException
    Input data cannot be coded as a valid certificate.
    at Mono.Security.X509.X509Certificate.Parse (System.Byte[] data) <0x40409cd0 + 0x00117> in <filename unknown>:0

Any thoughts? The command I used to generate the PFX file was:

    openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out cert.pfx

horstepipe (posted April 4, 2016, edited April 4, 2016)

You should get three files (cert, privkey and chain) by exporting the certificate from DSM. Try this:

    openssl pkcs12 -inkey privkey.pem -in cert.pem -certfile chain.pem -export -out test.pfx

Luke (posted July 28, 2016)

We have a new installation procedure for Synology users. It's very easy and is now on our website: http://emby.media/nas-server.html

All Synology users are recommended to use this going forward (if your model supports it).

newb (posted October 16, 2016, edited February 16, 2017)

I was also wondering how to set up a valid SSL certificate for Emby on my Synology. The instructions in the above link are silent in this regard. I had already obtained an SSL certificate from Let's Encrypt via the DSM interface and had exposed my NAS to the outside world. So the steps I had to go through after that to get Emby to use that certificate are the following:

Edit: there are easier steps in the next post.

1. Export the certificate from DSM via Control Panel -> Security -> Certificates -> Export. This sends you a ZIP file containing 3 files.

2. Extract the contents of the ZIP file to a folder on the NAS. This will extract files cert.pem, chain.pem and privkey.pem.

3. SSH into the NAS and convert the 3 files into a .pfx file:

    cd /volume1/path/to/theextractedfiles
    sudo openssl pkcs12 -export -out cert.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:

   The above creates a new cert.pfx file with no password.

4. Next, copy this file to the Emby var/ssl folder - this seemed to be the most appropriate place, since other self-signed certificates are stored there:

    sudo cp cert.pfx /var/packages/EmbyServer/target/var/ssl/cert.pfx

5. Change the owner of the pfx file which was just copied to the embysvr user, grant read/write access to the owner and read access to everyone else - this matches the permissions which were applied to the other certificates already in the ssl folder:

    cd /var/packages/EmbyServer/target/var/ssl
    sudo chown embysvr: cert.pfx
    sudo chmod 644 cert.pfx

6. Now configure Emby to use the certificate via the dashboard under the Advanced tab. I had to specify the full path to the certificate:

    /var/packages/EmbyServer/target/var/ssl/cert.pfx

7. Restart Emby server.

The certificates issued by Let's Encrypt are only valid for three months. DSM is supposed to automatically renew the certificate, but of course this does not include automatically updating the certificate in Emby. So the above process will need to be followed every three months.

If Emby could allow for us to select a certificate from the certificate store, in the case of Synology devices this would be the DSM certificate store, the need for the above process could be eliminated, assuming that selecting a certificate from the certificate store could be implemented.

The above was just my way of enabling SSL with a certificate issued by a trusted certification authority. If there are easier ways, please do let me know!

Edit: Updated instructions to use /var/packages/EmbyServer/target/var/ssl so that they are not volume-specific.

newb (posted October 16, 2016, edited February 16, 2017)

After spending some more time on this I found out where the default certificate is stored on my Synology device:

    /usr/syno/etc/certificate/system/default

There is therefore no need to export and extract the certificate. I also figured, why not just create the .pfx file in the same folder and just get Emby to use it where it is. I am therefore updating the commands to the following:

1. SSH to the NAS, go to the default certificate folder and generate a .pfx file from the default certificate:

    cd /usr/syno/etc/certificate/system/default
    sudo openssl pkcs12 -export -out cert.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:

   A new file will be created called cert.pfx in the default certificate folder. The file should already have read permissions granted to everyone.

2. Now go to the Emby dashboard and get it to use the newly generated .pfx file under the Advanced tab. The path will be:

    /usr/syno/etc/certificate/system/default/cert.pfx

3. Restart Emby.

The first command can be run again if the certificate is renewed and Emby will probably need to be restarted. This does make things a lot simpler though.

Note: DSM will automatically obtain a new certificate from Let's Encrypt when the current certificate is about to expire (every 3 months), however the .pfx file will not automatically be regenerated. The above commands will need to be run every 3 months after DSM obtains a new certificate and Emby will need to be restarted after that, otherwise HTTPS will stop working in Emby.

Any thoughts?

Ashkaan (posted December 14, 2016)

Great job, newb. I came to the identical method myself, but for some reason, it doesn't work for me. I still can't get the ssl page to load.

newb (posted December 18, 2016)

Hi @Ashkaan, I am glad that we both came to the same method. It is a pity that it is not working for you though. What is the error that you are getting?

Have you exposed the Emby SSL port (default 8920) using UPnP or have you manually opened it up on your router? I used UPnP and initially had Emby do the automatic port mapping using the "Enable automatic port mapping" option on the Advanced screen, however I later opted for doing it via the DSM interface instead because all other automatic port mappings relating to the NAS were done there. It should work either way though.

If going the manual route (some routers do not support UPnP) then you would need to open up the port on your router via the virtual server / port forwarding option. On my Asus router I have that under WAN -> Virtual Server / Port Forwarding.

In my situation it was a bit more complicated though, the NAS is behind a router (Asus), which is behind another router (ADSL modem with routing enabled, for a specific reason). I opened up the Emby and other NAS ports of interest via UPnP on the Asus but had to manually forward the ports from the ADSL modem to the Asus.

I am not sure if the above helps at all. Perhaps if you describe your setup / network topology I can try to assist? Can you access Emby using HTTPS on port 8920 when you use the IP address of the NAS, even if you get an SSL error?

Darkjeje (posted February 15, 2017)

@newb Hello Newb, sorry for my English...

I used your topic for my certificate and it worked. But for many days now, my HTTPS access has been broken: https://emby.media/community/index.php?/topic/44503-no-https-access-since-the-beta-update/

I understood why HTTPS doesn't work: my file cert.pfx was deleted. I think it's Synology which has renewed my certificate. I have 4 files in /usr/syno/etc/certificate/system/default/: fullchain.pem and the 3 usual files. These 4 files are dated 29/01/17.

OK, so I'm going to repeat your procedure:

    cd /usr/syno/etc/certificate/system/default
    sudo openssl pkcs12 -export -out cert.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:

but nothing, the file cert.pfx is not created.

Do you have a problem with your certificate? Do you have any idea? Thank you for your help!!!

Jérémy

Darkjeje (posted February 16, 2017)

Ooooh today it's OK, your order has worked !!!

newb (posted February 16, 2017)

Great @Darkjeje, I am glad it worked for you. That is the one disadvantage of the Let's Encrypt certificates, that they expire every 3 months. I also had the issue where all of a sudden HTTPS stopped working on Emby, while the rest of the Synology apps did work via HTTPS. It took me a while to figure out that the .pfx file generated by the above commands had expired while DSM had automatically issued a new certificate (but it did not generate a new .pfx file).

So one must just be vigilant to run the above two commands every three months and after that to restart Emby. If HTTPS stops working, that would be the first thing I check. I think it's a small price to pay to have a free certificate issued by a trusted certification authority.

I will edit my posts above to include the warning. Thanks for the feedback!

Darkjeje (posted February 17, 2017)

Thank you for your feedback and your warning !!! My old certificate had to expire on Sunday so by being renewed in January I did not think that the problem came from there.

lesensei (posted September 8, 2017, edited September 8, 2017)

Hello all, I'm glad I found this thread. I was thinking of doing just that and searching if anyone else had already documented how to do it.

So I took the openssl command line here and created the following script, that you may keep wherever you wish on your Synology NAS. It will create/update the cert.pfx file in the /usr/syno/etc/certificate/system/default folder and then restart the Emby server.

    #!/bin/bash
    # Stop if the certificate folder is missing, so no file is written elsewhere
    cd /usr/syno/etc/certificate/system/default || exit 1
    # Bundle key, certificate and chain into a PFX with an empty password
    openssl pkcs12 -export -out cert.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
    # Restart Emby so that it loads the new file
    /var/packages/EmbyServer/scripts/_restart

You may paste this into any text file, name it Whatever.sh, make it executable (chmod +x) and then schedule it with the built-in Synology scheduler to run as root (I've scheduled it to run every night). You still need to configure Emby to use the certificate, but after that, you should be good to go.

Regards,

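Building on the scheduled script above, an added example (not part of the original thread, and not Emby or Synology code) that regenerates cert.pfx only when the certificate inside it no longer matches cert.pem, so a nightly run restarts Emby only after DSM has actually renewed. The `PFX_OWNER` variable, the `--refresh` argument and the owner-only file mode are assumptions of this example; the paths, the `embysvr` user and the restart script are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): refresh cert.pfx only after a renewal.
# refresh_pfx returns 0 = regenerated, 1 = already current, 2 = error.

# True when the leaf certificate inside the PFX ($2) is the same as cert.pem ($1).
pfx_is_current() {
    [ -f "$2" ] || return 1
    want=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
    have=$(openssl pkcs12 -in "$2" -passin pass: -nokeys -clcerts 2>/dev/null |
           openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ "$want" = "$have" ]
}

# $1 = directory holding cert.pem, chain.pem and privkey.pem (as exported by DSM).
refresh_pfx() {
    dir=$1
    if pfx_is_current "$dir/cert.pem" "$dir/cert.pfx"; then
        return 1
    fi
    # mktemp creates the file with mode 0600. The PFX has an empty password,
    # so file permissions are the only protection for the private key in it.
    tmp=$(mktemp "$dir/cert.pfx.XXXXXX") || return 2
    if openssl pkcs12 -export -out "$tmp" -inkey "$dir/privkey.pem" \
            -in "$dir/cert.pem" -certfile "$dir/chain.pem" -passout pass: &&
       { [ -z "${PFX_OWNER:-}" ] || chown "$PFX_OWNER" "$tmp"; } &&
       mv -f "$tmp" "$dir/cert.pfx"; then   # rename: Emby never sees a half-written file
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# Scheduled-task entry point: script.sh --refresh [directory]
if [ "${1:-}" = "--refresh" ]; then
    PFX_OWNER=${PFX_OWNER:-embysvr}   # service user named earlier in the thread
    refresh_pfx "${2:-/usr/syno/etc/certificate/system/default}"
    case $? in
        0) /var/packages/EmbyServer/scripts/_restart ;;   # restart script from the post above
        1) : ;;                                            # certificate unchanged, no restart
        *) echo "cert.pfx refresh failed" >&2; exit 1 ;;
    esac
fi
```

Scheduled as root with `--refresh`, a non-zero exit means the PFX could not be rebuilt and the old file was left in place.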
Darkjeje (posted September 10, 2017)

Thank you lesensei for your brilliant idea !!!

rhummer (posted January 3, 2018)

These instructions are perfect; they worked for me just fine, after some finagling. Though one odd thing, I thought it wasn't working initially as during startup I'm seeing the attached exception in my log. Not sure if it's something you want to look into, Luke.

Attachment: SSL_Log.txt

Luke (posted January 3, 2018)

But you weren't actually having a problem?

rhummer (posted January 3, 2018)

Correct, it connected just fine. I thought it wasn't working at first since I saw that error in the log. Just pointing out something odd.

Luke (posted January 3, 2018)

Thanks for the info.

lesensei (posted January 3, 2018)

Sorry to go off-topic, but I would have liked to look at the exception in the log file. Only, I get a message when trying to retrieve it saying I lack the authorization :-/ Is there a way to look at it ? Thanks.

Luke (posted January 3, 2018)

> Sorry to go off-topic, but I would have liked to look at the exception in the log file. Only, I get a message when trying to retrieve it saying I lack the authorization :-/ Is there a way to look at it ? Thanks.

Not unless he wishes to send it to you.

lesensei (posted January 3, 2018)

Yes, I just saw I can't even look at attachments I have uploaded myself. May I ask (for my own enlightenment) the reasoning behind this configuration of the forums ? It feels a bit awkward, but I guess it hasn't been set up this way just for the fun of it. Thanks again.

Luke (posted January 3, 2018)

We want to secure data in attachments, and our forum software doesn't give us many options so this is the best we can do right now.

pikeupe (posted January 3, 2018)

Hello, why not just use the reverse proxy of Synology?

Spaceboy (posted January 3, 2018)

> Hello, why not just use the reverse proxy of Synology?

Works well for me.

newb (posted January 23, 2018)

Yeah, after trying out the reverse proxy solution, it is definitely superior to the previous method. There is no longer a need for a script to run in order to regenerate any .pfx file or to restart Emby after the certificate changes. DSM handles the SSL all the way and it just works.

Below is my new configuration:

Note that I mapped DSM HTTPS port 8921 to Emby (localhost on the NAS) HTTP port 8096 as port 8920 was already taken, hence the rule:

    https://*:8921 -> http://localhost:8096

I then let Emby know that the public HTTPS port is now 8921 and cleared the custom certificate path:

stratumorien (posted January 26, 2018)

Thank you @newb; works great for me!