SSL Certificate


GoodOmens

Now that DSM6 provides the ability to easily create a certificate for your DDNS I'm trying to get it to work with Emby.  

 

I downloaded my private key and the certificate (from the admin page) and generated a pfx file.  When trying to load it I get the following error:

2016-03-27 13:46:05.0289 Info HttpServer: attempting to load pfx: /volume1/@appstore/emby/var/ssl/cert.pfx
2016-03-27 13:46:05.0763 Error HttpServer: Exception loading certificate: /volume1/@appstore/emby/var/ssl/cert.pfx
    *** Error Report ***
    Version: 3.0.5910.0
    Command line: /usr/local/emby/share/emby/MediaBrowser.Server.Mono.exe -programdata /usr/local/emby/var -ffmpeg /usr/local/ffmpeg/bin/ffmpeg -ffprobe /usr/local/ffmpeg/bin/ffprobe
    Operating system: Unix 3.10.77.0
    Processor count: 4
    64-Bit OS: True
    64-Bit Process: True
    Program data path: /usr/local/emby/var
    Mono: 4.2.2 (Stable 4.2.2.30/996df3c Thu Mar 17 11:46:47 CET 2016)
    Application Path: /volume1/@appstore/emby/share/emby/MediaBrowser.Server.Mono.exe
    Input data cannot be coded as a valid certificate.
    System.Security.Cryptography.CryptographicException
      at Mono.Security.X509.X509Certificate.Parse (System.Byte[] data) <0x40409cd0 + 0x00b57> in <filename unknown>:0
      at Mono.Security.X509.X509Certificate..ctor (System.Byte[] data) <0x40409be0 + 0x000bb> in <filename unknown>:0
      at System.Security.Cryptography.X509Certificates.X509Certificate2.Import (System.Byte[] rawData, System.String password, X509KeyStorageFlags keyStorageFlags) <0x40405630 + 0x001db> in <filename unknown>:0
      at System.Security.Cryptography.X509Certificates.X509Certificate2.Import (System.String fileName, System.String password, X509KeyStorageFlags keyStorageFlags) <0x404055e0 + 0x0003d> in <filename unknown>:0
      at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor (System.String fileName) <0x40405480 + 0x0006c> in <filename unknown>:0
      at SocketHttpListener.Net.HttpListener.LoadCertificateAndKey (System.String certificateLocation) <0x404050a0 + 0x0014f> in <filename unknown>:0
    InnerException: System.Security.Cryptography.CryptographicException
    Input data cannot be coded as a valid certificate.
      at Mono.Security.X509.X509Certificate.Parse (System.Byte[] data) <0x40409cd0 + 0x00117> in <filename unknown>:0

Any thoughts?  The command I used to generate the PFX file was:

 

openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out cert.pfx


horstepipe

You should get three files (cert, privkey and chain) by exporting the certificate from DSM.

Try this:

openssl pkcs12 -inkey privkey.pem -in cert.pem -certfile chain.pem -export -out test.pfx

Edited by horstepipe

  • 3 months later...
  • 2 months later...

I was also wondering how to set up a valid SSL certificate for Emby on my Synology.

The instructions in the above link are silent in this regard.

 

I had already obtained an SSL certificate from Let's Encrypt via the DSM interface and had exposed my NAS to the outside world.

 

So the steps I had to go through after that to get Emby to use that certificate are the following:

 

Edit: there are easier steps in the next post.

  1. Export the certificate from DSM via Control Panel -> Security -> Certificates -> Export. This sends you a ZIP file containing 3 files.
  2. Extract the contents of the ZIP file to a folder on the NAS. This will extract the files cert.pem, chain.pem and privkey.pem.
  3. SSH into the NAS and convert the 3 files into a .pfx file:
    cd /volume1/path/to/theextractedfiles
    sudo openssl pkcs12 -export -out cert.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
  4. The above creates a new cert.pfx file with no password. Next, copy this file to the Emby var/ssl folder - this seemed to be the most appropriate place, since other self-signed certificates are stored there:
    sudo cp cert.pfx /var/packages/EmbyServer/target/var/ssl/cert.pfx
    
  5. Change the owner of pfx file which was just copied to the embysvr user, grant read/write access to the owner and read access to everyone else - this matches the permissions which were applied to the other certificates already in the ssl folder:
    cd /var/packages/EmbyServer/target/var/ssl
    sudo chown embysvr: cert.pfx
    sudo chmod 644 cert.pfx
  6. Now configure Emby to use the certificate via the dashboard under the Advanced tab. I had to specify the full path to the certificate: /var/packages/EmbyServer/target/var/ssl/cert.pfx
  7. Restart Emby server.

The certificates issued by Let's Encrypt are only valid for three months. DSM is supposed to automatically renew the certificate, but of course this does not include automatically updating the certificate in Emby. So the above process will need to be followed every three months.

 

If Emby could allow us to select a certificate from the certificate store (in the case of Synology devices this would be the DSM certificate store), the need for the above process could be eliminated, assuming that selecting a certificate from the certificate store could be implemented.

 

The above was just my way of enabling SSL with a certificate issued by a trusted certification authority. If there are easier ways, please do let me know!

 

Edit: Updated instructions to use /var/packages/EmbyServer/target/var/ssl so that they are not volume-specific.

Edited by newb
  • Like 1
  • Thanks 1

After spending some more time on this I found out where the default certificate is stored on my Synology device:

/usr/syno/etc/certificate/system/default

 

There is therefore no need to export and extract the certificate. I also figured, why not just create the .pfx file in the same folder and just get Emby to use it where it is.

 

I am therefore updating the commands to the following:

 

  1. SSH to the NAS, go to the default certificate folder and generate a .pfx file from the default certificate:
    cd /usr/syno/etc/certificate/system/default
    sudo openssl pkcs12 -export -out cert.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
  2. A new file will be created called cert.pfx in the default certificate folder. The file should already have read permissions granted to everyone. Now go to the Emby dashboard and get it to use the newly generated .pfx file under the Advanced tab. The path will be: /usr/syno/etc/certificate/system/default/cert.pfx
  3. Restart Emby.

The first command can be run again if the certificate is renewed and Emby will probably need to be restarted. This does make things a lot simpler though.

 

Note: DSM will automatically obtain a new certificate from Let's Encrypt when the current certificate is about to expire (every 3 months), however the .pfx file will not automatically be regenerated. The above commands will need to be run every 3 months after DSM obtains a new certificate and Emby will need to be restarted after that, otherwise HTTPS will stop working in Emby.

 

Any thoughts?

Edited by newb
  • Like 2

  • 1 month later...

Great job, newb. I came to the identical method myself, but for some reason it doesn't work for me. I still can't get the SSL page to load.


Hi @Ashkaan, I am glad that we both came to the same method.

 

It is a pity that it is not working for you though. What is the error that you are getting? Have you exposed the Emby SSL port (default 8920) using UPnP or have you manually opened it up on your router?

 

I used UPnP and initially had Emby do the automatic port mapping using the "Enable automatic port mapping" option on the Advanced screen, however I later opted for doing it via the DSM interface instead because all other automatic port mappings relating to the NAS were done there. It should work either way though. If going the manual route (some routers do not support UPnP) then you would need to open up the port on your router via the virtual server / port forwarding option. On my Asus router I have that under WAN -> Virtual Server / Port Forwarding. In my situation it was a bit more complicated though: the NAS is behind a router (Asus), which is behind another router (ADSL modem with routing enabled, for a specific reason). I opened up the Emby and other NAS ports of interest via UPnP on the Asus but had to manually forward the ports from the ADSL modem to the Asus.

 

I am not sure if the above helps at all. Perhaps if you describe your setup / network topology I can try to assist? Can you access Emby using HTTPS on port 8920 when you use the IP address on the NAS, even if you get an SSL error?


  • 1 month later...
Darkjeje

@newb

 

Hello Newb,

Sorry for my English...

I used your topic for my certificate and it works.

But for many days my HTTPS access has been broken: https://emby.media/community/index.php?/topic/44503-no-https-access-since-the-beta-update/

I understood why HTTPS doesn't work: my file cert.pfx is deleted.

I think it's Synology which has renewed my certificate. I have 4 files in /usr/syno/etc/certificate/system/default/: fullchain.pem and the 3 usual files.

These 4 files are dated 29/01/17.

I'm OK, I'm going to repeat your procedure:

cd /usr/syno/etc/certificate/system/default
sudo openssl pkcs12 -export -out cert.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:

but nothing, the file cert.pfx is not created.

Have you a problem with your certificate? Do you have any idea?

 

Thank you for your help !!!

 

Jérémy


Great @Darkjeje, I am glad it worked for you.

 

That is the one disadvantage of the Let's Encrypt certificates, that they expire every 3 months.

 

I also had the issue where all of the sudden HTTPS stopped working on Emby, while the rest of the Synology apps did work via HTTPS. It took me a while to figure out that the .pfx file generated by the above commands had expired while DSM had automatically issued a new certificate (but it did not generate a new .pfx file). So one must just be vigilant to run the above two commands every three months and after that to restart Emby. If HTTPS stops working, that would be the first thing I check. I think it's a small price to pay to have a free certificate issued by a trusted certification authority.

 

I will edit my posts above to include the warning. Thanks for the feedback!

  • Like 1

Darkjeje

Thank you for your feedback and your warning!!!

 

My old certificate had to expire on Sunday so by being renewed in January I did not think that the problem came from there.


  • 6 months later...
lesensei

Hello all,

 

I'm glad I found this thread. I was thinking of doing just that and searching if anyone else had already documented how to do it. So I took the openssl command line here and created the following script, that you may keep wherever you wish on your Synology NAS. It will create/update the cert.pfx file in the /usr/syno/etc/certificate/system/default folder and then restart the Emby server.

#!/bin/bash
# Regenerate the pfx in place from the DSM default certificate, then restart Emby.

cd /usr/syno/etc/certificate/system/default
openssl pkcs12 -export -out cert.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:

/var/packages/EmbyServer/scripts/_restart

You may paste this into any text file, name it Whatever.sh, make it executable (chmod +x) and then schedule it with the built-in Synology scheduler to run as root (I've scheduled it to run every night). You still need to configure Emby to use the certificate, but after that, you should be good to go.

 

Regards,

Edited by lesensei
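An added example that is not lesensei's script and not Emby project code: it builds on the commands in this thread but regenerates cert.pfx only when DSM has replaced cert.pem, checks that privkey.pem and cert.pem belong together before exporting, and restarts Emby only when the file actually changed. It assumes the thread's paths, that Emby runs as the embysvr user (the owner newb used), and that the `_restart` script lesensei posted exists.

```shell
#!/bin/sh
# Added example (not the thread's own script): refresh Emby's cert.pfx from the
# DSM default certificate only when DSM has renewed it. Run as root from the
# DSM scheduler with the argument "run"; with no argument it only defines functions.
set -u

CERT_DIR="${CERT_DIR:-/usr/syno/etc/certificate/system/default}"
EMBY_RESTART="${EMBY_RESTART:-/var/packages/EmbyServer/scripts/_restart}"
EMBY_USER="${EMBY_USER:-embysvr}"   # assumption: Emby runs as this user

# 0 when cert.pfx is missing or older than cert.pem (i.e. DSM renewed the cert).
pfx_is_stale() {
  [ ! -f "$1/cert.pfx" ] || [ "$1/cert.pem" -nt "$1/cert.pfx" ]
}

# 0 when privkey.pem and cert.pem carry the same public key; catches a renewed
# cert.pem sitting next to the wrong key, which would make the export useless.
key_matches_cert() {
  ck=$(openssl x509 -in "$1/cert.pem" -noout -pubkey 2>/dev/null) || return 1
  pk=$(openssl pkey -in "$1/privkey.pem" -pubout 2>/dev/null) || return 1
  [ -n "$ck" ] && [ "$ck" = "$pk" ]
}

# Export key + cert + chain to a password-less PKCS#12 (as in the thread), but
# create it with mode 0600 and move it into place atomically.
build_pfx() {
  ( umask 077 && openssl pkcs12 -export -out "$1/cert.pfx.tmp" \
      -inkey "$1/privkey.pem" -in "$1/cert.pem" -certfile "$1/chain.pem" \
      -passout pass: ) || return 1
  mv "$1/cert.pfx.tmp" "$1/cert.pfx"
}

main() {
  if ! pfx_is_stale "$CERT_DIR"; then
    echo "cert.pfx is newer than cert.pem; nothing to do"
    return 0
  fi
  key_matches_cert "$CERT_DIR" || { echo "privkey.pem does not match cert.pem" >&2; return 2; }
  build_pfx "$CERT_DIR" || { echo "openssl pkcs12 export failed" >&2; return 3; }
  # The pfx holds the private key: readable by Emby's user only, not by everyone.
  chown "$EMBY_USER": "$CERT_DIR/cert.pfx" && chmod 640 "$CERT_DIR/cert.pfx"
  "$EMBY_RESTART"
}

if [ "${1:-}" = "run" ]; then
  main
fi
```

Schedule `/path/to/Whatever.sh run` as root in the DSM Task Scheduler; the certificate path still has to be set once in the Emby dashboard as described above.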

  • 3 months later...
rhummer

These instructions are perfect, worked for me just fine after some finagling.

 

Though one odd thing, I thought it wasn't working initially as during startup I'm seeing the attached exception in my log.  Not sure if it's something you want to look into Luke.

SSL_Log.txt


rhummer

Correct, it connected just fine. I thought it wasn't working at first since I saw that error in the log.  Just pointing out something odd. :)


lesensei

Sorry to go off-topic, but I would have liked to look at the exception in the log file. Only, I get a message when trying to retrieve it saying I lack the authorization :-/ Is there a way to look at it?

 

Thanks.


Sorry to go off-topic, but I would have liked to look at the exception in the log file. Only, I get a message when trying to retrieve it saying I lack the authorization :-/ Is there a way to look at it?

 

Thanks.

Not unless he wishes to send it to you.


lesensei

Yes, I just saw I can't even look at attachments I have uploaded myself. May I ask (for my own enlightenment) the reasoning behind this configuration of the forums? It feels a bit awkward, but I guess it hasn't been set up this way just for the fun of it.

 

Thanks again.


We want to secure data in attachments, and our forum software doesn't give us many options so this is the best we can do right now.


  • 3 weeks later...

Yeah, after trying out the reverse proxy solution, it is definitely superior to the previous method. There is no longer a need for a script to run in order to regenerate any .pfx file or to restart Emby after the certificate changes. DSM handles the SSL all the way and it just works.

 

Below is my new configuration:

 

[Screenshot: DSM reverse proxy configuration (Reverseproxy.png)]

 

Note that I mapped DSM HTTPS port 8921 to Emby (localhost on the NAS) HTTP port 8096 as port 8920 was already taken, hence the rule:

https://*:8921 -> http://localhost:8096

I then let Emby know that the public HTTPS port is now 8921 and cleared the custom certificate path:

[Screenshot: Emby network settings with the public HTTPS port set to 8921 and the custom certificate path cleared (Emby.png)]

  • Like 1
  • Thanks 1