wolfgang

Hi,

 

I could really use some help.

 

I'm hosting a website on my very own server (latest Debian). I bought a domain from noip.com, so I can also set up subdomains. For those I also got valid SSL certificates. My self-hosted WordPress site works well this way.

 

Now I want to have access to Emby from "outside".

 

https://blabla.com:8920 gives me NET::ERR_CERT_AUTHORITY_INVALID, most likely because I use my own certificate which doesn't cooperate with Emby!?

 

https://emby.blabla.com would be nice, but how do I do that? Only got subdomains working with Apache. Also it wouldn't solve my problem, right?

 

Trying to use my own certificate in Emby results in "ERR_CONNECTION_CLOSED".

 

Unencrypted http works fine, but obviously I want to avoid that. So, what can I do?


  • Solution
Cerothen

Did you ensure that the certificate you are trying to use with Emby is an unpassworded PFX file?

 

You can use OpenSSL to convert any certificate (+chain +key) into a PFX file; when it asks for a password, just leave it blank.

 

This is the command line I use for my letsencrypt certs:

openssl pkcs12 -export -out hostcert.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:

The "-passout pass:" deliberately doesn't have anything after it, since it should be blank.


wolfgang

Thank you for your quick reply. Since I pretty much messed up the cert files on my computer I want to re-download them from auth.startssl.com, but I cannot log in since my browsers tell me the server doesn't respond.. ??

 

On the other hand, I think my startssl.com.p12 file is all I should need, but it still doesn't work..

 

Edit: I redownloaded my certificates and followed your advice (using crt files). Now it works. Thank you a lot!

 

Edit2: Well it works in Chromium, Safari, but not Firefox..

"SEC_ERROR_UNKNOWN_ISSUER"


wolfgang

It kinda works now in Firefox too. Had to create a unified certificate which consists of my very own and a second one from startssl I previously downloaded already. Using this certificate I managed to create the pfx file. It works in Firefox Developer Edition completely fine, also in the Android version. Current Firefox stable gives me an error still, but I can add an exception.

Safari, Chrome (+Chromium-based), IE etc. are fine.

 

Good enough for now, thank you.

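The two checks the posts above turn on, as an added example that is not part of any post: that the PFX opens with an empty password, and that it carries the intermediate certificate (the "unified certificate" fix), which a client with no cached intermediates needs in order to reach a trusted root. Function names and file names are assumptions; `root.pem` stands for the CA root certificate you trust.

```shell
#!/bin/sh
# Added example (not from the thread). Function and file names are assumptions.

# build_pfx KEY CERT CHAIN OUT: key + leaf + intermediates, empty export password
build_pfx() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -out "$4" -passout pass: || return 1
    chmod 600 "$4"    # the private key inside is not password protected
}

# pfx_cert_count PFX: certificates in the bundle (1 means leaf only, no chain)
pfx_cert_count() {
    openssl pkcs12 -in "$1" -passin pass: -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# pfx_key_matches PFX: succeeds only if the private key belongs to the leaf
pfx_key_matches() {
    local cert_pub key_pub
    cert_pub=$(openssl pkcs12 -in "$1" -passin pass: -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkcs12 -in "$1" -passin pass: -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# chain_verifies ROOT PFX: validate the leaf against ROOT using only the
# intermediates shipped in the PFX, as a client with none cached has to
chain_verifies() {
    local tmp rc
    tmp=$(mktemp -d) || return 1
    openssl pkcs12 -in "$2" -passin pass: -nokeys -clcerts 2>/dev/null >"$tmp/leaf.pem"
    openssl pkcs12 -in "$2" -passin pass: -nokeys -cacerts 2>/dev/null >"$tmp/ca.pem"
    openssl verify -CAfile "$1" -untrusted "$tmp/ca.pem" "$tmp/leaf.pem" >/dev/null 2>&1
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage: sh check_pfx.sh privkey.pem cert.pem chain.pem root.pem hostcert.pfx
if [ "$#" -eq 5 ]; then
    build_pfx "$1" "$2" "$3" "$5" &&
        echo "certificates in PFX: $(pfx_cert_count "$5")" &&
        pfx_key_matches "$5" && chain_verifies "$4" "$5" &&
        echo "OK: key matches and chain validates"
fi
```

A count of 1 together with a failing `chain_verifies` is the leaf-only bundle: browsers that already know the intermediate accept it, others report an unknown issuer.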

H3kt0r

I too have issues with self-created-SSL-cert

Steps taken:

- created non-password-protected cert > converted it to foo.pfx > configured it to Emby-settings

- configured local ssl-port 8920, domain blahblahblah.net, public ssl-port is 55555, local ip-address to Emby-settings

- [ x ] Report https as external address

- forwarded port 55555 > 8920 in my router

- initiated connection from internet with FF-browser: https://blahblahblah.net:55555 responds but warns about the cert > made security exception > logged in OK

- however Emby Theater Windows-client (Win 7 Pro x64) refuses to see the very same server:

 

Connection error - We're unable to connect to the selected server. Please ensure its running and try again

 

Is Emby-Theater incompatible with ssl-certs/connections?


  • 3 weeks later...
hijinx

I just added a CA signed certificate from letsencrypt.

This site is really helpful (note - google translate messes up the commands):

 

http://blog.ouranos.fr/index.php/2016/01/04/emby-https/

 

Also basic instructions from here:

https://letsencrypt.org/getting-started/

 

You need to have your own domain, e.g. emby.mydomain.com, and have DNS configured to point to the Emby server's external IP (including use of a DDNS service to do this; I use dnsomatic and Cloudflare DNS).

You need to have port 443 open on your router and mapped to your Emby server's IP.

(This is because the Let's Encrypt certificate issuing process calls back to your server to ensure you own the domain.)

git clone https://github.com/certbot/certbot
cd certbot
./certbot-auto certonly --standalone -d emby.domain.com
cd /etc/letsencrypt/live/emby.domain.com
sudo openssl pkcs12 -inkey privkey.pem -in fullchain.pem -export -out emby.pfx

Note:

1) Because certbot spawns a root-owned process, the /etc/letsencrypt dirs have root-only permissions, so you may need to adjust permissions.

2) When openssl asks for a password, pass none (press Enter).

 

Finally, configure Emby to use the certificate at path /etc/letsencrypt/live/emby.domain.com/emby.pfx

 

Let's Encrypt certificates are valid for 3 months, so this needs to be repeated every 3 months.

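The three-monthly repeat described above, as an added example that is not part of the post: it rebuilds the PFX non-interactively (using the empty `-passout pass:` from the earlier answer instead of the prompt) whenever the certificate is newer than the PFX, and warns when the certificate is close to expiry. Function names, the output path and the 30-day default are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): keep the PFX in step with certbot renewals.
# Function names, the output path and the 30-day default are assumptions.

# cert_expires_within PEM DAYS: succeeds if the certificate expires within DAYS.
# A missing or unreadable certificate also counts as expiring (fail closed).
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# pfx_is_stale CERT PFX: PFX is missing or older than the (renewed) certificate
pfx_is_stale() {
    [ ! -f "$2" ] || [ "$1" -nt "$2" ]
}

# refresh_pfx LIVE_DIR OUT: rebuild OUT from privkey.pem + fullchain.pem.
# Written to a 0600 temp file and renamed, so a partial file is never served.
refresh_pfx() {
    local tmp
    tmp=$(mktemp "$2.XXXXXX") || return 1
    if openssl pkcs12 -export -inkey "$1/privkey.pem" -in "$1/fullchain.pem" \
            -out "$tmp" -passout pass:; then
        mv "$tmp" "$2"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage: sh refresh_emby_pfx.sh LIVE_DIR OUT_PFX [WARN_DAYS]
if [ "$#" -ge 2 ]; then
    if cert_expires_within "$1/fullchain.pem" "${3:-30}"; then
        echo "warning: certificate expires within ${3:-30} days; renew it first" >&2
    fi
    if pfx_is_stale "$1/fullchain.pem" "$2"; then
        refresh_pfx "$1" "$2" && echo "rebuilt $2"
    fi
fi
```

Because the PFX holds the private key without a password, writing it to a path outside /etc/letsencrypt and giving ownership to the account Emby runs as keeps the rest of that directory root-only.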
