
[Script][Solution]SSL Renewal for EMBY



Posted (edited)

Hello everyone!!

I'm just posting here to share my SSL renewal script based on Let's Encrypt and Emby on Debian:

#!/bin/bash

SSLPORT="your_port"
HOST="name.domain.tld"
RENEWDAY="60"

# Read the expiry date (notAfter) of the certificate currently served on $HOST:$SSLPORT
EXPIRYDATE=$(echo "QUIT" | openssl s_client -connect "$HOST:$SSLPORT" 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null | sed 's/notAfter=//')
#echo $EXPIRYDATE

# Stop if the certificate could not be read: `date --date ""` would otherwise
# resolve to today and trigger a renewal
if [ -z "$EXPIRYDATE" ]
then
    echo "Could not read the certificate of $HOST on port $SSLPORT" >&2
    exit 1
fi

EXPIRYDATE_epoch=$(date --date "$EXPIRYDATE" +%s)
CURRENT_DATE_epoch=$(date +%s)
epochDiff=$(( EXPIRYDATE_epoch - CURRENT_DATE_epoch ))

### Get difference of days
dayDiff=$(( epochDiff / 86400 ))

if [ "$dayDiff" -le "$RENEWDAY" ]
then
    # Emby is stopped during the renewal and the PFX export, then restarted
    /etc/init.d/emby-server stop
    /etc/letsencrypt/letsencrypt-auto renew --standalone > /var/log/letsencrypt/renew.log 2>&1
    # Export key and chain to a PFX with an empty password for Emby
    openssl pkcs12 -inkey /etc/letsencrypt/live/"$HOST"/privkey.pem -in /etc/letsencrypt/live/"$HOST"/fullchain.pem -export -out /var/lib/emby-server/ssl/"$HOST".pfx -passout pass:
    /etc/init.d/emby-server start
else
    echo "There is $dayDiff days left for the certificate of $HOST and the autorenew is allowed for $RENEWDAY days or less" > /var/log/letsencrypt/renew.log 2>&1
fi
 
This script will check if your certificate has less than $RENEWDAY days left and, if so, the SSL certificate will be renewed and the new pfx (without a password, because Emby needs it) will be generated and placed in the default path of Emby.

In both cases Emby is stopped and restarted after this script (because Let's Encrypt needs it too :))

You just have to make a cron job with that script, and don't forget to chmod +x it :D
 
ENJOY IT :)
Edited by Shrom
  • Like 1
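As an added example (not part of the original post or of the author's GitHub script), the renewal check and PFX export from the script above can be split into functions that treat an unreadable certificate as an error and verify the passwordless PFX before it replaces the one Emby loads. It assumes GNU date and openssl; the function names and the OWNER argument are hypothetical.

```bash
# Added example, not the thread author's script. Assumes GNU date and openssl.

# renew_decision NOT_AFTER NOW_EPOCH RENEW_DAYS
# Prints whole days left; returns 0 = renew, 1 = still valid, 2 = expiry unknown.
renew_decision() {
    local not_after="$1" now="$2" renew_days="$3" expiry days
    # `date --date ""` silently means "today", so an unread certificate must be
    # rejected here instead of being treated as one that expires now.
    [ -n "$not_after" ] || return 2
    expiry=$(date --utc --date "$not_after" +%s 2>/dev/null) || return 2
    days=$(( (expiry - now) / 86400 ))
    echo "$days"
    [ "$days" -le "$renew_days" ]
}

# pfx_matches_cert PFX PEM
# Succeeds only if the leaf certificate inside the passwordless PFX has the same
# SHA-256 fingerprint as the first certificate in the PEM file.
pfx_matches_cert() {
    local pfx_fp pem_fp
    pfx_fp=$(openssl pkcs12 -in "$1" -clcerts -nokeys -passin pass: 2>/dev/null |
             openssl x509 -noout -fingerprint -sha256 2>/dev/null)
    pem_fp=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null)
    [ -n "$pfx_fp" ] && [ "$pfx_fp" = "$pem_fp" ]
}

# export_pfx LIVE_DIR OUT [OWNER]
# Builds the PFX in a temporary file beside OUT (mktemp creates it mode 600),
# verifies it, then renames it into place so Emby never loads a partial file.
# OWNER is the account Emby runs as (site-specific, hypothetical parameter).
export_pfx() {
    local live="$1" out="$2" owner="$3" tmp
    tmp=$(mktemp "$out.XXXXXX") || return 1
    if openssl pkcs12 -export -inkey "$live/privkey.pem" -in "$live/fullchain.pem" \
            -out "$tmp" -passout pass: 2>/dev/null &&
       pfx_matches_cert "$tmp" "$live/fullchain.pem" &&
       { [ -z "$owner" ] || chown "$owner" "$tmp"; } &&
       mv "$tmp" "$out"
    then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Constructed sample: notAfter string in openssl's format, "now" fixed 30 days earlier.
sample_now=$(date --utc --date "May  2 12:00:00 2030 GMT" +%s)
renew_decision "Jun  1 12:00:00 2030 GMT" "$sample_now" 60
```

Because the PFX has an empty password, the file mode and owner are the only protection for the private key inside it.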
anderbytes
Posted

Very good, but I still can't use it because my ISP won't allow opening ports 80 and 443.

That means my server has another port open... and LetsEncrypt still doesn't support that.

The day it supports that, please update your script.

 

Good job!!

Posted

Hey  :)

 

thx a lot :)

 

At the moment my script is already ready for that with the SSL_PORT variable :)

Just for info, I don't use port 443 either ;)

I use a custom port and it works ;)

Just configure the port on the Emby server and choose the .pfx file, which is "/var/lib/emby-server/ssl/"$HOST".pfx" by default ;)

 

You can use this script now ;)

anderbytes
Posted (edited)

But SSLPORT is used only to get cert expiration. It is not used by letsencrypt-auto yet

Edited by anderbytes
Posted

SSLPORT is used to check the port on your server.

As I said, I have other servers using Let's Encrypt with a custom port and I don't understand your problem.

You can also install Let's Encrypt with the standalone option to use a custom port ;)

anderbytes
Posted

Understood. Will try it later.

Posted

Don't hesitate to give your feedback :D

Posted

Small note: now that letsencrypt has exited beta, the letsencrypt tool has been replaced with certbot.

https://github.com/certbot/certbot

Posted

Thx a lot @hijinx I will post it soon to github ;) with this modification ;)

I need to update my servers' scripts first :)

Posted

You're welcome ? 

 

I just need one person to make a plugin that we can include in the Emby web admin

@Luke, can anyone help me?

 

We can also make a script to create a first certificate ;)

Posted

where is the process documented? if i think it's easy enough then i'll just build it into the server and we'll stop using the self-signed cert.

Posted

hum interesting.

 

The script I made is available here : https://github.com/shrom59/letsencryptemby (renewal script).

 

I can modify it to make a first cert if you need to.

 

The lets encrypt website is available here : https://letsencrypt.org/getting-started/

 

To make the first script you should do something like this:

/etc/init.d/emby-server stop
/etc/certbot certonly --standalone -d domain.tld
# Export key and chain to a PFX with an empty password for Emby
openssl pkcs12 -inkey /etc/certbot/live/domain.tld/privkey.pem -in /etc/certbot/live/domain.tld/fullchain.pem -export -out /var/lib/emby-server/ssl/domain.pfx -passout pass:
/etc/init.d/emby-server start

   

 

This requires a valid domain name (FQDN) redirected to this server. So I think you can use it by default, because a DNS server is needed to make a DNS redirection to the host.

But my idea is this:

If you have a valid domain name (an option is present in the Emby web admin, so I think you can check it (test whether this FQDN is reachable by a DNS request)), then an option will be visible to create a certificate with this domain name.
Then make a scheduled task in the web admin which runs every 60 days to renew it, and write to the Emby server log if my renewal script prints that the certificate is not available for renewal (more than 60 days available, this is a letsencrypt limit).

What do you think about that @Luke?

I can talk directly with you on Skype or whatever else if you want ;)
 
Peace :)
Posted

i think it's a promising idea yes.

Posted (edited)

I remain at your disposal @@Luke ;) so ;)

Edited by Shrom
  • 8 months later...
Posted

Apologies for necro-bumping this, but this feature seems super useful for a lot of users. Can we get native PEM support?
