[Script][Solution]SSL Renewal for EMBY

[Shrom 6]

Hello every one !!

 

I just post here to share my SSL renewal script base on Let's Encrypt and Emby on Debian :

   #!/bin/bash

SSLPORT="your_port"
HOST="name.domain.tld"
RENEWDAY="60" 


EXPIRYDATE=`echo "QUIT" | openssl s_client -connect $HOST:$SSLPORT 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null|sed 's/notAfter=//g'`
#echo $EXPIRYDATE


EXPIRYDATE_epoch=$(date --date "$EXPIRYDATE" +%s)


CURRENT_DATE_epoch=`date +%s`


epochDiff=`echo "$EXPIRYDATE_epoch" - "$CURRENT_DATE_epoch"|bc`


### Get difference of days
dayDiff=`echo "$epochDiff"/86400|bc`


if [ "$dayDiff" -le "$RENEWDAY" ]
then
/etc/init.d/emby-server stop 
/etc/letsencrypt/letsencrypt-auto renew --standalone > /var/log/letsencrypt/renew.log 2>&1
openssl pkcs12 -inkey /etc/letsencrypt/live/"$HOST"/privkey.pem -in /etc/letsencrypt/live/"$HOST"/fullchain.pem -export -out /var/lib/emby-server/ssl/"$HOST".pfx -passout pass:
/etc/init.d/emby-server start
else
echo "There is "$dayDiff" days left for the certificate of "$HOST" and the autorenew is allowed for "$RENEWDAY" days or less" > /var/log/letsencrypt/renew.log 2>&1
fi"

 

This script will check if your certificate have less than $RENEWDAY left and if so, then the ssl will be renewed ans the new pfx (without password because emby need it) will be generated ans plavec on the default path of emby.

 

In both case Emby was stop and restart after this script (because Let's Encrypt need it too )

 

You just have to make a cron with that script and don't forget to chmod +x it

 

ENJOY IT

Edited May 6, 2016 by Shrom

[anderbytes 140]

Very good, but for me still can't use it because my ISP won't allow opening ports 80 and 443.

 

That means my server has another port open... and LetsEncrypt still doesn't support that.

The day it supports, please update your script.

 

Good job!!

[Shrom 6]

Hey  

 

thx a lot

 

At the time my script is already for that with the SSL_PORT variable

 

Just for infos I dont use 443 port too  

 

I use a custom port and it works

 

Just configure the port on emby server and choose the .pfx file who is "/var/lib/emby-server/ssl/"$HOST".pfx" by default

 

You can use this script now

[anderbytes 140]

Hey  

 

thx a lot

 

At the time my script is already for that with the SSL_PORT variable

 

Just for infos I dont use 443 port too

 

I use a custom port and it works

 

Just configure the port on emby server and choose the .pfx file who is "/var/lib/emby-server/ssl/"$HOST".pfx" by default

 

You can use this script now

 

But SSLPORT is used only to get cert expiration. It is not used by letsencrypt-auto yet

Edited May 16, 2016 by anderbytes

[Shrom 6]

SSLPport is use to check the port on your server. 

 

As I said I've other server using lets encrypr with custom port and I don't understand your problem.

 

You can also install lets encrypt with standalone option to use a custom port

[anderbytes 140]

SSLPport is use to check the port on your server. 

 

As I said I've other server using lets encrypr with custom port and I don't understand your problem.

 

You can also install lets encrypt with standalone option to use a custom port

 

Understood. Will try it later.

[Shrom 6]

Don't hesitate to give your feedback

[hijinx 4]

Small note that now letsencrypt exited beta the letsencrypt tool has been replaced with with certbot.

https://github.com/certbot/certbot

[Shrom 6]

Thx a lot @hijinx I will post it soon to github with this modification

I need to update my servers scripts before

[Shrom 6]

Done

 

This script is available here :

 

https://github.com/shrom59/letsencryptemby

 

You just have to make a cron tab and modifiy the vars

 

Enjoy

[hijinx 4]

Thanks @@Shrom. Works great

[Shrom 6]

You're welcome ? 

 

I just need one person to make a plugin that we can Include in Emby web admin

 

@@Luke, Is anyone can help me ? 

 

We can also make a script to create a first certificate

[Luke 40065]

where is the process documented? if i think it's easy enough then i'll just build it into the server and we'll stop using the self-signed cert.

[Shrom 6]

hum interesting.

 

The script I made is available here : https://github.com/shrom59/letsencryptemby (renewal script).

 

I can modify it to make a first cert if you need to.

 

The lets encrypt website is available here : https://letsencrypt.org/getting-started/

 

To make the first script you should something like this :

 

/etc/init.d/emby-server stop

/etc/certbot certonly --standalone -d domain.tld

openssl pkcs12 -inkey /etc/certbot/live/$domain.tld/privkey.pem -in /etc/certbot/live/$domain.tld/fullchain.pem -export -out /var/lib/emby-server/ssl/domain.pfx -passout pass:

/etc/init.d/emby-server start

   

 

This require a valid domain name (fqdn) redirected to this server. So I think you can use it by default, because a DNS server is needed to make a DNS redirection to the host.

 

But my idea is this :

 

If your a a valid domaine name (an option is present in webadmin emby so I think you can made a control of it (test if this fqdn is recheable to DNS request) then an option will be visible and create a cartificate with this domain name.

Then make a planified task in the wbe admin who run every 60 days to renewal it and make log in emby server log if the my renewal script print that if the certificate is not available to renewal (more than 60 days available, this is a letsencrypt limit).

 

What do you think about that @@Luke ?

 

I can talk directly with you in skype or waht else if you want

 

Peace

[Luke 40065]

i think it's a promising idea yes.

[Shrom 6]

I remain at your disposal @@Luke so

Edited May 23, 2016 by Shrom

[nwcatalyst 4]

Apologies for necro-bumping this, but this feature seems super useful for a lot of users. Can we get native PEM support?