Shrom, posted May 6, 2016 (edited)

Hello everyone!! I'm just posting here to share my SSL renewal script based on Let's Encrypt and Emby on Debian:

```bash
#!/bin/bash
SSLPORT="your_port"
HOST="name.domain.tld"
RENEWDAY="60"

# Read the notAfter date of the certificate currently served on $HOST:$SSLPORT
EXPIRYDATE=$(echo "QUIT" | openssl s_client -connect "$HOST:$SSLPORT" 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null | sed 's/notAfter=//g')
#echo $EXPIRYDATE
EXPIRYDATE_epoch=$(date --date "$EXPIRYDATE" +%s)
CURRENT_DATE_epoch=$(date +%s)
epochDiff=$(echo "$EXPIRYDATE_epoch - $CURRENT_DATE_epoch" | bc)
### Get difference of days
dayDiff=$(echo "$epochDiff / 86400" | bc)
if [ "$dayDiff" -le "$RENEWDAY" ]
then
    # Stop Emby so the standalone authenticator can bind its port
    /etc/init.d/emby-server stop
    /etc/letsencrypt/letsencrypt-auto renew --standalone > /var/log/letsencrypt/renew.log 2>&1
    # Export key and chain to a PFX with an empty password
    openssl pkcs12 -inkey /etc/letsencrypt/live/"$HOST"/privkey.pem -in /etc/letsencrypt/live/"$HOST"/fullchain.pem -export -out /var/lib/emby-server/ssl/"$HOST".pfx -passout pass:
    /etc/init.d/emby-server start
else
    echo "There is $dayDiff days left for the certificate of $HOST and the autorenew is allowed for $RENEWDAY days or less" > /var/log/letsencrypt/renew.log 2>&1
fi
```

This script will check if your certificate has less than $RENEWDAY left and, if so, the SSL certificate will be renewed and the new pfx (without password because Emby needs it) will be generated and placed in the default path of Emby.

In both cases Emby was stopped and restarted after this script (because Let's Encrypt needs it too).

You just have to make a cron with that script, and don't forget to chmod +x it.

ENJOY IT

Edited May 6, 2016 by Shrom
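
The expiry check from the script above, split into functions that can be exercised offline, as an added example (not the original poster's code). The function names are hypothetical, the sample dates are constructed, and GNU date is assumed; unlike the posted script it passes `-servername` for SNI and treats an empty or unparsable date as an error instead of a reason to renew.

```bash
#!/bin/bash
# Added example, not the original poster's script. Function names are hypothetical.

# probe_not_after HOST PORT: print the notAfter date of the certificate served
# on HOST:PORT, or nothing if the connection or the parse fails.
probe_not_after() {
    echo "QUIT" | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null |
        openssl x509 -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# days_left NOT_AFTER [NOW_EPOCH]: print whole days until NOT_AFTER.
# Returns 2 when NOT_AFTER is empty or unparsable. GNU date reads an empty
# string as "today 00:00", so without this check a failed probe looks like
# a certificate with 0 days left and triggers a stop/renew/start cycle.
days_left() {
    local expiry now
    [ -n "$1" ] || return 2
    expiry=$(date -u --date "$1" +%s 2>/dev/null) || return 2
    now=${2:-$(date +%s)}
    echo $(( (expiry - now) / 86400 ))
}

# needs_renewal NOT_AFTER THRESHOLD_DAYS [NOW_EPOCH]
# 0 = renew now, 1 = still valid long enough, 2 = expiry date unknown.
needs_renewal() {
    local left
    left=$(days_left "$1" "$3") || return 2
    [ "$left" -le "$2" ]
}

# Constructed sample: a certificate ending 90 days after a fixed "now".
SAMPLE_NOW=$(date -u --date "May 6 12:00:00 2016 GMT" +%s)
SAMPLE_END="Aug  4 12:00:00 2016 GMT"
echo "days left: $(days_left "$SAMPLE_END" "$SAMPLE_NOW")"
```

In a cron job, feed `probe_not_after` into `needs_renewal` and stop Emby only on a return of 0; a return of 2 is worth logging and leaving the running server alone.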

anderbytes, posted May 12, 2016

Very good, but I still can't use it because my ISP won't allow opening ports 80 and 443. That means my server has another port open... and LetsEncrypt still doesn't support that.

The day it supports it, please update your script. Good job!!

Shrom (author), posted May 16, 2016

Hey, thx a lot.

At the moment my script is already set up for that with the SSLPORT variable.

Just for info, I don't use port 443 either; I use a custom port and it works.

Just configure the port on the Emby server and choose the .pfx file, which is "/var/lib/emby-server/ssl/"$HOST".pfx" by default.

You can use this script now.

anderbytes, posted May 16, 2016 (edited)

> Hey, thx a lot.
>
> At the moment my script is already set up for that with the SSLPORT variable.
>
> Just for info, I don't use port 443 either; I use a custom port and it works.
>
> Just configure the port on the Emby server and choose the .pfx file, which is "/var/lib/emby-server/ssl/"$HOST".pfx" by default.
>
> You can use this script now.

But SSLPORT is used only to get the cert expiration. It is not used by letsencrypt-auto yet.

Edited May 16, 2016 by anderbytes

Shrom (author), posted May 17, 2016

SSLPORT is used to check the port on your server. As I said, I have other servers using Let's Encrypt with a custom port and I don't understand your problem.

You can also install Let's Encrypt with the standalone option to use a custom port.

anderbytes, posted May 17, 2016

> SSLPORT is used to check the port on your server. As I said, I have other servers using Let's Encrypt with a custom port and I don't understand your problem.
>
> You can also install Let's Encrypt with the standalone option to use a custom port.

Understood. Will try it later.

Shrom (author), posted May 17, 2016

Don't hesitate to give your feedback.

hijinx, posted May 19, 2016

Small note: now that letsencrypt has exited beta, the letsencrypt tool has been replaced with certbot.

https://github.com/certbot/certbot

Shrom (author), posted May 22, 2016

Thx a lot @hijinx.

I will post it soon to GitHub with this modification.

I need to update my servers' scripts before.

Shrom (author), posted May 22, 2016

Done.

This script is available here: https://github.com/shrom59/letsencryptemby

You just have to make a crontab and modify the vars.

Enjoy

hijinx, posted May 22, 2016

Thanks @Shrom. Works great

Shrom (author), posted May 23, 2016

You're welcome.

I just need one person to make a plugin that we can include in the Emby web admin.

@Luke, can anyone help me?

We can also make a script to create a first certificate.

Luke, posted May 23, 2016

where is the process documented? if i think it's easy enough then i'll just build it into the server and we'll stop using the self-signed cert.

Shrom (author), posted May 23, 2016

Hum, interesting.

The script I made is available here: https://github.com/shrom59/letsencryptemby (renewal script). I can modify it to make a first cert if you need to.

The Let's Encrypt website is available here: https://letsencrypt.org/getting-started/

To make the first script you should do something like this:

```bash
# Paths are as posted; adjust them to your certbot installation
DOMAIN="domain.tld"
/etc/init.d/emby-server stop
/etc/certbot certonly --standalone -d "$DOMAIN"
# Export key and chain to a PFX with an empty password
openssl pkcs12 -inkey /etc/certbot/live/"$DOMAIN"/privkey.pem -in /etc/certbot/live/"$DOMAIN"/fullchain.pem -export -out /var/lib/emby-server/ssl/domain.pfx -passout pass:
/etc/init.d/emby-server start
```

This requires a valid domain name (FQDN) redirected to this server. So I think you can use it by default, because a DNS server is needed to make a DNS redirection to the host.

But my idea is this:

If you have a valid domain name (an option is present in the Emby web admin, so I think you can make a check of it (test if this FQDN is reachable by DNS request)), then an option will be visible and create a certificate with this domain name.

Then make a scheduled task in the web admin which runs every 60 days to renew it, and log in the Emby server log if my renewal script prints that the certificate is not available for renewal (more than 60 days available, this is a Let's Encrypt limit).

What do you think about that, @Luke?

I can talk directly with you on Skype or whatever else if you want.

Peace

Luke, posted May 23, 2016

i think it's a promising idea yes.

Shrom (author), posted May 23, 2016 (edited)

I remain at your disposal @Luke so

Edited May 23, 2016 by Shrom

nwcatalyst, posted January 24, 2017

Apologies for necro-bumping this, but this feature seems super useful for a lot of users. Can we get native PEM support?