[Script][Solution]SSL Renewal for EMBY


Shrom

Hello everyone!!

I'm just posting here to share my SSL renewal script based on Let's Encrypt and Emby on Debian:

#!/bin/bash

SSLPORT="your_port"
HOST="name.domain.tld"
RENEWDAY="60"

# Read the expiry date (notAfter) of the certificate currently served on $HOST:$SSLPORT
EXPIRYDATE=$(echo "QUIT" | openssl s_client -connect "$HOST:$SSLPORT" 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null | sed 's/notAfter=//g')
#echo $EXPIRYDATE

# Convert the expiry date and the current date to epoch seconds
EXPIRYDATE_epoch=$(date --date "$EXPIRYDATE" +%s)
CURRENT_DATE_epoch=$(date +%s)

epochDiff=$(echo "$EXPIRYDATE_epoch - $CURRENT_DATE_epoch" | bc)

### Get difference of days
dayDiff=$(echo "$epochDiff / 86400" | bc)

if [ "$dayDiff" -le "$RENEWDAY" ]
then
    # Stop Emby, renew, rebuild the password-less PFX in Emby's default path, restart Emby
    /etc/init.d/emby-server stop
    /etc/letsencrypt/letsencrypt-auto renew --standalone > /var/log/letsencrypt/renew.log 2>&1
    openssl pkcs12 -inkey /etc/letsencrypt/live/"$HOST"/privkey.pem -in /etc/letsencrypt/live/"$HOST"/fullchain.pem -export -out /var/lib/emby-server/ssl/"$HOST".pfx -passout pass:
    /etc/init.d/emby-server start
else
    echo "There is $dayDiff days left for the certificate of $HOST and the autorenew is allowed for $RENEWDAY days or less" > /var/log/letsencrypt/renew.log 2>&1
fi

This script will check if your certificate has less than $RENEWDAY days left and, if so, the SSL certificate will be renewed and the new pfx (without password because Emby needs it) will be generated and placed in the default path of Emby.

In both cases Emby was stopped and restarted after this script (because Let's Encrypt needs it too :))

You just have to make a cron job with that script, and don't forget to chmod +x it :D

ENJOY IT :)
Edited by Shrom
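
An added example, not part of Shrom's post or repository: the same expiry check split into functions that report an unreadable certificate as an error instead of treating it as due for renewal, plus a PFX export that creates the password-less file with mode 0600. The function names and the OWNER argument are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not Shrom's script; function names are hypothetical.

# days_left NOT_AFTER [NOW_EPOCH]: whole days until an openssl notAfter date.
# Returns 1 when the date is empty or unparseable (e.g. the TLS connection
# failed), instead of letting it look like a certificate that expires today.
days_left() {
    local not_after="$1" now="${2:-$(date +%s)}" expiry
    [ -n "$not_after" ] || return 1
    expiry=$(date -u --date "$not_after" +%s 2>/dev/null) || return 1
    echo $(( (expiry - now) / 86400 ))
}

# renew_decision NOT_AFTER RENEWDAY [NOW_EPOCH]: prints renew, skip or error.
renew_decision() {
    local left
    left=$(days_left "$1" "$3") || { echo "error"; return 0; }
    if [ "$left" -le "$2" ]; then echo "renew"; else echo "skip"; fi
}

# served_not_after HOST PORT: notAfter of the certificate served right now.
served_not_after() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# export_pfx LIVE_DIR OUT_FILE OWNER
# The PFX has an empty password, so file mode and owner are the only
# protection for the private key. OWNER is the account Emby runs as
# (assumption: pass whatever user your service uses).
export_pfx() {
    ( umask 077    # temp file is created 0600, never world-readable
      openssl pkcs12 -export -inkey "$1/privkey.pem" -in "$1/fullchain.pem" \
          -out "$2.tmp" -passout pass: &&
      chown "$3" "$2.tmp" && mv -f "$2.tmp" "$2" )
}

# Sketch of the cron job body (HOST, SSLPORT, RENEWDAY as in the post):
#   case "$(renew_decision "$(served_not_after "$HOST" "$SSLPORT")" "$RENEWDAY")" in
#     renew) stop Emby, renew, export_pfx ..., start Emby ;;
#     error) echo "could not read certificate on $HOST:$SSLPORT" >&2; exit 1 ;;
#   esac
```
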

anderbytes

Very good, but I still can't use it because my ISP won't allow opening ports 80 and 443.

That means my server has another port open... and LetsEncrypt still doesn't support that.

The day it supports that, please update your script.

Good job!!


Shrom

Hey :)

thx a lot :)

At this time my script is already set up for that with the SSLPORT variable :)

Just for info, I don't use port 443 either ;)

I use a custom port and it works ;)

Just configure the port on the Emby server and choose the .pfx file, which is "/var/lib/emby-server/ssl/"$HOST".pfx" by default ;)

You can use this script now ;)


anderbytes

But SSLPORT is used only to get cert expiration. It is not used by letsencrypt-auto yet

Edited by anderbytes

Shrom

SSLPORT is used to check the port on your server.

As I said, I have another server using Let's Encrypt with a custom port and I don't understand your problem.

You can also install Let's Encrypt with the standalone option to use a custom port ;)


anderbytes

Understood. Will try it later.


hijinx

Small note: now that letsencrypt has exited beta, the letsencrypt tool has been replaced with certbot.

https://github.com/certbot/certbot


Shrom

You're welcome ?

I just need one person to make a plugin that we can include in the Emby web admin.

@Luke, can anyone help me?

We can also make a script to create a first certificate ;)


Where is the process documented? If I think it's easy enough then I'll just build it into the server and we'll stop using the self-signed cert.


Shrom

Hmm, interesting.

The script I made is available here: https://github.com/shrom59/letsencryptemby (renewal script).

I can modify it to make a first cert if you need me to.

The Let's Encrypt website is available here: https://letsencrypt.org/getting-started/

To make the first script you should do something like this:

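
/etc/init.d/emby-server stop

# Request the first certificate with the standalone authenticator
certbot certonly --standalone -d domain.tld

# certbot writes the certificate files under /etc/letsencrypt/live/<domain>/
openssl pkcs12 -inkey /etc/letsencrypt/live/domain.tld/privkey.pem -in /etc/letsencrypt/live/domain.tld/fullchain.pem -export -out /var/lib/emby-server/ssl/domain.pfx -passout pass:

/etc/init.d/emby-server start
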

This requires a valid domain name (FQDN) redirected to this server. So I think you can use it by default, because a DNS server is needed to make a DNS redirection to the host.

But my idea is this:

If you have a valid domain name (an option is present in the Emby web admin, so I think you can make a check of it (test if this FQDN is reachable by DNS request)), then an option will be visible to create a certificate with this domain name.
Then make a scheduled task in the web admin which runs every 60 days to renew it, and log in the Emby server log if my renewal script prints that the certificate is not available for renewal (more than 60 days available, this is a letsencrypt limit).

What do you think about that @Luke?

I can talk directly with you on Skype or whatever else if you want ;)

Peace :)