
Simple CA signed HTTPS SSL certificate with letsencrypt


hijinx

I just added a CA signed certificate from letsencrypt to get HTTPS for external connections.

This site is really helpful (note - google translate messes up the commands):

http://blog.ouranos..../04/emby-https/

Also basic instructions from here:

https://letsencrypt....etting-started/

You need to have your own domain, e.g. emby.mydomain.com, and have DNS configured to point to your emby server's external IP (including use of a DDNS service to do this; I use dnsomatic and cloudflare DNS).

You need to have port 443 open on your router and port mapped to your emby server's IP.

(This is because the letsencrypt certificate issuing process calls back to your server to ensure you own the domain.)


# Fetch certbot and request a certificate for your domain with the standalone
# authenticator (it binds the port itself, so nothing else may be listening on it)
git clone https://github.com/certbot/certbot
cd certbot
./certbot-auto certonly --standalone -d emby.domain.com
# Bundle the private key and full chain into the PKCS#12 file emby expects
cd /etc/letsencrypt/live/emby.domain.com
sudo openssl pkcs12 -inkey privkey.pem -in fullchain.pem -export -out emby.pfx

Note:

1) Because certbot spawns a root-owned process, the /etc/letsencrypt dirs have root-only permissions, so you may need to adjust permissions.

2) When openssl asks for a password, pass none (enter).

Finally configure emby to use the certificate at path /etc/letsencrypt/live/emby.domain.com/emby.pfx

letsencrypt certificates are valid for 3 months, so this needs to be repeated every 3 months.



What is the recommended way to give emby access to /etc/letsencrypt/live/emby.domain.com/emby.pfx?

For now all I did was

chmod -R 777 /etc/letsencrypt/live

but I'm sure there is a more elegant way.

For people in the future, here is slightly more information to get you up and running.

Forwarded ports 443 and 80 to my server so Let's Encrypt can authenticate.

cd certbot/
./certbot-auto certonly --standalone -d xxx.com

sudo su
cd /etc/letsencrypt/live/xxx.com/
openssl pkcs12 -inkey privkey.pem -in fullchain.pem -export -out emby.pfx
chmod -R 777 /etc/letsencrypt/live

Went to

Advanced > External domain: > xxx.com
Advanced > Custom ssl certificate path: > /etc/letsencrypt/live/xxx.com/emby.pfx
Advanced > Secure connection mode: > Required for all remote connections

and it worked flawlessly.

Edited by Eddie
adventclad

You can have a script triggered automatically after a renewal. I wrote the following one that:

  • removes the old pfx
  • generates a new one (with a custom password to be changed in the script)
    • The file is generated in /var/lib/emby/cert.pfx. I advise keeping this as default as emby already has access to this folder. You should configure the admin to use this path for the certificate
  • changes its access rights to be accessible by the emby user only
  • restarts emby-server

Just create an emby.sh file in the /etc/letsencrypt/renewal-hooks/post folder, and chmod +x emby.sh.

#!/bin/sh
# certbot renewal hook: /etc/letsencrypt/renewal-hooks/post/emby.sh
# RENEWED_LINEAGE is set by certbot when available; otherwise DEFAULT_LINEAGE
# is used (e.g. when the script is run by hand).

set -e

# Should be the same password for the certificate in emby admin
PASS="emby"
DEFAULT_LINEAGE="/etc/letsencrypt/live/YOUR.DOMAIN.TLD"
RENEWED_LINEAGE=${RENEWED_LINEAGE:-$DEFAULT_LINEAGE}
PFX="/var/lib/emby/cert.pfx"

# umask 077 makes openssl create the new file as 0600, so the private key is
# never readable by other users; chown/chmod then hand it to the emby user only
umask 077
rm -f "$PFX"
openssl pkcs12 -inkey "$RENEWED_LINEAGE/privkey.pem" -in "$RENEWED_LINEAGE/fullchain.pem" -export -out "$PFX" -passout "pass:$PASS"
chown emby:emby "$PFX"
chmod 600 "$PFX"
systemctl restart emby-server
echo "Emby certificate generated"
Edited by adventclad
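As an added example (not code from this thread, nor from Emby or certbot) covering both the manual export in the first post and the permissions question and renewal hook above: a small POSIX sh helper that creates the PFX with mode 0600 from the start instead of chmod -R 777, verifies the bundle actually decrypts with the configured password before it replaces the file Emby serves from, and reports whether the certificate is close to the 3-month expiry. The service account name emby, the EMBY_USER and PFX_PASS variables and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from this thread, Emby or certbot): export a certbot
# lineage to a PKCS#12 file for Emby without ever making the private key
# world-readable, verify the bundle decrypts, and check how soon the
# certificate needs renewing. Assumed names: the Emby service account is
# "emby" (override with EMBY_USER) and the PFX password comes from PFX_PASS
# (empty by default, matching "pass none" in the first post).

# export_emby_pfx LINEAGE_DIR OUT_PFX
#   LINEAGE_DIR is a certbot lineage such as /etc/letsencrypt/live/emby.domain.com
export_emby_pfx() {
    lineage=$1
    out=$2
    pass=${PFX_PASS:-}
    owner=${EMBY_USER:-emby}
    tmp="$out.tmp"

    # Refuse to run against an incomplete lineage
    if [ ! -r "$lineage/privkey.pem" ] || [ ! -r "$lineage/fullchain.pem" ]; then
        echo "missing privkey.pem or fullchain.pem in $lineage" >&2
        return 1
    fi

    # umask 077 makes openssl create the file as 0600 from the start, so there is
    # no window in which the key is readable by other users (contrast chmod -R 777)
    ( umask 077 && openssl pkcs12 -export \
        -inkey "$lineage/privkey.pem" -in "$lineage/fullchain.pem" \
        -out "$tmp" -passout "pass:$pass" ) || return 1

    # Prove the bundle opens with the configured password before replacing the
    # file Emby is serving from; a typo here would otherwise surface only at restart
    if ! openssl pkcs12 -in "$tmp" -noout -passin "pass:$pass"; then
        rm -f "$tmp"
        return 1
    fi

    chmod 600 "$tmp"
    # chown needs root and an existing account; skip with a warning otherwise
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chown "$owner:$owner" "$tmp"
    else
        echo "not root or no user '$owner': owner left unchanged" >&2
    fi
    mv -f "$tmp" "$out"
}

# renewal_due CERT_PEM DAYS
#   exit 0 if the certificate expires within DAYS days (time to renew), 1 otherwise
renewal_due() {
    # openssl -checkend N exits 0 when the certificate is still valid N seconds from now
    if openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# Usage (hypothetical paths):
#   PFX_PASS=changeme export_emby_pfx /etc/letsencrypt/live/emby.domain.com /var/lib/emby/cert.pfx
#   renewal_due /etc/letsencrypt/live/emby.domain.com/fullchain.pem 30 && echo "renew now"
```

Run as root from a certbot deploy or post hook, the export step gives the same result as the script above but the file is 0600 the moment it is written, and a wrong password is caught before emby-server is restarted against an unreadable bundle. The renewal_due check is what a cron job or monitoring probe can use to alert well before the 3-month expiry instead of discovering it when remote clients start failing.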