jhoff80 87 Posted July 1, 2018

> Now I just need to work out how to use Certify SSL Manager and the Let’s Encrypt certificate request/auto renewal GUI for IIS on Windows to make the certificate roll ad infinitum.

It looks like Certify has an option for post-execution PowerShell scripts. I would think there has to be a way to export the pfx to a file somewhere and then set Emby to use that file, but I unfortunately don't know PowerShell well enough for that.

notla49285 46 Posted August 9, 2018

I got up to the part of manual verification to get a certificate. I've been waiting over an hour now and it still can't find the TXT record??

Edited August 9, 2018 by notla49285

jhoff80 87 Posted August 10, 2018

So I had mentioned earlier that I thought Certify the Web's post-execution PowerShell scripts could be used to export to a pfx file that Emby could point to. It appears that I've got that working now:

    Param($result)
    # Read the renewed certificate so its serial number can be passed to certutil
    $pfx = Get-PfxCertificate -FilePath $result.ManagedItem.CertificatePath
    # -f overwrites the existing file; -p sets the password on the exported pfx
    certutil -f -p Password -exportpfx $pfx.SerialNumber "C:\Users\Joe\AppData\Roaming\Emby-Server\Certificate.pfx"

Basically I cut out parts of a different example script they gave and updated it to Emby's directory. So now it'll force overwrite the existing file every time, and then Emby will read from that file. Then, as long as the computer and/or Emby service is restarted within the timeframe before the cert expiry, it should hopefully all work automatically.

notla49285 46 Posted August 16, 2018

I'm still stuck at the point of trying to generate a certificate. I've added a TXT record to my Namecheap site as per the guide and set TTL to 1 min (lowest available). I clicked the verify button and keep getting "No TXT record found". I tried this after 5 minutes, 10 minutes, half hour, 1 hour, 2 hours, 3.5 hours, 12 hours, 15 hours and just now after 20 hours, still nothing.

vaise 307 Posted August 18, 2018

I feel for all you people working on this. Since I moved to Unraid from Windows, I just added the letsencrypt docker that includes nginx and it does all the cert stuff for you automatically and you are literally up and running in minutes. It even has emby as one of the samples. Once I saw how easy it was for a ddns (duckdns), I then used my own domain instead, added subdomains and after just a few minutes of editing I am up again in an even better configuration. I wish I found this years ago! I have added so much cool stuff, and I no longer have to leave a NAS (now sold) and my Windows PC on 24/7.

gnollo 16 Posted August 18, 2018

> I feel for all you people working on this. Since I moved to Unraid from Windows, I just added the letsencrypt docker that includes nginx and it does all the cert stuff for you automatically and you are literally up and running in minutes. It even has emby as one of the samples. Once I saw how easy it was for a ddns (duckdns), I then used my own domain instead, added subdomains and after just a few minutes of editing I am up again in an even better configuration. I wish I found this years ago! I have added so much cool stuff, and I no longer have to leave a NAS (now sold) and my Windows PC on 24/7.

Mhmm any guides? I literally installed a docker on my unraid server yesterday as I'm looking to move the Emby server there. Emby is running, as it's detected by my phone Emby app but I have no idea on how to configure it...

Sent from my SM-A520F using Tapatalk

vaise 307 Posted August 18, 2018

> Mhmm any guides? I literally installed a docker on my unraid server yesterday as in looking to move the Emby server there. Emby is running, as it's detected by my phone Emby app but I have no idea on how to configure it...
>
> Sent from my SM-A520F using Tapatalk

Hi,

You mean configure the emby server on the unraid docker? It's exactly the same as when configuring Windows, except different drive mappings etc. In my case, I moved all my Movies, TV shows etc. to unraid shares, then in emby created libraries for them, then ported all the rest of the config over bit by bit as I could have both emby consoles open at once. I was unable to do a backup/restore of the watched history however due to library changes or something (posted in these forums about that).

There is a docker forum area on here that you should post on relating to that stuff if you need help - we better not hijack this thread.

For reference - Dockers I have added:

- EmbyServerBeta - My primary emby
- EmbyServer - just for testing if an issue is with the beta or real
- binhex-delugevpn - Auto TV Shows
- binhex-jackett - Auto TV Shows
- binhex-sonarr - Auto TV Shows
- tvheadend - Live TV recording (6 network tuners)
- letsencrypt - ssl and nginx reverse proxy
- zoneminder - IP Cameras
- duplicate - Backups
- binhex-krusader - File management
- lazy-librarian - keeps track of new book availability
- binhex-lidarr - keeps track of new album availability

I have a shed load of plugins too - rclone is used to copy IP camera footage to google drive, user scripts take care of backups to unassigned devices and network shares.

I also have 4 work related VMs I converted from Oracle Virtualbox on Windows to the unraid system - working great 24/7.

Edited August 18, 2018 by vaise

customized 1 Posted September 18, 2018

I checked out Swynol's blog: https://blog.awelswynol.co.uk

Awesome stuff! I'm actually having a hard time accessing his site right now, so I'll post here. He runs a blacklist on his nginx setup that comes from Emerging Threats. His updating setup is a manual process, so I whipped up an automatic one.

If you're running a blacklist like Swynol, save the code below as a batch file, like "RefreshBlacklist.bat" or something memorable in the same folder as your existing blacklist. Make sure to change the paths (the directory of the location of your blacklist, and the drive it's on) on the first few lines. Same thing on the "bitsadmin" row. It finds its current location now, though if you have problems you might want to write in your own paths in there.

This batch file can be run by Windows Task Scheduler to run overnight or on any schedule you'd like.

    :: This program gets the latest IP list from Emerging Threats and formats it in a way that NGINX can read
    :: Find the current directory
    set mypath=%~dp0
    cd /d "%mypath%"
    :: Remove the old blacklist
    del blacklist.conf
    :: Get the new source file using WGET (BITSADMIN - below - is the default because no other packages are necessary, use WGET if BITSADMIN breaks someday)
    ::wget --no-check-certificate https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
    :: If you do not want to use WGET, BITSADMIN will work too.
    bitsadmin /transfer wcb /priority high https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt "%mypath%emerging-Block-IPs.txt"
    :: Remove the comment lines from the source file and create an intermediate file
    findstr /V "#" emerging-Block-IPs.txt > nohash.txt
    :: Move through the intermediate file and add "deny" and ";" to each line, save as the completed .conf
    @echo off
    setLocal EnableDelayedExpansion
    for /f "tokens=* delims= " %%a in (nohash.txt) do (
    set /a N+=1
    echo ^deny %%a^;>>blacklist.conf
    )
    :: Clean up. Delete the intermediate file and the source file
    del nohash.txt
    del emerging-Block-IPs.txt

Edited September 18, 2018 by customized

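Added example, not part of customized's post or Swynol's guide: the same feed-to-nginx conversion in Python, with two safeguards the batch file does not have. Every entry is validated as an IP address or CIDR range before it is written, and the existing blacklist.conf is replaced only once a complete new file is ready. The feed excerpt is constructed from documentation address ranges, and `MIN_ENTRIES` and the function names are assumptions made for this example.

```python
import ipaddress
import os
import tempfile

# Constructed excerpt in the layout of emerging-Block-IPs.txt ("#" comments,
# blank lines, addresses, CIDR ranges), plus two lines a bad download might add.
SAMPLE_FEED = """\
# Emerging Threats block list (constructed sample)
192.0.2.15
198.51.100.0/24

# Section header
203.0.113.7
203.0.113.7
<html>502 Bad Gateway</html>
10.0.0.300
"""

MIN_ENTRIES = 1  # assumption: set a realistic floor for the real feed


def build_deny_lines(feed_text):
    """Return (deny_lines, rejected_entries) for one downloaded feed."""
    seen, deny, rejected = set(), [], []
    for raw in feed_text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # ignore comments and blank lines
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)  # unparsed text never reaches the nginx config
            continue
        if net not in seen:
            seen.add(net)
            deny.append(f"deny {net};")
    return deny, rejected


def write_blacklist(feed_text, conf_path, min_entries=MIN_ENTRIES):
    """Replace conf_path only when the feed yields enough valid entries."""
    deny, _rejected = build_deny_lines(feed_text)
    if len(deny) < min_entries:
        return False  # keep the previous blacklist.conf in place
    folder = os.path.dirname(os.path.abspath(conf_path))
    fd, tmp_path = tempfile.mkstemp(dir=folder, suffix=".tmp")
    with os.fdopen(fd, "w", newline="\n") as handle:
        handle.write("\n".join(deny) + "\n")
    os.replace(tmp_path, conf_path)  # swap in the finished file in one step
    return True
```

nginx reads included files only when it starts or reloads its configuration, so after a successful replace run `nginx -t` and then `nginx -s reload`.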
Overseer 66 Posted September 18, 2018

@customized, does nginx need to be restarted every time the blacklist is updated?

customized 1 Posted September 18, 2018

> @customized, does nginx need to be restarted everytime the blacklist is updated?

I don't know. I wondered that myself. I don't personally run nginx, but I might someday. I just wanted to do something nice for Swynol since he's done so much awesome stuff for all of us and SSL.

This could be tested by running a one line blacklist that blocks IPs (based on the format), testing access (should fail). Then replacing the blacklist with a normal one and testing access (should pass).

Or the following lines could be added to the end of the batch file to stop and start nginx. This also hasn't been tested. Now I want to set up a reverse proxy!

    :: This will restart NGINX (assuming the service name is "nginx" and the user has privileges to make changes)
    net stop nginx
    net start nginx

Edited September 18, 2018 by customized

Hansel11 0 Posted March 27, 2019

First off I just want to say that this is an incredible guide with some phenomenal follow up by everyone (I may or may not have read through every single post).

So my issue occurs after step 4 where I have been able to successfully mimic all prior steps, including 1.a. The issue occurs when trying to connect remotely via https://emby.mydomain.com. I have no problem connecting to Emby through http://emby.mydomain.com:8096

Below are my settings and completions (OS is Windows 10):

- Set up a DDNS - Yes - But reverted to completing 1.a successfully later
- Purchase a domain name - Yes - It's 'mydomain.com' (not really, just demonstrating that it's a .com domain)
- Getting an SSL certificate - Yes - I followed the steps to a T and successfully acquired the 3 files

I added the following sub-domains into sslforfree.com and had successful txt tests for all:

- mydomain.com
- emby.mydomain.com
- dns.mydomain.com
- radarr.mydomain.com
- sonarr.mydomain.com
- sabnzbd.mydomain.com

I then successfully converted into a 'certificate.pfx' file.

I then input all information and settings into Emby (Unsuccessfully).

My settings in the 'Advanced' section are as follows:

- Lan Networks: empty
- Bind local network address: empty
- Local http port: 8096
- Local https port: 443
- Remote IP address filter: empty
- Remote IP address filter mode: Whitelist
- Public http port: 8096
- Public https port: 443
- External domain: 'https://emby.mydomain.com'
- Custom ssl certificate path: 'C:\SSL\certificate.pfx'
- Certificate password: mycertificate password (strong)
- Secure connection mode: Required for all remote connections
- Enable automatic port mapping: Unchecked
- Internet streaming bitrate limit: 450 (I get 500mbps upload)

My port forwarding/router settings on my ASUS RT-AC5300 are as follows:

- 443 forwarded as both UDP + TCP, with 443 as both Internal and external port mapped from my IP
- 8096 forwarded as both UDP + TCP, with 8096 as both Internal and external port mapped from my IP
- I have UPNP Enabled
- I have NAT Enabled
- I have DNS Enabled
- I have DDNS Enabled (using a different NO-IP host name than for the Emby server)

I have verified the following:

- Ports 443 and 8096 are open (verified using whatsmyip port scanner)
- Windows firewall is not the issue - verified by completely disabling the firewall
- Emby is listening and is the only process listening on port 443 - verified by checking in 'Resource Monitor'
- There are several TCP connections on port 443 - NVIDIA Share.exe, nvcontainer.exe, svchost.exe and potentially chrome.exe although that is grayed out...

I believe this pretty much covers my position.

I am able to remotely connect to http://emby.mydomain.com:8096 with success.

I am not able to connect to https://emby.mydomain.com

Reading through the entirety of the forum I ran across a few tid-bits that may be the cause of the issue.

- Creating sub-domains - Is this something that I need to manually do within namecheap?
- Verifying https://mydomain.com - I input https://emby.mydomain.com into ssllabs.com/ssltest and it kicked me back with 'Assessment failed: No supported protocols supported'. Do I need to verify my domain? If so how?
- I believe this goes hand in hand with the previous point but I heard mention of needing to verify the SSL certificate...? Do I need to do this? If so how?

Any help or suggestions are greatly appreciated. I've spent over 10 hrs trying to get this working with no success. If anyone can help me it's you guys!!

Edited March 28, 2019 by Hansel11

Hansel11 0 Posted March 28, 2019

Small update on my predicament. I made my IP for the server static. I figured if I can get the https working with static then I can work backwards from there... but alas, still no luck. The situation is the same:

I am able to remotely connect to http://emby.mydomain.com:8096 with success.

I am not able to connect to https://emby.mydomain.com

Hansel11 0 Posted March 28, 2019

UPDATE: I got the HTTPS working BUT only because I recreated the certificate.pfx file in sslconverter with no password. This is definite progress but I obviously would like to have a secure password there. Is there any way to achieve this?

Luke 37132 Posted March 28, 2019

You can configure your certificate password on the same screen where you configure your certificate.

tmirzaian 3 Posted March 31, 2019

> Part 1.A.
>
> Ok, so this is an extension of Part 1. Dynamic DNS. If you used Part.1 above then got a SSL Cert for your shiny new domain name and followed all the other steps. When browsing to https://emby.embyssltest.com you will connect via HTTPS however your browser will warn you that the Cert isn't trusted as it was assigned to embyssltest.com however you are browsing to embyssltest.ddns.net because of the CNAME and URL redirecting.
>
> To fix this we need to setup your new domain name to do the Dynamic DNS'ing. For this I will demonstrate on NameCheap how I have mine setup.
>
> Head over to namecheap.com
> Create an account or login to your existing account.
> Go to Advanced DNS
> Scroll to the bottom where it says Dynamic DNS and turn it on.
> Create a A+ Dynamic DNS record.
> Host = a subdomain for example DNS
> Value = 127.0.0.1 (this doesn't really matter as it will be dynamically updated)
> TTL = Automatic
>
> We also need to edit the CNAME we created in Part.2 for emby.
>
> Under the Host Records
> Find the CNAME we created for emby.
> Host = emby
> Value = DNS.embyssltest.com
>
> We now need to find a way to update the NameCheap DDNS. Some routers will support this (follow Part.1 but substitute no-ip for the namecheap details) however if your router is like mine and doesn't support namecheap ddns then you need to download software to do this. Namecheap offer their own client.
>
> https://namecheap.simplekb.com/SiteContents/2-7C22D5236A4543EB827F3BD8936E153E/media/Dynamic%20DNS%20Client%20%202.0.0.7%20Beta.zip
>
> Unzip it and enter your details for namecheap. Once running it will update the 127.0.0.1 entry above with your external IP.
>
> Now that is setup we need to revisit Part.3 Getting the SSL Cert. When applying for the cert you now need to add another subdomain, DNS.embyssltest.com, so it should now look like
>
> embyssltest.com emby.embyssltest.com dns.embyssltest.com
>
> Now follow the other parts to configuring the SSL cert.
>
> Once done you should now get a nice green HTTPS:// connection to https://emby.embyssltest.com

A couple of questions -

#1 - With this step - does it eliminate the need for the Noip client to be running on the emby server?

#2 - When you say to edit the CNAME in the Dynamic DNS setting. Can you give your example of what it gets changed to?

dudeskin 0 Posted April 7, 2020

Hello,

Apologies for replying so late.

I have just followed all of your instructions, I have created the SSL cert, and downloaded nginx, done all the config you said.

When I run it, nothing happens. I try to get in emby via my domain which previously worked with the old 8096 port but now when I put 443 at the end it throws:

    400 Bad Request
    The plain HTTP request was sent to HTTPS port
    nginx/1.17.9.1 Unicorn

The port 443 is forwarded in my router.

Any ideas? Thanks in advance

leungalv 6 Posted May 31, 2020

Seems as though sslforfree has been purchased by ZeroSSL - can no longer verify by TXT Record. Which means that can no longer verify duckdns.org dynamic host without an actual domain it seems

MachineLearning 0 Posted December 12, 2020

Thank you swynol for such a comprehensive, noob friendly guide. It works pretty well for me up to part 4. Part 5 nginx setup got me stuck because my local emby server runs on ubuntu, an old desktop which I use as file/NAS server to be exact. While I'm researching nginx setup for emby on linux, I came across this https://gist.github.com/LukeCarrier/7cda1c5143ebc35f4a1b9329b999b181. Now would this setup work for ubuntu emby server stationed in home network where nginx runs on the same server? Also, if I enable nginx, can I still access my emby server on my local network without detouring to external one?

Edited December 12, 2020 by MachineLearning

MachineLearning 0 Posted December 13, 2020

The above approach ain't working for my ubuntu server. Other than that, access from local network can indeed be whitelisted from ufw. What I did was

    sudo ufw allow from 192.168.0.0/24

and that's it
