
Setting up SSL for Emby (WIP)


Swynol


jhoff80

Now I just need to work out how to use Certify SSL Manager and the Let's Encrypt certificate request/auto renewal GUI for IIS on Windows to make the certificate roll ad infinitum.

 

It looks like Certify has an option for post-execution PowerShell scripts.  I would think there has to be a way to export the pfx to a file somewhere and then set Emby to use that file, but I unfortunately don't know PowerShell well enough for that.


  • 1 month later...
notla49285

I got up to the part of manual verification to get a certificate. I've been waiting over an hour now and it still can't find the TXT record??

Edited by notla49285

jhoff80

So I had mentioned earlier that I thought Certify the Web's post-execution PowerShell scripts could be used to export to a pfx file that Emby could point to.

 

It appears that I've got that working now:

 

 

# Certify the Web runs this script after each renewal and passes the result object in as $result
Param($result)
# Load the renewed certificate so it can be identified by its serial number
$pfx = Get-PfxCertificate -FilePath $result.ManagedItem.CertificatePath
# Export it from the certificate store, overwriting (-f) the file Emby is configured to read.
# "Password" is the PFX password: use your own and enter the same one in Emby's certificate password field.
certutil -f -p Password -exportpfx $pfx.SerialNumber "C:\Users\Joe\AppData\Roaming\Emby-Server\Certificate.pfx"

 

Basically I cut out parts of a different example script they gave and updated it to Emby's directory.  So now it'll force overwrite the existing file every time, and then Emby will read from that file.  Then, as long as the computer and/or Emby service is restarted within the timeframe before the cert expiry, it should hopefully all work automatically.


notla49285

I'm still stuck at the point of trying to generate a certificate. I've added a TXT record to my Namecheap site as per the guide and set the TTL to 1 min (the lowest available). I clicked the verify button and keep getting "No TXT record found".

 

I tried this after 5 minutes, 10 minutes, half hour, 1 hour, 2 hours, 3.5 hours, 12 hours, 15 hours and just now after 20 hours, still nothing.


vaise

I feel for all you people working on this.

Since I moved to Unraid from Windows, I just added the letsencrypt docker that includes nginx and it does all the cert stuff for you automatically and you are literally up and running in minutes.

It even has emby as one of the samples.

Once I saw how easy it was for a ddns (duckdns), I then used my own domain instead, added subdomains and after just a few minutes of editing I am up again in an even better configuration.

I wish I had found this years ago! I have added so much cool stuff, and I no longer have to leave a NAS (now sold) and my Windows PC on 24/7.


gnollo

> I feel for all you people working on this.
>
> Since I moved to Unraid from Windows, I just added the letsencrypt docker that includes nginx and it does all the cert stuff for you automatically and you are literally up and running in minutes.
>
> It even has emby as one of the samples.
>
> Once I saw how easy it was for a ddns (duckdns), I then used my own domain instead, added subdomains and after just a few minutes of editing I am up again in an even better configuration.
>
> I wish I had found this years ago! I have added so much cool stuff, and I no longer have to leave a NAS (now sold) and my Windows PC on 24/7.

Mhmm, any guides? I literally installed a docker on my Unraid server yesterday as I'm looking to move the Emby server there. Emby is running, as it's detected by my phone Emby app, but I have no idea how to configure it...

 

Sent from my SM-A520F using Tapatalk


vaise

> Mhmm, any guides? I literally installed a docker on my Unraid server yesterday as I'm looking to move the Emby server there. Emby is running, as it's detected by my phone Emby app, but I have no idea how to configure it...
>
> Sent from my SM-A520F using Tapatalk

 

Hi, you mean configure the Emby server on the Unraid docker? It's exactly the same as when configuring Windows, except for different drive mappings etc. In my case, I moved all my Movies, TV shows etc. to Unraid shares, then in Emby created libraries for them, then ported all the rest of the config over bit by bit, as I could have both Emby consoles open at once. I was unable to do a backup/restore of the watched history however, due to library changes or something (posted in these forums about that). There is a docker forum area on here that you should post on relating to that stuff if you need help; we'd better not hijack this thread.

 

For reference - Dockers I have added :

 

EmbyServerBeta - My primary emby

EmbyServer - just for testing if an issue is with the beta or real

binhex-delugevpn - Auto TV Shows

binhex-jackett - Auto TV Shows

binhex-sonarr - Auto TV Shows

tvheadend - Live TV recording (6 network tuners)

letsencrypt - ssl and nginx reverse proxy

zoneminder - IP Cameras

duplicate - Backups

binhex-krusader - File management

lazy-librarian - keeps track of new book availability

binhex-lidarr -  keeps track of new album availability

 

I have a shed load of plugins too: rclone is used to copy IP camera footage to Google Drive, and user scripts take care of backups to unassigned devices and network shares.

 

I also have 4 work-related VMs I converted from Oracle VirtualBox on Windows to the Unraid system, working great 24/7.

Edited by vaise

  • 5 weeks later...
customized

I checked out Swynol's blog (https://blog.awelswynol.co.uk). Awesome stuff! I'm actually having a hard time accessing his site right now, so I'll post here.

 

He runs a blacklist on his nginx setup that comes from Emerging Threats.

 

His updating setup is a manual process, so I whipped up an automatic one.

 

If you're running a blacklist like Swynol, save the code below as a batch file, like "RefreshBlacklist.bat" or something memorable in the same folder as your existing blacklist.

 

Make sure to change the paths (the directory of the location of your blacklist, and the drive it's on) on the first few lines. Same thing on the "bitsadmin" row. It finds its current location now, though if you have problems you might want to write your own paths in there.

 

This batch file can be run by Windows Task Scheduler to run overnight or on any schedule you'd like.

:: This program gets the latest IP list from Emerging Threats and formats it in a way that NGINX can read
@echo off

:: Find the current directory (/d also switches drive if the script lives on another one, and the quotes allow spaces in the path)
set mypath=%~dp0
cd /d "%mypath%"

:: Get the new source file using WGET (BITSADMIN - below - is the default because no other packages are necessary, use WGET if BITSADMIN breaks someday)
:: Note: --no-check-certificate disables TLS verification of the download; drop it unless the download actually fails certificate checks
::wget --no-check-certificate https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

:: If you do not want to use WGET, BITSADMIN will work too.
bitsadmin /transfer wcb /priority high https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt "%mypath%emerging-Block-IPs.txt"

:: Stop here if the download failed, so the existing blacklist stays in place instead of being left empty
if not exist "%mypath%emerging-Block-IPs.txt" exit /b 1

:: Remove the old blacklist
del blacklist.conf

:: Remove the comment lines from the source file and create an intermediate file
findstr /V "#" emerging-Block-IPs.txt > nohash.txt

:: Move through the intermediate file and add "deny" and ";" to each line, save as the completed .conf
setLocal EnableDelayedExpansion
for /f "tokens=* delims= " %%a in (nohash.txt) do (
set /a N+=1
echo deny %%a;>>blacklist.conf
)

:: Clean up.  Delete the intermediate file and the source file
del nohash.txt
del emerging-Block-IPs.txt
Edited by customized

customized

> @customized, does nginx need to be restarted every time the blacklist is updated?

 

I don't know.  I wondered that myself.  I don't personally run nginx, but I might someday.  I just wanted to do something nice for Swynol since he's done so much awesome stuff for all of us and SSL.

 

This could be tested by running a one-line blacklist that blocks IPs (based on the format) and testing access (should fail), then replacing the blacklist with a normal one and testing access (should pass).

 

Or the following lines could be added to the end of the batch file to stop and start nginx.  This also hasn't been tested.  Now I want to set up a reverse proxy!

:: This will restart NGINX (assuming the service name is "nginx" and the user has privileges to make changes)
net stop nginx
net start nginx
Edited by customized
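Added example, not code from customized's batch file or Swynol's blog: the same conversion in Python, which validates each line with the standard ipaddress module (so one garbled line cannot produce a deny rule nginx refuses to load) and replaces blacklist.conf atomically (so a failed download keeps the old list instead of leaving none). The Emerging Threats sample below is constructed, and the comment at the end answers the restart question: nginx only re-reads its configuration on `nginx -s reload`.

```python
import ipaddress
import os
import tempfile

# Constructed sample in the Emerging Threats list format (comments, blank
# lines, bare addresses and CIDR blocks); not real threat data.
SAMPLE_LIST = """# Emerging Threats fwrules
# Rev 1234
#
192.0.2.10
198.51.100.0/24
2001:db8::/32
not-an-ip
"""

def to_nginx_deny(text):
    """Turn a block list into nginx 'deny' directives.
    Returns (directives, rejected_lines); rejected lines are never emitted."""
    directives, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(raw)
            continue
        # single hosts as a plain address, ranges in CIDR form
        addr = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        directives.append(f"deny {addr};")
    return directives, rejected

def write_blacklist(path, directives):
    """Write the conf atomically: the old file stays until the new one is
    complete, and an empty list is refused rather than written."""
    if not directives:
        raise ValueError("refusing to write an empty blacklist")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(directives) + "\n")
    os.replace(tmp, path)

if __name__ == "__main__":
    rules, bad = to_nginx_deny(SAMPLE_LIST)
    write_blacklist("blacklist.conf", rules)
    print(f"wrote {len(rules)} deny rules, skipped {len(bad)} bad line(s)")
    # nginx only re-reads config on reload: run `nginx -t`, then `nginx -s reload`
```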

  • 6 months later...
Hansel11

First off I just want to say that this is an incredible guide with some phenomenal follow up by everyone (I may or may not have read through every single post ;)).

 

So my issue occurs after step 4 where I have been able to successfully mimic all prior steps, including 1.a.

The issue occurs when trying to connect remotely via https://emby.mydomain.com. I have no problem connecting to Emby through http://emby.mydomain.com:8096

 

Below are my settings and completions (OS is Windows 10);

  1. Set up a DDNS  -  Yes - But reverted to completing 1.a successfully later
  2. Purchase a domain name  -  Yes - It's 'mydomain.com' (not really, just demonstrating that it's a .com domain)
  3. Getting an SSL certificate  -  Yes - I followed the steps to a T and successfully acquired the 3 files 

I added the following sub-domains into sslforfree.com and had successful txt tests for all;

  • mydomain.com
  • emby.mydomain.com
  • dns.mydomain.com
  • radarr.mydomain.com
  • sonarr.mydomain.com
  • sabnzbd.mydomain.com

I then successfully converted these into a 'certificate.pfx' file.

 

I then input all information and settings into Emby (Unsuccessfully)

My settings in the 'Advanced' section are as follows;

  • Lan Networks: empty
  • Bind local network address: empty
  • Local http port: 8096
  • Local https port: 443
  • Remote IP address filter: empty
  • Remote IP address filter mode: Whitelist
  • Public http port: 8096
  • Public https port: 443
  • External domain: 'https://emby.mydomain.com'
  • Custom ssl certificate path: 'C:\SSL\certificate.pfx'
  • Certificate password: mycertificate password (strong)
  • Secure connection mode: Required for all remote connections
  • Enable automatic port mapping: Unchecked
  • Internet streaming bitrate limit: 450 (I get 500mbps upload)

My port forwarding/router settings on my ASUS RT-AC5300 are as follows;

  • 443 forwarded as both UDP + TCP, with 443 as both Internal and external port mapped from my IP
  • 8096 forwarded as both UDP + TCP, with 8096 as both Internal and external port mapped from my IP
  • I have UPNP Enabled
  • I have NAT Enabled
  • I have DNS Enabled
  • I have DDNS Enabled (using a different NO-IP host name than for the Emby server)

I have verified the following;

  • Ports 443 and 8096 are open  -  verified using the whatsmyip port scanner
  • Windows firewall is not the issue  -  verified by completely disabling the firewall
  • Emby is listening and is the only process listening on port 443  -  verified by checking in 'Resource Monitor'
  • There are several TCP connections on port 443  -  NVIDIA Share.exe, nvcontainer.exe, svchost.exe and potentially chrome.exe, although that is grayed out...

I believe this pretty much covers my position.

 

I am able to remotely connect to http://emby.mydomain.com:8096 with success.

I am not able to connect to https://emby.mydomain.com

 

Reading through the entirety of the forum I ran across a few tidbits that may be the cause of the issue.

  • Creating sub-domains  -  Is this something that I need to manually do within namecheap?
  • Verifying https://mydomain.com  -  I input https://emby.mydomain.com into ssllabs.com/ssltest and it kicked me back with 'Assessment failed: No supported protocols supported'. Do I need to verify my domain? If so, how?
  • I believe this goes hand in hand with the previous point but I heard mention of need to verify the SSL certificate...? Do I need to do this? If so how?

 

Any help or suggestions are greatly appreciated. I've spent over 10 hrs trying to get this working with no success. If anyone can help me it's you guys!!

Edited by Hansel11
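An added check, not from the guide or Hansel11's post, that tells the situations in this thread apart from outside: nothing speaking TLS on 443 (what ssllabs reports as no supported protocols), a working TLS listener whose certificate does not cover the name being browsed (the Part 1.A browser warning), an untrusted chain, and a port that is not reachable at all. The hostname in the usage line is a placeholder, and san_covers is exercised on a constructed certificate dict in the shape ssl's getpeercert() returns.

```python
import socket
import ssl

def san_covers(cert, hostname):
    """True if a DNS subjectAltName entry covers hostname: an exact match,
    or a single-label wildcard such as *.example.com for a.example.com."""
    host = hostname.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name.startswith("*."):
            if host.split(".", 1)[1:] == [name[2:]]:
                return True
        elif name == host:
            return True
    return False

def check_https(hostname, port=443, timeout=5):
    """Classify what answers on hostname:port, returning one of:
    'ok'             TLS works and the certificate covers hostname
    'wrong-name'     TLS works but the certificate is for another name
    'untrusted-cert' TLS works but the chain does not verify (self-signed, expired)
    'no-tls'         something answered but did not complete a TLS handshake
    'unreachable'    nothing accepted the connection (closed or not forwarded)"""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name check is done by san_covers so it can be reported
    try:
        sock = socket.create_connection((hostname, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return "ok" if san_covers(tls.getpeercert(), hostname) else "wrong-name"
    except ssl.SSLCertVerificationError:
        return "untrusted-cert"
    except OSError:  # TLS alert, "wrong version number" from a plain HTTP listener, or timeout
        return "no-tls"
    finally:
        sock.close()

if __name__ == "__main__":
    # placeholder hostname; run it against your own Emby host from outside your LAN
    print(check_https("emby.mydomain.com"))
```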

Hansel11

UPDATE:

 

I got the HTTPS working BUT only because I recreated the certificate.pfx file in sslconverter with no password.

 

This is definite progress but I obviously would like to have a secure password there. Is there any way to achieve this?


You can configure your certificate password on the same screen where you configure your certificate.


tmirzaian

> Part 1.A.
>
> Ok, so this is an extension of Part 1, Dynamic DNS. If you used Part 1 above, then got an SSL cert for your shiny new domain name and followed all the other steps, then when browsing to https://emby.embyssltest.com you will connect via HTTPS; however your browser will warn you that the cert isn't trusted, as it was assigned to embyssltest.com but you are browsing to embyssltest.ddns.net because of the CNAME and URL redirecting.
>
> To fix this we need to set up your new domain name to do the Dynamic DNS'ing. For this I will demonstrate on NameCheap how I have mine set up.
>
> Head over to namecheap.com
>
> Create an account or log in to your existing account.
>
> Go to Advanced DNS
>
> Scroll to the bottom where it says Dynamic DNS and turn it on.
>
> Create an A+ Dynamic DNS record.
>
> Host = a subdomain, for example DNS
>
> Value = 127.0.0.1 (this doesn't really matter as it will be dynamically updated)
>
> TTL = Automatic
>
> We also need to edit the CNAME we created in Part 2 for emby.
>
> Under the Host Records
>
> Find the CNAME we created for emby.
>
> Host = emby
>
> Value = DNS.embyssltest.com
>
> We now need to find a way to update the NameCheap DDNS. Some routers will support this (follow Part 1 but substitute no-ip for the namecheap details); however if your router is like mine and doesn't support namecheap ddns then you need to download software to do this. Namecheap offers their own client. https://namecheap.simplekb.com/SiteContents/2-7C22D5236A4543EB827F3BD8936E153E/media/Dynamic%20DNS%20Client%20%202.0.0.7%20Beta.zip
>
> Unzip it and enter your details for namecheap.
>
> Once running it will update the 127.0.0.1 entry above with your external IP.
>
> Now that is set up we need to revisit Part 3, Getting the SSL Cert. When applying for the cert you now need to add another subdomain, DNS.embyssltest.com, so it should now look like embyssltest.com emby.embyssltest.com dns.embyssltest.com.
>
> Now follow the other parts to configuring the SSL cert. Once done you should now get a nice green HTTPS:// connection to https://emby.embyssltest.com

 

A couple of questions -

 

#1 - With this step - does it eliminate the need for the Noip client to be running on the emby server?

#2 - When you say to edit the CNAME in the Dynamic DNS setting, can you give your example of what it gets changed to?


  • 1 year later...
dudeskin

Hello,

Apologies for replying so late..

I have just followed all of your instructions,

I have created the SSL cert,

and downloaded nginx, done all the config you said

 

When I run it.. nothing happens.

I try to get into Emby via my domain, which previously worked with the old 8096 port, but now when I put 443 at the end it throws:

400 Bad Request The plain HTTP request was sent to HTTPS port

nginx/1.17.9.1 Unicorn

 

 

The port 443 is forwarded in my router

 

Any ideas? 

Thanks in advance


  • 1 month later...
leungalv

Seems as though sslforfree has been purchased by ZeroSSL; it can no longer verify by TXT record, which means it can no longer verify a duckdns.org dynamic host without an actual domain, it seems :(


  • 6 months later...
MachineLearning

Thank you swynol for such a comprehensive, noob friendly guide. It works pretty well for me up to part 4. 

Part 5 nginx setup got me stuck because my local Emby server runs on Ubuntu, an old desktop which I use as a file/NAS server to be exact.

While I'm researching nginx setup for Emby on Linux, I came across this: https://gist.github.com/LukeCarrier/7cda1c5143ebc35f4a1b9329b999b181. Now, would this setup work for an Ubuntu Emby server stationed in a home network where nginx runs on the same server?

Also, if I enable nginx, can I still access my Emby server on my local network without detouring to the external one?

Edited by MachineLearning

MachineLearning

The above approach isn't working for my Ubuntu server. Other than that, access from the local network can indeed be whitelisted from ufw.

What I did was sudo ufw allow from 192.168.0.0/24 and that's it
