Setting up SSL for Emby (WIP)


Swynol

messiah1095

I'm trying to set up external https access for my Emby setup at home but after going through the guide, it tells me the cert isn't trusted. When I go to continue, I get this error (changed domain name for this post):

Access to emby.domain.com was denied

You don't have authorization to view this page.

HTTP ERROR 403

I've been able to access Emby fine externally through the standard 8096 port but would prefer to use 443. I've got the 443 port forwarded in my modem and wireless router and have allowed 443 inbound through Windows Firewall on my Emby machine. Any ideas what could be causing this? Running Emby on a Win 10 machine btw.


Tur0k

Did you set the https port to 443 instead of 8920 in Emby server's configuration (manage server - advanced - HTTPS internal/https public)?

Note that it also helps to set up your external domain (manage server - advanced - external domain) if you have one.

Lastly, many smart devices and operating systems are starting to block the use of self-signed certificates. You may need to either work on purchasing a cert ($10-$40 annually) or use a free certificate service (Let's Encrypt). You will likely need to convert the P7B cert to a private .PFX cert and map the location of the exported PFX file to your Emby server (manage server - advanced - custom certificate path / certificate password).

Sent from my iPhone using Tapatalk


messiah1095

Hi Tur0k,

Yes, I have 443 set as both the https internal and external ports in advanced settings. I also have the external domain name set up under the external domain option.

I've created a Let's Encrypt cert based on the guide using the sslforfree.com website for these domains: domain.com, emby.domain.com and dns.domain.com (again these aren't my domains, I've just changed them for this post).

I've then used the SSL converter site listed in the guide to create a PFX cert with a password. I've added that into the Emby certificate settings with the correct password and rebooted the server.

I've also checked to make sure port 443 is unblocked on my modem and wireless router, which it is.

It's getting through but tells me that the cert is not trusted, then when I try to go further I get the error message in my last post.

Using the same domain name, I can access the site through the 8096 port (http) with no issues.

Anything else I should try?


Tur0k

Ok, error 403 is usually a resource permission issue or a protocol issue, or it could be related to Windows Firewall either entirely blocking the port or blocking edge traversal (blocking non-local LAN source IP addresses).

Have you tested with Windows Firewall off entirely?

Also, have you tested https connectivity from a computer on your local LAN?

Also, have you tested your SSL config using a web SSL scanning tool? I use https://www.ssllabs.com/ssltest/

Sent from my iPhone using Tapatalk


messiah1095

Tried disabling Windows Firewall, still get the same message.

I can't access the site via another computer on my network using https, but using port 8096 works fine.

I've also run an ssltest and it tells me the certificate name is a mismatch. But when I import it into certificates and check the name, it's the same domain name as my DNS name and what I have in Emby.


Tur0k

If you can't navigate to:

https://<LANIPAddress>:443

from another computer on your local LAN, then there is something wrong. Let's get that working before we start working on access from the outside world.

There is the possibility that your Emby server isn't listening on port 443, or the Emby server didn't take the new port config change from 8920.

It is possible that there is something wrong with your PFX private key cert.

There is also the possibility that another service is actively listening on port 443.

My recommendation is to turn off the firewall, return Emby server's https LAN and public connections to port 8920, and wipe the cert field in Emby server. Bounce the Emby server service. Then see if navigating to https://<LANIPAddress>:8920 works from another computer on your LAN.

Sent from my iPhone using Tapatalk


Swynol

Noticed here you said you created a PFX file with a password. For Emby to work you need to have no password on the file.

Also, after changing the port from 8920 to 443 make sure that you restart Emby.

How is your domain registrar set up? Do you have a Dynamic DNS set up with an AAAA name and then a CNAME set up to point emby.domain.com to dns.domain.com?

As Tur0k says, if you can't access Emby on your LAN using https://LANIP:443 then Emby isn't listening on port 443 or something is blocking it. What OS are you running Emby on? If it's Windows 10, open up Resource Monitor, go to the Network tab and there should be a window that says Listening Ports. Check that Emby is in the list and listening on 443, or if another program is using port 443.

Strange about the mismatch cert error. Are you using Chrome? If so, navigate to emby.domain.com again. If the https logo turns red then in Chrome go to settings (top right corner), More Tools > Developer Tools > Security Tab > View Certificate.

On the Details tab of the certificate look for Subject Alternative Name and see what subdomains it lists.

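The two checks Swynol describes (which process is actually listening on 443, and which names the served certificate carries) can be scripted on the Emby host. This is an added example, not code from the guide or from Emby; $Port, $HostName and $PeerAddress are placeholder assumptions, and the name-matching rule at the end is the one browsers and the ssllabs test apply, which is why a cert issued for domain.com alone is reported as a mismatch for emby.domain.com.

```powershell
<#
  Added diagnostic (example code, not from the guide or Emby). Run it on the
  Emby host. Placeholders: $Port, $HostName (what clients type), $PeerAddress.
#>
param(
    [int]$Port = 443,
    [string]$HostName = 'emby.domain.com',   # placeholder, as used in the thread
    [string]$PeerAddress = '127.0.0.1'       # placeholder: LAN IP of the Emby host
)

# 1. Which process owns the listening socket? (In the thread it was VMware, not Emby.)
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Warning "Nothing is listening on TCP $Port. Restart Emby after changing its HTTPS port."
    return
}
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    '{0}:{1} is owned by PID {2} ({3})' -f $l.LocalAddress, $Port, $l.OwningProcess, $proc.ProcessName
}

# 2. Fetch the certificate the listener presents. The validation callback returns
#    $true because we only want to read the names here, not trust the chain.
function Get-ServedCertificate([string]$Address, [int]$Port, [string]$Sni) {
    $client = New-Object System.Net.Sockets.TcpClient($Address, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Sni)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

# 3. Read the DNS names out of the Subject Alternative Name extension (OID 2.5.29.17).
function Get-SanDnsNames($Cert) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    # Format() renders entries such as "DNS Name=emby.domain.com"; keep only the DNS ones.
    return @([regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value })
}

# 4. Browser rule: exact match, or a wildcard covering exactly one leftmost label
#    (*.domain.com covers emby.domain.com but not domain.com or a.b.domain.com).
function Test-NameCovered([string]$Name, [string[]]$SanNames) {
    foreach ($san in $SanNames) {
        if ($san -eq $Name) { return $true }          # -eq is case-insensitive in PowerShell
        if ($san.StartsWith('*.')) {
            $suffix = $san.Substring(1)               # ".domain.com"
            if ($Name.EndsWith($suffix)) {
                $label = $Name.Substring(0, $Name.Length - $suffix.Length)
                if ($label.Length -gt 0 -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

$cert = Get-ServedCertificate -Address $PeerAddress -Port $Port -Sni $HostName
$sans = Get-SanDnsNames $cert
"Subject: $($cert.Subject)"
"SANs:    $($sans -join ', ')"
if (Test-NameCovered -Name $HostName -SanNames $sans) {
    "OK: the certificate covers $HostName"
} else {
    Write-Warning "MISMATCH: $HostName is not in the SAN list; this is what the ssllabs test reports as a name mismatch."
}
```

If step 1 names a process other than Emby, fix that conflict first; the certificate checks only mean something once Emby itself owns the port.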

zigzagtshirt

Just renewed my sslforfree certificate for the first time today. Ugh. That was painful. Took an hour of re-entering things over and over again. Finally got it to give me cert files but then the expiration date did not change. Deleting it and renewing it again finally worked.

Anyone here have a similar experience? Not looking forward to this again in 3 months...


messiah1095

Got it working :)

I could access the port via 8920 using https locally on another machine but 443 was coming up with the same error as before.

I followed Swynol's advice and had a look at the processes in Resource Monitor. There was a VMware process using port 443 also, so this is where the problem was occurring. I've now changed the port in VMware Workstation to a different port.

Redid the certs (just in case), plugged all the details in and rebooted Emby. Tried the remote address and success!

Also FYI, there is an option in Emby now to include a certificate password. I can confirm this works as well.


Thanks for the feedback.


Swynol

Yes, this is a major pain. I have since found a much easier way come renewal time: rather than sslforfree, use ZeroSSL.

With ZeroSSL, when you first create your cert using Let's Encrypt it also gives you the option of saving a CSR and key. When it comes time for renewal all you need is to enter the CSR and key and it's done in a few seconds. No more re-entering the TXT _acme challenges.

If you want to use ZeroSSL you will have to re-create your cert. I will update the guide soon.


Swynol

Excellent, I'm glad you got it sorted. Sorry it took so long to troubleshoot.

Also great news that Emby now supports certs with a password. That negates the security issues of using a PFX with no password.


zigzagtshirt

That sounds awesome, thanks!


feerlessleadr

I must be doing something wrong, because even after entering my key and CSR using ZeroSSL, I am still being prompted to do the ACME challenges.


Tur0k

sooo Does that mean there is no way to protect it? Like do I have to do something wrong for it to be vulnerable or is that by design.

Latest version of Emby supports password-protected PFX files, so there is some built-in security. I would refrain from using a wildcard SSL. Create a third level domain with an A+ record (DDNS). Many domain registration services (Google Domains, Namecheap) give you this feature out of the box. Set your SSL for the third level domain instead.

Also, if you use a reverse proxy you will only need to support and host the SSL at the reverse proxy, not inside Emby.

Sent from my iPhone using Tapatalk


Tur0k

Additionally, when hosting Emby on Windows and receiving a P7B private key, users who have configured Emby server to handle their SSL (no reverse proxy) can use Microsoft's certificate MMC to convert it to a password-protected PFX file.

Sent from my iPhone using Tapatalk


Tur0k

I run a Let's Encrypt ACME client package from my PFSense firewall. It does a really good job and handles all my certificate renewals automatically; the only thing I think I would like added is a notification email if it ever fails.

Sent from my iPhone using Tapatalk


pr3dict

Well that's exciting. I will have to update this weekend possibly. I still haven't set up the reverse proxy and I'm not 100% sure how I'm going to do it yet.

Also, if I was using the reverse proxy to just encrypt data on the public side of the proxy, wouldn't that cause issues with some services? Shouldn't I have it set to pass through the SSL so as to not break any headers and whatnot?


Tur0k

I set up my squid reverse proxy package hosted on PFSENSE to ignore internal certificate errors. I did this because I don't really want to have to manage sub-certificates for each system behind the reverse proxy on my local LAN, and I don't want a bunch of holes punched in my firewall for all the different services I want to host. Additionally, some of my resources don't natively support secured connections. I have not noticed any header problems. Granted, I have been running for about 3 weeks now, so maybe I haven't noticed yet. I would imagine that NGINX and other reverse proxy alternatives can do that too.

My config is as follows:

1. I purchased a domain.

2. I created a subdomain custom public DDNS record.

3. I use a dynamic DNS client package hosted on PFSENSE and have it configured to automatically update my above DDNS record using the vendor's API.

4. I have my local LAN DNS bound to my DDNS subdomain.

5. I use a Let's Encrypt ACME package hosted on PFSENSE. It works automatically using custom TXT records I added to my public DNS. It automatically renews.

6. I use a squid reverse proxy package hosted on PFSENSE. It is using the SSL certificate created by the above ACME package.

The only thing I need to work out is finding a way to get the reverse proxy to restart and use the new cert in 90 days.

Sent from my iPhone using Tapatalk


pr3dict

Squid reverse proxy? I thought the general consensus was to use HAProxy if using packages from pfsense. Also, can you give me an example. If you go to site1.yourdomain.com it will redirect to the correct IP address on the inside. If you go to site1.yourdomain.com it goes to a different IP address?

Sent from my VS987 using Tapatalk


Tur0k

I don't have my personal laptop with me on vacation, so I can't remote in and view. Squid works like a champ for me. I haven't tested it versus HAProxy.

I only make port 443 available in squid reverse proxy's config. For example my DDNS is: my_ddns.my_domain.com.

I have a DHCP reservation configured to ensure the Emby server host always receives the same IP address. In Emby server's settings/advanced menu I have:

1. The external domain configured to:

my_ddns.my_domain.com

2. Both local and public HTTPS port set to 8920

3. Using the default self-signed certificate.

In my reverse proxy's website list I entered an alias, peer IP and port number for my Emby server. In mappings I created a new URI and selected the peer that I created in the web sites list, and created a new URI that looked like:

my_ddns.my_domain.com/emby

Let me know if this is what you are looking for or if you need more instruction.

Sent from my iPhone using Tapatalk


pr3dict

See, you're doing paths after the / to direct which machine to go to. I'm looking to do subdomains. So it would be emby.mydomain.com and site1.mydomain.com, etc. It helps with URL schemes that get added to the end of the URL. My end game is to have a splash page that the proxy goes to and then has links from there to the other sites that get routed through the reverse proxy. I wanted to incorporate it into pfsense but I have to spin up another VM specifically for the webserver.

Sent from my VS987 using Tapatalk


M_Taylor40

Hey everyone,

First off I want to thank Swynol for putting in the effort to create this guide!

I'm currently trying to set this up so I can finally use my setup externally, but I'm struggling with Part 1a.

I bought my domain name via 123-reg, have created an account with no-ip to configure the DynDNS and can do this via my BT Homehub, but as stated previously this will result in cert errors due to the domain mismatch.

Has anyone managed to complete Part 1a through 123-reg that can give me some help?

Also, I'm in the process of creating an AD domain for testing and might eventually host my own web server, so what's the best way of implementing a reverse proxy? I have enough hardware to host many VMs on site so I'd ideally like to have a setup that splits the reverse proxy, web server and any other required systems I need on to their own VMs.

I'm comfortable with complicated VM setups as I do this at work, but proxies and firewalls and things are something that I've not done much with outside using pre-configured systems.

Will nginx work fine in this config or am I complicating things more than I need?

Thanks,

M_Taylor40


Tur0k

Ahh okay. Some of the many benefits of a reverse proxy are:

A. All access from the public Internet comes from either port 80 (unsecured) or port 443 (secured).

B. No server aside from the reverse proxy receives transmissions directly from the public Internet (this helps to limit the vulnerable surface area of attack on your network).

C. Present web services from different systems as though they are one contiguous directory structure.

D. You only need 1 domain for the reverse proxy.

E. You only need 1 public DNS record for the 1 reverse proxy.

F. You only need 1 signed SSL certificate for the reverse proxy (that matches the above domain).

So, to the best of my knowledge, to do what you want to do with sub-domains you would need:

1. A separate A, AAAA, CNAME, or A+ record in your public Internet DNS (this is likely accessible in your domain registrar's domain management interface) for each sub-domain (example: emby.mydomain.com, homeautomation.mydomain.com, etc). This will allow public Internet sources to resolve your subdomains to your publicly accessible IP. These records will need to be configured to point to your WAN IP using some type of DDNS (unless you have a static WAN IP address).

2. You will end up needing an SSL certificate for each sub-domain (unless you are using a wildcard SSL certificate).

3. If you only have 1 WAN IP address (and not a block of public IP addresses to use) and want to host multiple web services on it, each web service will need a unique TCP port to listen on. You will end up creating firewall rules on your WAN firewall to open and forward each port through to the appropriate systems on your internal network.

4. I don't know that you can configure a single instance of a reverse proxy to listen on different ports in order to deliver different SSL certs depending on listening port, as well as deliver different content based on listening port. If this isn't the case then you may need to host a separate reverse proxy for each port you are listening on. At this point I don't know that you need a reverse proxy for what you are trying to do with the separate sub-domain structure.

