
Setting up SSL for Emby (WIP)


Swynol


zigzagtshirt

I think it's working now. I changed both local and external ports in Emby to 443 and restarted the server. Windows gave me a popup to allow a process and I allowed it. I think it said "Windows Command Process" or something. Once I hit that it started working.


Swynol

I think it's working now. I changed both local and external ports in Emby to 443 and restarted the server. Windows gave me a popup to allow a process and I allowed it. I think it said "Windows Command Process" or something. Once I hit that it started working.

Glad you got it working. It's very rare that ISPs block port 443, as if that port was blocked on a large scale it would break the Internet. You can probably change your internal port back to 8096, or 8920 if HTTPS. It sounds like Emby needed to be restarted in order to start listening on port 443.

Now you know port 443 works, you could look at an nginx reverse proxy. I find nginx much easier to manage, and it might look like a lot of work but it takes 5 mins to set up.


Swynol

@Swynol Where does it say on the site that the certs expire after 90 days? I don't see it on there anywhere. Is there a way to automate a regeneration of them once they expire?

It doesn't say directly on the website, but all Let's Encrypt certs are only valid for 90 days. If you look at the cert it has an expiry date.


Swynol

Also, another heads up. I found a better site to do the SSL certs. It's called ZeroSSL. I find it better because it allows you to renew certs without having to re-verify your domain ownership. It knocks a good 10-20 mins off renewing time.


zigzagtshirt

Also, another heads up. I found a better site to do the SSL certs. It's called ZeroSSL. I find it better because it allows you to renew certs without having to re-verify your domain ownership. It knocks a good 10-20 mins off renewing time.

I'll check this out - thanks!

Glad you got it working. It's very rare that ISPs block port 443, as if that port was blocked on a large scale it would break the Internet. You can probably change your internal port back to 8096, or 8920 if HTTPS. It sounds like Emby needed to be restarted in order to start listening on port 443.

Now you know port 443 works, you could look at an nginx reverse proxy. I find nginx much easier to manage, and it might look like a lot of work but it takes 5 mins to set up.

For now I think I'll stick with what I have set up, since it's working and that's all I care about at this point. Not sure I understand the benefits of having a reverse proxy though, as I am not running any other services that would need port 443? Also, is there a security benefit?


Swynol

The benefits of using nginx are mainly due to having many services all listening on port 443, so all other ports on my firewall are closed. The other reason I prefer the nginx option is because when you create a pfx cert for Emby you combine your cert and private key into one file with no password. This is a security risk. However, how bothered are hackers with doing a man-in-the-middle attack to see your Emby login page? To me it wasn't a huge concern, but if you're going through all the hassle of setting up HTTPS access then going the extra step of using nginx with secure certs was just as easy.

The main reason I used nginx was because all my services now use port 443 and rather than updating my certs in 15 places I only have to update it once for nginx.


zigzagtshirt

The benefits of using nginx are mainly due to having many services all listening on port 443, so all other ports on my firewall are closed. The other reason I prefer the nginx option is because when you create a pfx cert for Emby you combine your cert and private key into one file with no password. This is a security risk. However, how bothered are hackers with doing a man-in-the-middle attack to see your Emby login page? To me it wasn't a huge concern, but if you're going through all the hassle of setting up HTTPS access then going the extra step of using nginx with secure certs was just as easy.

The main reason I used nginx was because all my services now use port 443 and rather than updating my certs in 15 places I only have to update it once for nginx.

This is very helpful, thanks!

This does seem like a great idea if you have a lot of services running.

The only other port I have open in my network firewall is for my OpenVPN server. Would I be able to make that run through port 443 as well if I went down the nginx road?


Swynol

Yes, you can configure OpenVPN to use port 443. It requires more configuration in nginx, which I managed to get working; however, I wasn't able to connect with other machines on my LAN. I then ran out of time and haven't looked at it again since.


pr3dict

Does this work with our lovely Android TV devices that only work with particular CAs? I know this was the issue a while back instead of using a self-signed cert.

Also, can you post a photo of the web page that you created that links to the other services you have listed? I've been looking to create something like that for a while!


feerlessleadr

Thanks for the guide. I'm not sure what I'm doing wrong, but when I go to https://emby.mydomain.com, I get a self-signed cert error (I followed your instructions on adding the DNS address to the cert), and when I click proceed anyway, it takes me to my router's login screen.

I'm trying to access this using nginx. Any idea what the heck I'm doing wrong?

EDIT - Just to be more clear, I have followed the guide using both SSLForFree and ZeroSSL; both give me the insecure message when accessing https://emby.mydomain.com. Additionally, I have tried everything I can to get the nginx reverse proxy to point to my internal Emby instance, but everything I do redirects to my router's login page.


Swynol

Does this work with our lovely Android TV devices that only work with particular CAs? I know this was the issue a while back instead of using a self-signed cert.

Also, can you post a photo of the web page that you created that links to the other services you have listed? I've been looking to create something like that for a while!

I don't have any Android TV boxes to test with, but it does work fine with my Android tablet. I can't see why it wouldn't work, as Let's Encrypt has been around for a while now and uses the DST CA root.

I use something called HTPC Manager. It runs on Python for Windows. Here are some screenshots of what I have.


Swynol

Thanks for the guide. I'm not sure what I'm doing wrong, but when I go to https://emby.mydomain.com, I get a self-signed cert error (I followed your instructions on adding the DNS address to the cert), and when I click proceed anyway, it takes me to my router's login screen.

I'm trying to access this using nginx. Any idea what the heck I'm doing wrong?

EDIT - Just to be more clear, I have followed the guide using both SSLForFree and ZeroSSL; both give me the insecure message when accessing https://emby.mydomain.com. Additionally, I have tried everything I can to get the nginx reverse proxy to point to my internal Emby instance, but everything I do redirects to my router's login page.

I've seen this happen before and it was something to do with the nginx config. We know your DDNS is working, as you get your router page. Also, what router do you have? I wonder if that is listening on port 443.

So just to be clear, when you created the cert, did you add the top-level domain name and all the subdomains, i.e. mydomain.com, emby.mydomain.com, ddns.mydomain.com etc.?

Also, can you post your nginx config (remove the domain name and any external IP info)?


feerlessleadr

I've seen this happen before and it was something to do with the nginx config. We know your DDNS is working, as you get your router page. Also, what router do you have? I wonder if that is listening on port 443.

So just to be clear, when you created the cert, did you add the top-level domain name and all the subdomains, i.e. mydomain.com, emby.mydomain.com, ddns.mydomain.com etc.?

Also, can you post your nginx config (remove the domain name and any external IP info)?

When I created the cert I added mydomain.com emby.mydomain.com dns.mydomain.com. 

I have Verizon Fios, and am using their router (MI424WR-GEN3I). I can access all of my services outside my network when I forward the appropriate ports and use my DDNS address (i.e. ddns.myddnsservice.com:8096).

Here is my nginx conf:

#user  nobody;
# multiple workers works !
worker_processes  2;

events {
    worker_connections  8192;
}

http {
    #include      /nginx/conf/naxsi_core.rules;
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        off;

    server_names_hash_bucket_size 128;
    map_hash_bucket_size 64;

    ## Start: Timeouts ##
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     30;
    send_timeout          10;
    keepalive_requests    10;
    ## End: Timeouts ##

    #gzip  on;

    ##EMBY Server##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name emby.mydomain.com;

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate      SSL/cert.pem;
        ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }

        location / {
            proxy_pass http://192.168.1.17:8096;  # Local emby ip and non SSL port

            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}

It is a straight copy/paste from the conf you posted on page 1 (with my details added in, obviously).

Do I need to do any port forwarding on my router or change any Emby settings with the nginx method?


Swynol

At a glance it all looks OK. One thing that I didn't mention in the How To part is changing the location of your certs. So these lines in nginx

        ssl_certificate      SSL/cert.pem;
        ssl_certificate_key  SSL/private.key;

should point to your certs. So SSL/cert.pem is actually pointing to C:\nginxlion\conf\SSL\cert.pem

What you need to do is create a folder called SSL in the conf folder where your nginx is, then copy the cert.pem and private.key into that folder.

And yes, you need to port forward 443 and 80 to your nginx server. This is likely the reason you see your router login page, as it doesn't know what to do when it sees data on port 443 coming in.


feerlessleadr

At a glance it all looks OK. One thing that I didn't mention in the How To part is changing the location of your certs. So these lines in nginx

        ssl_certificate      SSL/cert.pem;
        ssl_certificate_key  SSL/private.key;

should point to your certs. So SSL/cert.pem is actually pointing to C:\nginxlion\conf\SSL\cert.pem

What you need to do is create a folder called SSL in the conf folder where your nginx is, then copy the cert.pem and private.key into that folder.

And yes, you need to port forward 443 and 80 to your nginx server. This is likely the reason you see your router login page, as it doesn't know what to do when it sees data on port 443 coming in.

Hot Damn that did it! Thank you!

I didn't realize I still needed to port forward 443 on my router to my nginx server, and once I did that, everything worked, including the certs (all green!).

Question though: if I don't forward port 80, does that essentially mean that HTTPS is the only option to connect externally? Is there a way that I can direct http://emby.mydomain.com to https://emby.mydomain.com?


Swynol

You can now close all other ports if you want, so close 8096 and 8920 as Emby will use 443. At the moment nginx has a rule to automatically change any HTTP requests to HTTPS:

        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }

If you remove that rule from the nginx config then you can forward port 80 to your nginx box as well. That way you can connect to Emby using either HTTP or HTTPS. I prefer that all my clients connect using HTTPS, so I force them to use it: even if they type http://emby.mydomain.com it will forward to https://emby.mydomain.com.
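An added example (not from this thread or from nginx itself) that checks a config shaped like the one posted above for the pitfalls discussed here: the relative SSL/cert.pem path that nginx resolves against its conf directory, a port-80 listener with no redirect to HTTPS, and the deprecated TLSv1/TLSv1.1 protocols left enabled in that config. The sample config and the C:\nginx\conf prefix are constructed assumptions, not anyone's real setup.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample modelled on the config posted in the thread (not a real file).
SAMPLE_CONF = """
server {
    listen 80;
    listen 443 ssl;
    server_name emby.mydomain.com;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate      SSL/cert.pem;
    ssl_certificate_key  SSL/private.key;
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }
    location / {
        proxy_pass http://192.168.1.17:8096;
    }
}
"""

DEPRECATED_TLS = {"TLSv1", "TLSv1.1"}

def directive(conf, name):
    """Return the argument string of the first `name ...;` directive, or None."""
    m = re.search(r"^\s*%s\s+([^;]+);" % re.escape(name), conf, re.M)
    return m.group(1).strip() if m else None

def resolve_cert_path(path, conf_dir):
    """nginx resolves a relative certificate path against its conf prefix, so
    'SSL/cert.pem' on a Windows install means <conf_dir>\\SSL\\cert.pem."""
    p = PureWindowsPath(path)
    return str(p if p.is_absolute() else PureWindowsPath(conf_dir) / p)

def lint(conf, conf_dir=r"C:\nginx\conf"):  # conf_dir is an assumed install prefix
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    for name in ("ssl_certificate", "ssl_certificate_key"):
        val = directive(conf, name)
        if val is None:
            findings.append(f"{name}: missing")
        elif not PureWindowsPath(val).is_absolute():
            findings.append(f"{name}: relative path, nginx will read "
                            f"{resolve_cert_path(val, conf_dir)}")
    weak = sorted(DEPRECATED_TLS & set((directive(conf, "ssl_protocols") or "").split()))
    if weak:
        findings.append("ssl_protocols: deprecated " + ", ".join(weak))
    # A port-80 listener with no 301 to https serves the Emby login in cleartext.
    if re.search(r"^\s*listen\s+(\[::\]:)?80\b", conf, re.M) and \
            "return 301 https://" not in conf:
        findings.append("listen 80: no redirect to https")
    return findings

def harden(conf, conf_dir=r"C:\nginx\conf"):
    """Rewrite the two fixable pitfalls: TLS 1.2 only and absolute cert paths."""
    conf = re.sub(r"^(\s*ssl_protocols\s+)[^;]+;", r"\1TLSv1.2;", conf, flags=re.M)
    fix = lambda m: m.group(1) + resolve_cert_path(m.group(2), conf_dir) + ";"
    return re.sub(r"^(\s*ssl_certificate(?:_key)?\s+)([^;]+);", fix, conf, flags=re.M)
```

Run lint() on the posted config to see the three findings, and lint(harden(...)) to confirm the rewritten version is clean; the redirect rule is left in place because removing it is what re-opens plain HTTP.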


gjviii

Following the instructions up to post 04, when I click to test the TXT records I get this error:
"No TXT Record Found. Set the TTL to 1 second or if you cannot set the TTL then you must wait the TTL (in seconds) so it updates before verifying the domain."
Attached is the screenshot of how my advanced tab is set up. Can anyone see what I have incorrect that is causing the error above?
Thanks for any direction.


gjviii

Following the instructions up to post 04, when I click to test the TXT records I get this error:

"No TXT Record Found. Set the TTL to 1 second or if you cannot set the TTL then you must wait the TTL (in seconds) so it updates before verifying the domain."

Attached is the screenshot of how my advanced tab is set up. Can anyone see what I have incorrect that is causing the error above?

Thanks for any direction.

Any thoughts? Thanks.


Overseer

It took me a few times to do that through Namecheap. After adding the TXT records I just waited between 10-15 minutes before doing the verification. It was pretty maddening, as I was setting up subdomains for Sonarr, Radarr, Ombi, SABnzbd and Emby and I kept getting that dreaded TXT record not found message, and going back required me changing some of those TXT records. Finally got it though, along with the nginx proxy, and everything works great.

I have my www set up as a CNAME. I only have one A record, and that is for the @ record.

pr3dict

I'm trying to follow the guide but I'm stuck.

Long story short as possible:

I have a wildcard domain SSL cert from Namecheap (Comodo).

I created it with a CSR in pfSense and exported the private key to Namecheap and they sent me back:

my domain.CA-bundle
my domain.cert
my domain.p7b

So for Emby I need a pfx file, and to convert that from what I have, that means I need to take the exported private key from pfSense and that .cert that Namecheap gave me and combine them into a pfx? Does that sound correct?

EDIT: Well, it works with the wildcard, which is really cool. I now need to get the whole reverse proxy thing going, but right now I'm going to pause until I figure out what I want to do. I can either install HAProxy on my pfSense firewall box and run the proxy from there, orrrr I can spin up another VM and run nginx on that as the reverse proxy. Then from there I can also install a web server for Organizr. So many options, so little time.

Thankfully though, after doing this I am now able to finally enable HTTPS for all my clients, as I just got an A+ rating for my SSL implementation.

Swynol

Any thoughts? Thanks.

Yes, it can take 10-15 mins for the TXT records to replicate over the Internet. You can test it using command prompt and nslookup; can't remember the whole command as I'm away from my PC atm. With ZeroSSL, if it fails just keep hitting submit until it works.


Swynol

I'm trying to follow the guide but I'm stuck.

Long story short as possible:

I have a wildcard domain SSL cert from Namecheap (Comodo).

I created it with a CSR in pfSense and exported the private key to Namecheap and they sent me back:

my domain.CA-bundle
my domain.cert
my domain.p7b

So for Emby I need a pfx file, and to convert that from what I have, that means I need to take the exported private key from pfSense and that .cert that Namecheap gave me and combine them into a pfx? Does that sound correct?

EDIT: Well, it works with the wildcard, which is really cool. I now need to get the whole reverse proxy thing going, but right now I'm going to pause until I figure out what I want to do. I can either install HAProxy on my pfSense firewall box and run the proxy from there, orrrr I can spin up another VM and run nginx on that as the reverse proxy. Then from there I can also install a web server for Organizr. So many options, so little time.

Thankfully though, after doing this I am now able to finally enable HTTPS for all my clients, as I just got an A+ rating for my SSL implementation.

Awesome work. Wildcards are good, just be careful with using it with Emby, as the pfx file has your private key with no password. And a wildcard can be used by attackers to create anything.yourdomain.com.

I would use HAProxy as it's on your pfSense, which all traffic hits first, although I find nginx easier to use.


Swynol

Following the instructions up to post 04, when I click to test the TXT records I get this error:

"No TXT Record Found. Set the TTL to 1 second or if you cannot set the TTL then you must wait the TTL (in seconds) so it updates before verifying the domain."

Attached is the screenshot of how my advanced tab is set up. Can anyone see what I have incorrect that is causing the error above?

Thanks for any direction.

Do you have a static IP?

If so, you don't need a CNAME for emby. You need an A record, so emby will point to your IP.

If you have a dynamic WAN IP, then you need to create an A+ record using the dynamic DDNS section at the bottom of the Namecheap page. This will point your IP to your domain name, for example ddns.mydomain.com.

Then create a CNAME for emby to point to ddns.mydomain.com.


pr3dict

Awesome work. Wildcards are good, just be careful with using it with Emby, as the pfx file has your private key with no password. And a wildcard can be used by attackers to create anything.yourdomain.com.

I would use HAProxy as it's on your pfSense, which all traffic hits first, although I find nginx easier to use.

Sooo, does that mean there is no way to protect it? Like, do I have to do something wrong for it to be vulnerable, or is that by design?
