Setting up SSL for Emby (WIP)


Swynol

No, on most devices there is no way to force it to accept it. On some devices you can take the cert and import the cert into the device and then it will work, but there is no way for us to automate that process. You have to handle it.

 

Using the web browser as an example, when you enter your url into the address bar, some browsers will display a prompt and allow you to accept the SSL cert. However, if you are using http://app.emby.media and you enter your https address into the app, it will just fail to connect and there is no way for us to force it to accept it.

KMBanana

A lot of the time the rejection of the SSL cert is handled by the device platform itself, it's not something you can control in the app.  

 

Couldn't you accomplish the same thing as forcing https by leaving the non-SSL port closed/unforwarded by the way?

Most applications/servers (open source etc.) all use self-signed certs, and unless you want to pay the money for a public certificate a self-signed one works fine.

LetsEncrypt is a great free option.

If you don't want it to forward then just uncheck the box "require https". Does that answer your question?

KMBanana

Sorry Luke, I wasn't asking you a question.  I was suggesting that someone who wants to only allow https connections not make the Emby http port accessible outside of their local network.  

A lot of the time the rejection of the SSL cert is handled by the device platform itself, it's not something you can control in the app.  

 

Pretty much all of the time except for a couple exceptions. That's the part that most people don't get when they ask "can't you just make it accept it".

Swynol

SSL is a bit of a minefield. Before Let's Encrypt you had to jump through hoops to get a cert, so a lot of people used self-signed. To be fair to Emby, the way they allow you to use a custom cert can't be any easier. The hardest part is getting the cert, which on most OSes is fairly easy; it's only Microsoft OSes which make it more complicated.

The way I mention in this thread to get a cert is more for an NGINX server, which then covers all your 'services'. If you want just a cert for Emby it is slightly less work and fewer steps.

If anyone is having issues getting a cert or getting it to work, drop me a PM or post in here with the @Swynol tag and I will do my best to help. It takes around 15 mins from scratch to fully working HTTPS.

ToddSexington

@Swynol I had it working at one point, but it failed when I moved to Win 10. Is there still hope?

Swynol

Ye of course, what did you move from? If it is Linux then the config is slightly different.

 

I run my setup on win10

 

 

Sent from my iPhone using Tapatalk

Andy777

Because if you untick that box, the server no longer announces the https address and some clients take that literally.

 

I hope you look at my feature request and the thread in Kodi client forum.

 

I want emby to tell the world that https is OK (and better yet preferred) but still accept unencrypted connections (e.g. from reverse proxy).

 

So the check/uncheck is really different than what it was. Creates a world of difference.

ToddSexington

I moved from win 7 to win 10. It immediately wrecked my ability to https into my rig via emby. Doing the ssl cert process is at the very limit of my skill set and I needed help to get it going originally...

 

I have just been using plex in the meantime.


You will likely need to create a new request and have the cert re-issued. I can help shortly if you need.

 

 

Swynol

Are you using NGINX or just straight access to your Emby server?

Start with getting a new certificate. If you are not running NGINX then use https://zerossl.com/ to get your cert.

You now need to convert the certificate and key to a PFX. I use https://www.sslshopper.com/ssl-converter.html

Type of current cert - Standard PEM

Type to convert to - PFX/PKCS#12

Upload your cert to the first box

Upload your private.key to the second box

Upload the chain or CA root cert to the third box

Create a PFX password.

Then reconfigure Emby.

Head to Server Management > Advanced

Depending on how you have it set up, I recommend changing Public HTTPS port to 443; that way you can use https://emby.mydomain.com rather than https://emby.mydomain.com:8920. It also means you don't have to open port 8920 on your router. You will now need to forward port 443 from your router to your Windows 10 machine.

Fill in external domain

Custom cert path - point it to the PFX file you created above

Cert Password - is the PFX password used above.

Save and restart.
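The same three-box conversion can be done on the machine that holds the PEM files, so the private key is never uploaded to a web converter; this is an added example (not from the thread, and not Emby's or Swynol's code), and it also covers the crt-to-PFX automation mentioned later in the thread. It assumes openssl is on PATH; the file names and the friendly name "emby" are arbitrary.

```shell
#!/bin/sh
# Added example (not from the thread): build the PFX that Emby's "Custom cert path"
# expects from the PEM certificate, private key and CA chain with openssl on your
# own machine, so the private key is never uploaded to a web converter.
# Assumes openssl is on PATH; the friendly name "emby" is an arbitrary choice.

# make_pfx CERT KEY CHAIN OUT PASSWORD   (CHAIN may be "" when there is none)
# Bundles cert + key + chain into one PKCS#12 file and checks it can be reopened.
make_pfx() {
    cert="$1"; key="$2"; chain="$3"; out="$4"; pass="$5"

    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "make_pfx: cannot read certificate $cert" >&2; return 1; }

    # Refuse to continue if the key does not belong to the certificate: comparing
    # the public-key (SPKI) hashes catches a wrong key before Emby fails on startup.
    cert_spki=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_spki=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_spki" != "$key_spki" ]; then
        echo "make_pfx: private key $key does not match $cert" >&2
        return 1
    fi

    # -export writes PKCS#12; -certfile appends the intermediates so clients can
    # build the chain. The password travels in an environment variable rather than
    # on the command line, so it does not show up in process listings.
    set -- -export -name emby -in "$cert" -inkey "$key" -out "$out" -passout env:PFX_PASS
    [ -n "$chain" ] && set -- "$@" -certfile "$chain"
    PFX_PASS="$pass" openssl pkcs12 "$@" || return 1
    chmod 600 "$out"

    # Round trip: list the certificates (never the key) to prove the file opens with
    # the password that will go into Emby's "Cert Password" field.
    PFX_PASS="$pass" openssl pkcs12 -in "$out" -nokeys -passin env:PFX_PASS >/dev/null
}
```

Point Emby's custom cert path at the resulting .pfx and enter the same password; the function exits non-zero (and writes nothing) if the key and certificate do not belong together.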

feerlessleadr

Sort of follow on from this thread - https://emby.media/community/index.php?/topic/47508-how-to-nginx-reverse-proxy/ and this thread - https://emby.media/community/index.php?/topic/44757-setting-up-ssl-for-emby-wip/ 

 

 

This is an alternate way to get an SSL cert; this replaces Part 3 on this thread.

Ok so SSLforFree and ZeroSSL both offer a way to get a cert using your browser and DNS verification. The problem with DNS verification, which I and others have experienced, is that it can take a long time to set up depending on how many subdomains you have; DNS replication and other third-party factors also contributed to issues. This guide will show you how to use NGINX for Windows and the ZeroSSL le.exe tool. This uses HTTP verification, is almost automated and only takes a few mins to run after it has been initially set up.

 

ZeroSSL - https://zerossl.com/ and the Windows Tool is available on github -  https://github.com/do-know/Crypt-LE/releases

 

Download above and extract it. I recommend C:\LE64

 

We now have to amend our NGINX config to include the below in each of our server blocks.

location ^~ /.well-known/acme-challenge/ {
}

Here is my Emby example block:

## EMBY Server ##
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name emby.mydomain.com;

    # TLS settings and security headers live in a shared include (posted further down)
    include ssl.conf;

    location / {
        proxy_pass http://127.0.0.1:8096;

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
    }

    # Empty block: ACME challenge files are served from nginx's default root (html)
    # instead of being proxied to Emby, so le64.exe can place them there.
    location ^~ /.well-known/acme-challenge/ {
    }
}

Notice my SSL settings are missing. They are included in a separate file; I will post the contents below for anyone interested.

include ssl.conf;

Now that we have the .well-known\acme-challenge location set, we can run the le64.exe tool.

 

Open a cmd prompt (run as administrator)

le64.exe --key account.key --email "admin@mydomain.com" --csr domain.csr --csr-key domain.key --crt domain.crt --domains "mydomain.com,emby.mydomain.com,www.mydomain.com,plex.mydomain.com" --generate-missing --unlink --path E:\NGINX\html\.well-known\acme-challenge

From the above you need to change:

--email "admin@mydomain.com" - to your email address, keeping the ""

--domains "mydomain.com,emby.mydomain.com"   (list all the domains you want the cert to cover - I think the max is ~50)

--path E:\NGINX\html\.well-known\acme-challenge   (change E:\NGINX to your NGINX location, keeping the html\.well-known....)

When you hit enter it will test your setup for the correct files and config; it basically gets a fake certificate. If this completes with no errors you now need to add the argument --live to the end of the script above, like so:

le64.exe --key account.key --email "admin@mydomain.com" --csr domain.csr --csr-key domain.key --crt domain.crt --domains "mydomain.com,emby.mydomain.com,www.mydomain.com,plex.mydomain.com" --generate-missing --unlink --path E:\NGINX\html\.well-known\acme-challenge --live

Hit enter and it should go off and fetch your real domain.csr, account.key, domain.crt and domain.key. These will be downloaded into the le64 folder. Keep the csr and account.key safe, you will need these for renewal.

Now you have all this set up, you can re-run the above le64.exe script come renewal and it's all done.

My next plan is to somehow automate converting crt to pem and pfx, which would then mean the whole SSL renewal process is completely automated.

 

@Swynol Thanks for this updated guide, this will make my life so much easier

 

You mention in here that you've moved your SSL settings to ssl.conf - any reason for that? If so, would you be willing to share your conf?

 

Thanks

Swynol

I moved them to make things easier. I run around 15 services through nginx. Before, if I changed any SSL settings I would have to update it in 15 places. Now with the ssl config I only have to update it once for all 15 services. Ye I will share the config when I get home.

And yes the tool makes it a lot easier to get and renew the certs now. I am working on getting it to automatically create PFX certs as well for anyone not using nginx and just wanting a cert for Emby alone.

 

 

feerlessleadr

Thanks - 1 more question. I have been able to successfully verify my subdomains (emby.mydomain.com, get.mydomain.com, etc.), however, I get an error back for my root domain (mydomain.com), since I don't have an entry for that in my nginx.conf.

 

I don't have anything running on the root level domain. Is it unwise/unsafe for me to create an entry in my nginx.conf to proxy my root domain to my server and a port that no service is running on (i.e. mydomain.com points to 192.168.1.100:1234, which I currently do not have any apps/services running out of that port)?

 

If it is not safe to do that, will I run into any problems using your le64 method to verify all of my subdomains, but to let my root domain fail?


Swynol

You can either remove the root domain from the lets encrypt script or you can add the domain to your nginx config. If you add it to your nginx config you can make mydomain.com go to the same place as emby.mydomain.com or you can make a 404 error page and point it to that. When I get home I’ll post my config, I have it going to a 404 error page.

 

 

Swynol

Found this on my phone:

## 404 ERROR ##
server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name mydomain.com ombi.mydomain.com requests.mydomain.com;

    include ssl.conf;

    location ^~ /.well-known/acme-challenge/ {
    }

    # No proxy_pass here: / serves the static 404.html from the default root and
    # nothing is forwarded (the proxy_set_header lines only apply to proxied requests)
    location / {
        index  404.html 404.htm;

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

So you can see above I created a new server block.

I have mydomain.com, ombi.mydomain.com and requests.mydomain.com. The reason I have all these is I wanted my SSL cert to cover these subdomains but currently I don't have them running. If you browse to any of them you will get a 404 error.

You can see in my location block I have it pointing to an index file called 404.html. I have a file in my nginx folder (C:\NGINX\html\404.html).

Here are the contents of the 404.html file; you can copy it for a basic 404 error:

<!DOCTYPE html>
<html>
<head>
<title>WTF! BRO</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>WTF! Bro!</h1>
<p>Sorry, the page you are looking for is currently unavailable.<br/>
Please try again later.</p>
<p></p>
<p><em>Error</em></p>
</body>
</html>

And finally, here are the contents of my ssl.conf file:

ssl_session_timeout 30m;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_certificate      SSL/cert.pem;
ssl_certificate_key  SSL/private.key;
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

proxy_hide_header X-Powered-By;
add_header x-xss-protection 1;
proxy_hide_header X-Frame-Options;
add_header X-Content-Type-Options "nosniff"  always;
add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
add_header 'Referrer-Policy' 'origin';
add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com anothersubdomain.com;";
add_header X-Frame-Options "ALLOW-FROM URI";

There are some security headers here that aren't the norm.

Firstly, x-xss-protection is usually "X-XSS-Protection: 1; mode=block". I had to change this for Organizr to work correctly with mobile devices.

Referrer-Policy is usually "strict-origin" but again this gave me issues in Organizr with custom themes.

Content-Security-Policy "frame-ancestors" - here you need to list all subdomains on your SSL cert.

X-Frame-Options is usually "same-origin" but again Organizr had issues with iframes.

If you're not using Organizr I can post a stricter security config.
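As an added example (not from the thread, and not Swynol's own config), the shell function below audits an ssl.conf include like the one above and reports the settings a reviewer would raise: TLS 1.0/1.1 and 3DES still offered, an X-XSS-Protection value without mode=block, an HSTS max-age under six months, and the unsupported X-Frame-Options ALLOW-FROM. The two sample configs inside it are constructed copies, and the thresholds are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): audit an nginx ssl.conf include like the one
# above and print one finding per line. The thresholds (TLS 1.2+, HSTS of at least
# 180 days) are this example's own choices, not anything the thread specifies.

# Drop comments and collapse whitespace so matches ignore the file's indentation.
normalize() { sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g'; }
# audit_ssl_conf < ssl.conf   -> findings on stdout (nothing printed means clean)
audit_ssl_conf() {
    conf=$(normalize)

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLSv1.2 and TLSv1.3 only.
    printf '%s\n' "$conf" | grep -E 'ssl_protocols[^;]*TLSv1(\.1)?[ ;]' >/dev/null &&
        echo "ssl_protocols: TLSv1/TLSv1.1 still offered"

    # A 3DES (Sweet32) or RC4 suite that is not excluded with '!' is enabled.
    printf '%s\n' "$conf" | grep -E 'ssl_ciphers[^;]*[:+ ](3DES|RC4)' >/dev/null &&
        echo "ssl_ciphers: 3DES or RC4 suite enabled"

    # "1" alone tells the browser to rewrite the page instead of blocking it; the
    # filter is gone from current browsers, so "0" (or "1; mode=block") is expected.
    printf '%s\n' "$conf" | grep -i 'x-xss-protection' |
        grep -viE 'mode=block|x-xss-protection "?0' >/dev/null &&
        echo "X-XSS-Protection: value 1 without mode=block"

    # HSTS missing, or max-age shorter than 180 days (15552000 s).
    max_age=$(printf '%s\n' "$conf" |
        sed -n 's/.*Strict-Transport-Security[^;]*max-age=\([0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$max_age" ]; then
        echo "Strict-Transport-Security: header missing"
    elif [ "$max_age" -lt 15552000 ]; then
        echo "Strict-Transport-Security: max-age $max_age is under 180 days"
    fi

    # ALLOW-FROM is ignored by current browsers and "URI" above is a literal
    # placeholder; CSP frame-ancestors is what browsers actually enforce.
    printf '%s\n' "$conf" | grep -iE 'x-frame-options[^;]*ALLOW-FROM' >/dev/null &&
        echo "X-Frame-Options: ALLOW-FROM is unsupported, rely on CSP frame-ancestors"
    return 0
}

# Constructed sample: the TLS and header directives from the ssl.conf posted above.
sample_weak_conf() {
    cat <<'EOF'
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
add_header x-xss-protection 1;
add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
add_header X-Frame-Options "ALLOW-FROM URI";
EOF
}

# Constructed sample: the same include with every finding above addressed.
sample_hardened_conf() {
    cat <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE+AESGCM:ECDHE+CHACHA20;
add_header X-XSS-Protection "0" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
EOF
}

sample_weak_conf | audit_ssl_conf   # prints the five findings for the posted file
```

Run it as `audit_ssl_conf < ssl.conf` against the real include after each change; the Organizr-driven exceptions above will still show up, which is the point: they are documented deviations, not accidents.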

feerlessleadr

excellent - thanks so much!


  • 3 weeks later...

So... Can't get past the Verification stage for generating a validated SSL cert. Self-signed is in place now but it doesn't work for external connections even though port 8920 is forwarded.

 

Is there no way to get an SSL cert without having access to some DNS or HTTP stuff? I don't have any of that, just a dynamic DNS address pointing to my IP.

 

At https://zerossl.com/free-ssl/#crt my only options are HTTP or DNS verification. I don't have or want an HTTP server (only emby) and I have no idea where one would edit or place a DNS record.

deiniol39

Anybody got this running on a QNAP server? Could do with some help. I have created the DNS and website and port forward on my BT Hub. I'm stuck after this. Keep getting a "this site can't be reached" or "the DNS is incorrect" error. Have copied Swynol's instructions to the letter..

My DNS passthrough works fine.. if I go direct to mydns address:443 (I've pointed it to the Organizr app for now..)

 

Also using a mac as my main PC to make things harder..

KMBanana

Can you access Emby locally within your network at <QNAPIP:EmbyHttpPort>?  For example 192.168.1.55:8096?    What about the https port?  

 

Edit: Found this post from a while back that seems to indicate the QNAP doesn't like self signed certs, how'd you get your certificate?  https://emby.media/community/index.php?/topic/31955-ssl-certificate-problems/ 


deiniol39

Everything works as it should except I can't access the damn thing externally through a webpage.. Want to be able to access all my stuff with the reverse proxy.. Not sure where to put the conf file for Nginx in QNAP.. I read that you put something here but I'm not sure: /opt/qnginx/etc/nginx

 

 

I used SSL for free to get cert..

KMBanana

A few potential things.  

If you haven't setup nginx, nginx won't forward automatically to Emby.  

If organizr is listening on 443, what port is nginx listening on?

A fairly recent change means that if you are using a reverse proxy with "Require https for external connections" checked, you will need to forward traffic from your reverse proxy to Emby's https port. Earlier instructions said to pass traffic to the regular non-SSL http port.
