
Let's Encrypt for Emby


hatharry


tyr_88

it reads my IP totally different than what it is or emby reads it for login even that one I have to force through my (HTTP) IP as https:// for it to even work my WAN will not work

 

DUC is as far I can get

 

 

 

We are not allowed to modify or replace Routers this is strict I have never needed modification anyways we have the fastest up to date net in State on 100mb now it is the lowest package

 

I made firewall rules TCP UDP no go

 

The noip talks about port 80 it is open and fine

 

Port attached to emby is dead link

 

 

I will do video of it when I get time to install editing software I think they help much more than explaining in text

Edited by tyr_88
Link to comment
Share on other sites

jordy

@jordy, must be a *.ddns.net issue, I will look into it

tks. If it makes any difference, it is a "Free" account, as in, it needs to be confirmed every 30 days to keep it valid & active.

Link to comment
Share on other sites

ToddSexington

Thanks for attempting to help Luke, I appreciate it. Hopefully I can get this up and running so that I can make a meaningful comparison to Plex.

 

I can't even get the ports forwarded yet. 

 

When trying to forward to ending port 8096 on the LAN from starting port 80, I get the error message Remote port range [80-8920] is in used. Please select other ports

 

When trying to forward starting port 80 to ending port 8920 with the WAN URL, I get the error: Remote port range [80-8920] is in used. Please select other ports.

 


 

Should I be setting the public ports to 80 in the Advanced settings area instead of 8096 and 8920?

 


Link to comment
Share on other sites

Why not just leave the ports at default? If you want to use port 80 externally when away from home, then you need to configure that as public port number, but you can't use the same values for both http and https. 

 

But in addition to that, you may also need to configure port forwarding in your router. Emby Server will try to do this automatically, but port 80 always brings additional complication so you may need to review it manually in your router setup.

Link to comment
Share on other sites

Tur0k

Yea, I would not do port translations if at all possible.

 

I would recommend leaving the port configuration in your Emby server alone.

 

To start, I would recommend either setting up a static IP address on your Emby server or, if your router supports it, DHCP reserve an IP address on your Emby server. This will ensure that your Emby server always gets the same IP address.

 

If you are running on Windows, ensure that you are unblocking access on port 8096 and 8920 in your inbound rules of the advanced firewall rules menu.

Let us know if you need help with this.

At this point you should be able to access your Emby install within your home network.

 

To allow access from the public Internet to your Emby server you would need to decide whether you want to allow unencrypted traffic through your firewall or only secured traffic. If you want to allow unencrypted traffic through your firewall you will need to create a port forwarding rule to forward traffic from port 8096 coming into your router to port 8096 of the IP address assigned to your Emby server.

For secured traffic forwarding create a port forwarding rule for incoming port 8920 into your router to port 8920 of the IP address assigned to your Emby server.

Let us know which router you own and someone on these forums likely has a similar unit and can help.

 

This should be the basic steps to get you up and running.

 

 

Sent from my iPhone using Tapatalk

Edited by Tur0k
Link to comment
Share on other sites

ToddSexington

Thanks guys, 

 

I set up port forwarding on the router using the default ports, 8096 for http and 8920 for https. Settings in Emby are unchanged, 8096 to 8096 and 8920 to 8920. I manually connected with an Android client over cell data, so that's a success. As part of connecting by Android, it accepted an Emby certificate. Everything looks golden there. 

 

Now back to the iOS problem. I was trying to follow the script procedure at the top of this thread, but the port 80 part wasn't working. 

 

I'll switch to trying the method posted in the link. https://mythofechelon.co.uk/blog/2017/01/01/lets-encrypt-emby-server-and-windows

Link to comment
Share on other sites

Tur0k

Thanks guys,

 

I set up port forwarding on the router using the default ports, 8096 for http and 8920 for https. Settings in Emby are unchanged, 8096 to 8096 and 8920 to 8920. I manually connected with an Android client over cell data, so that's a success. As part of connecting by Android, it accepted an Emby certificate. Everything looks golden there.

 

Now back to the iOS problem. I was trying to follow the script procedure at the top of this thread, but the port 80 part wasn't working.

 

I'll switch to trying the method posted in the link. https://mythofechelon.co.uk/blog/2017/01/01/lets-encrypt-emby-server-and-windows

Ok, a few questions:

1. Which OS version of iOS are you running?

2. Are you attempting to connect from inside your network or outside of it?

3. Are you using a FQDN (ex: mydomain.net)/DDNS (ex: mysubdomain.dyndns.org) or a physical IP address when attempting to connect? If so which type?

 

Have you used Mxtoolbox to confirm the right ports are open?

 

 

Sent from my iPhone using Tapatalk

Link to comment
Share on other sites

ToddSexington

Ok, a few questions:

1. Which OS version of iOS are you running? 10.3.1 (14E304)

2. Are you attempting to connect from inside your network or outside of it? Both. It's fine from inside via wifi, but can't do it from outside on cell data. 

3. Are you using a FQDN (ex: mydomain.net)/DDNS (ex: mysubdomain.dyndns.org) or a physical IP address when attempting to connect? If so which type? I'm trying to use the external IP of the Emby server. It worked fine on Android. Not surprising that it's more difficult for Apple. 

 

Have you used Mxtoolbox to confirm the right ports are open? I think the ports are fine, it's the ssl certificate that seems to be the hangup. 

 

 

Sent from my iPhone using Tapatalk

 

I am trying to follow the link, but it's way deeper than I thought. If I hit any more roadblocks, I might just abandon ship.

Link to comment
Share on other sites

Tur0k

That looks like a lot of work. I think this is doable if we go slow.

 

 

Sent from my iPhone using Tapatalk

Edited by Tur0k
Link to comment
Share on other sites

Jdiesel

Question, does the pfx need to be re-generated each time the LetsEncrypt certs are renewed?

Link to comment
Share on other sites

ToddSexington

What step have you reached this far?

 

 

Sent from my iPhone using Tapatalk

I've created a domain name. I've bound it to a directory on my C:. I've forwarded port 80 starting to port 80 ending. Canyouseeme can't seem to see this port. 

 

I've basically finished step 2. 

 

I would literally give you 20 bucks to remote in and help me in this monstrosity haha

 

I think I may have missed something in the IIS part, I'm getting an error Automated configuration checks failed when trying step 3. 

Edited by ToddSexington
Link to comment
Share on other sites

Tur0k

I've created a domain name. I've bound it to a directory on my C:. I've forwarded port 80 starting to port 80 ending. Canyouseeme can't seem to see this port.

 

I've basically finished step 2.

 

I would literally give you 20 bucks to remote in and help me in this monstrosity haha

Ok, that IIS site will sit logically between your router and the EMBY server application. If it is hosted on the same server you will need to do some port translations to get your configuration working. Send me a PM, I am about to leave work on vacation. I have a kindergarten informational meeting tonight for my kid but after that I am free. I am pretty sure we can knock this out pretty quickly.

 

 

Sent from my iPhone using Tapatalk

Link to comment
Share on other sites

tyr_88

Why not just leave the ports at default? If you want to use port 80 externally when away from home, then you need to configure that as public port number, but you can't use the same values for both http and https. 

 

But in addition to that, you may also need to configure port forwarding in your router. Emby Server will try to do this automatically, but port 80 always brings additional complication so you may need to review it manually in your router setup.

 

 

MY default port will only work if I use my HTTP true IP and force HTTPS using its port 8920

 

No other IP including emby stock for my WAN IP nor the IP created from noip will work

 

 

This is using 8920 & 80

 

 

I have the emby cert it makes when forced I don't see a need to open anything else ports are good

 

 

 

Cannot make to the powershell step because of this as mentioned above or did I skip something I removed DUC already though man that thing buries some files and REG keys all in REG

 

 

 

 

If I can figure out more advanced things which I have been studying since I am out of date but it's more new to media serve I would be happy to take on extensive explanations or video tutorials to help the community and bring new people in I find lots of post searching Luke seems to be a mid toss up between here and other Media sources.

 

For now I am piddling with K just for the heck of it I am on standstill I may go talk to Brink on tenF he is a code Windows master

Edited by tyr_88
Link to comment
Share on other sites

ToddSexington

If Plex can run natively no sweat on iphone, there must be a way for Emby to do it seamlessly. An explanation or tutorial would be amazing, but someone at my user level might need a tutorial for the tutorial! I haven't done much deep config and setup stuff, and I'm feeling the pinch on that for sure. 

Link to comment
Share on other sites

If Plex can run natively no sweat on iphone, there must be a way for Emby to do it seamlessly. An explanation or tutorial would be amazing, but someone at my user level might need a tutorial for the tutorial! I haven't done much deep config and setup stuff, and I'm feeling the pinch on that for sure. 

 

Because they provide you with a domain name which they own that points to your ip address and they use that domain name to obtain a trusted cert.

 

Emby works with SSL just fine, but you need a domain name and an SSL cert that your devices will accept, like LetsEncrypt for example.

  • Like 1
Link to comment
Share on other sites

Tur0k

MY default port will only work if I use my HTTP true IP and force HTTPS using its port 8920

Are you attempting to access your Emby server via your local LAN or from the public Internet?

 

Did you assign your Emby server a static IP address or DHCP reserve an IP address for it in the DHCP server on your firewall/router?

 

Is your Emby server hosted on windows? If so you may be blocking inbound requests on 8096 if you didn't setup/enable an inbound advanced firewall rule.

 

 

 

Sent from my iPhone using Tapatalk

Edited by Tur0k
Link to comment
Share on other sites

  • 2 weeks later...
Gronnie

Thanks for the script, got it working great with my existing free DDNS service (duckdns.org).

 

I do have a couple questions though:

 

1. I couldn't get it working until I forwarded Port 80 to my server. Do I have to leave this port open now that the certificate is installed? I am using a different port than 80 for Emby SSL connection.

 

2. Do I need to periodically rerun the script to get a new certificate? How long is it good for and how do I know prior to it expiring to get a new one?

 

Thanks again, this is awesome!!!

Edited by Gronnie
Link to comment
Share on other sites

hatharry

@Gronnie, port 80 is safe to close while the script is not running. Certs are valid for 90 days. Let's Encrypt should hopefully send you an email or you can set a task. Rerun the script after the cert has expired.

Link to comment
Share on other sites

Gronnie

@Gronnie, port 80 is safe to close while the script is not running. Certs are valid for 90 days. Let's Encrypt should hopefully send you an email or you can set a task. Rerun the script after the cert has expired.

 

Great, thanks for the reply.

 

Will setting the script to run automatically every 89 days work, or does the cert have to be expired? If there is any downtime I will lose some WAF (wife approval factor) but I really want to only use SSL externally.

Link to comment
Share on other sites

jordy

@hatharry, is there any difference between the Emby certificate and one issued by LetsEncrypt?

 

Sent from my HUAWEI MT7-L09 using Tapatalk

Link to comment
Share on other sites

  • 2 weeks later...
Swynol

@hatharry, is there any difference between the Emby certificate and one issued by LetsEncrypt?

 

Sent from my HUAWEI MT7-L09 using Tapatalk

 

If you mean the cert that Emby creates for you, then yes, there's a difference. Emby uses a self-signed cert. They both encrypt the traffic; however, a trusted cert from Let's Encrypt is verified using a CA (certificate authority), which means it's trusted and all browsers trust it.

 

If you use a self-signed cert without importing it into your browser, then you will get an error when HTTPS connecting to Emby. The error just says it's a self-signed cert and might not be trusted; you can click to continue to your Emby site.

Link to comment
Share on other sites

  • 3 weeks later...
Gronnie

If you mean the cert that Emby creates for you, then yes, there's a difference. Emby uses a self-signed cert. They both encrypt the traffic; however, a trusted cert from Let's Encrypt is verified using a CA (certificate authority), which means it's trusted and all browsers trust it.

 

If you use a self-signed cert without importing it into your browser, then you will get an error when HTTPS connecting to Emby. The error just says it's a self-signed cert and might not be trusted; you can click to continue to your Emby site.

Except some of the apps (iOS being one of them) offer you no way of accepting the "untrusted" certificate, meaning you either get a certificate it will use or can't use SSL.

Link to comment
Share on other sites
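
Added example, not part of any post in this thread and not the script from the first post: a PowerShell check for the two certificate properties discussed above, whether a cert is self-signed or chains to a trusted CA, and how many days of validity remain. The function names, the `emby.example.test` host name and the 30-day threshold are assumptions; it needs PowerShell 7, or Windows PowerShell 5.1 with .NET Framework 4.7.2 or later.

```powershell
# Added example (not from the thread). Reports whether a certificate is
# self-signed, whether this machine trusts its chain, and days until expiry.
function Get-CertStatus {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [int]$RenewWithinDays = 30   # assumption: flag renewal 30 days before expiry
    )
    # Build the chain against the machine's trusted roots, as a client would.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keeps the check offline
    $trusted  = $chain.Build($Cert)
    $daysLeft = [int][math]::Floor(($Cert.NotAfter - (Get-Date)).TotalDays)
    [pscustomobject]@{
        Subject      = $Cert.Subject
        SelfSigned   = ($Cert.Subject -eq $Cert.Issuer)
        ChainTrusted = $trusted
        ChainErrors  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        DaysLeft     = $daysLeft
        RenewNow     = ($daysLeft -le $RenewWithinDays)
    }
}

function Get-RemoteCert {
    # Fetches the certificate a server presents so it can be inspected.
    param([string]$HostName, [int]$Port = 8920)   # 8920: the https port used in the thread
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Validation is skipped only to read the cert; no data is sent over this session.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $tcp.Dispose() }
}

# Constructed sample input: an in-memory self-signed cert valid for 90 days.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=emby.example.test', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$now    = [DateTimeOffset]::UtcNow
$sample = $req.CreateSelfSigned($now, $now.AddDays(90))
Get-CertStatus -Cert $sample
# Against a server you run: Get-CertStatus -Cert (Get-RemoteCert 'emby.example.test')
```

Run from a scheduled task, the `RenewNow` field gives a renewal trigger that does not depend on the reminder email.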
