Let's Encrypt for Emby


hatharry
We're using WKWebView for iOS and it does not offer an API to manually accept certificates. There is an open ticket with WebKit about this, so hopefully it gets resolved for iOS 11.

 

However, even if this gets done, accepting self-signed certs is not the direction we want to go in, because there will still be lots of other platforms where it just isn't possible to force it to be accepted.


With how easy it is to get a Let's Encrypt cert these days I don't think it's really an issue.

 

To the average user, using HTTP will be fine for them. If someone is more security conscious, then enabling HTTPS starts with getting your own cert, not by using a self-signed cert.


  • 1 month later...

I've installed this and it has been running smoothly for 60+ days.

Today I received a notification from Let's Encrypt that the certificate will expire in 19 days.

Running the script gives this output:

 
IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier     : xxxxx.ddns.net
Uri            : 
Status         : pending
Expires        : 8/18/2017 6:52:11 AM
Challenges     : {, , }
Combinations   : {0, 1, 2}
An item with the same key has already been added.
 
 
I will go on holiday in a week and I need this for my chromecast that I will take with me.
Any suggestions?
What should I do ?
Edited by milanp

@milanp I've updated the script to make a new cert every time the identifier expires. This should allow the creation of a new cert before the old one expires.

Edited by hatharry

Many thanks for your effort and prompt response Hatharry.

Unfortunately, I am facing the same output with the updated script:

An item with the same key has already been added.

This is what I did:

0. Rebooted the server to stop any PowerShell scripts running
1. Started a command prompt as administrator
2. Started PowerShell
3. Started Emby-Acme.ps1 with Emby Server running

and got the message:

An item with the same key has already been added.

After that I rebooted the server, to avoid any PowerShell scripts running, and stopped the Emby server.

Tried the script again, and got the same message.

The folder c:\users\..\AppData\Roaming\Emby-Server\ssl has the old pfx file.

What should I try next ?


Meanwhile I renamed the old certificate in the ssl folder of Emby-Server.

Reran the script and got this output:

IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier     : xxxxx.ddns.net
Uri            : 
Status         : pending
Expires        : 8/18/2017 10:38:42 AM
Challenges     : {, , }
Combinations   : {0, 2, 1}
An item with the same key has already been added

The Combinations line is different. With the old script:
Combinations   : {0, 1, 2}
With the new script:
Combinations   : {0, 2, 1}

Any ideas?
Edited by milanp

Hatharry,

The script works as it should.

The problem was my configuration of Microsoft IIS.

Thanks.

What was wrong with your IIS config? I'm running into the same "an item with the same key has already been added" error


I have been trying to get this to work all afternoon on my 2012 R2 server. I can't seem to get it past the verification challenge. I keep getting "an item with the same key has already been added" at that part.


All the information I found on the internet about Let's Encrypt was stating that the Windows implementation relies heavily on MS IIS.

The script from Hatharry was perfect for me, it configured everything and I never bothered to learn more, until I ran into a problem.

Looking through the web, especially here:

https://mythofechelon.co.uk/blog/2017/01/01/lets-encrypt-emby-server-and-windows

I checked the IIS server manager, and found out that I had not configured IIS for Emby at all.

I added the website for Emby server in IIS, and the certificate problem was gone.

If you need details, follow the excellent guide in the link, Step 2: IIS, 11. Configure the web site ...


My 

 

All the information I found on the internet about Let's Encrypt was stating that the Windows implementation relies heavily on MS IIS.

The script from Hatharry was perfect for me, it configured everything and I never bothered to learn more, until I ran into a problem.

Looking through the web, especially here:

https://mythofechelon.co.uk/blog/2017/01/01/lets-encrypt-emby-server-and-windows

I checked the IIS server manager, and found out that I had not configured IIS for Emby at all.

I added the website for Emby server in IIS, and the certificate problem was gone.

If you need details, follow the excellent guide in the link, Step 2: IIS, 11. Configure the web site ...

Thanks for the reply but my problem is different. ACMESharp is not loading the IIS handler for some reason, which is breaking the script. I finally gave up last night and did what I should have months ago. I added a second Let's Encrypt cert for Emby to my Synology NAS. I set up a scheduled task to renew it monthly so I know exactly when it renews instead of "about a month before it expires". The script then exports the cert to a share and Emby loads that one. No need to have a useless IIS install.

Edited by totalhavoc

SilentException

Thanks for the script @hatharry
 
As I recently struggled to get this thing working, here are some insights on what I needed to do and add in the script to get things working.
 
1. Don't forget to run PowerShell as Administrator :)
 
2. Don't touch the port configuration under Emby Advanced settings. ACMESharp doesn't use the Emby HTTP server to authenticate your server but the built-in Windows IIS HTTP server.
 
3. You will need to forward a port on your router while first running or renewing your certificate. Forward port 80 to your server IP port 80 (or whatever port your IIS is running on). The important part is that the external port should be 80.
 
4. The instructions in the first post about changing the email were a bit unclear, as the script contains two "mailto:" parts. Basically, change this line:
New-ACMERegistration -Contacts mailto:mailto:somebody@example.org -AcceptTos
to this (replace the address with your email):
New-ACMERegistration -Contacts mailto:john.doe@example.com -AcceptTos

5. I also had issues because my hostname started with a digit. As the alias is created from the hostname, and an alias cannot start with a digit, I replaced the alias creation code:
$alias = "$($address.Split(".")[0])-$(get-date -format yyyy-MM-dd--HH-mm)"
with the string "emby-" added at the beginning of the alias:
$alias = "emby-$($address.Split(".")[0])-$(get-date -format yyyy-MM-dd--HH-mm)"
Also keep in mind that the total alias length shouldn't exceed 50 characters and it has some other restrictions as well. Basically use alphanumeric characters, _, -, + and you should be fine. Or change the alias creation not to include the hostname altogether.
 
6. Finally, and perhaps most important, the ACMESharp IIS handler was not present on my machine and that was the reason for the "An item with the same key has already been added." error. The script needs to be modified (the two lines marked "added" are the new ones):
Install-PackageProvider -Name NuGet -Force
Install-Module -Name ACMESharp -AllowClobber -Force
Install-Module -Name ACMESharp.Providers.IIS -Force               # added: install the IIS challenge-handler provider
Import-Module ACMESharp
Enable-ACMEExtensionModule -ModuleName ACMESharp.Providers.IIS    # added: register the provider with ACMESharp
if (-not (Get-ACMEVault)){
    Initialize-ACMEVault
}

This will force install and enable the ACMESharp IIS provider.
 
 
OK, hope that helps someone save the couple of hours I wasted. But at least I have a certificate now.
 
What would be awesome functionality to add to the script is UPnP or a web request to the router to enable port forwarding at script start and disable it on script end.

Edited by SilentException
  • Like 2
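Item 5 above lists the alias rules that tripped the script (no leading digit, only alphanumerics plus _, - and +, at most 50 characters). The following is an added example, not SilentException's script or ACMESharp's own code: a small PowerShell helper that builds the alias from the hostname while enforcing those rules, so a hostname with a leading digit or unusual characters cannot produce an alias the vault rejects. The "emby-" prefix and date suffix follow the post's own format; the function names are this example's.

```powershell
# Added example: derive a safe ACMESharp identifier alias from a hostname.
# Rules enforced (from the post above): no leading digit, characters limited to
# A-Z a-z 0-9 _ - +, total length at most 50.

function Test-AcmeAlias {
    param([string]$Alias, [int]$MaxLength = 50)
    # First character may not be a digit; the rest are restricted to the allowed set
    return ($Alias.Length -le $MaxLength) -and
           ($Alias -match '^[A-Za-z_+-][A-Za-z0-9_+-]*$')
}

function New-EmbyAcmeAlias {
    param(
        [Parameter(Mandatory = $true)][string]$Address,   # e.g. 'xxxxx.ddns.net'
        [string]$Prefix = 'emby-',                        # guarantees a non-digit first character
        [int]$MaxLength = 50
    )

    # First DNS label only, as in the original script
    $label = $Address.Split('.')[0]

    # Strip anything outside the allowed set instead of passing it through
    $label = $label -replace '[^A-Za-z0-9_+-]', ''

    $suffix = '-' + (Get-Date -Format 'yyyy-MM-dd--HH-mm')

    # Truncate the hostname part, never the prefix or the timestamp, so the
    # alias stays unique per run even for long hostnames
    $room = $MaxLength - $Prefix.Length - $suffix.Length
    if ($room -lt 1) { throw "Prefix and timestamp alone exceed $MaxLength characters" }
    if ($label.Length -gt $room) { $label = $label.Substring(0, $room) }

    $alias = "$Prefix$label$suffix"
    if (-not (Test-AcmeAlias -Alias $alias -MaxLength $MaxLength)) {
        throw "Generated alias '$alias' violates the alias rules"
    }
    return $alias
}

# Usage: a hostname starting with a digit, which the original alias format rejected
New-EmbyAcmeAlias -Address '123home.ddns.net'
```

Replacing the `$alias = ...` line in the script with `$alias = New-EmbyAcmeAlias -Address $address` keeps the rest of the script unchanged.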

SilentException

Me again. Since I hate doing anything manually and script/schedule as much as I can, I've now found a simple way to open a port on the router using UPnP and have created a simple wrapper script to

- open a port

- call Let's Encrypt script to get/update certificate

- close a port

 

You need the script from the first post, the PortMapper JAR and this wrapper script in the same folder. Also, Java. Create a scheduled task calling this wrapper script and forget thinking about refreshing the certificate :)

# Open the mapping; -Wait so the renewal does not start before the router has it
Start-Process -NoNewWindow -Wait -FilePath javaw -ArgumentList '-jar', 'portmapper-2.0.0.jar', '-add', '-internalPort', '80', '-externalPort', '80', '-protocol', 'tcp', '-description', 'TempIIS'
# Run the Let's Encrypt script from the first post
& ".\Emby-LetsEncrypt.ps1"
# Remove the mapping again; -Wait so the wrapper does not exit before it is gone
Start-Process -NoNewWindow -Wait -FilePath javaw -ArgumentList '-jar', 'portmapper-2.0.0.jar', '-delete', '-externalPort', '80', '-protocol', 'tcp'

Just replace Emby-LetsEncrypt.ps1 with the filename you have for the script from the first post.

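The wrapper above runs the three steps in sequence, so if the renewal script throws (for example the "item with the same key" error discussed earlier in the thread) the delete step never runs and port 80 stays forwarded to the IIS host until the next scheduled run. The following is an added example, not SilentException's wrapper or PortMapper's own code: the same open/renew/close sequence wrapped in try/finally so the temporary mapping is always removed. It assumes the renewal script is .\Emby-LetsEncrypt.ps1 and portmapper-2.0.0.jar sits beside it, uses the PortMapper switches from the post, and assumes PortMapper returns a non-zero exit code on failure.

```powershell
# Added example: UPnP wrapper that always removes the temporary port-80 mapping.
$ErrorActionPreference = 'Stop'
$jar         = Join-Path $PSScriptRoot 'portmapper-2.0.0.jar'   # assumption: same folder
$renewScript = Join-Path $PSScriptRoot 'Emby-LetsEncrypt.ps1'   # assumption: script from the first post

function Invoke-PortMapper {
    param([string[]]$Arguments)
    # java (not javaw) so the process has a console and its exit code is observable;
    # -Wait so the mapping exists before we continue (and is gone before we exit)
    $p = Start-Process -FilePath 'java' -ArgumentList (@('-jar', $jar) + $Arguments) `
                       -NoNewWindow -Wait -PassThru
    return $p.ExitCode   # assumption: PortMapper exits non-zero when the request fails
}

$opened = $false
try {
    $rc = Invoke-PortMapper @('-add', '-internalPort', '80', '-externalPort', '80',
                              '-protocol', 'tcp', '-description', 'TempIIS')
    if ($rc -ne 0) { throw "PortMapper could not add the mapping (exit code $rc)" }
    $opened = $true

    # Renewal runs only while the mapping is known to be in place
    & $renewScript
}
finally {
    if ($opened) {
        # Executes on success, on an error in the renewal script and on Ctrl+C,
        # so the forwarded port does not outlive the renewal
        $rc = Invoke-PortMapper @('-delete', '-externalPort', '80', '-protocol', 'tcp')
        if ($rc -ne 0) {
            Write-Warning "Mapping was not removed (exit code $rc); delete it on the router manually"
        }
    }
}
```

The $opened flag matters: if the add step itself fails there is nothing to delete, and a blind delete would hide that the router never accepted the request in the first place.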

  • 2 months later...
WilhelmStroker

I used the script from the first post to install a Let's Encrypt script a few months back, and as I just got the email to renew, I re-ran the script. I'm getting the following errors:

Name                           Version          Source           Summary
----                           -------          ------           -------
nuget                          2.8.5.208        https://onege...NuGet provider for the OneGet meta-package manager
WARNING: The version '0.9.1.326' of module 'ACMESharp' is currently in use. Retry the operation after closing the
applications.
WARNING: The version '0.9.1.326' of module 'ACMESharp' is currently in use. Retry the operation after closing the
applications.
Unable to load one or more of the requested types. Retrieve the LoaderExceptions property for more information.

 

Not sure what to look at to resolve this... anyone any ideas?


I also got the error

Unable to load one or more of the requested types. Retrieve the LoaderExceptions property for more information.

 

Uninstalling the ACMESharp modules prior to running the script seemed to fix that, although it took a restart for the uninstall to run without errors.

 

uninstall-module ACMESharp.Providers.IIS

uninstall-module ACMESharp

 

After doing that, running the script started giving "failed to resolve extension link" errors. That was caused by the extension link file pointing to the old version. So I edited that file (C:\ProgramData\ACMESharp\sys-exts\ACMESharp.Providers.IIS.extlnk) to point to the new version, and after that it finally seemed happy enough to run.


  • 3 weeks later...
WilhelmStroker
I kept getting the error "an item with the same key has already been added" when running the script to renew my certificate.
In the end I used the manual steps from https://mythofechelon.co.uk/blog/2017/01/01/lets-encrypt-emby-server-and-windows
Certify failed with an error that config checks failed to verify IIS can serve extensionless files.
I also got an HTTP 500 error when browsing to the C:\inetpub\Emby\.well-known\acme-challenge website (same from external).
In the end a combination of the steps from the first post here:
https://github.com/ebekker/ACMESharp/issues/15

fixed the issue. 

I'll definitely give the script another go in 3 months to see if the item with the same key error was related to the extensionless files issue.


 

I kept getting the error "an item with the same key has already been added" when running the script to renew my certificate.

In the end I used the manual steps from https://mythofechelon.co.uk/blog/2017/01/01/lets-encrypt-emby-server-and-windows

Certify failed with an error that config checks failed to verify IIS can serve extensionless files.

I also got an HTTP 500 error when browsing to the C:\inetpub\Emby\.well-known\acme-challenge website (same from external).

In the end a combination of the steps from the first post here:

https://github.com/ebekker/ACMESharp/issues/15

fixed the issue. 

I'll definitely give the script another go in 3 months to see if the item with the same key error was related to the extensionless files issue.

 

I got the same error "an item with the same key has already been added"

 

I got it working by renaming C:\ProgramData\ACMESharp to ACMESharp.old, then running the script again.

Think it's something with the files in C:\ProgramData\ACMESharp\sysVault

Edited by etrax

  • 2 months later...
WilhelmStroker

I got the same error "an item with the same key has already been added"

 

I got it working by renaming C:\ProgramData\ACMESharp to ACMESharp.old, then running the script again.

Think it's something with the files in C:\ProgramData\ACMESharp\sysVault

 

That didn't work for me as I received the same error "an item with the same key has already been added" after renaming that folder and rerunning the script. The cert renewed without issues through Certify The Web though.


  • 3 months later...
FesterHead

Aloha all -

 

Given:

  • Let's Encrypt successfully configured and automated on a Synology NAS
  • Emby Server installed, configured, and operational on a Windows machine
  • Synology NAS and Emby Server on same lan
  • WORKING_FOLDER "Z:\OpenSSL - Let's Encrypt", this is a network share mapped to the Synology drive, it could be anywhere
  • Latest Win64 OpenSSL installed from Shining Light Productions
  • PFX will have no password, add it to the script and Emby if you'd like

Caveat:

  • While Let's Encrypt is automated on the Synology NAS, this procedure is not
  • I set calendar reminders to do this every three months

Disclaimer:

  • This WORKS FOR ME
  • Your mileage, experience, and outcome may vary
  • Not responsible for destroyed systems
  • If in doubt, don't go out; turn around, don't drown

 

Step 01 - Log in to Synology and export the Let's Encrypt certificate
Control Panel > Security > Certificate > select DOMAIN that has Let's Encrypt enabled > Export certificate
 
Step 02 - Rename archive.zip to today's date; not really necessary to rename but I keep a historical archive
 
Step 03 - Copy zip file to WORKING_FOLDER and extract overwriting existing files
 
Step 04 - Double-click create_pfx.bat and verify cert.pfx file timestamp updated
 
Step 05 - Log into Emby, enter PFX file path on Expert > Advanced page, and restart to load new certificate; my path looks like:
\\192.168.86.26\home\OpenSSL - Let's Encrypt\cert.pfx
Contents of the create_pfx.bat file:
@echo off
rem Change to the working folder (the network share mapped as Z:)
pushd "Z:\"
cd "OpenSSL - Let's Encrypt"
rem Bundle the Synology-exported key, certificate and chain into a PFX with an empty password
C:\OpenSSL-Win64\bin\openssl.exe pkcs12 -export -out cert.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:
popd
Enjoy and have a great day.

 

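Step 04 above relies on eyeballing the cert.pfx timestamp to know the export worked. The following is an added example, not FesterHead's create_pfx.bat: the same OpenSSL export written as a PowerShell function that then loads the PFX the way Emby will and checks it actually carries a private key and is not about to expire, before you point Emby at it in Step 05. It assumes OpenSSL at C:\OpenSSL-Win64\bin\openssl.exe and the Synology export files privkey.pem, cert.pem and chain.pem in the working folder, as in the post; the 7-day freshness margin and the function name are this example's own.

```powershell
# Added example: build the PFX and verify it before restarting Emby.
function New-EmbyPfx {
    param(
        [string]$WorkingFolder = "Z:\OpenSSL - Let's Encrypt",            # from the post
        [string]$OpenSsl       = 'C:\OpenSSL-Win64\bin\openssl.exe',     # from the post
        [string]$OutFile       = 'cert.pfx',
        [int]$MinDaysLeft      = 7                                        # this example's margin
    )
    $pfx = Join-Path $WorkingFolder $OutFile

    # Same export as the batch file: private key + leaf cert + chain, empty password
    & $OpenSsl pkcs12 -export -out $pfx `
        -inkey    (Join-Path $WorkingFolder 'privkey.pem') `
        -in       (Join-Path $WorkingFolder 'cert.pem') `
        -certfile (Join-Path $WorkingFolder 'chain.pem') `
        -password 'pass:'
    if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed with exit code $LASTEXITCODE" }

    # Load the PFX as Emby will; a stale Synology export or a key/cert mismatch shows up here
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfx, '')
    if (-not $cert.HasPrivateKey) {
        throw "$pfx contains no private key; Emby cannot serve TLS with it"
    }
    $daysLeft = ($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt $MinDaysLeft) {
        throw "Certificate in $pfx expires in $([int]$daysLeft) days; the exported archive is probably old"
    }

    # Summary the caller can log or compare against the previous run
    [pscustomobject]@{
        Path       = $pfx
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
    }
}

# Usage: run after extracting the new Synology archive into the working folder (Step 03)
New-EmbyPfx
```

Comparing the returned Thumbprint with the one from the previous quarter is a quick way to confirm that a new certificate, not the old one, went into the PFX.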

  • 2 months later...
larsonDigital

By chance does somebody have a step-by-step using CertifyTheWeb to create the Let's Encrypt SSL Certificate for Emby?  Please?!   :)

 

Thanks in advance!

James


larsonDigital

Hello all again,

 

I just saw the tutorial at https://mythofechelon.co.uk/blog/2017/01/01/lets-encrypt-emby-server-and-windows. :D Looks right on!  So a couple of follow-up questions ... I already have a subdomain of my own domain set up for Access Anywhere (VPN & RDP via Essentials Dashboard), which also uses Web Server (IIS), on my Windows Server 2016 Standard server.  As a result, I already have that subdomain set up through nameCheap.com for DDNS and IIS installed and running, so I'm good on the steps in the tutorial up to that point.  To access my server remotely, I go to https://remote.<mydomain>.com/remote.

  1. Will following the tutorial to set up Emby interfere with my existing setup (as explained above)?  I'm thinking not, but trying to be careful.
  2. Following the tutorial, can I use https://remote.<mydomain>.com/media as my domain name to separate it from my remote access (as explained above)?

Thank you for any help with this in advance!!

James


  • 3 months later...

Hello everyone,

 

Fresh noob here - I am trying to set up an SSL certificate to use HTTPS. I have run the script and troubleshot some things but I am stuck with this error now:

 

Did not receive a completed Identifiter
At C:\Users\administrator\Desktop\Emby-Acme.ps1:78 char:13
+             throw "Did not receive a completed Identifiter"
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Did not receive a completed Identifiter:String) [], RuntimeException
    + FullyQualifiedErrorId : Did not receive a completed Identifiter
 
 
 
Here is what I did so far:
 
1)  I edited the script and added my email to this line: New-ACMERegistration -Contacts mailto:mailto:somebody@example.org -AcceptTos
 
2) I ran the script in powershell as admin (but fails with above error)
 
3) In my Emby server settings (Expert -> Advanced), I checked off: allow remote connections to this Emby Server. In the field "External domain", I added a domain name: www.xxx.com (I don't have to actually own this, do I? Can it be any generic domain name that I make up?)
 
Thank you for your help.
 
P.S: I absolutely love Emby! I'll be purchasing a lifetime pass soon ;)
Edited by EmbyMediaz
  • Like 1

3) In my Emby server settings (Expert -> Advanced), I checked off: allow remote connections to this Emby Server. In the field "External domain", I added a domain name: www.xxx.com (I don't have to actually own this, do I? Can it be any generic domain name that I make up?)

 

Well, no, it has to be your domain. How else would people connect to you remotely?

  • Like 1