FR - Native lets encrypt support.

[darkassassin07 428]

Im not sure how feasible this is, but having the ability to acquire and renew letsencrypt certificates would make setting up ssl for us noobs sooo much easier.

This probably wouldn't be an out of the box one click solution, but at least being able to punch in a domain name, open port 80 (or configure dns records) and have emby take care of the CSR and receiving, converting, and installing the .pfx

(with either emby hosting a server on 80, being pointed at your own server dir, or providing you with dns record entries) would be so appreciated.

 

 

After taking three days to get and correctly configure an ssl cert on my own server, I think better support for this really needs to be sorted out

Edited July 29, 2017 by darkassassin07

[Luke 37099]

It's a nice idea for the future.

[sjpotter 12]

So my FR was closed and pointed to this. (almost 3 years old, so who knows if progress will be made on it)

It's not 100% the same.  To me, this reads as setup issue, while even for those who do get it up up (took me all of 5-10 minutes to do), the way Emby deals with the certificates would require manual intervention every couple of months (i.e. to regenerate the pkcs12 file).  It would seem better if Emby could just use the raw files produced by certbot/letsencrypt directly as users already have mechanism in place to generate updates certificates.

Now, I think its possible to solve this outside of Emby (i.e. perhaps using the hooks mechanism that certbot/letsencrypt has built in.  One would add a hook to generate the pkcs12 file into the proper location and to restart emby (or better yet, kick emby so that it doesn't restart, just uses the updates file for future tls connections).

 

Edited April 12, 2020 by sjpotter

[darkassassin07 428]

I responded to another thread that fits here too.

 

I get the appeal from an end-user perspective, hell it's my feature request from 3 years ago when I just started; but from the emby teams point of view I get why it's just not worth implementing for the time being.

 

There are plenty of people on the forums happy to help others with their own implementations for those that actually care about setting up ssl.

 

The time required to implement this into emby, then support those that complain to emby about it inevitably failing on edge-cases like no port 80, no dns api access, or just straight up user-error is just not worth it when that time could be spent on more useful improvements/requests.

[sjpotter 12]

which is why I proposed a workaround.

1) enable emby to "restart" without killing existing connections (probably a valuable feature as it is)

2) we end users can work on figuring out how to add the proper letencrypt hooks to rebuild what emby needs and to "restart" emby when it's ready