Pottie, posted October 29, 2017

Hello. I've been trying to create an SSL certificate for my Emby Server for hours. I have a Linux Arch root server with a static IP and a domain at namecheap.com. This instruction link does not work for me. From Part 3 on, "Click on the Verify links to check that the TXT records are working", there is always an error:

    No TXT Record Found. Set the TTL to 1 second or if you cannot set the TTL then you must wait the TTL (in seconds) so it updates before verifying the domain.

Are there any alternatives for me?

Luke, posted October 29, 2017

Hi there @Pottie, I have alerted the creator of that document so that the URL can be fixed. Please let us know if this helps. Thanks!

Swynol, posted October 29, 2017

Hi @Pottie, the guide is a little out of date. My fault, I will work on a newer version. The error you are having is fairly common with sslforfree. I now recommend going to zeroSSL instead: https://zerossl.com/

The issue is caused by a number of variables. The first one is the sslforfree website not working correctly. Another reason is sometimes with namecheap; I have had to contact their support a few times when their DNS records aren't updating. So when you enter the record on namecheap it fails to replicate on their servers, and when you click "verify" on SSLforFree it can't find the records. To test this, open a command prompt and type the following, but using your domain name, i.e. _acme-challenge.emby.mydomain.com

    nslookup -q=TXT _acme-challenge.MYDOMAIN.com

Not sure on the command for Linux, sorry. If it fails to come back with the TXT then the DNS is failing to replicate; contact Namecheap and let them know that their DNS isn't updating your records. If it's successful then click the "verify" button on SSLforFree or the alternative ZEROSSL.

The other reason is slow DNS replication. I found after adding the TXT records to namecheap I had to wait 15+ mins before verifying would work. See the command above to check the record has worked before clicking verify.

If none of the above works, there are alternative ways which may be better suited for you as you use Linux, although I have never used them myself. For us Windows users it's a bit more complicated.
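
A Linux version of the propagation check described above, as an added example that is not part of the original thread: it asks every authoritative nameserver of the zone for the `_acme-challenge` TXT record with `dig`, so a stale or negative answer cached by the local resolver does not hide the real state. The zone, record name and expected value are arguments you supply; the function name is made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread.
# Usage: acme_txt_ready <zone> <record-name> <expected-value>
#   e.g. acme_txt_ready mydomain.com _acme-challenge.emby.mydomain.com <token>
# Exit status: 0 = every nameserver serves the value, 1 = at least one does
# not (wait or contact the DNS provider), 2 = no nameservers found.

acme_txt_ready() {
    acme_zone="$1"; acme_name="$2"; acme_expected="$3"; acme_rc=0

    # The record lives in the parent zone, so look up that zone's nameservers.
    acme_servers="$(dig +short NS "$acme_zone")"
    if [ -z "$acme_servers" ]; then
        echo "no NS records found for $acme_zone" >&2
        return 2
    fi

    for acme_ns in $acme_servers; do
        # Query the nameserver directly; +short prints each TXT string in
        # double quotes, which are stripped before comparing.
        acme_answer="$(dig +short TXT "$acme_name" "@$acme_ns" | tr -d '"')"
        if printf '%s\n' "$acme_answer" | grep -qxF -- "$acme_expected"; then
            echo "OK       $acme_ns"
        else
            echo "MISSING  $acme_ns (got: ${acme_answer:-nothing})"
            acme_rc=1
        fi
    done
    return "$acme_rc"
}

# Run the check only when called with all three arguments.
if [ "$#" -ge 3 ]; then
    acme_txt_ready "$1" "$2" "$3"
fi
```

Only click "verify" once every nameserver reports OK; a MISSING line on some servers is the replication problem described in the post.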

Pottie, posted October 30, 2017

Thanks for the answers.

    oem@fieserfettsack ~ $ nslookup -q=TXT _acme-challenge.fettsack.xyz
    Server: 127.0.1.1
    Address: 127.0.1.1#53

    ** server can't find _acme-challenge.fettsack.xyz: NXDOMAIN

I have also tried zerossl and DNS verification, but the same problem. What would be a better and simpler method?

Edited October 30, 2017 by Pottie

Luke, posted October 30, 2017

LetsEncrypt is also a great option.

Pottie, posted November 2, 2017

Thanks for the tip. I have created a certificate. I can't reach the server via the https port. I have already tested different ports. But in the browser, always the note "This website is unavailable." Do you have another idea?

mastrmind11, posted November 2, 2017

> Thanks for the tip. I have created a certificate. I can't reach the server via the https port. I have already tested different ports. But in the browser, always the note "This website is unavailable." Do you have another idea?

Set up a reverse proxy and let the proxy handle https, let emby handle http via the redirect. Tons of documentation on these forums on how to accomplish that.

Pottie, posted November 2, 2017

Created a configuration tonight. I kept it very short and closed the standard port 443. Do you have any suggestions for improvement?

    worker_processes 1;

    events {
        worker_connections 1024;
    }

    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;

        # Port 443: redirect every request to the proxy port below
        server {
            listen 443 ssl;
            listen [::]:443 ssl;
            server_name server.url;
            ssl_certificate /etc/letsencrypt/live/server.url/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/server.url/privkey.pem;
            # The trailing "?" keeps nginx from appending the query string a second time
            rewrite ^ https://server.url:5487$request_uri? redirect;
        }

        # Port 5487: terminate TLS and proxy to Emby's plain-HTTP port
        server {
            listen 5487 ssl;
            listen [::]:5487 ssl;
            server_name server.url;
            ssl_certificate /etc/letsencrypt/live/server.url/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/server.url/privkey.pem;

            location / {
                proxy_pass http://localhost:8096;
                proxy_http_version 1.1;
                # WebSocket upgrade headers
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host;
                proxy_cache_bypass $http_upgrade;
            }
        }
    }

pir8radio, posted November 2, 2017

> Created a configuration tonight. I kept it very short and closed the standard port 443. Do you have any suggestions for improvement?

Why not just use 443 if you are accepting connections on it anyway? You are missing some important options in your reverse proxy script. See this post for some ideas: https://emby.media/community/index.php?/topic/48236-setting-up-emby-behind-a-reverse-proxy-nginx/?p=457670

Edited November 2, 2017 by pir8radio

puithove, posted November 4, 2017

I know you're getting suggestions taking you in different directions, and the reverse proxy is definitely a valid solution with additional benefits. If however you prefer a simpler setup, it's definitely possible to get a LetsEncrypt cert to work directly in Emby, on Arch - that is my setup and it's worked well. You do have to do an extra step to convert it into a different cert format that Emby understands - you do that by passing it through openssl.

    openssl pkcs12 -inkey privkey.pem -in fullchain.pem -export -out embycert.pfx -passout pass:

Make sure to place the resulting .pfx somewhere that the emby user can access, and with permissions that allow read. I like to put it inside Emby's data dir. Then when it's time to renew and letsencrypt pulls a new cert, you just have to re-run the conversion to the same output path and restart emby server so it sees the renewed cert.

Here's a script I use for the renewal (found one somewhere I can't remember and modified it heavily for my own purposes) - I run it weekly via cron, it checks the expiration date and if it's within a certain date range before expiration (I have it set for 30 days) then it'll run the renewal, convert it to pfx, and restart emby server.

    #!/bin/bash
    SSLPORT="8920"
    HOST="dns.host.name.on.cert"
    RENEWDAY="30"
    CMDCERTBOT="/usr/bin/"
    CMDRENEW=$CMDCERTBOT"certbot renew --force-renewal --non-interactive"
    CMDLETSENCRYPT="/etc/letsencrypt/"
    CMDSVCSTOP="/usr/bin/systemctl stop emby-server.service"
    CMDSVCSTART="/usr/bin/systemctl start emby-server.service"
    CMDSSLDEST="/var/lib/emby/certs/"
    LOGPATH="/var/log/certbot/"
    LOGFILE="renew.log"

    # Create the log directory and file on first run
    if [ ! -e "$LOGPATH" ]
    then
        mkdir -p "$LOGPATH"
        touch "$LOGPATH$LOGFILE"
    fi

    # Read the expiry date of the certificate currently served on $HOST:$SSLPORT
    EXPIRYDATE=$(echo "QUIT" | openssl s_client -connect "$HOST:$SSLPORT" 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null | sed 's/notAfter=//g')
    #echo $EXPIRYDATE

    # If the server cannot be reached the date is empty; GNU date would read
    # that as today, and the script would force a renewal on every run.
    if [ -z "$EXPIRYDATE" ]
    then
        echo "Could not read the certificate from $HOST:$SSLPORT" > "$LOGPATH$LOGFILE" 2>&1
        exit 1
    fi

    EXPIRYDATE_epoch=$(date --date "$EXPIRYDATE" +%s)
    CURRENT_DATE_epoch=$(date +%s)
    epochDiff=$(echo "$EXPIRYDATE_epoch" - "$CURRENT_DATE_epoch" | bc)

    ### Get difference of days
    dayDiff=$(echo "$epochDiff"/86400 | bc)

    if [ "$dayDiff" -le "$RENEWDAY" ]
    then
        # Stop Emby, renew, rebuild the .pfx, start Emby again
        $CMDSVCSTOP
        $CMDRENEW > "$LOGPATH$LOGFILE" 2>&1
        openssl pkcs12 -inkey "$CMDLETSENCRYPT"live/"$HOST"/privkey.pem -in "$CMDLETSENCRYPT"live/"$HOST"/fullchain.pem -export -out "$CMDSSLDEST""$HOST".pfx -passout pass:
        $CMDSVCSTART
    else
        echo "There is $dayDiff days left for the certificate of $HOST and the autorenew is allowed at $RENEWDAY days or less" > "$LOGPATH$LOGFILE" 2>&1
    fi

Edited November 4, 2017 by puithove
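
Two checks that fit around the conversion and renewal steps in the post above, as an added example that is not puithove's script: the expiry test reads the certificate file with `openssl x509 -checkend` instead of connecting to the running server, and the conversion writes the passwordless `.pfx` with owner-only permissions and confirms it holds the same leaf certificate as `fullchain.pem` before replacing the old file. The function names and the optional owner argument (the account Emby runs as) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are made up here.

# cert_expires_within <cert.pem> <days>
# Exit status: 0 = expires within <days>, 1 = still good, 2 = cannot read file.
cert_expires_within() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1 || return 2
    # -checkend N succeeds only if the cert is still valid N seconds from now.
    if openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# SHA-256 fingerprint of the leaf certificate in a PEM chain and in a PFX.
fp_pem() { openssl x509 -noout -fingerprint -sha256 -in "$1"; }
fp_pfx() {
    openssl pkcs12 -in "$1" -passin pass: -clcerts -nokeys 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# make_pfx <privkey.pem> <fullchain.pem> <out.pfx> [owner]
# The .pfx has an empty password, so file permissions are its only protection.
make_pfx() {
    pfx_tmp="$(mktemp "$3.XXXXXX")" || return 1   # mktemp creates it mode 0600
    if openssl pkcs12 -export -inkey "$1" -in "$2" -out "$pfx_tmp" -passout pass: &&
       [ -n "$(fp_pfx "$pfx_tmp")" ] &&
       [ "$(fp_pem "$2")" = "$(fp_pfx "$pfx_tmp")" ] &&
       { [ -z "${4:-}" ] || chown "$4" "$pfx_tmp"; }
    then
        mv -f "$pfx_tmp" "$3"   # same directory, so the old file is replaced in one step
    else
        rm -f "$pfx_tmp"        # never leave a half-written key bundle behind
        return 1
    fi
}
```

In a renewal job, `cert_expires_within` on the live `fullchain.pem` decides whether to run certbot at all, and `make_pfx` with the Emby service account as owner replaces the bare `openssl pkcs12` call.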

Luke, posted November 4, 2017

Great info, thanks!