
Simple way to use SSL on Linux Arch


Pottie


Hello.

I've been trying to create an SSL certificate for my Emby Server for hours. I have a Linux Arch root server with static IP...

And a domain at namecheap.com.

This instruction Link does not work for me. From Part 3 on "Click on the Verify links to check that the TXT records are working", there is always an error.

No TXT Record Found. Set the TTL to 1 second or if you cannot set the TTL then you must wait the TTL (in seconds) so it updates before verifying the domain.

 

Are there any alternatives for me?


Hi there @Pottie, I have alerted the creator of that document so that the URL can be fixed. Please let us know if this helps. Thanks!


Swynol

Hi @Pottie

 

The guide is a little out of date. My fault, I will work on a newer version. The error you are having is fairly common with SSLforFree. I now recommend going to ZeroSSL instead. https://zerossl.com/

 

The issue is caused by a number of variables.

 

The first one being the SSLforFree website not working correctly.

 

Another reason is sometimes with Namecheap; I have had to contact their support a few times when their DNS records weren't updating. So when you enter the record on Namecheap it fails to replicate to their servers, and when you click "Verify" on SSLforFree it can't find the records. To test this, open a command prompt and type the following, but using your domain name, i.e. _acme-challenge.emby.mydomain.com

nslookup -q=TXT _acme-challenge.MYDOMAIN.com

Not sure on the command for Linux, sorry.

 

If it fails to come back with the TXT record, then the DNS is failing to replicate; contact Namecheap and let them know that their DNS isn't updating your records.

 

If it's successful, then click the "Verify" button on SSLforFree or the alternative, ZeroSSL.

 

The other reason is slow DNS replication; I found that after adding the TXT records to Namecheap I had to wait 15+ minutes before verifying would work. See the command above to check the record has worked before clicking "Verify".

 

 

 

If none of the above works, there are alternative ways which may be better suited for you as you use Linux, although I have never used them myself. For us Windows users it's a bit more complicated.

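Editor's note, added to this thread (this is not Swynol's, Namecheap's, SSLforFree's or ZeroSSL's tooling): the Linux equivalent of the nslookup check above, done the way the CA will actually do it. A DNS-01 validator asks the zone's authoritative nameservers, not your machine's caching resolver; a local resolver such as the 127.0.1.1 seen later in this thread can hold a negative answer (NXDOMAIN) for minutes after the record has gone live, so a failed nslookup there does not by itself prove Namecheap never published it. The script below finds the zone, queries each authoritative server directly, and only reports success when all of them return the expected token. It assumes `dig` (the `bind` package on Arch) and POSIX sed/grep; the hostname and token on the usage line are placeholders.

```shell
#!/bin/sh
# Check an ACME DNS-01 TXT record at the zone's authoritative nameservers.
# Usage: ./check_txt.sh _acme-challenge.emby.example.com <token> [timeout-seconds]
# (name and token are placeholders; assumes dig from the "bind" package)

# txt_has_token OUTPUT TOKEN: 0 if one of the TXT strings in OUTPUT (the lines
# `dig +short TXT` prints, each wrapped in double quotes) equals TOKEN exactly.
# Whole-line match, so a token that is merely a prefix of another never passes.
txt_has_token() {
    [ -n "$2" ] || return 1
    printf '%s\n' "$1" | sed 's/^"//; s/"$//' | grep -qxF -- "$2"
}

# parent_of NAME: strips the leftmost label (a.b.c -> b.c); empty when none is left.
parent_of() {
    case "$1" in
        *.*) printf '%s\n' "${1#*.}" ;;
        *)   printf '\n' ;;
    esac
}

# find_zone NAME: walks up from NAME until a name that has NS records is found;
# that zone's authoritative servers are the ones that must carry the TXT record.
find_zone() {
    name="$1"
    while [ -n "$name" ]; do
        if [ -n "$(dig +short NS "$name")" ]; then
            printf '%s\n' "$name"
            return 0
        fi
        name=$(parent_of "$name")
    done
    return 1
}

# check_txt NAME TOKEN ZONE: queries every authoritative server of ZONE directly
# (bypassing the local cache) and reports which of them carry the record.
# Returns 0 only when all of them do, which is what a CA needs to see.
check_txt() {
    servers=$(dig +short NS "$3")
    [ -n "$servers" ] || { echo "no NS records for zone $3" >&2; return 1; }
    ok=1
    for ns in $servers; do
        out=$(dig +short @"$ns" TXT "$1")
        if txt_has_token "$out" "$2"; then
            echo "$ns: TXT present"
        else
            echo "$ns: TXT missing (got: ${out:-nothing / NXDOMAIN})"
            ok=0
        fi
    done
    [ "$ok" -eq 1 ]
}

# wait_for_txt NAME TOKEN [TIMEOUT]: poll until every authoritative server answers,
# so "Verify" is only clicked once the CA can actually see the record.
wait_for_txt() {
    zone=$(find_zone "$1") || { echo "no zone found for $1" >&2; return 1; }
    echo "zone: $zone"
    deadline=$(( $(date +%s) + ${3:-900} ))
    while :; do
        check_txt "$1" "$2" "$zone" && return 0
        [ "$(date +%s)" -lt "$deadline" ] || { echo "timed out" >&2; return 1; }
        sleep 30
    done
}

if [ $# -ge 2 ]; then
    wait_for_txt "$1" "$2" "$3"
fi
```

If the authoritative servers return nothing while the Namecheap control panel shows the record, that is the "not replicating" case Swynol describes and a support ticket is warranted; if the authoritative servers have it but your local resolver still says NXDOMAIN, you are only waiting out a negative cache and can click "Verify" now.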

Thanks for the answers :)

 

 

oem@fieserfettsack ~ $ nslookup -q=TXT _acme-challenge.fettsack.xyz
Server:  127.0.1.1
Address: 127.0.1.1#53

** server can't find _acme-challenge.fettsack.xyz: NXDOMAIN

 

I have also tried ZeroSSL and DNS verification, but it's the same problem.

 

 

What would be a better and simpler method?


Thanks for the tip. I have created a certificate.

I can't reach the server via the HTTPS port.

I have already tested different ports, but in the browser there is always the message "This website is unavailable."

Do you have another idea?


mastrmind11


Set up a reverse proxy and let the proxy handle HTTPS; let Emby handle HTTP via the redirect. Tons of documentation on these forums on how to accomplish that.


I created a configuration tonight, kept it very short, and closed the standard port 443. Do you have any suggestions for improvement?

worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile           on;
    keepalive_timeout  65;

    # Anything arriving on the standard HTTPS port is bounced to the real
    # listener on 5487. The original line was
    #   rewrite ^ https://server.url:5487$request_uri?redirect;
    # with no space before the flag, so "?redirect" became part of the URL and,
    # because $request_uri already carries the query string, a request for
    # /a?b=c was sent to /a?b=c?redirect. "return" is the idiomatic form.
    server {
        listen       443 ssl;
        listen  [::]:443 ssl;
        server_name  server.url;

        ssl_certificate     /etc/letsencrypt/live/server.url/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/server.url/privkey.pem;

        return 301 https://server.url:5487$request_uri;
    }

    server {
        listen       5487 ssl;
        listen  [::]:5487 ssl;
        server_name  server.url;

        ssl_certificate     /etc/letsencrypt/live/server.url/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/server.url/privkey.pem;

        location / {
            # Emby's plain-HTTP listener on the same host
            proxy_pass http://localhost:8096;
            proxy_http_version 1.1;

            # WebSocket upgrade for the Emby web client
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;

            # Pass the real client address and the outer scheme through, so
            # Emby logs the client rather than 127.0.0.1 and knows the
            # connection it is answering arrived over HTTPS
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            proxy_cache_bypass $http_upgrade;
        }
    }
}

pir8radio


Why not just use 443 if you are accepting connections on it anyway? You are missing some important options in your reverse proxy script.

See this post for some ideas:  https://emby.media/community/index.php?/topic/48236-setting-up-emby-behind-a-reverse-proxy-nginx/?p=457670

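Editor's note, added to this thread (this is the editor's own example, not pir8radio's linked post, Pottie's config or anything from the Emby project): the "just use 443" layout with the options a proxy in front of Emby usually needs. Port 80 does nothing but redirect (and serve an HTTP-01 challenge directory, should the DNS-01 route be abandoned), 443 terminates TLS with TLS 1.2/1.3 only, sends HSTS, and proxies to Emby with WebSocket support, the forwarding headers and no response buffering for streams. The hostname media.example.com, the certificate paths, the ACME webroot and Emby's default port 8096 are assumptions to adjust.

```nginx
worker_processes  auto;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile      on;

    # Standard WebSocket idiom: send "Connection: upgrade" only when the
    # client asked for an upgrade, "close" otherwise.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Plain HTTP: only a redirect, plus the ACME HTTP-01 path so certbot
    # (webroot mode, -w /var/lib/letsencrypt, an assumed path) can renew.
    server {
        listen       80;
        listen  [::]:80;
        server_name  media.example.com;

        location /.well-known/acme-challenge/ {
            root /var/lib/letsencrypt;
        }
        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        listen       443 ssl;
        listen  [::]:443 ssl;
        server_name  media.example.com;

        ssl_certificate     /etc/letsencrypt/live/media.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/media.example.com/privkey.pem;

        # Drop TLS 1.0/1.1; nginx's defaults otherwise still allow them on older builds
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 1d;

        # Browsers that have seen this will refuse plain HTTP for a year
        add_header Strict-Transport-Security "max-age=31536000" always;

        # nginx's default request body limit is 1m; raise it for uploads
        client_max_body_size 100m;

        location / {
            proxy_pass http://127.0.0.1:8096;
            proxy_http_version 1.1;

            # WebSocket
            proxy_set_header Upgrade    $http_upgrade;
            proxy_set_header Connection $connection_upgrade;

            # Original host, client address and scheme, so Emby sees the real
            # client and knows the outer connection was HTTPS
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # Media responses are large and long-lived; stream them through
            # instead of spooling to nginx's buffers
            proxy_buffering off;
        }
    }
}
```

Check the result before exposing it with `nginx -t` and then a TLS probe such as `openssl s_client -connect media.example.com:443 -servername media.example.com`; the `-servername` matters once more than one name is served from the same address.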

puithove

I know you're getting suggestions taking you in different directions, and the reverse proxy is definitely a valid solution with additional benefits.  If however you prefer a simpler setup, it's definitely possible to get a LetsEncrypt cert to work directly in Emby, on Arch - that is my setup and it's worked well. You do have to do an extra step to convert it into a different cert format that Emby understands - you do that by passing it through openssl.

openssl pkcs12 -inkey privkey.pem -in fullchain.pem -export -out embycert.pfx -passout pass:

Make sure to place the resulting .pfx somewhere that the emby user can access, and with permissions that allow read. I like to put it inside Emby's data dir.

 

Then when it's time to renew and letsencrypt pulls a new cert, you just have to re-run the conversion to the same output path and restart emby server so it sees the renewed cert.

 

Here's a script I use for the renewal (found one somewhere I can't remember and modified it heavily for my own purposes) - I run it weekly via cron, it checks the expiration date and if it's within a certain date range before expiration (I have it set for 30 days) then it'll run the renewal, convert it to pfx, and restart emby server.

#!/bin/bash
# Weekly cron job: read the certificate the running Emby is serving and, when
# it is within RENEWDAY days of expiry, stop Emby, renew via certbot, rebuild
# the PFX bundle Emby reads, and start Emby again.

SSLPORT="8920"
HOST="dns.host.name.on.cert"
RENEWDAY="30"
EMBYUSER="emby"          # account emby-server.service runs as; adjust if yours differs
CMDCERTBOT="/usr/bin/"
CMDRENEW="${CMDCERTBOT}certbot renew --force-renewal --non-interactive"
CMDLETSENCRYPT="/etc/letsencrypt/"
CMDSVCSTOP="/usr/bin/systemctl stop emby-server.service"
CMDSVCSTART="/usr/bin/systemctl start emby-server.service"
CMDSSLDEST="/var/lib/emby/certs/"
LOGPATH="/var/log/certbot/"
LOGFILE="renew.log"

if [ ! -e "$LOGPATH" ]; then
        mkdir -p "$LOGPATH"
        touch "$LOGPATH$LOGFILE"
fi

# Fetch the live certificate and read its notAfter date. -servername sends SNI
# so a name-based listener returns the certificate for HOST, not a default one.
EXPIRYDATE=$(echo "QUIT" | openssl s_client -connect "$HOST:$SSLPORT" -servername "$HOST" 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null | sed 's/notAfter=//g')

# If Emby was unreachable EXPIRYDATE is empty, and `date --date ""` silently
# yields today, i.e. "0 days left" and a forced renewal on every weekly run
# (which is how you hit Let's Encrypt's rate limits). Stop here instead.
if [ -z "$EXPIRYDATE" ]; then
        echo "Could not read the certificate from $HOST:$SSLPORT; not renewing" > "$LOGPATH$LOGFILE" 2>&1
        exit 1
fi

EXPIRYDATE_epoch=$(date --date "$EXPIRYDATE" +%s)
CURRENT_DATE_epoch=$(date +%s)

### Get difference of days (shell arithmetic; no dependency on bc)
dayDiff=$(( (EXPIRYDATE_epoch - CURRENT_DATE_epoch) / 86400 ))

if [ "$dayDiff" -le "$RENEWDAY" ]; then
        $CMDSVCSTOP
        $CMDRENEW > "$LOGPATH$LOGFILE" 2>&1
        # Emby wants a PKCS#12 bundle. It is exported with an empty password,
        # so it is as sensitive as privkey.pem: create it without world-read
        # permission and hand it to the Emby account only.
        ( umask 027
          openssl pkcs12 -inkey "${CMDLETSENCRYPT}live/${HOST}/privkey.pem" \
                  -in "${CMDLETSENCRYPT}live/${HOST}/fullchain.pem" \
                  -export -out "${CMDSSLDEST}${HOST}.pfx" -passout pass: )
        chown "$EMBYUSER" "${CMDSSLDEST}${HOST}.pfx"
        chmod 0640 "${CMDSSLDEST}${HOST}.pfx"
        $CMDSVCSTART
else
        echo "There are $dayDiff days left for the certificate of $HOST and the autorenew is allowed at $RENEWDAY days or less" > "$LOGPATH$LOGFILE" 2>&1
fi

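Editor's note, added to this thread (the editor's own example, not puithove's script and not part of Emby or certbot): the same expiry-then-convert logic as shell functions, with two changes a practitioner would want. The expiry is read from the certificate file certbot wrote rather than from a live TLS connection, so the decision does not depend on Emby being up and an unreadable certificate is reported instead of being treated as "expires today"; and the PKCS#12 bundle, which carries the private key under an empty password, is created with a strict mode, optionally handed to a given owner, and opened again to confirm Emby will be able to load it. It assumes GNU coreutils (`date -d`, as on Arch) and openssl; the paths and the `emby:emby` owner in the usage comment are assumptions.

```shell
#!/bin/sh
# Certificate expiry check and PKCS#12 conversion for an Emby host.
# Assumes GNU date (-d) and openssl. Paths in the usage comment are examples.

# days_left CERT: whole days until the certificate's notAfter. Prints nothing
# and fails if the file cannot be parsed, so a missing or corrupt certificate
# is never mistaken for one that expires today.
days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null) || return 1
    end=${end#notAfter=}
    end_epoch=$(date -d "$end" +%s 2>/dev/null) || return 1
    echo $(( (end_epoch - $(date +%s)) / 86400 ))
}

# needs_renewal CERT DAYS: 0 when CERT expires within DAYS, 1 when it does not,
# 2 when CERT cannot be read (callers using "if needs_renewal" then do nothing).
needs_renewal() {
    left=$(days_left "$1") || return 2
    [ "$left" -le "$2" ]
}

# make_pfx KEY CHAIN OUT [OWNER]: export key + chain as a PKCS#12 bundle with an
# empty password. The bundle is created under umask 027 so it is never
# world-readable, even briefly; OWNER (user or user:group) is applied only
# when given and only when running as root.
make_pfx() {
    ( umask 027
      openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout pass: ) || return 1
    chmod 0640 "$3"
    if [ -n "${4:-}" ] && [ "$(id -u)" -eq 0 ]; then chown "$4" "$3"; fi
}

# pfx_ok OUT: 0 if the bundle opens with the empty password and contains a
# private key, i.e. Emby will be able to load it after the restart.
pfx_ok() {
    openssl pkcs12 -in "$1" -nodes -passin pass: 2>/dev/null | grep -q 'PRIVATE KEY'
}

# Typical weekly cron use (paths and the emby:emby owner are assumptions):
#   HOST=emby.example.com
#   LIVE=/etc/letsencrypt/live/$HOST
#   if needs_renewal "$LIVE/cert.pem" 30; then
#       certbot renew --non-interactive
#       make_pfx "$LIVE/privkey.pem" "$LIVE/fullchain.pem" \
#                "/var/lib/emby/certs/$HOST.pfx" emby:emby
#       pfx_ok "/var/lib/emby/certs/$HOST.pfx" && systemctl restart emby-server.service
#   fi
```

Note that `certbot renew` without `--force-renewal` already skips certificates that are not yet due, so the expiry check here only decides whether Emby needs to be restarted; the `pfx_ok` gate prevents restarting Emby into a bundle it cannot read.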
