
Server won't run on HTTPS


budssgc
Solved by budssgc


I migrated my Emby server from a Windows-based to a CentOS-based one, and before the migration my Emby server would say on the dashboard "Running on HTTP Port# and HTTPS Port#"; now it only says "Running on HTTP Port#".

I have added both ports used for HTTP and HTTPS to the /etc/firewalld/services/embyserver.xml, and I know the firewall settings have not changed. I have confirmed it's not a port issue, since I switched the used ports in Emby for HTTP and HTTPS and both ports are able to get out. At this point I'm not really sure what the problem is.

Thanks in advance 


Doesn't the apply button give users a warning about it when they don't have an SSL cert and password entered and they click the force external connections to secured?


Edited by Tur0k

mastrmind11

The LetsEncrypt solution is pretty straightforward, as is the auto renewal process. Perhaps it can be incorporated/integrated into the Emby setup process for those interested but uninitiated.

  • Like 1


When I checkbox force https on external, there is still no "server is running on https" in the dashboard, and if I access the site externally I get this:

"This page uses invalid TLS security settings.

Try this

Contact your site administrator"

Maybe I did something wrong with the SSL. What is the best way to create self certs?


Yes, LetsEncrypt would be a much better way. The problem with a self-signed cert is that pretty much every device will reject it, and most of the time there isn't any way to override that.



So in order for PKI to work, SSL certificates have to have a certificate chain that leads back to a root CA (certificate authority). Intermediate and root CAs are then pre-loaded onto the client device's trust store. This is why public secure websites pay money to certificate authorities to get SSL certificates that have a complete certificate chain to a CA.

 

Self-signed certs are not trusted by default on client systems. The client system you are using is telling you that the SSL certificate that the site gave it is not trusted and likely does not match the URL you entered (likely your DDNS domain).

 

The proper way to resolve this is to get a domain that you can have publicly trusted SSL certificates issued for and pick up a fully trusted certificate. SSL certificates will need to be re-issued on a normal interval.

 

Comodo, GoDaddy, Namecheap have good paid solutions. You can buy them for 1-3 year durations. You don't need to pay the ballooned prices for the extra insured certs unless you really want to feel the insured blanket (for whatever that's worth), as this is just video streaming.

 

Let's Encrypt (this is the solution I use) is a free solution. These SSL certificates will need to be re-issued every 90 days (might be 60 now). To use them you will need to load an ACME client on a system and use one of the appropriate methods to prove you own the domain. Those methods can range from putting a file on a publicly accessible web server that resolves your domain, to adding public DNS entries to your domain's public DNS.

 

Whenever you update the cert you will need to restart the web service. This is generally scriptable.

 

Your other alternative is to import the self-signed SSL cert to the client device. While this will encrypt the traffic, it can put your client users at increased risk if they are trained to ignore warnings regarding SSL mismatches or self-signed warnings and are attacked with a MITM attack.

Additionally, some devices are further locking themselves down to disallow self-signed certificate imports. If you are going to go this route, I would recommend at least making sure that you import the self-signed cert on your native internal network and not across the Internet.

 


Edited by Tur0k
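
Added example (not part of the thread and not Emby's own tooling): the client-side checks described in the post above, run with the openssl CLI against a throwaway self-signed certificate. The hostname media.example.test, the 90-day lifetime and the function names are constructed placeholders; it assumes OpenSSL 1.1.1 or newer for -addext.

```shell
#!/usr/bin/env bash
# Constructed sample: a self-signed cert checked the way a client checks it.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/cert.pem"
HOST="media.example.test"   # placeholder name, not taken from the thread

# Build a throwaway 90-day self-signed certificate for $HOST.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
    -keyout "$WORK/key.pem" -out "$CERT" 2>/dev/null
}

# Chain check: succeeds only if the cert chains to a CA in the bundle
# passed as $2 (default: the system trust store).
chain_trusted() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify "$1" >/dev/null 2>&1
  fi
}

# Name check: does the cert cover the hostname the client connected to?
name_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Renewal check: true when the cert expires within $2 days.
renewal_due() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

make_selfsigned
chain_trusted "$CERT" \
  && echo "system trust store: trusted" || echo "system trust store: rejected"
chain_trusted "$CERT" "$CERT" \
  && echo "after importing the cert: trusted" || echo "after importing: rejected"
name_matches "$CERT" "$HOST" \
  && echo "$HOST: name matches" || echo "$HOST: name mismatch"
name_matches "$CERT" "ddns.example.test" \
  && echo "ddns.example.test: name matches" || echo "ddns.example.test: name mismatch"
renewal_due "$CERT" 30 \
  && echo "renew now, then restart the web service" || echo "no renewal needed yet"
```

Pointing `CERT` at the certificate the server actually serves and running `renewal_due` from a scheduled job gives the scripted renew-and-restart trigger the post mentions.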

  • Solution

Been a few of these questions.  Perhaps the wiki is unclear?

 

Did some more digging after seeing mastrmind11's post, and found this: https://emby.media/community/index.php?/topic/44757-setting-up-ssl-for-emby-wip/&do=findComment&comment=419089. Followed this process and went to https://my.freenom.com for the domain part, got the cert created and converted it with SSL Converter https://www.sslshopper.com/ssl-converter.html and then imported it into Emby. Server is now running on HTTP and HTTPS. Thanks for your help, guys.

  • Like 2