Let's Encrypt Help

Kimballslice1890

So I recently bought a domain and anticipated using Let's Encrypt. I had an extremely difficult time following their tutorials on how to acquire and validate a certificate, but I found a YouTube video in which I created a certificate via a LAMP server on Ubuntu. The cert works fine and is verified on the LAMP server, but when I tried to compile the pem files into the pfx and set it up in advanced settings in my Emby server, I cannot connect to my server when the settings are applied. When I remove the cert and the domain in advanced, it works again perfectly with the self-signed certificate.

 

Looking for a little help on how to get this working; maybe I didn't approach this correctly? I force all connections to HTTPS and would like to get this working so basically every other device other than a web browser and Android OS can access the server.


Kimballslice1890

Followed Doofus' first link, even used the Namecheap provider so it was exactly the same. ZeroSSL can't find the TXT record.


Kimballslice1890

So I was able to get the certificate working. The issue before was that if I added the fullchain.pem file to the pfx converter it won't work for some reason... my next issue is that on Google Chrome it is coming up as not secure. When I click it, it does tell me my certificate is valid and trusted.... when using the same certificate on the LAMP server it is secure... I tried to Chromecast with the current certificate in place and it did not work, I am assuming because it is "Not Secure"?

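The post above reports that feeding fullchain.pem to the pfx converter failed. Certbot's fullchain.pem is simply cert.pem followed by chain.pem, so the usual fix is to split it and hand the leaf and the intermediates to openssl separately. The following is an added example (not Emby's or Let's Encrypt's code): a small PEM bundle splitter plus the standard `openssl pkcs12 -export` argument list. The sample bundle is constructed from fake DER payloads, and the file names (cert.pem, chain.pem, privkey.pem, emby.pfx) are assumed.

```python
import base64
import re
import textwrap

# Constructed stand-in for a Let's Encrypt fullchain.pem: two PEM blocks whose
# payloads are fake DER (they start with the ASN.1 SEQUENCE tag 0x30 and a
# correct length byte) rather than real certificates, so the file parses but
# carries no real key material.
_LEAF_DER = b"\x30\x10" + b"FAKE-LEAF-CERT-!"
_ISSUER_DER = b"\x30\x10" + b"FAKE-ISSUER-CA!!"

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-character lines."""
    body = textwrap.fill(base64.b64encode(der).decode("ascii"), 64)
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_FULLCHAIN = to_pem(_LEAF_DER) + to_pem(_ISSUER_DER)


def split_pem_bundle(text):
    """Return the DER payload of every CERTIFICATE block in a PEM bundle.

    Raises ValueError for a block whose base64 is invalid or whose payload does
    not start with the DER SEQUENCE tag, which catches truncated pastes.
    """
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        b64 = re.sub(r"\s+", "", match.group(1))
        der = base64.b64decode(b64, validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("PEM block does not contain a DER SEQUENCE")
        blocks.append(der)
    return blocks


def leaf_and_chain(text):
    """Split fullchain.pem text into (cert.pem text, chain.pem text).

    certbot writes fullchain.pem as cert.pem followed by chain.pem, so the
    first block is the server (leaf) certificate and the rest are intermediates.
    """
    blocks = split_pem_bundle(text)
    if not blocks:
        raise ValueError("no CERTIFICATE blocks found")
    return to_pem(blocks[0]), "".join(to_pem(b) for b in blocks[1:])


def pkcs12_export_command(cert_path, chain_path, key_path, out_path):
    """argv for the standard openssl PKCS#12 export: leaf via -in,
    intermediates via -certfile, private key via -inkey.
    The paths are whatever you chose when saving the split files."""
    return ["openssl", "pkcs12", "-export", "-inkey", key_path, "-in", cert_path,
            "-certfile", chain_path, "-out", out_path]


if __name__ == "__main__":
    cert, chain = leaf_and_chain(SAMPLE_FULLCHAIN)
    print(f"leaf blocks: 1, intermediate blocks: {len(split_pem_bundle(chain))}")
    print(" ".join(pkcs12_export_command("cert.pem", "chain.pem", "privkey.pem", "emby.pfx")))
```

Write the two returned strings to cert.pem and chain.pem, then run the printed openssl command; it prompts for an export password, which is what Emby's advanced settings ask for alongside the pfx path.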

Kimballslice1890

So I got it "secured" but it still can't Chromecast. Chromecast continuously spins and does not connect... Emby Theater now works. I am going to test other devices. Any thoughts on why the Chromecast will not work? I know they require a signed cert, which I now have.


  • 2 weeks later...
Canaletto

I confirm a problem with Let's Encrypt certificates and Chromecast:

EMBY hosted with a public IP and a Let's Encrypt certificate: no Chromecast playback

EMBY hosted with a public IP and a Comodo (free on gogetssl.com) certificate: plays OK on Chromecast

It's a shame that Let's Encrypt is poorly supported on Chromecast!

 

I confirm a problem with Let's Encrypt certificates and Chromecast:

EMBY hosted with a public IP and a Let's Encrypt certificate: no Chromecast playback

EMBY hosted with a public IP and a Comodo (free on gogetssl.com) certificate: plays OK on Chromecast

It's a shame that Let's Encrypt is poorly supported on Chromecast!

 

 

Have you tried the host name? That's probably the issue. Just so you're aware, we can't control what certs Chromecast will accept, but I know Let's Encrypt has been verified to work in the past.


Canaletto

Have you tried the host name? That's probably the issue. Just so you're aware, we can't control what certs Chromecast will accept, but I know Let's Encrypt has been verified to work in the past.

 

Of course the hostname xxx.zzz.yyy corresponds in both cases to the certificate, the CSR having been created with OpenSSL ...


KMBanana

My Let's Encrypt cert works with Chromecast.

Chromecast can be weird if your advertised WAN address isn't set just right; make sure your public HTTPS port number and external domain are set properly under advanced settings.

I had my public HTTPS port wrong and it broke Chromecast, but other apps worked fine (since on most you can manually enter a port). Verify the settings are actually changed by looking at Remote (WAN) access under the Emby dashboard.


Canaletto

My Let's Encrypt cert works with Chromecast.

Chromecast can be weird if your advertised WAN address isn't set just right; make sure your public HTTPS port number and external domain are set properly under advanced settings.

I had my public HTTPS port wrong and it broke Chromecast, but other apps worked fine (since on most you can manually enter a port). Verify the settings are actually changed by looking at Remote (WAN) access under the Emby dashboard.

All these parameters are perfectly correct, that's why I do not understand. I'm running out of time these days, and in any case Let's Encrypt will become interesting on EMBY only when automatic renewal is integrated; for now it's too tedious to change the certificates every 3 months ...


Canaletto
I think I have found the solution! The problem is not Let's Encrypt or whatever, but seems to come from Emby Connect. Sorry for my meadow

 

When I first installed, I did not have a certificate or host name and I used the public IP address of the server for my tests.

This is how I logged in with my Connect account associated with my administrator account. And so Connect knew only the IP address of the server and not its host name. So when we send a video to Chromecast, the Chromecast tries to play the video on https://1.2.3.4:8920 and of course the certificate is not valid because it is associated with a hostname.

 

So it's Connect that redirects Chromecast requests to the server's IP address and not its host name.

 



2018-03-23 00:06:40.972 Info HttpServer: HTTP GET https://1.2.3.4:8920/emby/Playback/BitrateTest?Size=1000000. UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G950F Build/R16NW; wv) 


Since the host name cannot be edited anywhere in the Connect service, the only solution is to remove the Connect account from the server administrator account and then re-register it again so that the Connect service knows the host name of the server that is associated with the certificate.

 

Simple!

 

PS: It would be nice if this host name could be configured somewhere in the server configuration, or better, that the external domain name given in the advanced configuration is passed on to the Emby Connect service.

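The root cause described in the post above is a plain hostname mismatch: the Chromecast is sent to https://1.2.3.4:8920, and a certificate issued for a DNS name never covers an IP literal. The following is an added example (not Emby's code) that pulls the requested host out of the very request line quoted above and checks it against a certificate's Subject Alternative Names the way a TLS client does. The SAN tuple is constructed, in the shape Python's `ssl.getpeercert()` returns, with emby.example.com standing in for the poster's real hostname.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed Subject Alternative Name entries in the shape that Python's
# ssl.getpeercert()['subjectAltName'] returns; emby.example.com stands in for
# the poster's own hostname.
SERVER_SAN = (("DNS", "emby.example.com"),)

# The request line quoted in the post (1.2.3.4 is the poster's own placeholder).
LOG_LINE = ("2018-03-23 00:06:40.972 Info HttpServer: HTTP GET "
            "https://1.2.3.4:8920/emby/Playback/BitrateTest?Size=1000000. "
            "UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G950F Build/R16NW; wv)")


def requested_host(log_line):
    """Host part of the URL in an Emby HttpServer request log line."""
    match = re.search(r"HTTP \w+ (https?://\S+?)\.?(?:\s|$)", log_line)
    if not match:
        raise ValueError("no request URL in log line")
    return urlsplit(match.group(1)).hostname


def _dns_match(pattern, host):
    """RFC 6125 style match: exact name, or a wildcard covering one label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def matches_san(host, san):
    """True if the connection target is covered by the certificate's SANs.

    An IP literal only matches an 'IP Address' entry; it never matches a DNS
    entry, which is why a cert for emby.example.com is rejected at https://1.2.3.4.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, host):
            return True
    return False


if __name__ == "__main__":
    host = requested_host(LOG_LINE)
    print(f"Chromecast requested {host}: cert match = {matches_san(host, SERVER_SAN)}")
    print(f"emby.example.com: cert match = {matches_san('emby.example.com', SERVER_SAN)}")
```

Running the block against the quoted log line returns `1.2.3.4` as the requested host and `False` for the match, while the hostname itself matches; the fix in the post (re-registering Connect so it advertises the hostname) changes the URL the Chromecast is given, not the certificate.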

 

 

PS: It would be nice if this host name could be configured somewhere in the server configuration, or better, that the external domain name given in the advanced configuration is passed on to the Emby Connect service.

 

@Canaletto, they are the same thing. What are you thinking that the difference is?



Canaletto

@Canaletto, they are the same thing. What are you thinking that the difference is?


 

It would be more obvious and it would have saved me from spending two nights and incriminating certificates ...


  • 2 weeks later...
Kimballslice1890

I guess it took a day or 2 to actually go through. But my Chromecast streaming works. I think my issue is something to do with NAT loopback. It works out of network, but when I do it from within my network it doesn't work (I block any local connections and HTTP connections to my server, and force everything over the internet via HTTPS with the cert), so essentially I am going out to the internet and coming back in to connect back to my server.


moviefan

I block any local connections and HTTP connections to my server, and force everything over the internet via HTTPS with the cert, so essentially I am going out to the internet and coming back in to connect back to my server.

 

This is called hairpinning. Does it work for any other network traffic in your home? A lot of routers/firewalls need to be explicitly configured to permit this type of traffic flow.


Swynol

I haven't got a Chromecast to test with, but what others have said about NAT loopback/hairpinning makes sense. I use static-hostname-mapping on my router to accomplish this. So from within my LAN, if I ping emby.domain.com it resolves to a local IP rather than going out to the internet to come back in.

 

At the moment there is no way to automatically renew your cert without using a reverse proxy (nginx/Apache/IIS). Alternatively you could put your Emby server behind Cloudflare; you will then get a 20-year cert from them.


Kimballslice1890

Yeah it does. I also host a CrushFTP server and connect to it with my WAN IP as well. It worked on my FiOS Gateway, which was then replaced with a D-Link DIR-868L and worked fine on that, which is now replaced with a Unifi USG and it works flawlessly on that as well.

 

I block all HTTP connections just to be safe, regardless of whether it is on the WAN or LAN. But I did test again last night. My Chromecast does not like the setup with NAT loopback. I'll work on redirecting connections over the LAN at some point, but it's not very high on my priority list right now. Also, unless I unblock HTTP, the cert won't necessarily work over the LAN as being signed, no?

 

Swynol, can you explain about Cloudflare a little more? What's the requirement for that cert? Definitely interested in a 20-year cert versus Let's Encrypt's 3-month cert...


KMBanana

As of March 1st the maximum allowable age for a valid TLS cert is 2 years.

I don't think blocking local HTTP connections is protecting you from anything really, but if you could, try moving the Emby server to a separate VLAN if your router supports it.
