
SSL help for an SSL noob


vaise
Solved by vaise


So I have swapped my dd-wrt router around with my asus-merlin access point so I am now running the Asus for the internet connection.  I notice it has a free asus with Let's Encrypt supplied.

 

FYI - I don't wish to expose anything else outside - just emby.

 

I figured I would use this instead of duckdns and it works fine, so I thought I would venture into the ssl side of the woods for emby if this is possible.

 

So I ticked Let's Encrypt and the router says it is all working.  I have a cert.pem and key.pem I have downloaded from there.  They do NOT have a password (which I think is the letsencrypt default).

 

I have to convert these to pfx for emby I am told. I have given it a go but am a bit out of my depth.   So........

 

1 - Can someone point me in the right direction for this conversion using windows (openssl pkcs12 -export something something something).

2 - Once I have this file, I guess I add it to the advanced section of emby, Custom ssl certificate path.  No password, and change the dropdown to allow secure connections?

3 - Do I port forward the router for 8920 to my emby server (same as I have for 8096?).  I have set the external domain, and I confirm that I can access this over the wan on http.

4 - I assume I am missing some other stuff to get this working. 

 

If there is a kind person out there that can give me some instructions, that would be great.  I checked the wiki, but I think it assumes I already know this certificate stuff.

 

Thanks,

Vaise.


That's beyond my knowledge.  The certs were given by letsencrypt by my asus router automatically.  They work to the router.  I will read other ssl posts and see what I can figure out.


This is why I'd advocate emby doing ssl just as easily as plex does, as discussed here: https://emby.media/community/index.php?/topic/54586-security-101-secure-connections/page-9&do=findComment&comment=566424

 

We understand, but what are you willing to give up for that convenience? Everything you do on your Plex server goes through Plex - the company.  We aren't setup that way right now and would prefer not to change it so making simple SSL becomes a lot more difficult.


mastrmind11

That's beyond my knowledge.  The certs were given by letsencrypt by my asus router automatically.  They work to the router.  I will read other ssl posts and see what I can figure out.

If the router holds the certs, and assuming you have SSL enabled, etc on your router (though I've not heard of this before), then you should probably just open up port 443 on your router and point it to emby-server-ip:8096.  Once you do this, a simple test is to connect from externally to your external IP/hostname and point to 443.  If your browser displays the SSL padlock icon, you're good to go.  If not, I'd look into how you're supposed to use SSL on your router.


KMBanana

If the router holds the certs, and assuming you have SSL enabled, etc on your router (though I've not heard of this before), then you should probably just open up port 443 on your router and point it to emby-server-ip:8096.  Once you do this, a simple test is to connect from externally to your external IP/hostname and point to 443.  If your browser displays the SSL padlock icon, you're good to go.  If not, I'd look into how you're supposed to use SSL on your router.

I'm pretty sure this won't work, I don't think his router's doing reverse proxy or anything with the SSL cert, just making the router's built in webUI and FTP services use a properly signed SSL cert.

 

@vaise

For converting to a .pfx I haven't done personally, but the top voted response here looks right.  https://stackoverflow.com/questions/6307886/how-to-create-pfx-file-from-certificate-and-private-key 

 

Your other steps do look right.  I would turn off port 8096 forwarding once you get this working to stop unencrypted connections.  Also keep in mind that LetsEncrypt certs expire in 3 months, so you'll need to repeat this process pretty often.  This is annoyingly short by design to try to get more sites and services to automate renewals.  


mastrmind11

I'm pretty sure this won't work, I don't think his router's doing reverse proxy or anything with the SSL cert, just making the router's built in webUI and FTP services use a properly signed SSL cert.

 

@vaise

For converting to a .pfx I haven't done personally, but the top voted response here looks right.  https://stackoverflow.com/questions/6307886/how-to-create-pfx-file-from-certificate-and-private-key 

 

Your other steps do look right.  I would turn off port 8096 forwarding once you get this working to stop unencrypted connections.  Also keep in mind that LetsEncrypt certs expire in 3 months, so you'll need to repeat this process pretty often.  This is annoyingly short by design to try to get more sites and services to automate renewals.  

You're most likely right.  I've never seen a router implement SSL so it makes sense that it only applies to the UI/FTP on the router end.

 

@vaise, there is a pretty extensive SSL/Let's Encrypt/Proxy post in the Windows section that's literally a hand-hold step by step to get this up and running.  I'd block out a couple of hours on a weekend and just step through it...  assuming you're truly interested in getting this working.  GL

 

edit:  Of course, there are several posts on how to get it working w/ a cert directly inserted into Emby as well.

Edited by mastrmind11

The use of Let's Encrypt has some requirements:

1. Let's Encrypt needs to validate that you own the domain.

2. It requires an ACME client to request, issue and renew certificates.

 

Emby has a requirement for TLS encryption: a password-protected, PFX-formatted certificate.

 

 

Using your firewall as the Let's Encrypt ACME client, you will need to:

1. Download the certificate from the firewall to the Emby server.

2. Convert the certificate to something that Emby server can use (PFX with a password).

3. Let's Encrypt certificates need to be renewed every 90 days.

 

My advice would be to develop a system that works automatically where possible and based on your ability level.

 

I think it may be easier to host a Let's Encrypt ACME client on the server you are running Emby server from. ZeroSSL comes to mind as an ACME client that supports PFX with password export. Your workflow would be:

 

1. Set up ZeroSSL on your Emby server.

2. Go through the domain authentication process.

3. Get the certificate issued.

4. Export the certificate as a password protected PFX file to a folder on your Emby server.

5. Configure Emby server to use that PFX file with the appropriate password.

 

Once the above is complete you could work on a script to:

1. Renew the certificate,

2. Re-export the certificate as a PFX file to the same location with the same password.

3. Restart the Emby server service.

4. Schedule this to run every 60 days.

 

 

Sent from my iPhone using Tapatalk

Edited by Tur0k

I will also admit that here I use a reverse proxy and an Acme client on my firewall to automate this.

 

I am currently in the process of building a new image of my firewall and am going through the process of rebuilding my reverse proxy.

 

 

Sent from my iPhone using Tapatalk

Edited by Tur0k

Hi All.

 

Firstly, let me start by saying how heartening it is to get so many constructive replies to this post.  I recently posted a question on the DD-WRT forum and the distinct lack of helpful replies is what led me to this point here - a swap of routers.

 

To answer a few reply questions here re the router and its SSL: this is an Asus router and has Asuswrt-Merlin firmware, and in the DDNS section they have their own DDNS service (free) called asuscomm.com, so xxx.asuscomm.com is your own DDNS.  Once you tick that and give it a name (the xxx), and as it knows your router's WAN IP, it is ready to go - updates itself etc., and it has Let's Encrypt on by default; it sets all that up and also updates Let's Encrypt automatically so the certs stay current.  This was great, I thought, but while out last night I also noticed it had HTTPS remote connections activated too - so the Asus mobile app would use SSL to connect to my router and show all its info as if I was on my LAN (by the way, this is a fantastic mobile app if you have an Asus router - get the app).  I have removed remote GUI access now as it's not needed and well.... another hole I guess.  If you're interested in Merlin: https://asuswrt.lostrealm.ca/

 

So, that's where I am.  I don't really want to re-invent the wheel with the certs on my server etc., so I was hoping to just piggyback off the router-supplied and updated ones, i.e. plug them into emby and port forward.

I know that the certs in emby will have to be re-converted and re-added when they expire from letsencrypt - but I only have two remote family members that will be affected and they can let me know if need be, and hopefully I will have a process in place to do that - once I figure out the process......

 

To answer another reply - I did not know that I could create a password from these letsencrypt certs that can be used in emby.  Will investigate that.

 

I will spend some of the weekend looking at these posts.

 

Thanks again.


This is the bit that allowed remote iphone app access to the router - but I imagine it would also have allowed remote access to the console on ssl port :

 

[screenshot attached: 5acfe4f2cb857_Capture.jpg]

 

I just want to piggyback off this on a different port for https for emby.

 

Chomping at the bit so looking at this before the weekend.

 

I did this on the openssl on my pc :

 

PS C:\Users\vaise\ssl> openssl pkcs12 -export -out emby.pfx -inkey key.pem -in cert.pem -certfile cert.pem
WARNING: can't open config file: /etc/ssl/openssl.cnf
Enter Export Password:
Verifying - Enter Export Password:
dir
-a----       12/04/2018  12:55 PM           3806 cert.pem
-a----       13/04/2018   8:46 AM           7189 emby.pfx
-a----       12/04/2018  12:55 PM           1704 key.pem
 
I added the emby.pfx to the emby server and put the password in, forwarded port 8920 to the server.
Still no go yet..... no need to reply, just an update on where I am at.
 

 

 

Edited by vaise

Solution

OK - I have it working, and this may help some others. 

 

I was stumped, it just would not work.  I was using this command as reported above - openssl pkcs12 -export -out emby.pfx -inkey key.pem -in cert.pem -certfile cert.pem - keying in the password, adding the output cert file to emby and the password in emby also.  Just could not get it to work.  I knew the ports were working, did all the usual tests.

 

So... to the fix ?

 

I came across this site : https://www.sslshopper.com/ssl-converter.html

 

I used that site to convert the cert files with the below parameters (see screen shot - dead easy), did the exact same process in emby and it all magically started working.

 

If someone can explain where I was going wrong with that openssl line?

 

As I will need to periodically re-download the certs when they expire and get new ones, then re-convert, it would be good to have a command line process.

 

Just one question - if I keep the same cert name, location and password when converting after renewal, then nothing needs to be done in emby as the info is the same?  Correct?

 

[screenshot attached: 5ad0157d6c229_Capture.jpg]

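The command-line process asked for above, and the renew/re-export/restart routine Tur0k describes earlier in the thread, as an added example (this is not vaise's, Tur0k's or Emby's code). It converts the router's cert.pem and key.pem into a password-protected PFX without prompting, checks that the key actually belongs to the certificate, confirms the PFX opens with the chosen password, and tells you when the certificate is close enough to expiry that fresh files need to be fetched from the router. It assumes the openssl CLI is on the PATH (the same openssl invocations work from a PowerShell prompt); the file names, password and domain are placeholders, and the self-signed certificate the demo generates is a constructed stand-in for the router's Let's Encrypt files.

```shell
#!/bin/sh
# Added example, not code from the thread or from Emby: scripted PEM -> PFX conversion
# for Emby with checks, plus a renewal-time check. Assumes the openssl CLI is on PATH
# and that cert.pem/key.pem carry no passphrase (as in the thread). File names, the
# password and the domain are placeholders.
set -eu

# Does this key belong to this certificate? Compare the public keys. A PFX built from a
# mismatched pair opens fine but Emby cannot serve TLS with it.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Non-interactive export: cert.pem + key.pem -> PFX protected by the given password.
# Usage: make_pfx cert.pem key.pem out.pfx password [chain.pem]
# -certfile is for the issuer/intermediate chain if the router provides one; passing
# the leaf certificate there as well only adds it to the bundle a second time.
make_pfx() {
    if [ -n "${5:-}" ]; then
        openssl pkcs12 -export -out "$3" -inkey "$2" -in "$1" -certfile "$5" -passout "pass:$4"
    else
        openssl pkcs12 -export -out "$3" -inkey "$2" -in "$1" -passout "pass:$4"
    fi
}

# Does the PFX open with this password and contain both a certificate and a key?
# openssl exits non-zero on a wrong password or a damaged file, so this can gate the
# step that copies the file into the path configured in Emby.
verify_pfx() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys >/dev/null 2>&1 &&
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes >/dev/null 2>&1
}

# Exit 0 when the certificate expires within $2 days, i.e. it is time to download the
# renewed files from the router and rebuild the PFX. openssl's own -checkend exits 0
# only while the certificate stays valid for that long, so no date parsing is needed.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Full export step: check the pair, build the PFX, verify it. Re-running this after a
# renewal with the same output path and password leaves Emby's settings untouched;
# only the Emby service has to be restarted afterwards to pick up the new file.
export_pfx() {
    key_matches_cert "$1" "$2" || { echo "key.pem does not match cert.pem" >&2; return 1; }
    make_pfx "$1" "$2" "$3" "$4" "${5:-}"
    verify_pfx "$3" "$4" || { echo "PFX did not verify with the given password" >&2; return 1; }
}

# Constructed stand-in for the router's Let's Encrypt files: a throwaway self-signed
# certificate valid for 90 days, so the flow can be rehearsed without the real key.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" -days 90 \
        -subj "/CN=xxx.asuscomm.com" >/dev/null 2>&1
}

# Rehearsal against the constructed files when invoked as: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_test_cert "$work/key.pem" "$work/cert.pem"
    export_pfx "$work/cert.pem" "$work/key.pem" "$work/emby.pfx" 'placeholder-password'
    if expires_within_days "$work/cert.pem" 30; then echo "renew now"; else echo "cert still good"; fi
    rm -rf "$work"
fi
```

Two things worth knowing before wiring this into a scheduled task. Giving the password as `pass:...` puts it on the command line, where other local users can read it from the process list; `-passout file:` pointing at a file only your account can read is the better choice for an unattended job. And the converter website used in the post above works by uploading key.pem to a third party, so the private key that protects your Emby connections leaves your machine; the openssl route keeps it local. On OpenSSL 3.x the default PFX encryption is AES-256-CBC with PBKDF2, which some older Windows and .NET stacks refuse to open, so if Emby rejects a file that verify_pfx accepts, add `-legacy` to the `-export` command and re-run.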

One last thing to report.  I removed the port forwards for 8096.  Rebooted, yet the external IP on http was still able to 'sort of' work. They were throwing a message that the connection is not secure (like when an unsigned ssl), and changing the port to 8920.  The only way to stop them was to disable UPnP on the router and reboot again - now they can't connect.  Only https works and only to port 8920.  All is happy in the world - and I did not need any of the weekend after all.

