Automate PFX Certificate deployment from LetsEncrypt!


icsy7867

Hey guys!  I was just fiddling around with my emby server currently running on Ubuntu.  I was getting annoyed at having to convert my pem encoded certificates to a PFX format, so I made a little bash script.

 

Pretty simple scripting, but maybe it can help others. Keep in mind, this assumes that you have a folder called "certs" at your root, as well as a folder called "old" inside. So you have

 

/certs/

and

/certs/old

 

The script is pretty simple and does three things ...

  • Moves and appends the date to your current PFX certificate called emby.pfx to a directory called old
  • Assigns variables to the correct path and converts the cert to a PFX to the directory /certs
  • Restarts the emby server to load the new certificate.

 

A couple things to note as well...

 

  • Make sure to change emby.domain.com to the correct domain name
  • I am also using Ubuntu 16.04, so you may have "certbot" instead of "Letsencrypt"
  • This needs to be run AFTER your letsencrypt/certbot renew (Can also be easily added to this script)
  • Would recommend a cronjob to run every so often
  • Make sure to create the /certs and /certs/old directories
  • Finally make sure the advanced portion of emby is set to use /certs/emby.pfx
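
#!/bin/bash
# Convert the Let's Encrypt PEM files to a PFX for Emby and restart the server.

# Archive the current PFX (if there is one) with today's date appended.
today=$(date +%Y-%m-%d)
if [ -f /certs/emby.pfx ]; then
    mv /certs/emby.pfx "/certs/old/emby.$today"
fi

# Paths to the PEM files issued by Let's Encrypt.
privkey=/etc/letsencrypt/live/emby.domain.com/privkey.pem
cert=/etc/letsencrypt/live/emby.domain.com/cert.pem
chain=/etc/letsencrypt/live/emby.domain.com/chain.pem

# Bundle key, certificate and chain into a PFX with an empty export password.
openssl pkcs12 -export -out /certs/emby.pfx -inkey "$privkey" -in "$cert" -certfile "$chain" -password pass:

# Restart Emby so it loads the new certificate.
service emby-server restart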
Edited by icsy7867
  • Like 2
  • Thanks 1
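
A fail-safe variant of the conversion step in the post above, as an added example that is not part of the original post: it exports to a temporary file, checks that the bundle parses, and only then archives the old PFX and swaps the new one in, so a failed export never leaves Emby without a certificate. The script name emby-pfx.sh and the PFX_OWNER variable are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not the original poster's script.
# build_pfx LIVE_DIR OUT_PFX
#   LIVE_DIR  directory holding privkey.pem, cert.pem and chain.pem
#   OUT_PFX   PFX path Emby loads; its directory must contain "old/"
# PFX_OWNER (hypothetical, optional): account that should own the new PFX.
build_pfx() (
    live=$1
    out=$2
    # mktemp creates the file with mode 0600, which matters because the
    # bundle holds the private key under an empty export password.
    tmp=$(mktemp "$out.XXXXXX") || exit 1

    # Export to the temporary file first; the PFX in use stays untouched.
    openssl pkcs12 -export -out "$tmp" -inkey "$live/privkey.pem" \
        -in "$live/cert.pem" -certfile "$live/chain.pem" -password pass: \
        || { rm -f "$tmp"; exit 1; }

    # Check that the new bundle parses before it replaces anything.
    openssl pkcs12 -in "$tmp" -noout -passin pass: \
        || { rm -f "$tmp"; exit 1; }

    if [ -n "${PFX_OWNER:-}" ]; then
        chown "$PFX_OWNER" "$tmp" || { rm -f "$tmp"; exit 1; }
    fi

    # Archive the previous PFX with today's date, as the original script does.
    if [ -f "$out" ]; then
        mv "$out" "$(dirname "$out")/old/emby.$(date +%Y-%m-%d)" \
            || { rm -f "$tmp"; exit 1; }
    fi

    # Rename within the same directory, so Emby never sees a partial file.
    mv "$tmp" "$out"
)

# Run only when given both paths, for example:
#   ./emby-pfx.sh /etc/letsencrypt/live/emby.domain.com /certs/emby.pfx
if [ "$#" -eq 2 ]; then
    # Restart Emby only if the new PFX was built and verified.
    build_pfx "$1" "$2" && service emby-server restart
fi
```

Because the new file is only readable by its owner, set PFX_OWNER to the account the Emby service runs as if that account is not the one running the script.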

  • 2 weeks later...
chowbok

Thanks for this. It'd be cool, though, if Emby could be made to accept separate PEM files, so that this wasn't necessary.

Edited by chowbok

chowbok

By the way, I haven't tried it yet, but I think you can just drop that script in /etc/letsencrypt/renewal-hooks/post and it will automatically run whenever the cert is renewed.
