34626 0 Posted October 13, 2018 Posted October 13, 2018 Im using Linux Ubuntu 16.04 64 bit and Asustor AS-604T ADM 3.2.1This requires you do own a domain and have create a Lets Encrypt certificate!Following ports should be open: 80, 443, 8096 and 89201. Login to ADM web interface > Settings > Certificate Manager - Click on Export Certificate.2. Extract certificate.zip and open the folder certifiate3. right click in the folder - select open terminal4. enter the command:* Please change the name of the give-me-a-name.pfx* After execution of this command you will be prompted to create a password, this is recommanded!openssl pkcs12 -export -out give-me-a-name.pfx -inkey ssl.key -in ssl.crt5. Save the new create give-me-a-name.pfx file on your NAS in a shared folder of own choice6. go to:http://local.ip.of.nas:8096/7. Go to Advanced and do the followingCheck that Allow remote connection to this Emby Server is marked.* add external domain name* Custon ssl certificate path (Click on the magnifier right to the text field and navigate to where the .pfx file is.* Certificate password - Add the password you entered after execution of step 4.* Secure connection mode - Set to preferred, but not required.8. Hit save and navigate to Controlpanel > Restart - Now you should be able to access the Emby Media Server from outside.
fgs 0 Posted November 11, 2018 Posted November 11, 2018 (edited) Just to append what I did to my Asustor + Emby install, where it says above " * add external domain name ", I filled the complete NAS URL which is hostname + domain name. As opposed to what may lead to most to just insert the domain name, again, I inserted the full URL. One quick note, for all the woes Asustor certainly has in terms of its software, for example, they can't ship a proper working WebDAV service on the NAS (gosh! Directly contacted Asustor as customer and nothing; only silence!), in turn, the Emby server seems to be working right and I'm pleased. Edited November 11, 2018 by fgs
notkaa 1 Posted November 11, 2018 Posted November 11, 2018 Work like a charm on my QNAP System, thank you
Jägs 77 Posted March 25, 2020 Posted March 25, 2020 Ditto. Worked for me, thanks! I'm very new to this, but I assume you'd need to update the pfx file any time the certificate is updated. That being the case, I modified this a bit to be completely automated and created a cron job that handles the password, too: 0 1 * * * [path to openssl binary]/openssl pkcs12 -export -out [path to certificate]/ssl.pfx -inkey [path to certificate]/ssl.key -in [path to certificate]/ssl.crt -passout pass:[password] Obviously you need to replace the parts in brackets to match your needs. This runs the command to create the pfx file at 1:00 AM every morning. NOTE: for anyone else running an ASUSTOR, the path to the LE certificate on my machine is: /volume0/usr/builtin/etc/certificate Your mileage may vary. 1
freeflight29 2 Posted March 21, 2021 Posted March 21, 2021 On 3/25/2020 at 3:18 AM, Jägs said: Ditto. Worked for me, thanks! I'm very new to this, but I assume you'd need to update the pfx file any time the certificate is updated. That being the case, I modified this a bit to be completely automated and created a cron job that handles the password, too: 0 1 * * * [path to openssl binary]/openssl pkcs12 -export -out [path to certificate]/ssl.pfx -inkey [path to certificate]/ssl.key -in [path to certificate]/ssl.crt -passout pass:[password] Obviously you need to replace the parts in brackets to match your needs. This runs the command to create the pfx file at 1:00 AM every morning. NOTE: for anyone else running an ASUSTOR, the path to the LE certificate on my machine is: /volume0/usr/builtin/etc/certificate Your mileage may vary. Hello jags, i'm not familiar with "linux", could you help me to create this cron job above ? i have an asustor. or tell me if there is any documentation on this subject ? Thanks for your help
Luke 38499 Posted March 22, 2021 Posted March 22, 2021 4 hours ago, freeflight29 said: Hello jags, i'm not familiar with "linux", could you help me to create this cron job above ? i have an asustor. or tell me if there is any documentation on this subject ? Thanks for your help Hi, are you able to update your pfx manually? Becoming familiar with that process is the first step. Then after that you can look at automating it with a cron job.
freeflight29 2 Posted March 22, 2021 Posted March 22, 2021 18 hours ago, Luke said: Hi, are you able to update your pfx manually? Becoming familiar with that process is the first step. Then after that you can look at automating it with a cron job. hello luke that ok for the pfx now. i would to undersatand how to automating it, i don't know where to put the script to make it work as cron job... So if you have some suggestion of link? thank you.
Jägs 77 Posted March 23, 2021 Posted March 23, 2021 (edited) On 3/21/2021 at 5:07 PM, freeflight29 said: Hello jags, i'm not familiar with "linux", could you help me to create this cron job above ? i have an asustor. or tell me if there is any documentation on this subject ? Thanks for your help The exact syntax is going to differ from system to system, but here's what I have on my ASUSTOR AS5304T: 0 1 * * * /usr/builtin/bin/openssl pkcs12 -export -out /volume0/usr/builtin/etc/certificate/ssl.pfx -inkey /volume0/usr/builtin/etc/certificate/ssl.key -in /volume0/usr/builtin/etc/certificate/ssl.crt -passout pass:########## Where "##########" is the password you want to use. You will enter this password into the Network settings under "Certificate password." Edited March 23, 2021 by Jägs
freeflight29 2 Posted May 31, 2021 Posted May 31, 2021 On 3/23/2021 at 3:26 AM, Jägs said: The exact syntax is going to differ from system to system, but here's what I have on my ASUSTOR AS5304T: 0 1 * * * /usr/builtin/bin/openssl pkcs12 -export -out /volume0/usr/builtin/etc/certificate/ssl.pfx -inkey /volume0/usr/builtin/etc/certificate/ssl.key -in /volume0/usr/builtin/etc/certificate/ssl.crt -passout pass:########## Where "##########" is the password you want to use. You will enter this password into the Network settings under "Certificate password." Hello Jägs, i try to do the same on my nas asustor AS6404T, everything is ok, the cert is correctly generate but i have a issue, when i restart emby server to save modification, i can't connect anymore. I have to renew the pfx cert and it's working again. There is the line i add to my crontab: 0 1 * * * /usr/builtin/bin/openssl pkcs12 -export -out /volume1/home/MyUserName/MyCERT.pfx -inkey /volume0/usr/builtin/etc/certificate/ssl.key -in /volume0/usr/builtin/etc/certificate/ssl.crt -passout pass:MyPassword And the path i fill under emby interface is: /volume1/home/MyUserName/MyCERT.pfx Thanks in advance for your help
Jägs 77 Posted June 5, 2021 Posted June 5, 2021 On 5/31/2021 at 4:22 PM, freeflight29 said: when i restart emby server to save modification, i can't connect anymore When you restart Emby, are you trying to connect via your local network or remotely and having a problem? If local, can you connect via the non-SSL port (i.e. localhost:8096)? After you restart, can you verify that the pfx file still exists in the path? It's unlikely to disappear, but just to eliminate a possibility. The only other thing I can think of is your pfx path is different—on volume1 vs volume0—and while it really shouldn't matter, if you continue to have problems, can you place the pfx in the same folder as the rest and see if you still have the same problems?
freeflight29 2 Posted June 10, 2021 Posted June 10, 2021 (edited) Hello, Sorry for the delay i was a little busy..... So here what i'm doing : When you restart Emby, are you trying to connect via your local network or remotely and having a problem? If local, can you connect via the non-SSL port (i.e. localhost:8096)? When i restart it, remotely not working, and local acces is ok After you restart, can you verify that the pfx file still exists in the path? It's unlikely to disappear, but just to eliminate a possibility. i use mobaXterm to connect to the nas via SSH with root account. Then i generate the certificate with that command (i modify the path like you suggest): /usr/builtin/bin/openssl pkcs12 -export -out /volume0/usr/builtin/etc/certificate/MyCert.pfx -inkey /volume0/usr/builtin/etc/certificate/ssl.key -in /volume0/usr/builtin /etc/certificate/ssl.crt -passout pass:MyPassword i confirm that the pfx certificate is present and the path is correct under Emby interface (/volume0/usr/builtin/etc/certificate/MyCert.pfx) root@MyNAS:/volume0/usr/builtin/etc/certificate # ls -la total 48 drwxr-xr-x 4 root root 4096 Jun 9 00:00 ./ drwxr-xr-x 48 root root 4096 Jun 8 00:08 ../ -rw-r--r-- 1 root root 765 Jun 9 00:00 certificate.json -rw-r--r-- 1 root root 5717 Jun 10 21:45 MyCert.pfx drwxr-xr-x 3 root root 4096 Jul 16 2019 letsencrypt/ drwxr-xr-x 4 root root 4096 May 16 19:11 ssl/ -rw-r--r-- 1 root root 5630 May 16 19:11 ssl.crt -rw-r--r-- 1 root root 1675 Dec 28 2019 ssl.key -rw-r--r-- 1 root root 7306 May 16 19:11 ssl.pem The only other thing I can think of is your pfx path is different—on volume1 vs volume0—and while it really shouldn't matter, if you continue to have problems, can you place the pfx in the same folder as the rest and see if you still have the same problems? I still have the problem even if i change the the path at the same place as the rest. I don't have any error message during the generation of the pfx, and i also check the password side. So i don't know what can be wrong After all the only way is working for me, but without automation (and it's what i want to have) , it's when i generate the certificate manually with that command with openssl openssl pkcs12 -export -out MyCert.pfx -inkey ssl.key -in ssl.crt And fill the password twice to generate the password. @Jägs Just in case.... have you try to make it working with reverse proxy? During the configuration i don't encounter any pb when i'm doing the test. But when i validate the configuration, i have a message like "folder not exist" In short, thanks a lot to having taking time and try to help me EDIT: i tried this directly via mobaxterm manually , and it's working root@MyNas:/volume0/usr/builtin/etc/certificate # openssl pkcs12 -export -out MyCert.pfx -inkey ssl.key -in ssl.crt Enter Export Password: Verifying - Enter Export Password: root@MyNas:/volume0/usr/builtin/etc/certificate # ls certificate.json MyCert.pfx letsencrypt/ ssl/ ssl.crt ssl.key ssl.pem root@MyNas:/volume0/usr/builtin/etc/certificate # ls -la total 48 drwxr-xr-x 4 root root 4096 Jun 9 00:00 ./ drwxr-xr-x 48 root root 4096 Jun 8 00:08 ../ -rw-r--r-- 1 root root 765 Jun 9 00:00 certificate.json -rw-r--r-- 1 root root 5717 Jun 10 23:05 MyCert.pfx drwxr-xr-x 3 root root 4096 Jul 16 2019 letsencrypt/ drwxr-xr-x 4 root root 4096 May 16 19:11 ssl/ -rw-r--r-- 1 root root 5630 May 16 19:11 ssl.crt -rw-r--r-- 1 root root 1675 Dec 28 2019 ssl.key -rw-r--r-- 1 root root 7306 May 16 19:11 ssl.pem @Luke so when the certificate is renew via crontab, i can't reach the url with my laptop in https. But i can join the emby server with the emby android app....even if in the dashboard i choose that https is required for external connexion. Can you tell me a little more about how the app working ? Edited June 11, 2021 by freeflight29 add "edit"
Luke 38499 Posted June 12, 2021 Posted June 12, 2021 Quote @Luke so when the certificate is renew via crontab, i can't reach the url with my laptop in https. But i can join the emby server with the emby android app....even if in the dashboard i choose that https is required for external connexion. Can you tell me a little more about how the app working ? The android app has that override dialog that lets you approve the certificate even if the device by default rejects it. But it's not possible for us to do that for all apps on all devices, so the important thing is, use a certificate that your devices will trust if you want to always just work.
freeflight29 2 Posted June 13, 2021 Posted June 13, 2021 On 6/12/2021 at 9:56 PM, Luke said: The android app has that override dialog that lets you approve the certificate even if the device by default rejects it. But it's not possible for us to do that for all apps on all devices, so the important thing is, use a certificate that your devices will trust if you want to always just work. Thanks for your précision about that.
barraxas 1 Posted May 22 Posted May 22 Hello, in my case all the first steps are ok : 1) Create domain name (blablabla.myasustor.com) : ✔ 2) Generate a certificate with asustor/let's encrypt : ✔ 3) Force https : ✔ 4) Accessing to asustor from external in https and ssl : ✔ Here, steps about emby securisation : 5) activate ssh, install kitty (on windows) and connect to asustor from external / ✔ 6) myPseudo@ASUSTOR:/volume0/usr/builtin/etc/certificate $ openssl pkcs12 -export -out ssl.pfx -inkey ssl.key -in ssl.crt : ✔ (console ask me to define a password : ✔) 7) Configuration of "networks params" in emby.... it's here I had some problems.. Firstly, one time on 2, when i select ssl.pfx file from params's emby interface, the root writed is sometimes "/volume0/usr/builtin/etc/certificate/ssl.pfx" and sometimes just "/usr/builtin/etc/certificate/ssl.pfx". Is it a serious problem ? Maybe solve it at next update ? In twice case, the saving don't throw any errors. Secondly, (and it's my main problem) emby dont care about this new configuration. He continue to allow http connexions and refuse https connexions. Look my screenshot to see what I mean. I precise the redirecting of port are ok and i can join emby by http port. I precise too I had try to restart only emby and restart all asustor, but emby continue to ignore the config (see screenshots) Thanks for your help.
barraxas 1 Posted May 22 Posted May 22 (edited) Here I detect an error in log file : Quote 2024-05-22 12:31:32.858 Error App: Error loading cert from /volume0/usr/builtin/etc/certificate/ssl.pfx *** Error Report *** Version: 4.8.6.0 Command line: /volume1/.@plugins/AppCentral/emby-server/system/EmbyServer.dll -programdata /home/emby -ffdetect /usr/local/AppCentral/emby-server/bin/ffdetect -ffmpeg /usr/local/AppCentral/emby-server/bin/ffmpeg -ffprobe /usr/local/AppCentral/emby-server/bin/ffprobe -defaultdirectory /volume1/Public -updatepackage emby-server-asustor_{version}_x86-64.apk -noautorunwebapp Operating system: Linux version 5.13.x (root@sw1-dailybuild) (x86_64-asustor_x64_g3_2020.12.24-linux-gnu-gcc (crosstool-NG 1.24.0) 7.4.0, GNU ld (crosstool-NG 1.24.0) 2 Framework: .NET 6.0.25 OS/Process: x64/x64 Runtime: volume1/.@plugins/AppCentral/emby-server/system/System.Private.CoreLib.dll Processor count: 4 Data path: /home/emby Application path: /volume1/.@plugins/AppCentral/emby-server/system Interop+Crypto+OpenSslCryptographicException: Interop+Crypto+OpenSslCryptographicException: error:2006D002:BIO routines:BIO_new_file:system lib at Interop.Crypto.CheckValidOpenSslHandle(SafeHandle handle) at Internal.Cryptography.Pal.OpenSslX509CertificateReader.FromFile(String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags) at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags) at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password) at Emby.Server.Implementations.ApplicationHost.GetCertificate(CertificateInfo info) Source: System.Security.Cryptography.X509Certificates TargetSite: Void CheckValidOpenSslHandle(System.Runtime.InteropServices.SafeHandle) But I don't understand what it mean. I had try 5 different location including (/share/Public) but it's always the same result. EDIT (& SOLUCE) ! The path was not the problem. So it's more simple to keep the same path then "/volume0/usr/builtin/etc/certificate/ssl.pfx" After generating the pfx file, you just need to execute "chmod 644 ssl.pfx" and restart emby server So happy, all works well now ! Edited May 22 by barraxas 1
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now