HOWTO: create .pfx to use for https

[34626 0]

Im using Linux Ubuntu 16.04 64 bit and Asustor AS-604T ADM 3.2.1

This requires you do own a domain and have create a Lets Encrypt certificate!

Following ports should be open: 80, 443, 8096 and 8920

1. Login to ADM web interface > Settings > Certificate Manager - Click on Export Certificate.

2. Extract certificate.zip and open the folder certifiate

3. right click in the folder - select open terminal

4. enter the command:
* Please change the name of the give-me-a-name.pfx
* After execution of this command you will be prompted to create a password, this is recommanded!

openssl pkcs12 -export -out give-me-a-name.pfx -inkey ssl.key -in ssl.crt

5. Save the new create give-me-a-name.pfx file on your NAS in a shared folder of own choice

6. go to:
http://local.ip.of.nas:8096/

7. Go to Advanced and do the following

Check that Allow remote connection to this Emby Server is marked.
* add external domain name
* Custon ssl certificate path (Click on the magnifier right to the text field and navigate to where the .pfx file is.
* Certificate password - Add the password you entered after execution of step 4.
* Secure connection mode - Set to preferred, but not required.

8. Hit save and navigate to Controlpanel > Restart - Now you should be able to access the Emby Media Server from outside.

[Luke 40126]

Great info, thanks !

[fgs 0]

Just to append what I did to my Asustor + Emby install, where it says above " * add external domain name ", I filled the complete NAS URL which is hostname + domain name. As opposed to what may lead to most to just insert the domain name, again, I inserted the full URL.

 

One quick note, for all the woes Asustor certainly has in terms of its software, for example, they can't ship a proper working WebDAV service on the NAS (gosh! Directly contacted Asustor as customer and nothing; only silence!), in turn, the Emby server seems to be working right and I'm pleased.

Edited November 11, 2018 by fgs

[notkaa 1]

Work like a charm on my QNAP System, thank you

[Luke 40126]

Thanks for the feedback !

[Jägs 85]

Ditto.  Worked for me, thanks!

 

I'm very new to this, but I assume you'd need to update the pfx file any time the certificate is updated.  That being the case, I modified this a bit to be completely automated and created a cron job that handles the password, too:

0 1 * * * [path to openssl binary]/openssl pkcs12 -export -out [path to certificate]/ssl.pfx -inkey [path to certificate]/ssl.key -in [path to certificate]/ssl.crt -passout pass:[password]

Obviously you need to replace the parts in brackets to match your needs.

 

This runs the command to create the pfx file at 1:00 AM every morning.

 

NOTE:  for anyone else running an ASUSTOR, the path to the LE certificate on my machine is:

/volume0/usr/builtin/etc/certificate

Your mileage may vary.

[freeflight29 2]

On 3/25/2020 at 3:18 AM, Jägs said:

Ditto.  Worked for me, thanks!

 

I'm very new to this, but I assume you'd need to update the pfx file any time the certificate is updated.  That being the case, I modified this a bit to be completely automated and created a cron job that handles the password, too:

0 1 * * * [path to openssl binary]/openssl pkcs12 -export -out [path to certificate]/ssl.pfx -inkey [path to certificate]/ssl.key -in [path to certificate]/ssl.crt -passout pass:[password]

Obviously you need to replace the parts in brackets to match your needs.

 

This runs the command to create the pfx file at 1:00 AM every morning.

 

NOTE:  for anyone else running an ASUSTOR, the path to the LE certificate on my machine is:

/volume0/usr/builtin/etc/certificate

Your mileage may vary.

Hello jags, 

i'm not familiar with "linux", could you help me to create this cron job above ? i have an asustor. or tell me if there is any documentation on this subject ? 

Thanks for your help 

[Luke 40126]

4 hours ago, freeflight29 said:

Hello jags, 

i'm not familiar with "linux", could you help me to create this cron job above ? i have an asustor. or tell me if there is any documentation on this subject ? 

Thanks for your help 

Hi, are you able to update your pfx manually? Becoming familiar with that process is the first step. Then after that you can look at automating it with a cron job.

[freeflight29 2]

18 hours ago, Luke said:

Hi, are you able to update your pfx manually? Becoming familiar with that process is the first step. Then after that you can look at automating it with a cron job.

hello luke that ok for the pfx now. i would to undersatand how to automating it,  i don't know where to put the script to make it work as cron job... So if you have some suggestion of link?  thank you.

[Jägs 85]

On 3/21/2021 at 5:07 PM, freeflight29 said:

Hello jags, 

i'm not familiar with "linux", could you help me to create this cron job above ? i have an asustor. or tell me if there is any documentation on this subject ? 

Thanks for your help 

The exact syntax is going to differ from system to system, but here's what I have on my ASUSTOR AS5304T:

0 1 * * * /usr/builtin/bin/openssl pkcs12 -export -out /volume0/usr/builtin/etc/certificate/ssl.pfx -inkey /volume0/usr/builtin/etc/certificate/ssl.key -in /volume0/usr/builtin/etc/certificate/ssl.crt -passout pass:##########

Where "##########" is the password you want to use.  You will enter this password into the Network settings under "Certificate password."

Edited March 23, 2021 by Jägs

[freeflight29 2]

On 3/23/2021 at 3:26 AM, Jägs said:

The exact syntax is going to differ from system to system, but here's what I have on my ASUSTOR AS5304T:

0 1 * * * /usr/builtin/bin/openssl pkcs12 -export -out /volume0/usr/builtin/etc/certificate/ssl.pfx -inkey /volume0/usr/builtin/etc/certificate/ssl.key -in /volume0/usr/builtin/etc/certificate/ssl.crt -passout pass:##########

Where "##########" is the password you want to use.  You will enter this password into the Network settings under "Certificate password."

Hello Jägs, 

i try to do the same on my nas asustor AS6404T, everything is ok, the cert is correctly generate but i have a issue, when i restart emby server to save modification,  i can't connect anymore. I have to renew the pfx cert and it's working again.

 There is the line i add to my crontab: 

0 1 * * * /usr/builtin/bin/openssl pkcs12 -export -out /volume1/home/MyUserName/MyCERT.pfx -inkey /volume0/usr/builtin/etc/certificate/ssl.key -in /volume0/usr/builtin/etc/certificate/ssl.crt -passout pass:MyPassword

And the path i fill under emby interface is: 

/volume1/home/MyUserName/MyCERT.pfx

Thanks in advance for your help 

[Jägs 85]

On 5/31/2021 at 4:22 PM, freeflight29 said:

when i restart emby server to save modification,  i can't connect anymore

When you restart Emby, are you trying to connect via your local network or remotely and having a problem?  If local, can you connect via the non-SSL port (i.e. localhost:8096)?

After you restart, can you verify that the pfx file still exists in the path?  It's unlikely to disappear, but just to eliminate a possibility.

The only other thing I can think of is your pfx path is different—on volume1 vs volume0—and while it really shouldn't matter, if you continue to have problems, can you place the pfx in the same folder as the rest and see if you still have the same problems?

[Luke 40126]

@freeflight29 has this helped?

[freeflight29 2]

Hello, 

Sorry for the delay i was a little busy.....

So here what i'm doing :

When you restart Emby, are you trying to connect via your local network or remotely and having a problem?  If local, can you connect via the non-SSL port (i.e. localhost:8096)?
When i restart it, remotely not working, and  local acces is ok

After you restart, can you verify that the pfx file still exists in the path?  It's unlikely to disappear, but just to eliminate a possibility.
i use mobaXterm to connect to the nas via SSH with root account. Then i generate the certificate  with that command (i modify  the path like you suggest):

/usr/builtin/bin/openssl pkcs12 -export -out /volume0/usr/builtin/etc/certificate/MyCert.pfx -inkey /volume0/usr/builtin/etc/certificate/ssl.key -in /volume0/usr/builtin
/etc/certificate/ssl.crt -passout pass:MyPassword

i confirm that the pfx certificate is present and the path is correct under Emby interface (/volume0/usr/builtin/etc/certificate/MyCert.pfx)

root@MyNAS:/volume0/usr/builtin/etc/certificate # ls -la
total 48
drwxr-xr-x    4 root     root          4096 Jun  9 00:00 ./
drwxr-xr-x   48 root     root          4096 Jun  8 00:08 ../
-rw-r--r--    1 root     root           765 Jun  9 00:00 certificate.json
-rw-r--r--    1 root     root          5717 Jun 10 21:45 MyCert.pfx
drwxr-xr-x    3 root     root          4096 Jul 16  2019 letsencrypt/
drwxr-xr-x    4 root     root          4096 May 16 19:11 ssl/
-rw-r--r--    1 root     root          5630 May 16 19:11 ssl.crt
-rw-r--r--    1 root     root          1675 Dec 28  2019 ssl.key
-rw-r--r--    1 root     root          7306 May 16 19:11 ssl.pem

 

The only other thing I can think of is your pfx path is different—on volume1 vs volume0—and while it really shouldn't matter, if you continue to have problems, can you place the pfx in the same folder as the rest and see if you still have the same problems?
I still have the problem even if i change the the path at the same place as the rest.
 

I don't have any error message during the generation of the pfx, and i also check the password side. So i don't know what can be wrong

 

After all the only way is working for me, but without automation (and it's what i want to have) , it's when i generate  the certificate manually with that command with openssl 

openssl pkcs12 -export -out MyCert.pfx -inkey ssl.key -in ssl.crt 

And fill the password twice to generate the password.

  

@Jägs Just in case.... have you try to make it working with reverse proxy? During the configuration i don't encounter any pb when i'm doing the test. But when i validate the configuration, i have a message like "folder not exist" 

In short, thanks a lot to having taking time and try to help me

EDIT: 

i tried this directly via mobaxterm manually , and it's working

root@MyNas:/volume0/usr/builtin/etc/certificate # openssl pkcs12 -export -out MyCert.pfx -inkey ssl.key -in ssl.crt
Enter Export Password:
Verifying - Enter Export Password:
root@MyNas:/volume0/usr/builtin/etc/certificate # ls
certificate.json  MyCert.pfx        letsencrypt/      ssl/              ssl.crt           ssl.key           ssl.pem
root@MyNas:/volume0/usr/builtin/etc/certificate # ls -la
total 48
drwxr-xr-x    4 root     root          4096 Jun  9 00:00 ./
drwxr-xr-x   48 root     root          4096 Jun  8 00:08 ../
-rw-r--r--    1 root     root           765 Jun  9 00:00 certificate.json
-rw-r--r--    1 root     root          5717 Jun 10 23:05 MyCert.pfx
drwxr-xr-x    3 root     root          4096 Jul 16  2019 letsencrypt/
drwxr-xr-x    4 root     root          4096 May 16 19:11 ssl/
-rw-r--r--    1 root     root          5630 May 16 19:11 ssl.crt
-rw-r--r--    1 root     root          1675 Dec 28  2019 ssl.key
-rw-r--r--    1 root     root          7306 May 16 19:11 ssl.pem
 

@Luke so when the certificate is renew via crontab, i can't reach the url with my laptop in https. But i can join the emby server with the emby android app....even if in the dashboard i choose that https is required for external connexion. Can you tell me a little more about how the app working ?  

Edited June 11, 2021 by freeflight29
add "edit"

[Luke 40126]

Quote

 

@Luke so when the certificate is renew via crontab, i can't reach the url with my laptop in https. But i can join the emby server with the emby android app....even if in the dashboard i choose that https is required for external connexion. Can you tell me a little more about how the app working ?  

The android app has that override dialog that lets you approve the certificate even if the device by default rejects it. But it's not possible for us to do that for all apps on all devices, so the important thing is, use a certificate that your devices will trust if you want to always just work.

[freeflight29 2]

 

On 6/12/2021 at 9:56 PM, Luke said:

The android app has that override dialog that lets you approve the certificate even if the device by default rejects it. But it's not possible for us to do that for all apps on all devices, so the important thing is, use a certificate that your devices will trust if you want to always just work.

Thanks for your précision about that.

[barraxas 1]

Hello, in my case all the first steps are ok :

1) Create domain name (blablabla.myasustor.com) : ✔

2) Generate a certificate with asustor/let's encrypt : ✔

3) Force https : ✔

4) Accessing to asustor from external in https and ssl : ✔

 

Here, steps about emby securisation :

5) activate ssh, install kitty (on windows) and connect to asustor from external / ✔

6) myPseudo@ASUSTOR:/volume0/usr/builtin/etc/certificate $ openssl pkcs12 -export -out ssl.pfx -inkey ssl.key -in ssl.crt : ✔ (console ask me to define a password : ✔)

7) Configuration of "networks params" in emby.... it's here I had some problems..

 

Firstly, one time on 2, when i select ssl.pfx file from params's emby interface, the root writed is sometimes "/volume0/usr/builtin/etc/certificate/ssl.pfx" and sometimes just "/usr/builtin/etc/certificate/ssl.pfx". Is it a serious problem ? Maybe solve it at next update ? In twice case, the saving don't throw any errors.

Secondly, (and it's my main problem) emby dont care about this new configuration. He continue to allow http connexions and refuse https connexions. Look my screenshot to see what I mean.

I precise the redirecting of port are ok and i can join emby by http port.
I precise too I had try to restart only emby and restart all asustor, but emby continue to ignore the config (see screenshots)

Thanks for your help.

[barraxas 1]

Here I detect an error in log file :

Quote

2024-05-22 12:31:32.858 Error App: Error loading cert from /volume0/usr/builtin/etc/certificate/ssl.pfx
    *** Error Report ***
    Version: 4.8.6.0
    Command line: /volume1/.@plugins/AppCentral/emby-server/system/EmbyServer.dll -programdata /home/emby -ffdetect /usr/local/AppCentral/emby-server/bin/ffdetect -ffmpeg /usr/local/AppCentral/emby-server/bin/ffmpeg -ffprobe /usr/local/AppCentral/emby-server/bin/ffprobe -defaultdirectory /volume1/Public -updatepackage emby-server-asustor_{version}_x86-64.apk -noautorunwebapp
    Operating system: Linux version 5.13.x (root@sw1-dailybuild) (x86_64-asustor_x64_g3_2020.12.24-linux-gnu-gcc (crosstool-NG 1.24.0) 7.4.0, GNU ld (crosstool-NG 1.24.0) 2
    Framework: .NET 6.0.25
    OS/Process: x64/x64
    Runtime: volume1/.@plugins/AppCentral/emby-server/system/System.Private.CoreLib.dll
    Processor count: 4
    Data path: /home/emby
    Application path: /volume1/.@plugins/AppCentral/emby-server/system
    Interop+Crypto+OpenSslCryptographicException: Interop+Crypto+OpenSslCryptographicException: error:2006D002:BIO routines:BIO_new_file:system lib
       at Interop.Crypto.CheckValidOpenSslHandle(SafeHandle handle)
       at Internal.Cryptography.Pal.OpenSslX509CertificateReader.FromFile(String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
       at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
       at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password)
       at Emby.Server.Implementations.ApplicationHost.GetCertificate(CertificateInfo info)
    Source: System.Security.Cryptography.X509Certificates
    TargetSite: Void CheckValidOpenSslHandle(System.Runtime.InteropServices.SafeHandle)

But I don't understand what it mean.

 

I had try 5 different location including (/share/Public) but it's always the same result.

 

EDIT (& SOLUCE) !

The path was not the problem.

So it's more simple to keep the same path then "/volume0/usr/builtin/etc/certificate/ssl.pfx"

After generating the pfx file, you just need to execute "chmod 644 ssl.pfx" and restart emby server

So happy, all works well now !

Edited May 22, 2024 by barraxas