
How to connect Emby through Qnap LetsEncrypt Certificate ?

qnap letsencrypt ssl https

12 replies to this topic

#1 ade05fr OFFLINE  


Posted 05 January 2019 - 07:22 AM

Hi

 

I would like to know if it's possible to reuse my LetsEncrypt certificate from my NAS TS-251 to connect through https?

I tried to put the path of the cert certificate but it's not working.

 

Here is what I have:

Custom SSL certificate path:
/mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/cert

Error after restarting EmbyServer:

2019-01-05 12:05:44.470 Info AuthenticationRepository: PRAGMA synchronous=1
2019-01-05 12:05:44.526 Error App: No private key included in SSL cert /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/cert.
2019-01-05 12:05:44.737 Info ActivityRepository: Default journal_mode for /share/CACHEDEV1_DATA/.qpkg/EmbyServer/programdata/data/activitylog.db is wal

And in my web page:

Secure Connection Failed

The connection to xxxxxxxxxxxxxxx.myqnapcloud.com:yyyyyy was interrupted while the page was loading.

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

Thanks for your help

ade05fr



#2 Luke OFFLINE  


Posted 05 January 2019 - 02:21 PM

@PenkethBoy have you ever tried this?



#3 PenkethBoy ONLINE  


Posted 05 January 2019 - 04:41 PM

@Luke Sorry, no, not tried this as I do not have any external access set up in Emby as I don't need it.



#4 jillybean OFFLINE  


Posted 05 January 2019 - 08:50 PM

> Hi
>
> I would like to know if it's possible to reuse my LetsEncrypt certificate from my NAS TS-251 to connect through https?
>
> I tried to put the path of the cert certificate but it's not working.
>
> ade05fr

Emby requires a PKCS#12 file (combined cert & key) rather than the individual files so you need to create this first (and EVERY time your certificate renews it seems).  I am no expert, but I used the info here https://www.ssl.com/...-using-openssl/ to create the necessary file and it seems to be working. 


Edited by jillybean, 05 January 2019 - 08:52 PM.


#5 ade05fr OFFLINE  


Posted 07 January 2019 - 12:20 AM

> Emby requires a PKCS#12 file (combined cert & key) rather than the individual files so you need to create this first (and EVERY time your certificate renews it seems). I am no expert, but I used the info here https://www.ssl.com/...-using-openssl/ to create the necessary file and it seems to be working.

I followed this and it worked!
Here is the command that I used:
openssl pkcs12 -export -out certificate.pfx -inke key -in crt
Now the next step is to create a crontab job to be sure that the renewal of the certificate is taken into account.

Thanks a lot


Edited by ade05fr, 07 January 2019 - 12:24 AM.


#6 Luke OFFLINE  


Posted 07 January 2019 - 01:58 AM

Great, thanks for the info !



#7 Jibest OFFLINE  


Posted 21 January 2019 - 11:31 AM

@PenkethBoy I just noticed "Let's Encrypt" & had the same idea. I've a few questions though.

 

It requests a password when exporting the key, how have you automated this so Crontab can do this without input?

How often did you set yours to re-create the PFX?

 

As the cert lasts about 90 days and the app says it will attempt to renew when 30 days remain what would happen if it renewed before you then re-create the PFX for example would everything still work for the last 30 days before the current cert expires?

 

Also there were a couple of typos in your cmd but the following worked:

 

openssl pkcs12 -export -out certificate.pfx -inkey key -in cert



#8 Jibest OFFLINE  


Posted 21 January 2019 - 07:09 PM

I've managed to answer most of those questions myself. You can automate the password when running the cmd by using -passout in the cmd.

To have no password add the following:

openssl pkcs12 -export -out certificate.pfx -inkey key -in cert -passout pass:

If you want a password then use:

openssl pkcs12 -export -out certificate.pfx -inkey key -in cert -passout pass:mypassword

 

I've decided to re-generate the PFX twice a month to avoid it expiring but need to wait and see if there are any issues. To do this I wrote a simple script to run the cmd and then added the following to Crontab:

0 0 */15 * 6 /share/CE_CACHEDEV6_DATA/Files/Scripts/Create_Cert.sh

 

Touch wood this will now take care of itself.



#9 Luke OFFLINE  


Posted 21 January 2019 - 08:16 PM

Great, thanks for the info !



#10 jillybean OFFLINE  


Posted 22 January 2019 - 06:58 AM

> I've managed to answer most of those questions myself. You can automate the password when running the cmd by using -passout in the cmd.
>
> To have no password add the following:
>
> openssl pkcs12 -export -out certificate.pfx -inkey key -in cert -passout pass:
>
> If you want a password then use:
>
> openssl pkcs12 -export -out certificate.pfx -inkey key -in cert -passout pass:mypassword
>
> I've decided to re-generate the PFX twice a month to avoid it expiring but need to wait and see if there are any issues. To do this I wrote a simple script to run the cmd and then added the following to Crontab:
>
> 0 0 */15 * 6 /share/CE_CACHEDEV6_DATA/Files/Scripts/Create_Cert.sh
>
> Touch wood this will now take care of itself.

Check your cron entry.  I think what you have above will run at 00:00 (midnight) on the 15th of each month, but only if it is a Saturday.  I use https://crontab.guru/ to check my cron entries as I can never remember how they work.

 

I also think that the key file may change when the certificate renews, and if so you could have up to 2 weeks without secure access before the .pfx with the new key is created with your approach.

 

I have the script below that checks the date/time of the key file and recreates the .pfx if the key file is less than 60 minutes old (hopefully).  My cron job runs the script every 30 minutes.

The script worked in testing on a dummy file but my certificate doesn't renew again until April so it hasn't been tested "in anger" - use at your own risk  :D
#!/bin/sh
# Recreate certificate.pfx if the key file was modified in the last 60 minutes.

now="$(date)"
cd /path/to/certificate/folder || exit 1
# find prints "key" only when the file is less than 60 minutes old
if [ -z "$(find key -mmin -60)" ]
then
  echo "Certificate key has not changed - $now" > /path/to/logfile/location/check-pfx.log
else
  /usr/bin/openssl pkcs12 -export -out certificate.pfx -inkey key -in cert -passout pass:mypassword
  echo "Created new certificate.pfx at $now" > /path/to/logfile/location/create-pfx.log
fi

Edited by jillybean, 22 January 2019 - 07:03 AM.
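
A variant of the renewal check discussed in this thread, as an added example that is not code from any poster. Instead of the key file's modification time it compares the SHA-256 fingerprint of the current cert with the one inside the existing .pfx, refuses to bundle a key that does not match the certificate, and reads the export password from a file via -passout file: so it does not appear on the command line. The function name sync_pfx and the password-file path are assumptions.

```sh
#!/bin/sh
# Added example: rebuild certificate.pfx only when the PEM certificate changed.
# sync_pfx and the password-file path are hypothetical names, not from the thread.

# SHA-256 fingerprint of the first PEM certificate on stdin (empty on error).
fingerprint() {
  openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# Usage: sync_pfx CERT KEY PFX PASS_FILE
# Prints "rebuilt", "unchanged", "mismatch" or "export-failed".
sync_pfx() {
  cert=$1 key=$2 pfx=$3 pass_file=$4

  # Refuse to bundle a key that does not belong to the certificate,
  # e.g. when cron fires while a renewal is only half written.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "mismatch"; return 1
  fi

  # Compare the current certificate with the one already inside the bundle.
  new_fp=$(fingerprint < "$cert")
  old_fp=""
  if [ -f "$pfx" ]; then
    old_fp=$(openssl pkcs12 -in "$pfx" -clcerts -nokeys \
               -passin "file:$pass_file" 2>/dev/null | fingerprint) || old_fp=""
  fi
  if [ "$new_fp" = "$old_fp" ]; then
    echo "unchanged"; return 0
  fi

  # Export with owner-only permissions, then rename so the server
  # never reads a partially written file.
  tmp="$pfx.tmp.$$"
  if ( umask 077; openssl pkcs12 -export -out "$tmp" -inkey "$key" \
         -in "$cert" -passout "file:$pass_file" ); then
    mv "$tmp" "$pfx" && echo "rebuilt"
  else
    rm -f "$tmp"; echo "export-failed"; return 1
  fi
}

# A cron wrapper would call it with paths of your own:
# sync_pfx /path/to/cert /path/to/key /path/to/certificate.pfx /path/to/pfx.pass
```

Because the check is based on the certificate itself rather than a time window, the function can be run from cron as often as you like without rewriting the .pfx unnecessarily.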


#11 Jibest OFFLINE  


Posted 22 January 2019 - 08:01 AM

Hi Jillybean. You're bang on about the crontab (last time I just trust Google with Crontab!). That's a great site you've listed, definitely bookmarking that.

 

I did fear something might break when the certificate renewed.

 

I've just done the following test:

 

Backed up the PFX

Released "Let's Encrypt". This removed all cert files including the PFX

Re-installed "Let's Encrypt" & moved the old PFX back

Restarted Emby

 

Surprisingly everything still works fine so the Key file may not be an issue after all.

 

Think I'll change the crontab to 0 0 14,29 * * to generate on the 14th & 29th of each month & wait and see what happens in April.


Edited by Jibest, 22 January 2019 - 08:18 AM.


#12 jillybean OFFLINE  


Posted 22 January 2019 - 08:31 AM

> I guess to test it you could perform a release on the Let's Encrypt app and then re-install it? Assuming that then generates a fresh cert we would be able to tell if it broke?
>
> Would probably need to backup the pfx first to copy back across to the dir when the new cert is generated just in case it gets deleted.

Yep, releasing the current cert and getting a new one would test it.  I'm not sure that you can re-install though - I think once released a new one gets created, so backing up the old .pfx wouldn't help.  If the script doesn't work as expected you would just need to run the openssl command again to manually recreate the .pfx and then back to the drawing board for a script.

 

You could just have cron job running your script more often than you had planned.  I was originally doing this (it ran every hour) but I decided to try to find a more elegant approach.  

 

Edit:  Looks like you tested while I was composing my reply.  Nice!


Edited by jillybean, 22 January 2019 - 08:34 AM.


#13 Jibest OFFLINE  


Posted 22 January 2019 - 08:33 AM

> Yep, releasing the current cert and getting a new one would test it.  I'm not sure that you can re-install though - I think once released a new one gets created, so backing up the old .pfx wouldn't help.  If the script doesn't work as expected you would just need to run the openssl command again to manually recreate the .pfx and then back to the drawing board for a script.
>
> You could just have cron job running your script more often than you had planned.  I was originally doing this (it ran every hour) but I decided to try to find a more elegant approach.

See above (edited the last post with new info)






