Jump to content

How to connect Emby through Qnap LetsEncrypt Certificate ?


ade05fr
 Share

Recommended Posts

ade05fr

Hi

 

i would like to know if its possible to reuse my certificate LetsEncrypt from my NAS TS-251 to connect through https ?

i tried to put the path of the cert certificate but its not working.

 

here is what i have

Custom SSL certificate path:
/mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/cert

error after restarting EmbyServer

2019-01-05 12:05:44.470 Info AuthenticationRepository: PRAGMA synchronous=1
2019-01-05 12:05:44.526 Error App: No private key included in SSL cert /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/cert.
2019-01-05 12:05:44.737 Info ActivityRepository: Default journal_mode for /share/CACHEDEV1_DATA/.qpkg/EmbyServer/programdata/data/activitylog.db is wal

and in my web page

Secure Connection Failed

The connection to xxxxxxxxxxxxxxx.myqnapcloud.com:yyyyyy was interrupted while the page was loading.

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

thanks for your help

ade05fr

Link to comment
Share on other sites

jillybean

Hi

 

i would like to know if its possible to reuse my certificate LetsEncrypt from my NAS TS-251 to connect through https ?

i tried to put the path of the cert certificate but its not working.

 

ade05fr

Emby requires a PKCS#12 file (combined cert & key) rather than the individual files so you need to create this first (and EVERY time your certificate renews it seems).  I am no expert, but I used the info here https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/ to create the necessary file and it seems to be working. 

Edited by jillybean
Link to comment
Share on other sites

ade05fr

Emby requires a PKCS#12 file (combined cert & key) rather than the individual files so you need to create this first (and EVERY time your certificate renews it seems). I am no expert, but I used the info here https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/ to create the necessary file and it seems to be working.

I followed this and it worked!

Here the command that I used

openssl pkcs12 -export -out certificate.pfx -inke key -in crt
Now next step is to create a crontab job to be sure that the renewal of the certificate is taking account.

 

Thanks a lot

 

Sent from my LEX820 using Tapatalk

Edited by ade05fr
Link to comment
Share on other sites

  • 2 weeks later...

@@PenkethBoy I just noticed "Let's Encrypt" & had the same idea. I've a few questions though.

 

It requests a password when exporting the key, how have you automated this so Crontab can do this without input?

How often did you set yours to re-create the PFX?

 

As the cert lasts about 90 days and the app says it will attempt to renew when 30 days remain what would happen if it renewed before you then re-create the PFX for example would everything still work for the last 30 days before the current cert expires?

 

Also there was a couple of typos in your cmd but the following worked:

 

openssl pkcs12 -export -out certificate.pfx -inkey key -in cert

Link to comment
Share on other sites

I've managed to answer most of those questions myself. You can automate the password when running the cmd by using -passout in the cmd.

To have no password add the following:

openssl pkcs12 -export -out certificate.pfx -inkey key -in cert -passout :pass

if you want a password then use

openssl pkcs12 -export -out certificate.pfx -inkey key -in cert -passout :passmypassword

 

I've decided to re-generate the PFX twice a month to avoid it expiring but need to wait and see if there are any issues. To do this I wrote a simple script to run the cmd and then added the following to Crontab:

0 0 */15 * 6 /share/CE_CACHEDEV6_DATA/Files/Scripts/Create_Cert.sh

 

Touch wood this will now take care if itself.

Link to comment
Share on other sites

jillybean

I've managed to answer most of those questions myself. You can automate the password when running the cmd by using -passout in the cmd.

To have no password add the following:

openssl pkcs12 -export -out certificate.pfx -inkey key -in cert -passout :pass

if you want a password then use

openssl pkcs12 -export -out certificate.pfx -inkey key -in cert -passout :passmypassword

 

I've decided to re-generate the PFX twice a month to avoid it expiring but need to wait and see if there are any issues. To do this I wrote a simple script to run the cmd and then added the following to Crontab:

0 0 */15 * 6 /share/CE_CACHEDEV6_DATA/Files/Scripts/Create_Cert.sh

 

Touch wood this will now take care if itself.

Check your cron entry.  I think what you have above will run at 00:00 (midnight) on the 15th of each month, but only if it is a Saturday.  I use https://crontab.guru/ to check my cron entries as I can never remember how they work.

 

I also think that the key file may change when the certificate renews, and if so you could have up to 2 weeks without secure access before the .pfx with the new key is created with your approach.

 

I have the script below that checks the date/time of the key file and recreates the .pfx if the key file is less than 60 minutes old (hopefully).  My cron job runs the script every 30 minutes.

The script worked in testing on a dummy file but my certificate doesn't renew again until April so it hasn't been tested "in anger" - use at your own risk  :D
#!/bin/sh

now="$(date)"
cd /path/to/certificate/folder
[[ -z `find key -mmin -60` ]]
if [ $? -eq 0 ]
then 
  echo "Certificate key has not changed - $now" > /path/to/logfile/location/check-pfx.log
else
  /usr/bin/openssl pkcs12 -export -out certificate.pfx -inkey key -in cert -passout pass:mypassword
  echo "Created new certificate.pfx at $now" > /path/to/logfile/location/create-pfx.log
fi
Edited by jillybean
Link to comment
Share on other sites

Hi Jillybean. You're bang on about the crontab (last time I just trust google with Crontab!). Thats a great site you've listed, definitely bookmarking that.

 

I did fear something might break when the certifcate renewed.

 

I've just done the following test:

 

Backed up the PFX

Released "Let's Encrypt" This removed all cert files including the PFX

Re-installed "Lets Encrypt" & moved the old PFX back

Restarted Emby

 

Surprisingly everything still works fine so the Key file may not be an issue after all.

 

Think i'll change the crontab to 0 0 14,29 * * to generate on the 14th & 29th of each month & wait and see what happens in April.

Edited by Jibest
Link to comment
Share on other sites

jillybean

I guess to test it you could perform a release on the Let's Encrypt app and then re-install it? Assuming that then generates a fresh cert we would be able to tell if it broke?

 

Would probably need to backup the pfx first to copy back across to the dir when the new cert is generated just in case it gets deleted.

Yep, releasing the current cert and getting a new one would test it.  I'm not sure that you can re-install though - I think once released a new one gets created, so backing up the old .pfx wouldn't help.  If the script doesn't work as expected you would just need to run the openssl command again to manually recreate the .pfx and then back to the drawing board for a script.

 

You could just have cron job running your script more often than you had planned.  I was originally doing this (it ran every hour) but I decided to try to find a more elegant approach.  

 

Edit:  Looks like you tested while I was composing my reply.  Nice!

Edited by jillybean
Link to comment
Share on other sites

Yep, releasing the current cert and getting a new one would test it.  I'm not sure that you can re-install though - I think once released a new one gets created, so backing up the old .pfx wouldn't help.  If the script doesn't work as expected you would just need to run the openssl command again to manually recreate the .pfx and then back to the drawing board for a script.

 

You could just have cron job running your script more often than you had planned.  I was originally doing this (it ran every hour) but I decided to try to find a more elegant approach.  

See above (edited the last post with new info)

Link to comment
Share on other sites

  • 2 years later...
schogobong

@jillybean I just added my QNAP Let's Encrypt certificate to Emby and am thus in need of a cron job to automate the re-creation of the pkcs12 file.

You mentioned in your post that you weren't sure if your script was going to work beyond the dummy - can you confirm that it works "in the wild"? :)

If so: I have never set up a cron job, so I have no idea what to do with that script after I SSHd into my NAS. Would you mind giving me a quick rundown? My level of experience: assume I'm a two year old kid with a Fisher Price Doodle as a laptop and a blindfold on...

Your help would be much appreciated :)

Link to comment
Share on other sites

jillybean

@shogobong  I no longer have my QNAP exposed to the web so haven't used this for some time.  It did work while I had it running but I don't know whether any firmware updates will have changed that.  The basic process is:

1  Create your script and save it making sure is it executable (permissions 0755 maybe).

2  SSH to your QNAP (I use PuTTy) and use a text editor (I use nano) to edit crontab to set up the script to run.  A good starting place for how to do this is https://wiki.qnap.com/wiki/Add_items_to_crontab  The line you add will look something like  */30 * * * * /bin/sh /path/to/your/script (this would run the script every 30 minutes for example)

You will probably need to have Entware installed to be able to install nano.  If you don't already have Entware this is a good starting place https://forum.qnap.com/viewtopic.php?f=320&t=132373&hilit=sherpa

 

 

 

Link to comment
Share on other sites

schogobong

Thanks for the info @jillybean! I installed Entware directly through the QNAP Community store as I didn't want the other things included into sherpa. However, even after doing a quick google search, I can't seem to figure out how to install nano. All I can find are forum entries from 2009, 2013 and similar. I tried to follow this: https://forum.qnap.com/viewtopic.php?t=116284, but I just get the following message:

-sh: opkg: command not found

any hints?
 

Link to comment
Share on other sites

jillybean

@schogobong  That Entware qpkg is the same one as sherpa installs I think so in PuTTY you should just need to use 'opkg install nano'.  This is what I get when I do that. 

[~] # opkg install nano
Package nano (5.3-1) installed in root is up to date.
[~] #

The other possibility is that the location of opkg is not in your PATH.  You could try using the full path for opkg - on my system that is /share/CACHEDEV1_DATA/.qpkg/Entware/bin/opkg but yours may be different.

[~] # /share/CACHEDEV1_DATA/.qpkg/Entware/bin/opkg install nano
Package nano (5.3-1) installed in root is up to date.
[~] #

Link to comment
Share on other sites

schogobong

Allright - so I got nano running, thanks for the explanation @jillybean

  1. nano is running
  2. I have added the following script (see explanation below): 
    now="$(date)"
    cd /etc/config/QcloudSSLCertificate/cert
    [[ -z `find key -mmin -60` ]]
    if [ $? -eq 0 ]
    then 
      echo "Certificate key has not changed - $now" > /share/CustomScripts/check-pfx.log
    else
      /etc/config/QcloudSSLCertificate/cert openssl pkcs12 -export -out emby.p12 -inkey key -in cert -passout pass:mypassword
      echo "Created new certificate.pfx at $now" > /share/CustomScripts/check-pfx.log
    fi

     

  3. I have run 
    chmod +x /share/CustomScripts/CertRenewPKSC12.sh
    based on this site you linked to: https://wiki.qnap.com/wiki/Add_items_to_crontab
  4. I have added the following cron job and then restarted cron tab: 
    */30 * * * * /bin/sh /share/CustomScripts/CertRenewPKSC12.sh

     

Explanation regarding script: I have a different else statement, as I followed this guide to create my initial certificate, which seems to have worked fine: 

 

My current issue: When running the script using the following command (same as in cron job), I get the following errors:

[/] # /bin/sh /share/CustomScripts/CertRenewPKSC12.sh
: No such file or directorynewPKSC12: line 2: cd: /etc/config/QcloudSSLCertificate/cert
/share/CustomScripts/CertRenewPKSC12: line 3: syntax error in conditional expression
'share/CustomScripts/CertRenewPKSC12: line 3: syntax error near `]]
'share/CustomScripts/CertRenewPKSC12: line 3: `[[ -z `find key -mmin -60` ]]

Any idea why this is the case? Directly entering

cd /etc/config/QcloudSSLCertificate/cert

works without any issues

 

Edited by schogobong
Link to comment
Share on other sites

jillybean

The only thing I can suggest is to check the ownership of CertRenewPKSC12.sh.  Cron jobs run as admin so If the owner is not 'admin' then you may need to change the ownership (or set the cron job to use whoever the owner is).  Otherwise just search for something like 'bash script runs manually but not in cron' and work your way through the answers - you are not alone in having this problem.

Link to comment
Share on other sites

schogobong

The thing is, I was running the script manually with this command:

/bin/sh /share/CustomScripts/CertRenewPKSC12.sh

So it doesn't seem to be an issue with the cron job but rather with executing the script itself.

File owner is admin and I ssh into the NAS as admin to run the command above.

Link to comment
Share on other sites

jillybean
14 hours ago, schogobong said:

The thing is, I was running the script manually with this command:


/bin/sh /share/CustomScripts/CertRenewPKSC12.sh

So it doesn't seem to be an issue with the cron job but rather with executing the script itself.

File owner is admin and I ssh into the NAS as admin to run the command above.

Cron runs in a very sparse environment so it looks like there are variables available when you run the script manually that are not available when it runs from cron. 

: No such file or directorynewPKSC12: line 2: cd: /etc/config/QcloudSSLCertificate/cert

This is the problem from cron - it can't find that folder.  In the script try it with the full path for the cd command (on my system it would be cd /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert) rather than the one dependent on a link that you are using.  If that doesn't work maybe ask on the QNAP forum as I don't have any other suggestions.

Link to comment
Share on other sites

schogobong

Allright, so my issue was related to Unix/Dos file endings. I created my script using the built-in Qnap text editor, which has different line endings than unix. I noticed this when running

cat -A /share/CustomScripts/CertRenewPKSC12.sh

 

running the following command resolves this issue:

dos2unix /share/CustomScripts/CertRenewPKSC12.sh

 

The script now runs, if the cron-job and certificate-renewal work remains to be seen ;)

Thanks for your support @jillybean - wouldn't have gotten here without your help :)

Link to comment
Share on other sites

schogobong

had a question, resolved question, can't delete this post..so here we are - sorry for that

Edited by schogobong
question resolved itself
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...