
Yet another SSL thread



jonomite

Sorry for posting yet another SSL thread™, but I'm not sure how to troubleshoot this.


I have a subdomain that I've registered through IONOS (formerly 1&1). I have an SSL certificate that IONOS is managing for me at my top-level domain. How do I get my subdomain to direct to my server? Do I just redirect to my server's remote IP address? Also, in reviewing the various other guides I've found on this, it looks like I may need to download my SSL certificate and keys and import those into Emby? It doesn't appear I have the option to do that from my IONOS dashboard as I've configured it so that IONOS manages it and not me. Is that a deal breaker? Or is there another way around this?

 

I feel like I have the basic pieces available to set up SSL for remote connections to my server, but I just need to take a few more steps to get to the finish line.


jonomite

After some tinkering, I did manage to edit the DNS settings so that the subdomain points to my Emby server. However, I am definitely stuck on the SSL certificate.

 

Sent from my Nexus 7 using Tapatalk


Jdiesel

@Jdiesel, any experience with IONOS?

Unfortunately not

 

 

There should be a place to download your private key someplace in the dashboard. Once you have the key, and depending on which format it is in, you will need to convert it to a pfx for use in Emby. You can do this with OpenSSL or an online tool if you trust it.

 

https://www.sslshopper.com/ssl-converter.html


jonomite

Thanks, everyone. Looks like I have to go the user-managed route, rather than allow IONOS to manage it for me. I'll tinker with it some more.

 

Sent from my Nexus 5X using Tapatalk


jonomite

Will I need to change the public https port on the server dashboard? I've seen one guide state that it needs to change to 443? So does that mean I need to forward port 80 to 443 on my router config?

 

Sent from my Nexus 5X using Tapatalk


jonomite

Ug, I'm throwing in the towel on this. For a variety of reasons, it's proving too complicated.

 

Here's a related question: can I just connect to the emby web app via https? I gave that a shot and when I went to click on my server, it said it wasn't available. Could that be because I have secure connections disabled in my server dashboard? If so, is there a guide on how to enable https for the web app?

 

Last but not least, when connecting externally via the android app, is that connection secure? Or do I still have to mess with the SSL certificate business in the dashboard?


Will I need to change the public https port on the server dashboard? I've seen one guide state that it needs to change to 443? So does that mean I need to forward port 80 to 443 on my router config?

 

Sent from my Nexus 5X using Tapatalk

 

You do not have to.


Last but not least, when connecting externally via the android app, is that connection secure? 

 

If you have set up SSL, yes.


Ug, I'm throwing in the towel on this. For a variety of reasons, it's proving too complicated.

Before you throw in the towel I may be able to help you.  If IONOS can supply you a cert of some kind all is not lost yet.

It's just a matter of knowing what/how to use this and to integrate this in Emby if possible, which we don't know yet.

 

If you can get a cert from them (or are willing to get a cert elsewhere) then shoot me a PM. I can help you via TeamViewer or some other remote access mechanism to get this working if at all possible.

 

Certs and converting them to a format Emby requires isn't hard, but it's not straightforward either, especially if it's your first time doing something like this. It's kind of par for the course for anyone who's done webserver work, however (which probably isn't of help to a lot of people).

 

Shoot me a PM if you want some personal help. We can then see what IONOS has available and what the course of action might be.

 

Carlo


Looks like IONOS supports domain name services, subdomains and SSL:

https://www.ionos.com/domains/domain-names?nc=1548168161032

 

The basic process requires 3 separate steps.

 

1. Public domain preparation.

 

Pick up a domain from a domain name service that:

A. Supports DDNS records (in the event you do not have a static IP with your ISP (Internet service provider)).

B. Allows the use of SSL certificates for the subdomains. (Some DDNS-only providers do not support SSL.)

You will want to set up a DDNS for your new service on the site.

Either set up a DDNS client on your Emby server or, if your router supports it, set up the DDNS client there to keep your new domain up to date.

 

2. Prepare your Emby server and router.

 

A. Set up your Emby server with either a static IP or a DHCP reserved IP on your local LAN.

   a. Take care not to use an IP at the beginning of your home’s DHCP pool (preferably you want an IP address that is never going to be used).

DHCP reservation is cleaner and is done on your home router.

B. Port forward port 8920 from your router’s WAN interface to your Emby server’s IP address.

3. Get an SSL certificate.

 

It is important to note that you do not necessarily need to go with the same vendor you bought your domain name from.

 

IONOS says to do the following to get your SSL certificate:

https://www.ionos.com/help/ssl-certificates/administration-of-user-managed-ssl-certificates/downloading-the-ssl-public-key-and-intermediate-certificates/

 

The weird part is that conventionally you have to create a CSR (certificate signing request) on a web service (Microsoft IIS or OpenSSL), upload that to your PKI SSL vendor, then they give you a cert and chain that you can then convert to a password-protected PFX file you can add to your Emby server.

 

Send me a PM; we can start a TeamViewer session and I can help.

 

 

Sent from my iPhone using Tapatalk
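
The CSR-to-PFX flow described in the posts above, done locally with OpenSSL so the private key is never uploaded to a conversion site. This is an added example, not part of the original thread: the hostname `emby.example.com`, the file names and the password are constructed, and a self-signed certificate stands in for the one a CA would return.

```shell
#!/bin/sh
# Added example: key + CSR -> certificate -> password-protected PFX, all local.
# Constructed values: hostname, file names, password. The self-signed
# certificate in step 2 only stands in for the one a CA would send back.

make_pfx() {   # $1 = hostname, $2 = output directory, $3 = PFX password
    host=$1; dir=$2; pass=$3
    mkdir -p "$dir" || return 1
    (
        umask 077   # key and PFX readable by the owner only
        # 1. Private key and CSR. Only the .csr is uploaded to the CA;
        #    the .key never leaves this machine.
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
            -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null || exit 1
        # 2. Stand-in for the CA's answer (a real CA returns the signed
        #    certificate plus its intermediate chain).
        openssl x509 -req -in "$dir/$host.csr" -signkey "$dir/$host.key" \
            -days 30 -out "$dir/$host.crt" 2>/dev/null || exit 1
        # 3. Bundle key + certificate into a PFX. With a real CA, append
        #    -certfile chain.pem so the intermediates are included. For real
        #    use, prefer -passout file:<path> over a password in argv.
        openssl pkcs12 -export -name "$host" -inkey "$dir/$host.key" \
            -in "$dir/$host.crt" -passout "pass:$pass" \
            -out "$dir/$host.pfx" || exit 1
    )
}

pfx_matches_key() {   # $1 = PFX file, $2 = PFX password, $3 = private key
    # The certificate inside the PFX must carry the public half of the key.
    in_pfx=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
                 2>/dev/null | openssl x509 -noout -pubkey 2>/dev/null)
    from_key=$(openssl pkey -in "$3" -pubout 2>/dev/null)
    [ -n "$in_pfx" ] && [ "$in_pfx" = "$from_key" ]
}

# Demo in a scratch directory.
work=$(mktemp -d)
make_pfx emby.example.com "$work" 'constructed-password' &&
    pfx_matches_key "$work/emby.example.com.pfx" 'constructed-password' \
        "$work/emby.example.com.key" &&
    echo "PFX ready: $work/emby.example.com.pfx"
```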


jonomite

@cayars

@Tur0k

 

Thanks so much for your offer to help. I really appreciate it. I'll do a more detailed write up on where I am tonight and maybe that'll help the troubleshooting without taking up too much of your time.

 

I can definitely get an SSL certificate from IONOS. However, based on my initial troubleshooting, I'm not sure I have sufficient access to the server for my top level domain due to the package I'm on to get secure connections to that domain to work. Maybe there's a way around this. Also, I'm not sure at this point if I am allowed to have different SSL certificates for subdomains. My guess is not .. oye!

 

Sent from my Nexus 5X using Tapatalk


jonomite

Holy cow, I've had a breakthrough: I'm able to connect to the emby securely! I honestly don't know what did the trick... it seemed like it took some time for my SSL certificate (for which I used DNS verification on my subdomain) to fully propagate... maybe?

 

Now... just one last question. Under secure connection mode, I have enabled "required for all remote connections." But, when I type app.emby.media into my browser, it still defaults to http instead of https. Am I missing something there?

 

Thanks again for all the offers of assistance. Maybe my server got wind that the big guns were taking aim and decided to comply.


Now... just one last question. Under secure connection mode, I have enabled "required for all remote connections." But, when I type app.emby.media into my browser, it still defaults to http instead of https. Am I missing something there?

 

If you're inside the local network then it will use the lan address as it may perform better. Try actually testing from outside your network.


jonomite

If you're inside the local network then it will use the lan address as it may perform better. Try actually testing from outside your network.

Thanks for the reply. I'm trying to connect from my phone using my mobile network. Still seeing the same issue.


jonomite

Why do you feel that it's using http?

In Chrome, I'm not getting the secure padlock icon. However, having said that, I checked the server log and it does appear to be that I'm connecting via https. So maybe it's a non-issue.

 

Sent from my Nexus 5X using Tapatalk
