willvincent 3 Posted February 18, 2019 Share Posted February 18, 2019 The only relevant fix I can think of would be exposing the ability to set a custom SSL cert for internal connections, which is only currently possible if you enable external connections.What I did was enable external connections so that I could populate my custom self-signed cert, but I'm not actually forwarding any external traffic to emby, so it's not possible to hit the server from outside my local network anyway, but enabling external connections within the emby server config allowed defining the certificate to use for https.The only other thing I could think of that would ease this a bit would be providing a tool to generate and/or obtain a cert to use (letsencrypt, for example)I've read that it is at least theoretically possible to generate a letsencrypt cert for internal network usage, but you'd have to have a domain to associate it with that is publicly accessible, so that's not super straightforward/easy and not an emby-specific issue. The only emby specific issue is how one actually defines what cert to use. Which I believe Luke has already stated would be addressed Link to comment Share on other sites More sharing options...
Luke 36999 Posted February 18, 2019 Share Posted February 18, 2019 The only relevant fix I can think of would be exposing the ability to set a custom SSL cert for internal connections Yes that would be fine. Also for those who may have missed it, you can also use the web app over localhost, or our android mobile app, or iOS app. Link to comment Share on other sites More sharing options...
willvincent 3 Posted February 18, 2019 Share Posted February 18, 2019 you can also use the web app over localhost Doesn't that necessitate that the server be running on the local machine? Link to comment Share on other sites More sharing options...
Luke 36999 Posted February 18, 2019 Share Posted February 18, 2019 Yes but for some that will be the case. Link to comment Share on other sites More sharing options...
Eddie 10 Posted February 19, 2019 Share Posted February 19, 2019 Well i was hoping that magically this could be addressed by an update on emby's end but if that is not possible then i will look into setting up a cert for https.... i should of prob set one up anyways ... any guides you recommend to follow... I know i can use android app or ios app but in my current situation i do not have acceess to that and only have a ubuntu client so i cant install the home theater program for windows.. im forced into using the chrome browser to cast it.. thanks for the reply Link to comment Share on other sites More sharing options...
Netbug 26 Posted February 19, 2019 Share Posted February 19, 2019 If anyone can recommend a good step-by-step guide for setting up a cert, it would be very much appreciated. This is causing me a great deal of grief. Link to comment Share on other sites More sharing options...
Joe Farmer 2 Posted February 25, 2019 Share Posted February 25, 2019 @@Eddie this is a Chrome requirement. What fix are you hoping for? Hi Luke, Can you help me to understand why this is not an Emby issue? Other sites that I use to stream from my daughter's laptop to her Chromecast still work fine ie. Netflix and Youtube but Emby does not. On a very basic level that would seem to me to be something that Emby needs to fix. Link to comment Share on other sites More sharing options...
Luke 36999 Posted February 26, 2019 Share Posted February 26, 2019 Because those sites are running under https. It's not easy for is to just provide that for your server because first you need a domain name to attach the certificate to. Link to comment Share on other sites More sharing options...
willvincent 3 Posted February 26, 2019 Share Posted February 26, 2019 For what it's worth.. a self-signed certificate does work just fine. It's not strictly necessary to expose the server to the net.Chrome of course will complain that you're accessing an untrusted site:But after clicking 'proceed' everything will work just fine, you'll see "Not secure" in the address bar, otherwise it's all good.If you need/want it accessible outside your local network, then yes you'll need a domain, and a proper certificate like those available freely via letsencrypt (note they need frequent refreshing as they're only valid for a few months at a time) Link to comment Share on other sites More sharing options...
Joe Farmer 2 Posted February 26, 2019 Share Posted February 26, 2019 For what it's worth.. a self-signed certificate does work just fine. It's not strictly necessary to expose the server to the net. Thanks, guess I'll have to look into how to create a self-signed cert then hey! Link to comment Share on other sites More sharing options...
Netbug 26 Posted February 26, 2019 Share Posted February 26, 2019 (edited) For what it's worth.. a self-signed certificate does work just fine. It's not strictly necessary to expose the server to the net. Chrome of course will complain that you're accessing an untrusted site: But after clicking 'proceed' everything will work just fine, you'll see "Not secure" in the address bar, otherwise it's all good. If you need/want it accessible outside your local network, then yes you'll need a domain, and a proper certificate like those available freely via letsencrypt (note they need frequent refreshing as they're only valid for a few months at a time) How do you get to this point, willvincent? Edited February 26, 2019 by Netbug Link to comment Share on other sites More sharing options...
Joe Farmer 2 Posted February 26, 2019 Share Posted February 26, 2019 How do you get to this point, willvincent? You will need to create a self-signed certificate. From what I understand it is not a simple task and something that you would need to research and figure out how to do as although several people have mentioned doing it, no one has yet given any information on how to do it or where to get information on how to do it. I'm considering whether or not I take the time to try to figure it out myself, haven't had time to do it yet. Would be good if someone who has already done it could give us some direction on how to do it or even just a link to some resources that would help us to figure it out ourselves *hint hint* Link to comment Share on other sites More sharing options...
willvincent 3 Posted February 28, 2019 Share Posted February 28, 2019 (edited) I've mentioned it earlier, but for me cert generation is built into my router, so I'm not sure how much help I can provide.. I'll see if I can track down some linkage.Within emby, when managing the server -- on the 'Expert > Advanced' settings form, you must tick the box to enable remote connections so that you can provide your custom self-signed cert. I think it'll also require that you populate the "External Domain" field, but if you're not going to actually forward external traffic to the emby server, what you put there isn't entirely important as far as I can figure.Once you've done that, you simply access your server via the https port, 8920 by default... so for me, I hit: https://emby:8920/web/index.html Edited February 28, 2019 by willvincent Link to comment Share on other sites More sharing options...
willvincent 3 Posted February 28, 2019 Share Posted February 28, 2019 (edited) Try this: https://stackoverflow.com/a/20445432/1972101 On linux/mac commands should be the same, but just be openssl ...whatever... instead of C:\Openssl\bin\openssl.exeOnce you've got the cert, you'll need to put it onto the server OR a network path that you can access via emby.EDIT:The last comment on that stackoverflow claims it's doable in two steps.. haven't tested. openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:4096 -keyout mykey.key -out mypem.pem openssl pkcs12 -export -out myp12.p12 -inkey mykey.key -in mypem.pem Edited February 28, 2019 by willvincent 1 Link to comment Share on other sites More sharing options...
Joe Farmer 2 Posted February 28, 2019 Share Posted February 28, 2019 Try this: https://stackoverflow.com/a/20445432/1972101 On linux/mac commands should be the same, but just be openssl ...whatever... instead of C:\Openssl\bin\openssl.exe Once you've got the cert, you'll need to put it onto the server OR a network path that you can access via emby. EDIT: The last comment on that stackoverflow claims it's doable in two steps.. haven't tested. openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:4096 -keyout mykey.key -out mypem.pem openssl pkcs12 -export -out myp12.p12 -inkey mykey.key -in mypem.pem Crikey! This all seems way too complicated for me! The sad thing is I actually work for RSA but I'm no coder or engineer so this all goes over my head.....a bit like an aeroplane! If/when I have time I'll try to read through what you provided so thank you. I did also find this topic https://emby.media/community/index.php?/topic/42315-creating-a-letsencrypt-ssl-certificate-for-emby/ but not sure if it's relevant as it dates back to 2016. Link to comment Share on other sites More sharing options...
Sp3kt3r 13 Posted February 28, 2019 Share Posted February 28, 2019 (edited) Try this: https://stackoverflow.com/a/20445432/1972101 On linux/mac commands should be the same, but just be openssl ...whatever... instead of C:\Openssl\bin\openssl.exe Once you've got the cert, you'll need to put it onto the server OR a network path that you can access via emby. EDIT: The last comment on that stackoverflow claims it's doable in two steps.. haven't tested. openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:4096 -keyout mykey.key -out mypem.pem openssl pkcs12 -export -out myp12.p12 -inkey mykey.key -in mypem.pem I had the same issue and just found this thread... and Thx ! this was easy and its work... Just need to install the openSSL from http://slproweb.com/products/Win32OpenSSL.html , I used the version Win64 OpenSSL v1.1.1b Light Once installed, I used the 2 step provided from stackoverflow and it works. UPDATE: I spoke to fast, the custom SSL works fine, I can see my chromecast but I can't play anything, when I click the PLAY button it doesn't do anything. I rebooted my emby server and chromecast. I will continue investigation and look at the log. Edited March 1, 2019 by Sp3kt3r Link to comment Share on other sites More sharing options...
Netbug 26 Posted March 1, 2019 Share Posted March 1, 2019 I've mentioned it earlier, but for me cert generation is built into my router, so I'm not sure how much help I can provide.. I'll see if I can track down some linkage. Within emby, when managing the server -- on the 'Expert > Advanced' settings form, you must tick the box to enable remote connections so that you can provide your custom self-signed cert. I think it'll also require that you populate the "External Domain" field, but if you're not going to actually forward external traffic to the emby server, what you put there isn't entirely important as far as I can figure. Once you've done that, you simply access your server via the https port, 8920 by default... so for me, I hit: https://emby:8920/web/index.html This is extremely helpful. Thank you. I'm stuck at what is probably a simple point though; where do I place the file on my server? I grew up in a windows environment, so I can't figure out which directory I need to put the certificate in. Link to comment Share on other sites More sharing options...
willvincent 3 Posted March 1, 2019 Share Posted March 1, 2019 This is extremely helpful. Thank you. I'm stuck at what is probably a simple point though; where do I place the file on my server? I grew up in a windows environment, so I can't figure out which directory I need to put the certificate in. Anywhere really.. emby provides a file picker in the ui so that you can navigate to and select the file.. so anywhere accessible is sufficient. Easiest would be in your home directory `/home/your_user_name` Link to comment Share on other sites More sharing options...
Netbug 26 Posted March 2, 2019 Share Posted March 2, 2019 Anywhere really.. emby provides a file picker in the ui so that you can navigate to and select the file.. so anywhere accessible is sufficient. Easiest would be in your home directory `/home/your_user_name` Got it. I can access it now, and Chromecast shows up, but for some reason, it won't actually cast. No error, just won't cast. Seems to be the same issue that Sp3ct3r is having. Link to comment Share on other sites More sharing options...
willvincent 3 Posted March 2, 2019 Share Posted March 2, 2019 (edited) Hmm... so the only significant difference I can think of is that for my cert I first made a custom signing cert for my internal network, and signed with that. Could be that makes a difference.All of that too was through my OPNsense router, but here's info about doing it manually: https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/ As much of a hassle as all of this is, the better solution might be to get a device other than a chromecast that is less particular about how you can use it. There have to be other options that are easier to work with Edited March 2, 2019 by willvincent Link to comment Share on other sites More sharing options...
Netbug 26 Posted March 3, 2019 Share Posted March 3, 2019 Hmm... so the only significant difference I can think of is that for my cert I first made a custom signing cert for my internal network, and signed with that. Could be that makes a difference. All of that too was through my OPNsense router, but here's info about doing it manually: https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/ As much of a hassle as all of this is, the better solution might be to get a device other than a chromecast that is less particular about how you can use it. There have to be other options that are easier to work with You're right. This is getting mighty difficult. I'm thinking I might just use it from the devices like my iPad and Android as they seem to continue to function. Might be worth looking in to down the road though. Link to comment Share on other sites More sharing options...
denkuy 2 Posted March 14, 2019 Share Posted March 14, 2019 (edited) I'm currently setting the "unsafely-treat-insecure-origin-as-secure" flag in chrome so that I can use my chromecast with a local server without https - go to chrome://flags/#unsafely-treat-insecure-origin-as-secure - enable unsafely-treat-insecure-origin-as-secure - add http://<EMBY_SERVER_IP>:8096 - restart browser Edited March 14, 2019 by denkuy 1 Link to comment Share on other sites More sharing options...
z3ndra 7 Posted March 14, 2019 Share Posted March 14, 2019 finally it's so easy to create a certificate for Emby, I can make a tuto on ubuntu if you want Link to comment Share on other sites More sharing options...
z3ndra 7 Posted March 14, 2019 Share Posted March 14, 2019 Tutorial make emby to https I make that under Ubuntu and with a fix ip, but if you have a dynamic ip, get a dds (dynamic domain name) make sure that you are root on your server, with this command : sudo -i it is imperative that you obtain a domain name redirect your domain name to your server, for that go to the dns parameter and create a record and enter the IP address of your server. 3 ) make sure that there is not a single iptables rule that concerns port 80, which is very important for lets encrypt get certified to your domain name. Verify with : iptables -L -t nat --line-number Install open ssl on your server with the command : apt-get install openssl Install let’s encrypt a free certificate for that, place you in the root folder with : cd /root/ And install let’s encrypt with : git clone https://github.com/letsencrypt/letsencrypt install git if install if this is not the case with : apt-get git Place you in the let’s encrypt folder with : cd letsencrypt Generate your certificate with : ./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory certonly choose the choice 1, enter your mail address and accept conditions and enter your domain name and valid go to the folder : cd / /etc/letsencrypt/live/mydomainname.xx/ (replace mydomainname.xx to your domain name of course) (There you will find 3 files : cert.pem chain.pem fullchain.pem privkey.pem Convert this files to pfx for compatible with emby with : openssl pkcs12 -export -out mydomain.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass: move this file to the opt / emby-server / ssl folder in emby : enter your domain name, selec your certificate and choose “required for all connections” in secure connection mode redirect your ports 443 and 80 with : iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8920 and : iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8096 restart your server Link to comment Share on other sites More sharing options...
willvincent 3 Posted March 15, 2019 Share Posted March 15, 2019 I'm currently setting the "unsafely-treat-insecure-origin-as-secure" flag in chrome so that I can use my chromecast with a local server without https - go to chrome://flags/#unsafely-treat-insecure-origin-as-secure - enable unsafely-treat-insecure-origin-as-secure - add http://<EMBY_SERVER_IP>:8096 - restart browser Seems nice and easy, but doesn't work for me. Thus all the hoop jumping. 1 Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now