
LetsEncrypt Certs and Reverse Proxies


jon_


Hi All

 

I've been scratching my head as to why sync wouldn't work via reverse proxy for the past few weeks, and with Luke and Pir8Radio's help we finally figured it out.

 

If you are using a LetsEncrypt certificate, then you need to follow some additional steps for it to fully work:

 

For Apache Reverse Proxy, you need to make sure you have the SSLCertificateChainFile defined (where domain.tld is your domain)

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/domain.tld/chain.pem

For nginx, you need to cat the main certificate and the chain file together:

cat /etc/letsencrypt/live/domain.tld/cert.pem /etc/letsencrypt/live/domain.tld/chain.pem > /etc/letsencrypt/live/domain.tld/certbundle.pem

(you will need to redo this step every time your letsencrypt certificate renews)

 

In your nginx config, use the fullchain.pem bundle file in your SSL server definition in your config file:

ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem

If you don't do this, Android clients (maybe others) will prompt you to accept a certificate at first login. Everything will then work (streaming, UI, etc.) *apart* from sync, which will fail with 'Download Unsuccessful'. Following the above steps should fix this.

Edited by jon_
  • Like 1
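The bundling step above has to be repeated at every renewal, and a bundle that silently ends up with only the leaf certificate reproduces exactly the "accept this certificate" prompt and failing sync described in the post. The script below is an added example, not code from this thread, from certbot or from nginx: it rebuilds the bundle as a certbot deploy hook and then checks it (at least two PEM blocks, leaf first, and byte-identical to certbot's own fullchain.pem). It assumes a standard certbot install that exports RENEWED_LINEAGE as the live directory; the PEM contents it creates for the offline demo are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the thread, certbot or nginx): rebuild the nginx
# bundle as the first post describes (cert.pem followed by chain.pem) and
# verify the result. Intended as a certbot deploy hook:
#   certbot renew --deploy-hook /usr/local/bin/rebuild-bundle.sh
# Assumption: certbot sets RENEWED_LINEAGE to /etc/letsencrypt/live/<domain>.

# Concatenate leaf + intermediates into certbundle.pem. Written to a temp file
# and renamed so an nginx reload never sees a half-written bundle.
build_bundle() {
    live="$1"
    [ -r "$live/cert.pem" ] && [ -r "$live/chain.pem" ] || return 1
    cat "$live/cert.pem" "$live/chain.pem" > "$live/certbundle.pem.tmp" &&
        mv "$live/certbundle.pem.tmp" "$live/certbundle.pem"
}

# Number of PEM certificate blocks in a file. A single block means the
# intermediate is missing, which is the misconfiguration the thread describes:
# strict clients cannot build a path to a trusted root and refuse the chain.
cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Returns 0 when the hand-built bundle is byte-for-byte the same as certbot's
# fullchain.pem (the point made in the replies below).
bundle_matches_fullchain() {
    cmp -s "$1/certbundle.pem" "$1/fullchain.pem"
}

# Returns 0 when the first block of the bundle is the leaf from cert.pem.
# nginx serves the first certificate in ssl_certificate as the server cert,
# so a bundle with the chain first breaks every handshake.
leaf_first() {
    n=$(wc -l < "$1/cert.pem" | tr -d ' ')
    head -n "$n" "$1/certbundle.pem" | cmp -s - "$1/cert.pem"
}

# Constructed sample lineage for offline use: placeholder PEM blocks laid out
# like certbot's live/<domain>/ directory. Not real certificates.
make_sample_lineage() {
    mkdir -p "$1"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$1/cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$1/chain.pem"
    cat "$1/cert.pem" "$1/chain.pem" > "$1/fullchain.pem"
}

# Build, then run all three checks; non-zero on any failure.
check_lineage() {
    build_bundle "$1" || return 1
    [ "$(cert_count "$1/certbundle.pem")" -ge 2 ] || return 1
    bundle_matches_fullchain "$1" || return 1
    leaf_first "$1"
}

if [ -n "${RENEWED_LINEAGE:-}" ]; then
    # Running under certbot: rebuild for the renewed lineage, then reload
    # nginx so it picks up the new files (reload is a no-op if nginx is absent).
    check_lineage "$RENEWED_LINEAGE" && command -v nginx >/dev/null && nginx -s reload
else
    # Stand-alone demo on a constructed lineage in a temporary directory.
    demo=$(mktemp -d)
    make_sample_lineage "$demo/live/domain.tld"
    if check_lineage "$demo/live/domain.tld"; then
        echo "bundle ok: $(cert_count "$demo/live/domain.tld/certbundle.pem") certificates, identical to fullchain.pem"
    else
        echo "bundle check failed" >&2
    fi
    rm -rf "$demo"
fi
```

If nginx is pointed straight at fullchain.pem, only the reload part of the hook is needed; the checks are still a cheap way to confirm that what the proxy serves contains the intermediate and starts with the leaf.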

  • 1 month later...
neik

First of all, thanks for writing this up.

 

I will have to check once I'm back home, but IIRC I don't have to do this and sync works flawlessly on Android (Mi8 Pro / S7) and iOS (iPhone X).

 

I'm on Ubuntu 18.04.2 LTS with nginx and my nginx config points directly to the Let's Encrypt folder.

After renewing the certificates, the only thing I have to do is reload them in nginx, but no bundling is needed.

 

Just for information.


  • 2 weeks later...
parasven

You don't need to build the certbundle yourself; with Let's Encrypt there already is a "fullchain.pem" file which contains everything you need.

 

To be precise, it is exactly what you are building with this command:

cat /etc/letsencrypt/live/domain.tld/cert.pem /etc/letsencrypt/live/domain.tld/chain.pem > /etc/letsencrypt/live/domain.tld/certbundle.pem
  • Like 1

pwhodges

Another way to get Let's Encrypt certs is to use the free Caddy Server as your reverse proxy. Caddy does it for you completely automatically, including updating certs silently as required. I use it to serve or proxy all my web sites, but to give an idea of how easy it is, this is the entire configuration for proxying Emby:

emby.xxxxxx.org {
	proxy / http://streamer.xxxx.dom:8096
	log .\Logs\EMaccess.log
	errors .\Logs\EMerror.log
}

And two of the four lines are defining logs (which are optional)! Also, contact using http:// will automatically be redirected to https:// as a built-in function of Caddy.

Edited by pwhodges
