Best Answer notla49285, 19 June 2019 - 09:38 AM
Ignore the concept of Emby providing its own certificate. You need to provide Emby with the certificate if it's on your own domain. Also, another note, AFAIK you can't specify a port along with your IP on a DNS service. If you can, please let me know how as this is an issue I currently have!
1. Login to your domain and get onto whichever page it is where you can add files/redirects e.g. for me, I use Namecheap so use the Namecheap Dashboard -> select my domain -> Advanced DNS. Don't know who your domain provider is so can't say exactly where to go. You will need to add a TXT record however you do that. Keep your domain dashboard open whilst you run through the next steps.
2. Go to sslforfree.com, type in the name of your subdomain (without https:// because that's already filled out for you) and click Create Free SSL Certificate. It might be a safe option to add the domain as well, you can add as many subdomains as you want separated by a space so for example you can enter "emby.mydomain.com https://embyother.mydomain.com https://mydomain.com" (as the first https:// will be filled out for you). On the next page click Manual Verification (DNS) and then Manually Verify Domain. The site will then give you a TXT record to add to your domain, follow the instructions regarding host, details and TTL.
3. This is where you return to your domain dashboard to add the TXT record, as per the details that the above site gave you. Once this is saved, leave it a few minutes whilst your domain host "propagates" the new record.
4. Return to sslforfree.com and click "Verify _acmechallenge.yourdomain.com" or whatever it says there. You need the site to be able to find the TXT record, otherwise they won't give you a certificate. You should get a new page open saying "TXT Record(s) Found". If it doesn't say this, leave it a bit longer and click the verify link again. Make sure your TTL is 1 second or as close to it as you can get (e.g. Namecheap only goes down to 1 minute).
5. Once you get the "TXT Record(s) Found" message, click Download SSL Certificate. You should get a zipped file containing ca_bundle.crt, certificate.crt and private.key, save these somewhere accessible.
6. Next, I'd strongly recommend you protect the certificate with a password. I use https://www.sslshopp...-converter.html. Others have OpenSSL installed on their machines. For the site I use, upload the certificate.crt file, set the type of current certificate to Standard PEM and the type to convert to as PFX/PKCS#12. You will get a few other upload fields that appear, upload the private.key file to the Private Key File field and ignore the others.
7. Set a password under PFX Password, your choice, make it something good and make sure you keep a temporary note of it as you'll need to enter it into Emby. Once you've entered the password, click Convert Certificate. The site should give you a certificate.pfx or something similar.
8. Personal tip, rename the certificate to include the date it's created. When you come to renew the certificate, Emby seems to have an issue with replacing the current certificate with a new one of the same name. So if I created it today for example I'd name it "certificate_2019-06-19.pfx".
9. Go back to the Advanced section of Emby Dashboard (where you currently are), upload this .pfx file, enter the password into the "Certificate password" box, I personally set the Secure Connection Mode to "Required for all remote connections", then hit Save.
Only issue is Let's Encrypt certificates only last 3 months, I'd recommend you set yourself a reminder somewhere as Emby won't remind you and will just stop access when your certificate expires. When it comes to renewing, follow the above steps again. When I first set mine up, I used this guide as a reference (though some of it may not apply to you depending on your setup/desires) >> Emby SSL
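Step 6 mentions that others use OpenSSL on their own machines. As an added example (not part of the post above), this shell sketch does steps 6 to 8 locally, so private.key is never uploaded to a converter site, and adds an expiry check for the renewal reminder. The function names and the `PFX_PASSWORD` variable are assumptions; the file names are the ones from step 5.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes openssl is installed.

# make_pfx CERT KEY CA_BUNDLE [OUT_DIR]
# Builds OUT_DIR/certificate_YYYY-MM-DD.pfx and prints its path.
# The password is read from PFX_PASSWORD (assumed name) so it never
# appears on the command line or in shell history.
make_pfx() {
    local cert=$1 key=$2 chain=$3 outdir=${4:-.}
    local cert_pub key_pub out
    [ -n "${PFX_PASSWORD:-}" ] || { echo "PFX_PASSWORD is not set" >&2; return 2; }

    # Refuse to bundle a private key that does not match the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }

    out="$outdir/certificate_$(date +%F).pfx"
    # umask 077 in a subshell: the PFX is created readable by its owner only.
    ( umask 077
      PFX_PASSWORD="$PFX_PASSWORD" openssl pkcs12 -export \
          -in "$cert" -inkey "$key" -certfile "$chain" \
          -out "$out" -passout env:PFX_PASSWORD ) || return 1
    printf '%s\n' "$out"
}

# expires_within_days CERT DAYS
# Exit status 0 if CERT expires within DAYS days (or cannot be read).
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Usage, from the folder holding the unzipped files:
#   read -rs PFX_PASSWORD   # type the password; it is not echoed
#   make_pfx certificate.crt private.key ca_bundle.crt .
#   expires_within_days certificate.crt 30 && echo "renew soon"
```

The resulting dated .pfx is the file to upload in step 9, with the same password entered in the "Certificate password" box.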