Enabling secure connections with SSL

Solved by notla49285

ursusltd

After several days of frustration, I have managed to set up SSL far enough to get a connection, but the browser does not like the certificate - see attached. I tried to follow the various sets of instructions around the site; the only config I could get to work is as follows:

Static IP address on my router

Set up sub domain on my domain DNS with a forward to the router address and port

My question is: Emby instructions say the server will create its own SSL cert but I cannot get this to work. If I leave the field for the path to cert blank then I am unable to save - this is why I went the "create your own cert" route (which I can't get to work!).

I have found an SSL folder in the Emby folder structure (Windows 10) but nothing is in there.

I have read up all I can find but cannot get the inbuilt cert to work.

Any suggestions?

neik

AFAIK there are no inbuilt certs in Emby; you will have to provide one yourself, e.g. Let's Encrypt (which I'm using).

That is correct. You can set it up under the Advanced section. Please let us know if this helps. Thanks!

ursusltd

> That is correct. You can set it up under the Advanced section. Please let us know if this helps. Thanks!

I can't work out how to use the Emby cert though! If I enable Secure Connection mode, I cannot save the selection unless I enter a path to a .pfx file.

ursusltd

> The pfx file is the cert you have to provide. ;-)

Yes, that's what I have done but web browsers do not like it (see screenshot posted).

pwhodges

The screenshot says the name is invalid. Is the name specified in the certificate exactly the same as the name you are typing into the browser? If not, it won't work - that's one of the things certificates are intended to check.

ursusltd

> The screenshot says the name is invalid. Is the name specified in the certificate exactly the same as the name you are typing into the browser? If not, it won't work - that's one of the things certificates are intended to check.

Hi,

Yes, I believe I am; further text is:

This server could not prove that it is media.ikwig.com; its security certificate is from shortener.secureserver.net. This may be caused by a misconfiguration or an attacker intercepting your connection.

pwhodges

Sometimes certificates need intermediate certificates to link to the trusted source which the browser knows about, and without that link the browser will not be satisfied with just your certificate. These may be separate or can be combined with the server certificate (or you can install them as trusted certificates in your OS or browser). You may find information on this from the help pages of your certificate supplier.

ursusltd

> Sometimes certificates need intermediate certificates to link to the trusted source which the browser knows about, and without that link the browser will not be satisfied with just your certificate. These may be separate or can be combined with the server certificate (or you can install them as trusted certificates in your OS or browser). You may find information on this from the help pages of your certificate supplier.

Thanks for the replies, but it's all proving too complicated for me so I'm giving up on it. Remote access is a rarely used feature for me so not a deal breaker, but I wish it were simpler to set up.

Thanks again.

notla49285 (Solution)

Ignore the concept of Emby providing its own certificate. You need to provide Emby with the certificate if it's on your own domain. Also, another note: AFAIK you can't specify a port along with your IP on a DNS service. If you can, please let me know how, as this is an issue I currently have!

1. Log in to your domain and get onto whichever page it is where you can add files/redirects, e.g. for me, I use Namecheap so use the Namecheap Dashboard -> select my domain -> Advanced DNS. Don't know who your domain provider is so can't say exactly where to go. You will need to add a TXT record however you do that. Keep your domain dashboard open whilst you run through the next steps.

2. Go to sslforfree.com, type in the name of your subdomain (without https:// because that's already filled out for you) and click Create Free SSL Certificate. It might be a safe option to add the domain as well; you can add as many subdomains as you want separated by a space, so for example you can enter "emby.mydomain.com https://embyother.mydomain.com https://mydomain.com" (as the first https:// will be filled out for you). On the next page click Manual Verification (DNS) and then Manually Verify Domain. The site will then give you a TXT record to add to your domain; follow the instructions regarding host, details and TTL.

3. This is where you return to your domain dashboard to add the TXT record, as per the details that the above site gave you. Once this is saved, leave it a few minutes whilst your domain host "propagates" the new record.

4. Return to sslforfree.com and click "Verify _acmechallenge.yourdomain.com" or whatever it says there. You need the site to be able to find the TXT record, otherwise they won't give you a certificate. You should get a new page open saying "TXT Record(s) Found". If it doesn't say this, leave it a bit longer and click the verify link again. Make sure your TTL is 1 second or as close to it as you can get (e.g. Namecheap only goes down to 1 minute).

5. Once you get the "TXT Record(s) Found" message, click Download SSL Certificate. You should get a zipped file containing ca_bundle.crt, certificate.crt and private.key; save these somewhere accessible.

6. Next, I'd strongly recommend you protect the certificate with a password. I use https://www.sslshopper.com/ssl-converter.html. Others have OpenSSL installed on their machines. For the site I use, upload the certificate.crt file, set the type of current certificate to Standard PEM and the type to convert to as PFX/PKCS#12. You will get a few other upload fields that appear; upload the private.key file to the Private Key File field and ignore the others.

7. Set a password under PFX Password, your choice, make it something good and make sure you keep a temporary note of it as you'll need to enter it into Emby. Once you've entered the password, click Convert Certificate. The site should give you a certificate.pfx or something similar.

8. Personal tip: rename the certificate to include the date it's created. When you come to renew the certificate, Emby seems to have an issue with replacing the current certificate with a new one of the same name. So if I created it today, for example, I'd name it "certificate_2019-06-19.pfx".

9. Go back to the Advanced section of Emby Dashboard (where you currently are), upload this .pfx file, enter the password into the "Certificate password" box (I personally set the Secure Connection Mode to "Required for all remote connections"), then hit Save.

Only issue is Let's Encrypt certificates only last 3 months; I'd recommend you set yourself a reminder somewhere, as Emby won't remind you and will just stop access when your certificate expires. When it comes to renewing, follow the above steps again. When I first set mine up, I used this guide as a reference (though some of it may not apply to you depending on your setup/desires): Emby SSL
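The following script is an added example, not code from any post in this thread or from Emby. It does step 6 with a local OpenSSL instead of a converter website, so private.key never leaves the machine, and it bundles ca_bundle.crt into the .pfx so the intermediate chain pwhodges mentions travels with the certificate. It then checks the two things that went wrong earlier in the thread: whether the name typed into the browser is one the certificate actually covers (the "could not prove that it is media.ikwig.com" error), and whether the 90-day Let's Encrypt certificate is due for renewal. The three input file names are the ones step 5 downloads; emby.example.com, the throwaway demo CA, the password placeholder and the script name emby_pfx.sh are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Emby. Builds the .pfx that
# Emby's certificate path field wants from the three files step 5 names
# (certificate.crt, private.key, ca_bundle.crt) using a local OpenSSL, then
# checks what the browser in the screenshot checked: hostname, chain, expiry.
# emby.example.com, the demo CA and the password are constructed placeholders.
set -eu

# Step 6 done locally: leaf cert + private key + intermediate bundle into one
# password-protected PKCS#12 file. The private key is never uploaded anywhere.
#   $1 certificate.crt  $2 private.key  $3 ca_bundle.crt  $4 output .pfx  $5 password
make_pfx() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
        -out "$4" -passout "pass:$5"
}

# Number of certificates inside the .pfx; 2 or more means the chain went in.
pfx_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Does the leaf chain up to the bundle? This is the "intermediate certificates"
# link the browser needs; a missing link fails here before it fails in a browser.
#   $1 ca_bundle.crt  $2 certificate.crt
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# All DNS names the certificate is issued for: SAN entries, then the subject CN.
cert_names() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# True when the name typed into the browser is one the certificate covers.
name_matches() {
    cert_names "$1" | grep -qx "$2"
}

# True when the certificate expires within $2 days: the renewal reminder the
# thread says Emby will not give you. Let's Encrypt certificates last 90 days.
expires_within_days() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# Constructed stand-ins for the files step 5 downloads: a throwaway CA playing
# the part of ca_bundle.crt, and a 90-day leaf for emby.example.com it signed.
make_demo_files() {
    openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
        -subj "/CN=Demo Intermediate CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in ca.csr -signkey ca.key -days 365 -extfile ca.ext \
        -out ca_bundle.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out leaf.csr \
        -subj "/CN=emby.example.com" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:emby.example.com\nextendedKeyUsage=serverAuth\n' > leaf.ext
    openssl x509 -req -in leaf.csr -CA ca_bundle.crt -CAkey ca.key -CAcreateserial \
        -days 90 -extfile leaf.ext -out certificate.crt 2>/dev/null
}

demo() {
    cd "$(mktemp -d)"
    make_demo_files
    pfx=certificate_2019-06-19.pfx          # step 8: put the date in the name
    make_pfx certificate.crt private.key ca_bundle.crt "$pfx" 'CHANGE-ME-pfx-password'
    echo "certificates in $pfx: $(pfx_cert_count "$pfx" 'CHANGE-ME-pfx-password')"
    chain_ok ca_bundle.crt certificate.crt && echo "chain verifies against ca_bundle.crt"
    name_matches certificate.crt emby.example.com && echo "covers emby.example.com"
    name_matches certificate.crt media.example.com || echo "does NOT cover media.example.com (the browser would show the name error)"
    if expires_within_days certificate.crt 30; then echo "renew now"; else echo "renewal not due within 30 days"; fi
}

case "${1:-}" in --demo) demo ;; esac
```

Run `sh emby_pfx.sh --demo` to see it work end to end on the constructed files; with the real download from step 5, call make_pfx on certificate.crt, private.key and ca_bundle.crt directly, and run name_matches against the exact hostname you type into the browser before uploading the .pfx to the Emby dashboard. Putting expires_within_days in a scheduled job with a 14- or 30-day window gives the reminder the solution post says Emby itself will not send.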

ursusltd

Many thanks for that - I have removed everything for now and may have another go soon!!

In the meantime, I assume I have to create the sub-domain in DNS first?

notla49285

> In the meantime, I assume I have to create the sub-domain in DNS first?

You don't have to, you can have your base domain pointing to the Emby server, but I wouldn't recommend it, so I'd advise creating a subdomain, yes. Keep it to a simple naming standard, e.g. emby.yourdomain.com.

pwhodges

> Only issue is Let's Encrypt certificates only last 3 months, I'd recommend you set yourself a reminder somewhere as Emby won't remind you and will just stop access when your certificate expires

I run a reverse proxy in front of Emby, using the Caddy server. Caddy is extraordinarily easy to set up; my config for Emby is:

emby.c******d.org {
    proxy / http://streamer.c***.dom:8096
    log .\Logs\EMaccess.log
    errors .\Logs\EMerror.log
}

and the log and errors lines are optional! You can use an IP address in the proxy statement, of course - I use a name as I happen to run a Windows domain.

Caddy will get a certificate from Let's Encrypt automatically, and will keep it renewed automatically. It will also redirect automatically from http on port 80 to https on port 443.

You may need to give Caddy a parameter on the command line (e.g. email address for errors), but that varies with OS.

notla49285

 

Everything I've read on reverse proxies has confused the s**t out of me, hence sticking to the above method.
