
Question about my reverse proxy ssl



notla49285

As a bit of background, I had two Emby servers on two different subdomains of a domain I own, whilst testing moving from one to another. For the sake of this post, the old server was running on emby.mydomain.com and the new one running on emby-test.mydomain.com. This was using a reverse proxy running on my DS918+. The reverse proxy was sending emby.mydomain.com to the IP address of the old server on port 8096 and sending emby-test.mydomain.com to localhost:8096 (so, forwarding to itself on Emby's designated port). This all worked with no problems with both subdomains.

 

The old server (which was running on emby.mydomain.com) has now been shut down, so I changed the Emby advanced settings on the new one to use the subdomain emby.mydomain.com. Router is still set up to forward traffic on port 443 to my new server's IP (which is then handled by the reverse proxy and redirected accordingly), and the server itself (Synology DS918+) has had its reverse proxy settings changed so that emby.mydomain.com gets forwarded to localhost:8096.

 

I generated a new certificate for emby.mydomain.com, converted it to PKCS #12 format with password, added it to DS918+ file system, pointed Emby advanced settings to it and updated the certificate password in Emby settings. Saved new settings and restarted Emby.

 

Now, when I visit emby.mydomain.com, I get a certificate error returned due to mismatch of domain and an expired certificate. The certificate that's being sent back to my web client is for emby-test.mydomain.com - the old certificate that expired on 18/09/2019. I have had this error even after updating the certificate on Emby TWICE.

 

I don't think this is due to propagation or caching because it's been nearly two days and I'm still being sent the wrong certificate.

 

I was using cache drives in the DS918+ but have now removed these, restarted the DS (and therefore Emby) and am still having the same problem. The old certificate isn't even on the DS anymore so I've no idea where this is coming from??

 

Edit: And I've made a typo in the title and can't change it, can any admins change "updating" to "updated"?

 

Edit 2: I've just removed remote access and restarted the server, enabled remote access again and I see that my previous settings are already there. Firstly, this should not happen, because for one thing it's storing a password when I don't want it to, and in any case if I say to remove remote access then there is no need to retain the settings for it. Secondly, does this mean that Emby has cached the SSL certificate somewhere? Or does it just store a file path to the certificate? The old certificate file has been deleted from the file system and there aren't any other servers involved, so I don't understand how this is actually possible unless Emby has kept a version of the certificate for itself??


notla49285

I found the answer. It's the reverse proxy that holds and issues the certificate, not Emby. Therefore, when selecting reverse proxy option in Emby, there's no point adding a certificate file.

 

I looked at the DSM control panel and found that it was holding the old certificate still. Replaced it there and now it's all fine.

 

I'm not sure if this is Synology-specific, but if not, maybe it would be an idea to hide the certificate options when selecting reverse proxy option?
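
One way to confirm which component's certificate clients actually receive, as an added example that is not part of the original posts: it compares the SHA-256 fingerprint of the certificate served on port 443 with the PEM files you believe are installed. The function names and sample bytes are constructed for illustration, and it assumes you kept the PEM certificate that was converted to PKCS #12.

```python
import hashlib
import socket
import ssl
from typing import Dict, Optional


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def served_der(host: str, port: int = 443) -> bytes:
    """Fetch the certificate the TLS terminator presents for `host` (SNI set).

    Verification is off on purpose: the goal is to inspect a certificate
    that may be expired or mismatched, not to trust the connection.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def identify(served: bytes, candidates: Dict[str, str]) -> Optional[str]:
    """Return the label of the candidate PEM that matches the served cert."""
    want = fingerprint(served)
    for label, pem in candidates.items():
        if fingerprint(ssl.PEM_cert_to_DER_cert(pem)) == want:
            return label
    return None


# Constructed stand-ins (arbitrary bytes, not real certificates) so the
# comparison logic runs offline.
OLD = ssl.DER_cert_to_PEM_cert(b"constructed: old emby-test cert held by the proxy")
NEW = ssl.DER_cert_to_PEM_cert(b"constructed: new emby cert configured in Emby")
CANDIDATES = {"proxy (DSM) certificate": OLD, "Emby PKCS #12 certificate": NEW}


def demo() -> Optional[str]:
    on_the_wire = ssl.PEM_cert_to_DER_cert(OLD)  # stands in for served_der(host)
    return identify(on_the_wire, CANDIDATES)


if __name__ == "__main__":
    print("Served certificate matches:", demo())
```

Against a live host, replace `on_the_wire` with `served_der("emby.mydomain.com")` and load the candidate PEM files from disk; a match on the proxy's certificate shows that the proxy, not Emby, terminates TLS.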
