Jump to content

Generate SSL certificate with ASUS router for enabling https on Emby server


Recommended Posts

teddybear75
Posted (edited)

So, i needed to enable remote connections for Emby server, and i wanted to secure it with https.

 

I have seen quite a few guides on how to enable https on emby server, but i find this to be an easier way if you own an asus router that supports Lets Encrypt.

Im not sure which models that support this, but my AC-86U did.

 

All i did to get a hold of the ssl ceritifactes was to enable this in the WAN-DDNS section in the router, then export files like this:

 

5e032d675777e_asusdnsssl.jpg

 

 

 

 

Then i converted the cert and key file to a pfx file with "Win64OpenSSL_Light-1_1_0L" https://slproweb.com/products/Win32OpenSSL.html and imported this in to Emby:

 

I used this command:

 

"openssl pkcs12 -inkey key.pem -in cert.pem -export -out output.pfx"

 

 

Of course you also have to port forward the needed ports to make this work.

 

Thats it, so if you own an ASUS router with this option you can save a lot of time, and a bonus, the router also automaticly renews the certificates.

 

If this already has been posted i apologize, and feel free to leave comments if there are things i have missed or if this method seems like a bad idea.

Edited by teddybear75
  • Like 2
Posted

I think alternatively you could have also not imported it into Emby and just selected the "handled by reverse proxy" option for secure connections.

teddybear75
Posted (edited)

Hi, that's very interesting, thanks for the tip !

 

@@Happy2Play

@

 

:)

 

 

I think alternatively you could have also not imported it into Emby and just selected the "handled by reverse proxy" option for secure connections.

 

With "handled by reverse proxy", will it then also force a secure connection, or would one be able to connect with both http and https?

I am now using "requiered for all remote connections"

 

5e04798dcfe11_asusrevprox.jpg

Edited by teddybear75
WilhelmStroker
Posted

This is a good tip as I have a similar router and didn't know that this feature existed.

teddybear75
Posted (edited)

This is a good tip as I have a similar router and didn't know that this feature existed.

Great :)

 

 

Now im trying to find a way to only allow spesific ips to connect via the open port in the router, but it seems i might need a custom router firmware to make this happen, and thats not an option right now.

For now i have only allowed connections to Emby server from one device from this spesific remote user, but it would nice to be able to ban and ip after 3 or so failed password attempts or block all other ips than the one i want to allow in, i see there might be something like this in Linux (fail2ban or something) but i did not see anything like this in Windows. Yes i know, tinfoil hat............

Edited by teddybear75
Guest asrequested
Posted

You can whitelist IPs in the emby server.

Posted

Disappointing that all Asus routers do not support this.

Posted

If any of you guys have a T-Mobile asus Router, you can do that as well by putting RT-AC68u on it. 

teddybear75
Posted (edited)

You can whitelist IPs in the emby server.

 

Thanks, did not know this! Im all set then :)

Edited by teddybear75
teddybear75
Posted

Disappointing that all Asus routers do not support this.

 

From asus website:

 

"This article shows how to enable HTTPS connection on ASUSWRT without any warning message popping up in the browser by using Let’s Encrypt function to automatically obtain a free SSL/TLS certificates.

(Firmware currently supports GT-AC5300, RT-AC5300, RT-AC88U, RT-AC3100)"

 

Obviously RT-AC86U also supports this.

Posted

Hi Everyone,

 

This is my first post on the forum, but I've read a lot so far, thanks to everyone for all the great help.

 

I've got an ASUS router that supports this as the original poster indicated.  Two questions:

 

1.  If you set this up as described in the original post so that the router is renewing the certificate, and then you export it, convert to .pfx, and import into Emby, do you have to re-export it every 3 months as it is renewed?  Or is the exported certificate always the same and the renewal is only on the Lets Encrypt side?

2.  Can anyone confirm Luke's comment that the certificate doesn't have to be installed in Emby as long as "handled by reverse proxy" is enabled?  This would imply that the ASUS router is acting like a reverse proxy, which surprises me a little.  So the SSL encryption would be between the router and the internet client, and traffic between the router and the Emby server on my local network would be unencrypted?  Is that right?  If so, what ports do I forward between the router and the Emby server?

 

Thanks in advance.  This could really simplify SSL setup for me if I can get it working!

pwhodges
Posted

(1) The certificate contains its expiry date, so if you use it outside the router, then yes, you'd have to copy it every now and then.

 

(2) A NAT router is not unlike some aspects of a reverse proxy, so there's no need to be surprised.  I don't know this router's exact capabilities, but I presume it can forward unencrypted (otherwise you'd need another certificate for the additional encrypted link!).  You set the required port in Emby, but the default setting is 8096 for http.

 

Paul

  • 1 month later...
AviatorBimmer
Posted

@@teddybear75 @@Luke

 

What a find! So much simpler and easier to get a DDNS and SSL going. Of course in my world, nothing ever goes smooth LOL

 

 

I went ahead and created a new SSL certificate and DDNS (I already had a domain name which I had purchased from Google Domains). As you can see below, the SSL certifcate has been verified and it's active.

 

post-576558-0-62338400-1582849734_thumb.png

 

 

 

I then went to the network page of Emby Server, set the external domain name and selected Handled By Reverse Proxy as the Secure Connection Mode:

 

post-576558-0-05004500-1582849841_thumb.png

 

 

 

I then went to my router and made sure the ports were forwarded to my PC where Emby Server is running, using the default ports as they were in the network page:

 

post-576558-0-80811700-1582849913_thumb.png

 

 

Finally in the dashboard, it shows my domain name as the link for Remote (WAN) Access:

 

post-576558-0-67851900-1582849987_thumb.png

 

 

 

I opened up my cell phone, disabled my WiFi so that I wa snot connected to my local network, opened up Chrome and when I tried to visit the HTTPS page as shown on the dashboard, I keep getting the "The site can't be reached, took too long to respond" error.

 

What could I be doing wrong?

Posted

Don't know but first i would try it without https just to reduce the number of variables.

AviatorBimmer
Posted

Don't know but first i would try it without https just to reduce the number of variables.

What you mean? It has been working all along as HTTP.

 

I am just trying to make it work in HTTPS.

 

 

Sent from my iPhone using Tapatalk

Happy2Play
Posted (edited)

What you mean? It has been working all along as HTTP.

 

I am just trying to make it work in HTTPS.

 

 

Sent from my iPhone using Tapatalk

 

Since you know port 8096 is open, does port 8920 show open a site like canyouseeme.org?

 

Can you have multiple ports in one port forwarding rule?

 

Would appear so looking at here.  So the above question applies.  I don't have this router but do my ports separately.

If you are forwarding a single port number, enter it into the External Port box. If you are forwarding a range of ports, enter the lowest number of that range into the External Port box followed by a colon followed by the largest number. For example a range of port numbers might look like this: 1000:2000. Or you can forward a list containing both single ports and port ranges, separated by commas. An example of a list would look something like this: 1000:2000,3000,4000:5000.

Edited by Happy2Play
Posted

Have you checked to make sure your router can work as a reverse proxy? It might only support SSL termination for services running on the router itself and everything else is passthru.

AviatorBimmer
Posted (edited)

Have you checked to make sure your router can work as a reverse proxy? It might only support SSL termination for services running on the router itself and everything else is passthru.

 

I think this was the issue indeed. I did like the OP (@@teddybear75) did, which was to convert the exported files from the router into a .pfx certificate, edited the Emby Server to read that .pfx file, entered the domain name, forwarded the SSL ports and finally selected "Required for all connections" as the Secure Connection mode and now it works!

 

I am now able to securely connect to Emby!

 

Thanks @@teddybear75 and @@Q-Droid

 

PS. I also removed the port forward to the HTTP port, thus making everyone connect securely. Awesome!

Edited by AviatorBimmer
  • Like 1
  • 2 weeks later...
eskimos20
Posted

This was great news for all with asus router. I have one and I wrote a script that uses expect to login to the router and runs openssl in the router and then sends the .pfx file back to localhost. 

 

I use this script to always have an updated version of the certificate. 

 

I´ll share it with you :D

 

 #!/usr/bin/expect -f

 
spawn ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null myuser@myip
expect "myuser@myip's password:"
send "mypassword\n"
expect "myuser@RT-AC88U-07E8:/tmp/home/root#"
send "cd /jffs/.le/mydnsentry\n"
expect "myuser@RT-AC88U-07E8:/jffs/.le/mydnsentry#"
send "openssl pkcs12 -inkey /jffs/.le/mydnsentry/my.key -in /jffs/.le/mydnsentry/my.cer -export -out /jffs/.le/mydnsentry/my.pfx\n"
expect "Enter Export Password:"
send "mypass\n"
expect "Verifying - Enter Export Password:"
send "mypass\n"
send "scp /jffs/.le/mydnsentry/my.pfx myuser@myip:/certPath\n"
expect "myuser@myip's password:"
send "mypassword\n"
expect "myuser@RT-AC88U-07E8:/jffs/.le/mydnsentry#"
send "exit\n"
interact
 
Hope that this helps for someone :D
  • 7 months later...
Posted

@teddybear75 Thanks for the tip, I did all your steps but when connecting externally it still uses http and not https. How can I fix this? When looking at the dashboards it shows th ddns on external acces but with the https port at the end, not the https port

  • Like 1
  • 2 weeks later...
teddybear75
Posted
On 10/11/2020 at 15:03, MSI2017 said:

@teddybear75 Thanks for the tip, I did all your steps but when connecting externally it still uses http and not https. How can I fix this? When looking at the dashboards it shows th ddns on external acces but with the https port at the end, not the https port

Not really sure, but have you enabled secure connection mode to be requiered for all remote connections?embytest.thumb.JPG.2143fd5f7012f299722ea4ed5532e7a1.JPG

Posted

Yes, I required it. But still only shows http. Maybe @Luke can help? This feature can be super useful for all Asus router users. 

2 minutes ago, teddybear75 said:

Not really sure, but have you enabled secure connection mode to be requiered for all remote connections?embytest.thumb.JPG.2143fd5f7012f299722ea4ed5532e7a1.JPG

 

Screenshot_20201119-204358__01.jpg

Screenshot_20201119-204408.jpg

teddybear75
Posted (edited)

I use 4 diefferent ports in the settings, this is how my setup looks like, not sure if that would help, but maybe something to try, as i see your server only is running on one http port.

Also, i dont use automatic port mapping. Manually in the router, i forward external port 4 to local port 2. (No upnp enabled in router)

Yeah, even better, ask Luke, he probably has a good answer :)

embytest.thumb.JPG.f3813cb0e41b4bc988f9c083fd51345d.JPG

 

embytest.thumb.JPG.1ffbb25b7f80c2148a8e13ae0f47df79.JPG

Edited by teddybear75
Posted (edited)

I don't see a cert password listed in the settings and most setups will need this.
Go to Logs and turn on DEBUG then restart Emby.

Give it time to load up then post the server log or PM it to take a look at.

If Emby is not able to setup SSL properly then it will default back to http (non SSL) mode.

Edited by cayars

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...