
SSL made easy


MikeB111


BAlGaInTl
4 hours ago, vick1982 said:

will emby server ever have ssl built in for free like plex? even if for premiere only 

Probably not since that would involve everything going through Emby's servers I believe.  

The fact that it doesn't have to do that is one of the reasons I choose Emby over Plex.


tekfranz
4 hours ago, Riggs said:

Thanks for sharing this.

However, Acme and Certbot do the job for you, at least in non-Windows environments.

--------------------------------------------------------------------------------------

Step 1 — Installing Certbot

The first step to using Let’s Encrypt to obtain an SSL certificate is to install the Certbot software on your server.

Certbot is in very active development, so the Certbot packages provided by Ubuntu tend to be outdated. However, the Certbot developers maintain a Ubuntu software repository with up-to-date versions, so we’ll use that repository instead.

First, add the repository:

    sudo add-apt-repository ppa:certbot/certbot

You’ll need to press ENTER to accept.

Install Certbot’s Apache package with apt:

    sudo apt install python-certbot-apache

Certbot is now ready to use, but in order for it to configure SSL for Apache, we need to verify some of Apache’s configuration.

 

Step 2 — Set Up the SSL Certificate

Certbot needs to be able to find the correct virtual host in your Apache configuration for it to automatically configure SSL. Specifically, it does this by looking for a ServerName directive that matches the domain you request a certificate for.

If you followed the virtual host set up step in the Apache installation tutorial, you should have a VirtualHost block for your domain at /etc/apache2/sites-available/your_domain.com.conf with the ServerName directive already set appropriately.

To check, open the virtual host file for your domain using nano or your favorite text editor: 

    sudo nano /etc/apache2/sites-available/your_domain.conf

Find the existing ServerName line. It should look like this:


/etc/apache2/sites-available/your_domain.conf

    ...
    ServerName your_domain
    ...

If it does, exit your editor and move on to the next step.

If it doesn’t, update it to match. Then save the file, quit your editor, and verify the syntax of your configuration edits:

    sudo apache2ctl configtest

If you get an error, reopen the virtual host file and check for any typos or missing characters. Once your configuration file’s syntax is correct, reload Apache to load the new configuration:

    sudo systemctl reload apache2

Certbot can now find the correct VirtualHost block and update it.

Next, let’s update the firewall to allow HTTPS traffic.

 

Step 3 — Allowing HTTPS Through the Firewall

If you have the ufw firewall enabled, as recommended by the prerequisite guides, you’ll need to adjust the settings to allow for HTTPS traffic. Luckily, Apache registers a few profiles with ufw upon installation.

You can see the current setting by typing:

    sudo ufw status

It will probably look like this, meaning that only HTTP traffic is allowed to the web server:

Output

    Status: active

    To                         Action      From
    --                         ------      ----
    OpenSSH                    ALLOW       Anywhere
    Apache                     ALLOW       Anywhere
    OpenSSH (v6)               ALLOW       Anywhere (v6)
    Apache (v6)                ALLOW       Anywhere (v6)

To additionally let in HTTPS traffic, allow the Apache Full profile and delete the redundant Apache profile allowance: 

    sudo ufw allow 'Apache Full'
    sudo ufw delete allow 'Apache'

Your status should now look like this:

    sudo ufw status

Output

    Status: active

    To                         Action      From
    --                         ------      ----
    OpenSSH                    ALLOW       Anywhere
    Apache Full                ALLOW       Anywhere
    OpenSSH (v6)               ALLOW       Anywhere (v6)
    Apache Full (v6)           ALLOW       Anywhere (v6)

Next, let’s run Certbot and fetch our certificates.

 

Step 4 — Obtaining an SSL Certificate

Certbot provides a variety of ways to obtain SSL certificates through plugins. The Apache plugin will take care of reconfiguring Apache and reloading the config whenever necessary. To use this plugin, type the following: 

    sudo certbot --apache -d your_domain -d www.your_domain

This runs certbot with the --apache plugin, using -d to specify the names you’d like the certificate to be valid for.

If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service. After doing so, certbot will communicate with the Let’s Encrypt server, then run a challenge to verify that you control the domain you’re requesting a certificate for.

If that’s successful, certbot will ask how you’d like to configure your HTTPS settings: 

Output

    Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
    -------------------------------------------------------------------------------
    1: No redirect - Make no further changes to the webserver configuration.
    2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
    new sites, or if you're confident your site works on HTTPS. You can undo this
    change by editing your web server's configuration.
    -------------------------------------------------------------------------------
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select your choice then hit ENTER. The configuration will be updated, and Apache will reload to pick up the new settings. certbot will wrap up with a message telling you the process was successful and where your certificates are stored: 

Output

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/your_domain/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/your_domain/privkey.pem
       Your cert will expire on 2018-07-23. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot again
       with the "certonly" option. To non-interactively renew *all* of your
       certificates, run "certbot renew"
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.
     - If you like Certbot, please consider supporting our work by:

       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le

Your certificates are downloaded, installed, and loaded. Try reloading your website using https:// and notice your browser’s security indicator. It should indicate that the site is properly secured, usually with a green lock icon. If you test your server using the SSL Labs Server Test, it will get an A grade.

Let’s finish by testing the renewal process.

 

Step 5 — Verifying Certbot Auto-Renewal

Let’s Encrypt’s certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that’s within thirty days of expiration.

To test the renewal process, you can do a dry run with certbot:

    sudo certbot renew --dry-run

If you see no errors, you’re all set. When necessary, Certbot will renew your certificates and reload Apache to pick up the changes. If the automated renewal process ever fails, Let’s Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.

To save time I copied this from an online tutorial that is frankly very well explained, of course better than I would have. It applies to Linux servers with Apache in general.

Source: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-18-04

Is a similar guide available for Windows?


tekfranz
6 minutes ago, BAlGaInTl said:

@jachin99, @tekfranz

 

Is there a reason for buying a cert rather than using an automated method like @Riggs outlined?  Or even better... using Cloudflare (which is my preference)?

 

The Cloudflare looks interesting if it's anything like their 1.1.1.1 VPN service. Do you have a link or instructions for setting up SSL with Cloudflare? 


BAlGaInTl
2 minutes ago, tekfranz said:

The Cloudflare looks interesting if it's anything like their 1.1.1.1 VPN service. Do you have a link or instructions for setting up SSL with Cloudflare? 

I cobbled it together from what I found. 

Cloudflare gives you a first level of protection against attacks for free. It also comes with a multi-year SSL certificate.

If you use a reverse proxy (really easy instructions for windows in this thread... search for Caddy), you don't need to use CF, and you can set it up to auto-renew certs.  You also don't have to create the PFX for Emby since your proxy can pass everything to your server. 


Riggs

LetsEncrypt allows you to use Cloudflare DNS

 

Edit: LetsEncrypt is sponsored by the Linux Foundation with the support of many other companies like Cisco; it is as secure as any other commercial certificate.

It is good to take the time to read a little.

SSL gives you the chance to use HTTP/2, which is a lot faster than HTTP/1.

It can be used in any environment: Nginx, Apache, whatever. 

https://letsencrypt.org/

Edited by Riggs

Riggs

For Windows 10

https://medium.com/beyond-the-helpdesk/lets-encrypt-for-windows-10-e07556c811b4

 

Those two guides are very easy to follow.

Of course, owning your own domain is mandatory. And it is better to use a static IP.

For home use, if you are behind a good router, make sure to set up your router to always give your server the same IP.

An SSL certificate makes no sense if your network is private.


Riggs

With certbot, auto renew will work with this command:

    sudo certbot renew --dry-run

You can run Ubuntu inside Windows now with WSL2 (Windows update 20.04).


tekfranz
18 minutes ago, Riggs said:

With certbot, auto renew will work with this command:

    sudo certbot renew --dry-run

You can run Ubuntu inside Windows now with WSL2 (Windows update 20.04).

That's neat. Kind of like Homebrew for Windows. Also, I forget I have an Ubuntu VM to use for this stuff.


pwhodges
1 hour ago, BAlGaInTl said:

Probably not since that would involve everything going through Emby's servers I believe.

No it wouldn't; it would merely mean Emby having an automated certificate client built in.  But rather than take up the developers' time doing that, you can use a forward proxy that does it automatically for you.  By far the easiest is Caddy, which was developed specifically for the purpose of doing that.

Paul


tekfranz

Side Note...If Emby doesn't load remotely make sure you are not using Edge Chromium with https.

Edge Chromium has a problem loading Emby that regular Google Chrome does not.

Nice red herring when you are troubleshooting a certificate issue.


BAlGaInTl
1 minute ago, pwhodges said:

No it wouldn't; it would merely mean Emby having an automated certificate client built in.  But rather than take up the developers' time doing that, you can use a forward proxy that does it automatically for you.  By far the easiest is Caddy, which was developed specifically for the purpose of doing that.

Paul

I meant that in order to do it "the way Plex does" which I'm not a big fan of.

If you did it with a built in automated client, wouldn't each user still have to have their own domain and all the setup that goes along with that?

Caddy does seem like an easy solution for Windows servers, which is why I mentioned it in my post. 

Personally, I still think that Cloudflare is a better/easier path.  It adds an extra layer of security, and doesn't rely on any recurring automated updates.

 


BAlGaInTl
11 minutes ago, tekfranz said:

Side Note...If Emby doesn't load remotely make sure you are not using Edge Chromium with https.

Edge Chromium has a problem loading Emby that regular Google Chrome does not.

Nice red herring when you are troubleshooting a certificate issue.

Really?

I'll have to try that tonight.


Riggs
49 minutes ago, tekfranz said:

That's neat. Kind of like Homebrew for Windows. Also, I forget I have an Ubuntu VM to use for this stuff.

Yes, well WSL2 is there too... "Microsoft load Canonical into the devil"


tekfranz

Certbot also has a Windows version. I had tried that earlier and it did a nice job generating the cert files. However, the PFX I created crashed EMBY so I did not go that route, but maybe it wasn't certbot but MS Edge.


jachin99
20 hours ago, tekfranz said:

The text record is to verify your DNS ownership. You do that after you submit your CSR and they ask you to verify your domain.

This PFX was not working either....I might need to convert it from a different format. But the paid Namecheap one does.

Oh wait, I just tried clearing my remote browser's cache and it works (as well as restarting EMBY Server and enabling and disabling "secure connections required". Also a complete computer restart as well.)

Just to confirm, adding a new certificate seems to require a restart of the EMBY Server, a disabling/re-enabling of Secure Connections under Secure Connection Mode and also a reboot of the machine and the clearing of the remote browser cache.

What do I use for my text record to prove my DNS ownership on Google Domains?  In other words, what text do I use and where do I get it from?


BAlGaInTl
6 hours ago, tekfranz said:

Side Note...If Emby doesn't load remotely make sure you are not using Edge Chromium with https.

Edge Chromium has a problem loading Emby that regular Google Chrome does not.

Nice red herring when you are troubleshooting a certificate issue.

 

Emby loaded just fine via https for me on Edge (Chromium)

 

5 hours ago, Riggs said:

Edge: another Microsoft fail

 

Really? It's not a bad browser.  Not sure why it's a fail.


tekfranz
3 hours ago, BAlGaInTl said:

 

Emby loaded just fine via https for me on Edge

3 hours ago, BAlGaInTl said:

 

Emby loaded just fine via https for me on Edge (Chromium)

 

Yeah, Edge Chromium suddenly works for me again. Wonder if I confused it with all my PFX swapping between ZeroSSL and Comodo.

Edited by tekfranz

tekfranz
4 hours ago, jachin99 said:

What do I use for my text record to prove my DNS ownership on Google Domains?  In other words, what text do I use and where do I get it from?

The instructions might be a little lengthy, but which tool do you want to use? Generally, there will be a point in the process after you submit your CSR when your tool will try to connect to something on your domain. It might offer to send you an email, have you place a CNAME record with your DNS provider or place a verification file on the web server. Which tool are you using presently? Still ZeroSSL? 


seanbuff
9 hours ago, BAlGaInTl said:

Personally, I still think that Cloudflare is a better/easier path.  It adds an extra layer of security, and doesn't rely on any recurring automated updates.

Can you remember how you generated a valid cert from CF? When I try, the option to download a PKCS12 format cert is greyed out

[attached screenshot]

and as far as I can tell, Emby is expecting only a PKCS #12 cert.

I have tried 'converting' from other formats but Emby doesn't like any of them.

Is there something special I need to do on the CF side?


5 hours ago, seanbuff said:

Can you remember how you generated a valid cert from CF? When I try, the option to download a PKCS12 format cert is greyed out

[attached screenshot]

and as far as I can tell, Emby is expecting only a PKCS #12 cert.

I have tried 'converting' from other formats but Emby doesn't like any of them.

Is there something special I need to do on the CF side?

How can you tell if you have a PKCS12 or not... I am using win-acme-v2 to generate the certificate, there are 2 different pfx options, as follows:

 

```

 Password to use for the .pfx files or <ENTER> for none:

 1: IIS Central Certificate Store (.pfx per host)
 2: PEM encoded files (Apache, nginx, etc.)
 3: PFX archive
 4: Windows Certificate Store
 5: No (additional) store steps
```

Anyways, I've tried both. I know the certs are valid, and my domain and router are set up correctly.  Port 8096 works fine but it's like it is not hosting on 8920... Nothing at all in the logs, almost like it isn't starting the SSL.  I wish I could figure out what I'm doing wrong.  Let me know if you figure anything out!


BAlGaInTl
6 hours ago, seanbuff said:

Can you remember how you generated a valid cert from CF? When I try, the option to download a PKCS12 format cert is greyed out

[attached screenshot]

and as far as I can tell, Emby is expecting only a PKCS #12 cert.

I have tried 'converting' from other formats but Emby doesn't like any of them.

Is there something special I need to do on the CF side?

I'm pretty sure that I've converted the default certificates to PFX for Emby before using openssl (linux). 

I don't have to do that anymore though, because I run a reverse proxy that can use the default PEM certs.

 

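Two questions in this thread come back to the same thing: seanbuff asks how to tell whether a file is actually PKCS#12, and BAlGaInTl mentions converting certbot's PEM files to PFX with openssl. The following is an added example, written for this thread and not code from Emby, certbot, win-acme or Cloudflare. It uses only the Python standard library to sniff a certificate file's format: PEM is recognised by its `-----BEGIN ...-----` blocks, and PKCS#12 by the start of its DER structure (a SEQUENCE holding the INTEGER version 3 followed by a ContentInfo whose type is the pkcs7 data OID). The sample inputs at the bottom are constructed skeletons, not real certificates or keys, and the function names are my own.

```python
import re

# Matches one PEM block and captures its label (CERTIFICATE, PRIVATE KEY, ...)
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# OID 1.2.840.113549.1.7.1 (pkcs7 data): the authSafe of a PFX is a ContentInfo of this type
OID_PKCS7_DATA = bytes.fromhex("2a864886f70d010701")


def _der_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def identify(blob: bytes) -> str:
    """Classify a certificate file: PEM (with block labels), PKCS#12, other DER, or unknown."""
    blocks = PEM_BLOCK.findall(blob)
    if blocks:
        return "PEM: " + ", ".join(label.decode() for label, _ in blocks)
    try:
        tag, pfx, _ = _der_tlv(blob, 0)
        if tag != 0x30:                     # not a SEQUENCE: none of the structures we expect
            return "unknown"
        tag, version, pos = _der_tlv(pfx, 0)
        if tag == 0x02 and version == b"\x03":          # PFX ::= SEQUENCE { version INTEGER (3), ...
            tag, auth_safe, _ = _der_tlv(pfx, pos)
            if tag == 0x30:
                tag, oid, _ = _der_tlv(auth_safe, 0)    # authSafe ContentInfo { contentType OID, ...
                if tag == 0x06 and oid == OID_PKCS7_DATA:
                    return "PKCS#12 (PFX)"
        return "DER (not PKCS#12; a DER X.509 certificate or key starts with a nested SEQUENCE instead)"
    except (IndexError, ValueError):
        return "unknown"


def emby_ready(blob: bytes) -> bool:
    """True only for the format the thread says Emby accepts."""
    return identify(blob) == "PKCS#12 (PFX)"


# --- constructed samples (not real certificates or keys) ---
def _der(tag, value):
    """Build one DER element; used only to construct the sample bytes below."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value

# Skeleton of a PFX: version 3, authSafe ContentInfo of type data, empty macData. Not loadable.
SAMPLE_PFX = _der(0x30,
                  _der(0x02, b"\x03")
                  + _der(0x30, _der(0x06, OID_PKCS7_DATA) + _der(0xA0, _der(0x04, b"\x00" * 8)))
                  + _der(0x30, b""))

# Shape of a DER-encoded X.509 certificate: SEQUENCE { tbsCertificate SEQUENCE, ... }
SAMPLE_DER_CERT = _der(0x30, _der(0x30, b"") + _der(0x30, b"") + _der(0x03, b"\x00"))

# What certbot's fullchain.pem and privkey.pem look like concatenated (fake base64 bodies)
SAMPLE_PEM = b"""-----BEGIN CERTIFICATE-----
QUFBQQ==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
QkJCQg==
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, blob in [("pfx", SAMPLE_PFX), ("der", SAMPLE_DER_CERT),
                       ("pem", SAMPLE_PEM), ("junk", b"hello")]:
        print(f"{name}: {identify(blob)}  emby_ready={emby_ready(blob)}")
```

If `identify()` reports PEM for the files certbot (or win-acme's "PEM encoded files" option) gave you, the standard openssl conversion to the PFX that Emby wants is `openssl pkcs12 -export -out emby.pfx -inkey privkey.pem -in fullchain.pem`, using the paths from the certbot output quoted earlier; running `identify()` on the result should then report PKCS#12. The sniffer only checks the outer structure, so a file it calls PKCS#12 can still fail to load if its password or contents are wrong, which is worth keeping in mind given the restart and cache-clearing steps jachin99 describes.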

Riggs
10 hours ago, BAlGaInTl said:

Really? It's not a bad browser.  Not sure why it's a fail.

Plain and simple.

I don't like the telemetry inside my devices.

So, if you pay for something, software in this case (in fact, a complete operating system), your payment justifies the use of that software; that is precisely why you pay for it.
America's monstrous data collectors make double use of it: they take your data, use it for their own benefit, and also sell it to third parties, the government, and so on. Microsoft includes telemetry without any shame, as if it were the most normal thing.
What I am writing is not a conspiracy theory; it is easy to check it on your own computer. If you still have doubts, everything is well documented and the evidence is irrefutable.
So why does the government not intervene, as it has happened and continues to increase in the European Union? The answer is in the second paragraph.
Remember: Information is power and they know it, but the user ignores it.

