Saberoz 4 Posted October 9, 2024 Posted October 9, 2024 (edited) Thought this might help everyone. It is by far the easiest and simplest way I have found to get my SSL setup. (not my video) You do need to have Docker installed and your own domain, as you will be using Cloudflare, but after banging my head trying to get SSL working, I had this up and running in like 10 mins. The cost - $10 bucks a year for a custom domain. Best $10 bucks I ever spent. Works a treat. Edited October 9, 2024 by Saberoz
JulesC 50 Posted October 9, 2024 Posted October 9, 2024 (edited) This sounds very interesting. Thanks for sharing. I just have a couple questions: 1. Do the remote users who I have accessing my Emby server have to do anything different on their end? 2. Did you have to do any additional steps not covered in this video for your setup? Thanks again UPDATE Here is another video on this topic you might find interesting Edited October 9, 2024 by JulesC Added another YouTube video
JulesC 50 Posted October 10, 2024 Posted October 10, 2024 On 10/8/2024 at 9:55 PM, Saberoz said: Thought this might help everyone. It is by far the easiest and simplest way I have found to get my SSL setup. (not my video) You do need to have Docker installed and your own domain, as you will be using Cloudflare, but after banging my head trying to get SSL working, I had this up and running in like 10 mins. The cost - $10 bucks a year for a custom domain. Best $10 bucks I ever spent. Works a treat. @Saberoz I have seen some posts that suggest Cloudflare Tunnels don't support running videos. Are you or anyone else having problems? Just checking before I implement Cloudflare Tunnels. Thanks
Saberoz 4 Posted October 11, 2024 Posted October 11, 2024 @JulesC At the moment I am the only user. However, the only thing I would expect they might have to do is just set the URL of where you are hosting, e.g. emby.yourdomain.com. There was nothing else I had to do. I can confirm video works. I haven't done extensive testing as yet. I am about 1 week into using Emby - exploring it as a Plex alternative
darkassassin07 603 Posted October 11, 2024 Posted October 11, 2024 https://blog.cloudflare.com/updated-tos/ TL;DR, if you are not hosting your server directly on Cloudflare's systems, you're not permitted to stream media files through them. I ran Cloudflare in front of my server for several years, but eventually got throttled and was unable to get streams to play anymore.
JulesC 50 Posted October 11, 2024 Posted October 11, 2024 @Saberoz thanks for your response. Please share your Cloudflare Tunnels / Emby learnings and I'll do the same. Thanks.
alfredasixta 0 Posted October 29, 2024 Posted October 29, 2024 On 1/11/2020 at 11:23 AM, MikeB111 said:

Hey Everyone, My journey from Plex to Emby has been pretty smooth with the exception of setting up SSL encryption. There are lots of great posts on this forum and elsewhere on how to do this, and I consider myself pretty computer literate. But I'll be honest, this was a bit overwhelming for me as I have no experience at all in hosting web servers, DNS, or encryption certificates. After many hours, I've got it all working, so I thought I'd share what I've learned. I'm going to try to write this for the newbie, so don't be offended if it seems like I'm explaining lots of simple stuff. That's really what I needed a week ago, so maybe it'll help someone else in my shoes. Also, this is for Windows, although most of it applies to any OS. There's lots of text, but it's really very easy.

Let me also say, I understand that a reverse proxy gives you lots of benefits and flexibility for securing your server. But that was a step too far for me. If you want a reverse proxy this post is not for you, but there are many posts in this forum to help you.

If you want to access your Emby server from outside your home network you will want to require secure connection mode for all remote connections (see "Network" tab in Emby server configuration). To do this you need an SSL certificate. To get an SSL certificate you must have your own registered domain name. Here's a step-by-step.

Domain Name Registration

A domain name is the readable text part of a web address. So emby.media, or google.com, or media.yourdomain.net. Most home users don't have one, but you need one to get an encryption certificate. While there are many options for purchasing a domain (godaddy.com being very popular), I chose to buy my domain from domains.google. It cost me $12/year, and this is the only cost to getting your Emby server working with encryption.
Go to https://domains.google, pick a domain, pay your money, and you're ready to go. For the rest of this discussion let's say you registered the domain name yourdomain.net.

Now you need to associate your new domain with your home IP address. Most home users get their IP address assigned to them by their internet provider and it is "dynamic," meaning it can change. So you need to be able to tell your domain provider what your address is and update it when it changes. This can be done automatically, and is called dynamic DNS (DDNS). Google Domains supports this easily, here is the help page explaining how to set it up. Fortunately, my ASUS router has this capability built in so it was easy, but it's easy even if your router doesn't (follow Google's directions). That's it for domain name registration. Now yourdomain.net points to your home network IP address.

SSL Certificate

Now you need to get an SSL certificate. This has the encryption keys you need, and must be issued by a recognized certificate authority or it gets blocked by your browser. Let's Encrypt will give you a free SSL certificate but it has to be renewed every 90 days. This was the part I was most confused by, but it's actually really easy. The part to understand is that Let's Encrypt must have some way of proving you own your domain name before they can issue you a certificate. There are two options, 1) they give you a little text file to place on your web server in a certain location. I don't have a web server so this is a no-go. 2) They give you a text string to add to your DNS registration in what is called a "TXT Record." You do this with Google Domains, it's very easy.

To get a certificate you need an ACME client program that knows how to talk to the Let's Encrypt server. They recommend certbot, but it doesn't work in Windows. Dig enough and you'll find ZeroSSL, they have a nice downloadable program that does it all and is really easy. Download here.
Make a directory on your computer (I used c:\ZeroSSL). Put the le64 (or 32) exe in this directory. A single command will create your certificate. I think the easiest way to do this is create a text file in the same folder as the program, call it "get_cert.bat" and put the following three lines of text in the file. Edit the second line to have your actual domain name (instead of "yourdomain.net"), and to have your actual password for your PFX file (whatever you want it to be, just replace "yourpasswordhere" in the code below).

    @echo off
    le64 --key account.key --csr domain.csr --csr-key domain.key --crt certificate.csr --domains "yourdomain.net" --generate-missing --handle-as dns --export-pfx "yourpasswordhere" --live
    pause

Save the text file as get_cert.BAT and then double click it to run. This runs the le64 program, creates the public/private key pair, asks Let's Encrypt to generate a certificate, saves that certificate, and converts it to a PFX file format that Emby requires. All in one command!

When you run this, a command window will appear and you can see what it's doing. After a few seconds it'll pause and ask you to place the TXT record in your domain. It gives you a name and value, the name will be something like _acme-challenge.yourdomain.net, and the value will be a bunch of random letters and numbers. The program pauses here for you to put this into your domain. So now you just log in to your Google domain again, go to "DNS" on the left menu, scroll all the way down and enter a "Custom Resource Record." The type is TXT, the name and value are what le64 gave you. Put them in, wait a few minutes for the change to take effect (took just a couple of minutes for me). Then go back to the command window where le64 is running and press enter to continue. It'll then verify your TXT record is there and issue your certificate. You'll find a file certificate.pfx in the le64 directory, that's it!

Emby Setup

Now log in to your Emby server setup.
Go to "Network," in the field "External Domain" you put your domain name, so yourdomain.net or whatever you chose. For "Custom SSL certificate path," browse to the .pfx file that was created by the le64 program. In the "Certificate Password" field put whatever password you used in the .BAT file above when you created your certificate. Then for "Secure Connection Mode" I recommend you choose "Required for all remote connections." You also have to log in to your home router and forward port 8920 to the computer running your Emby server. I'm not going to give directions on how to do this, it depends on your router, but it's super easy. That's it. You need to restart your Emby Server, and then you're done! You can now access your server remotely and securely at https://yourdomain.net:8920.

Certificate Renewal

Now, I mentioned before that the Let's Encrypt certificates are only good for 90 days. So every 90 days you have to renew the certificate. Take that "get_cert.bat" file you made earlier and make a copy of it called renew_cert.bat. At the end of the second line, just add the text "--renew 20" (without the double quotes). When you are within 20 days of your expiration date run this file, it'll renew your certificate. I believe it'll ask you to place a new TXT record in your domain, so certificate renewal cannot be made fully automatic. You'll have to run it manually and add this TXT record into your Google domain just like when you created the certificate in the first place. But it takes just a few minutes and then your certificate is renewed. You'll have to restart your Emby server for it to take. The file locations all stay the same, so you don't have to update anything in the Emby setup, just restart Emby. That's it!

Well, I hope this helps someone. Sorry for the long post. I would have benefited from this level of detail a week ago, so maybe it'll be good for someone. If anyone sees something wrong here, feel free to correct me.
Thanks a lot for providing this information.
Nathanjohnston 0 Posted November 8, 2024 Posted November 8, 2024 Can you help me create my own server?
bandit8623 116 Posted November 8, 2024 Posted November 8, 2024 (edited) 57 minutes ago, Nathanjohnston said: Can you help me create my own server? HTTP for local network, no need for SSL. HTTPS for external network needs SSL. Search the forums, there are different guides for different methods. Start with getting HTTP working locally first. Once that's working then you can try to set up HTTPS and an SSL cert. Edited November 8, 2024 by bandit8623 1
pwhodges 1814 Posted November 8, 2024 Posted November 8, 2024 2 hours ago, Nathanjohnston said: Can you help me create my own server? https://emby.media/support/articles/Quick-Start.html Paul
Jefki 0 Posted November 17, 2024 Posted November 17, 2024 (edited) So this is what is called "practicality"? Reading 11 pages of a forum to "try" to configure a server... Hours trying to figure out how to make what should be simple work... joke. If I were a developer, I would be very ashamed. I won't even try, going back to the plex. Edited November 18, 2024 by Jefki
Luke 39624 Posted November 18, 2024 Posted November 18, 2024 41 minutes ago, Jefki said: So this is what is called "practicality"? Reading 11 pages of a forum to "try" to configure a server... Hours trying to figure out how to make what should be simple work... joke. If I were a developer, I would be very ashamed. I won't even try, going back to the plex. Hi, don't you want a personal media server and not one that stores all of your information in the cloud? 1
pwhodges 1814 Posted November 18, 2024 Posted November 18, 2024 9 hours ago, Jefki said: So this is what is called "practicality"? Reading 11 pages of a forum to "try" to configure a server... Hours trying to figure out how to make what should be simple work... joke. If I were a developer, I would be very ashamed. I won't even try, going back to the plex. This thread isn't even about that... Paul
EkoOne 5 Posted November 18, 2024 Posted November 18, 2024 I'm using a custom domain (e.g. somesite.me) and a ZeroSSL cert. as recommended in these instructions. I added the domain to my hosting cPanel as a subdomain and it's publicly accessible and displays the "lock" icon so I know the SSL cert. is properly installed. Back in Emby > Network I configured the remote connection settings to use the custom domain and certificate.pfx file (no password). The Remote (WAN) access shows the correct url and port: https://somesite.me:8920 . However, when I try to connect from outside the home network I get a warning that the site can't be reached because a secure connection couldn't be established. I have several other domains and subdomains (same hosting provider, same server) and those sites all run through Cloudflare (free plan, default settings). However, the custom Emby subdomain is not setup with Cloudflare. Also, when I bought the (Emby) domain it included a SSL cert. which I activated but never installed on the server. I opted to use a ZeroSSL cert. instead because there were issues converting the other cert./key files to PKCS #12. Any ideas as to why the remote connection is failing?
Q-Droid 854 Posted November 18, 2024 Posted November 18, 2024 Check your Emby server log to see if it's listening on 8920 for https. Might also find SSL errors on startup if there's a problem. My guess is it might not work without password for the pfx file. You should try https connection from LAN using IP addr to see if it's listening.
bandit8623 116 Posted November 18, 2024 Posted November 18, 2024 3 hours ago, EkoOne said: I'm using a custom domain (e.g. somesite.me) and a ZeroSSL cert. as recommended in these instructions. I added the domain to my hosting cPanel as a subdomain and it's publicly accessible and displays the "lock" icon so I know the SSL cert. is properly installed. Back in Emby > Network I configured the remote connection settings to use the custom domain and certificate.pfx file (no password). The Remote (WAN) access shows the correct url and port: https://somesite.me:8920 . However, when I try to connect from outside the home network I get a warning that the site can't be reached because a secure connection couldn't be established. I have several other domains and subdomains (same hosting provider, same server) and those sites all run through Cloudflare (free plan, default settings). However, the custom Emby subdomain is not setup with Cloudflare. Also, when I bought the (Emby) domain it included a SSL cert. which I activated but never installed on the server. I opted to use a ZeroSSL cert. instead because there were issues converting the other cert./key files to PKCS #12. Any ideas as to why the remote connection is failing? https://www.geocerts.com/ssl-checker does this tell you anything?
EkoOne 5 Posted November 18, 2024 Posted November 18, 2024 @Q-Droid Looking at the logs I can find nothing to indicate that Emby is (or isn't) listening on port 8920. Connecting via IP over LAN throws an SSL error but I'm able to manually bypass it and connect, albeit with warnings. @bandit8623 The SSL checker was positive across the board.
Q-Droid 854 Posted November 18, 2024 Posted November 18, 2024 Yeah, I just tested without password for the pfx and that works fine. A good connection (with warnings) using IP on LAN means the internal config is good. You could try the WAN IP next and if that's good (with warnings) then check DNS for your Emby domain to make sure it's resolving to the correct WAN IP.
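The staged check suggested in this thread (DNS, then TCP on port 8920, then the TLS handshake), written out as an added example that is not part of any post: it names the first stage that fails and flags a certificate inside the quoted guide's 20-day renewal window. The host name and `expected_ip` (your WAN IP) are placeholders, and `diagnose` and `days_until_expiry` are names chosen for this sketch.

```python
import socket
import ssl
import time

RENEW_WINDOW_DAYS = 20  # same window as "--renew 20" in the quoted guide


def days_until_expiry(not_after, now=None):
    """Days left on a certificate, given the notAfter string from getpeercert()."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def diagnose(host, port=8920, expected_ip=None, timeout=5.0):
    """Return (stage, detail): the first failing stage, or an "ok" result."""
    # Stage 1: DNS. The name has to resolve to the WAN IP of the network
    # that actually runs Emby, not to a hosting provider's address.
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns_failed", str(exc)
    addrs = sorted({info[4][0] for info in infos})
    if expected_ip and expected_ip not in addrs:
        return "dns_mismatch", f"{host} resolves to {addrs}, expected {expected_ip}"

    # Stage 2: TCP. A refusal or timeout here points at port forwarding or a
    # firewall; the certificate has not been looked at yet.
    try:
        sock = socket.create_connection((addrs[0], port), timeout=timeout)
    except ConnectionRefusedError:
        return "tcp_refused", f"{addrs[0]}:{port} refused the connection"
    except OSError as exc:
        return "tcp_unreachable", f"{addrs[0]}:{port}: {exc}"

    # Stage 3: TLS with normal verification (trusted chain, name matches host).
    # Testing by IP address fails here with a name mismatch, which is the
    # "works with warnings" result described in the thread.
    ctx = ssl.create_default_context()
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "tls_cert_invalid", exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return "tls_handshake_failed", str(exc)

    left = days_until_expiry(cert["notAfter"])
    if left <= RENEW_WINDOW_DAYS:
        return "ok_renew_soon", f"certificate expires in {left:.0f} days"
    return "ok", f"certificate valid for {left:.0f} more days"


if __name__ == "__main__":
    # Placeholder values: substitute your own domain and WAN IP.
    print(diagnose("yourdomain.net", 8920, expected_ip="203.0.113.10"))
```

Run it from outside the home network; a `tcp_refused` result on 8920 while the same host answers on 443 means the name is reaching a machine where nothing listens on 8920.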
EkoOne 5 Posted November 18, 2024 Posted November 18, 2024 @bandit8623 Correction: Using the SSL checker connections on port 8920 are refused but on port 443 it's all good.
bandit8623 116 Posted November 22, 2024 Posted November 22, 2024 On 11/18/2024 at 4:21 PM, EkoOne said: @bandit8623 Correction: Using the SSL checker connections on port 8920 are refused but on port 443 it's all good. My guess is a router config problem not pointing to the correct place. I use 8920 internal and external, no issues.
Luke 39624 Posted November 22, 2024 Posted November 22, 2024 On 11/18/2024 at 5:21 PM, EkoOne said: @bandit8623 Correction: Using the SSL checker connections on port 8920 are refused but on port 443 it's all good. Did you set up port forwarding to 8920? 1
EkoOne 5 Posted November 23, 2024 Posted November 23, 2024 @Luke Yes I did but I think @bandit8623 might be on to something, though I'm fairly certain it's not a configuration error on my part. My network hardware is not great and the bare-bones router settings have always been somewhat... unreliable, port-forwarding included. It's all being replaced in the next couple weeks so I'll have to wait to sort this out. Thanks.
Luke 39624 Posted November 23, 2024 Posted November 23, 2024 3 hours ago, EkoOne said: @Luke Yes I did but I think @bandit8623 might be on to something, though I'm fairly certain it's not a configuration error on my part. My network hardware is not great and the bare-bones router settings have always been somewhat... unreliable, port-forwarding included. It's all being replaced in the next couple weeks so I'll have to wait to sort this out. Thanks. OK please let us know how things go. Thanks.
Carlo 4543 Posted November 25, 2024 Posted November 25, 2024 On 11/18/2024 at 1:16 PM, EkoOne said: I'm using a custom domain (e.g. somesite.me) and a ZeroSSL cert. as recommended in these instructions. I added the domain to my hosting cPanel as a subdomain and it's publicly accessible and displays the "lock" icon so I know the SSL cert. is properly installed. Back in Emby > Network I configured the remote connection settings to use the custom domain and certificate.pfx file (no password). The Remote (WAN) access shows the correct url and port: https://somesite.me:8920 . However, when I try to connect from outside the home network I get a warning that the site can't be reached because a secure connection couldn't be established. Hi, Try configuring the SSL cert with a password. I believe ZeroSSL doesn't work correctly without a password in Emby. If that doesn't work, turn on debugging in the logs and restart your server. Wait about 3 minutes, turn off debug logging, send us the emby server log file. BTW, you mentioned cPanel. Is your server hosted outside your home LAN? If so, does it have a public IP or a private IP address? Carlo
Teknician 4 Posted November 25, 2024 Posted November 25, 2024 Your script to generate your key should include your password and added to the network settings in your Emby server. Here's my batch file script to generate my key for my domain and Emby.

    cd c:\ZeroSSL
    @echo off
    le64 --key account.key --csr domain.csr --csr-key domain.key --crt certificate.csr --domains DOMAINHERE.com --generate-missing --handle-as dns --export-pfx PASSWORDHERE --live
    pause

The capped domain and password, you would add yourself. Then in your settings in Emby 1