
SSL made easy


MikeB111


On 4/14/2023 at 3:08 PM, xibinim said:

Thanks, I'll prepare a log. Will it require a lot of effort to strip it of personal information?

Edit - a quick scan, all I can see that's worth replacing is my name (username for this PC). 

If you like, send me a PM with the information to review vs publicly posting it.
If you send me a screen shot of your DNS entries that would be a plus as well.

Carlo

PS you can send me a private message by hovering over my avatar.


xibinim

Thank you all again. I had to revert as it completely buggered access to my clients, particularly those running it through a TV app. Will go back to the drawing board and follow up on your suggestions :). 


  • 2 weeks later...
ITGuy1024

Is this still a valid option? I followed the steps and my domain is now flagged as "Deceptive site ahead"


2 hours ago, ITGuy1024 said:

Is this still a valid option? I followed the steps and my domain is now flagged as "Deceptive site ahead"

You might be running into this issue:

So please follow that topic. Thanks.


  • 2 months later...
Blackstar1988
On 7/6/2021 at 3:10 PM, MEB said:

Using duckdns with home assistant so it creates the cert with letsencrypt any way to use that setup and the cert it creates automatically?

Did you find any answer to it? I'm doing the same now :D Please share knowledge :D


  • 4 weeks later...
ITGuy1024

What am I missing? The WAN address won't update to https or the correct port.
ZeroSSL successfully reached the _acme-challenge on my domain.


Q-Droid

This is usually an indication that it couldn't open or use the cert and bind to the HTTPS port. Restart your Emby server and look through the new log to see if there are errors related to the cert file (pfx).

 

 

 


ITGuy1024
4 minutes ago, Q-Droid said:

This is usually an indication that it couldn't open or use the cert and bind to the HTTPS port. Restart your Emby server and look through the new log to see if there are errors related to the cert file (pfx).

 

 

 

I restarted a few times. 

I see this in the log in relation to port 8920.

2023-08-19 20:18:20.986 Debug PortMapper: Creating port map on local port 8920 to public port 8920 with device 172.30.1.109

I see this in relation to pfx.
"The specified network password is not correct." Is this referring to the cert password or something else? I copied the cert password directly into Emby from the batch file. I double checked, no added blank spaces.

2023-08-19 20:07:35.516 Error App: Error loading cert from C:\ZeroSSL\certificate.pfx
	*** Error Report ***
	Version: 4.7.13.0
	Command line: C:\Users\Administrator\AppData\Roaming\Emby-Server\system\EmbyServer.dll -noautorunwebapp
	Operating system: Microsoft Windows 10.0.14393
	Framework: .NET 6.0.16
	OS/Process: x64/x64
	Runtime: C:/Users/Administrator/AppData/Roaming/Emby-Server/system/System.Private.CoreLib.dll
	Processor count: 4
	Data path: C:\Users\Administrator\AppData\Roaming\Emby-Server\programdata
	Application path: C:\Users\Administrator\AppData\Roaming\Emby-Server\system
	Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The specified network password is not correct.
	   at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(ReadOnlySpan`1 rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
	   at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(ReadOnlySpan`1 rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
	   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
	   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password)
	   at Emby.Server.Implementations.ApplicationHost.GetCertificate(CertificateInfo info)
	Source: System.Security.Cryptography.X509Certificates
	TargetSite: Internal.Cryptography.Pal.Native.SafeCertContextHandle FilterPFXStore(System.ReadOnlySpan`1[System.Byte], Microsoft.Win32.SafeHandles.SafePasswordHandle, Internal.Cryptography.Pal.Native.PfxCertStoreFlags)

Q-Droid

The request to restart is to make sure the log has all of the details. The server only tries to open the cert and bind to the HTTPS port on startup. If the log rotates or is rotated manually the new log won't have any info.

And yes, it can't open the cert file. Most likely password but the messages might be misleading and it could be other reasons. Start by verifying that password.


ITGuy1024

Are there supposed to be quotes around the password in the batch file?

I'm guessing no?

Taking a closer look at the zerossl script it looks like it added this character ô to the beginning and end of the password I have. I'm guessing that character is from the quotations?

*Fixed*: the quotations and added symbol were the issue.

Edited by ITGuy1024

Teknician

If you're referring to the batch file to generate your certificate, no, there are no quotation marks.

cd c:\ZeroSSL
@echo off
le64 --key account.key --csr domain.csr --csr-key domain.key --crt certificate.csr --domains myserveraddress.com --generate-missing --handle-as dns --export-pfx 12345678 --live
pause

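The quoting problem described in the two posts above can be confirmed by looking at the raw bytes of the batch file. This is an added example, not part of the original posts or of the le64/ZeroSSL tooling; it assumes the file was saved as Windows-1252 with curly quotes and viewed in a console using OEM code page 437, where byte 0x93 displays as ô. The sample batch contents and the function name are constructed for illustration.

```python
import re

# Constructed sample batch files (raw bytes as they would sit on disk).
# GOOD is the command from the thread; BAD wraps the same password in
# Windows-1252 curly quotes (0x93 / 0x94), as pasted from a web page.
GOOD = (b"cd c:\\ZeroSSL\r\n@echo off\r\n"
        b"le64 --key account.key --csr domain.csr --csr-key domain.key "
        b"--crt certificate.csr --domains myserveraddress.com "
        b"--generate-missing --handle-as dns --export-pfx 12345678 --live\r\n"
        b"pause\r\n")
BAD = GOOD.replace(b"12345678", b"\x9312345678\x94")


def audit_export_pfx(batch_bytes):
    """Inspect the raw bytes of the --export-pfx value in a batch file.

    Returns None when the option is absent, otherwise a dict describing the
    token exactly as stored, so it can be compared with the password typed
    into the server's certificate settings.
    """
    match = re.search(rb"--export-pfx[ \t]+([^ \t\r\n]+)", batch_bytes)
    if match is None:
        return None
    token = match.group(1)
    # Anything outside 7-bit ASCII, or a quote character, is worth a look.
    suspicious = [b for b in token if b >= 0x80 or b in b"\"'"]
    return {
        "token": token,
        # How an editor using Windows-1252 displays these bytes.
        "editor_view": token.decode("cp1252", errors="replace"),
        # How a console using OEM code page 437 displays the same bytes.
        "console_view": token.decode("cp437"),
        "suspicious_bytes": [hex(b) for b in suspicious],
        "clean": not suspicious,
    }


if __name__ == "__main__":
    for name, data in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_export_pfx(data))
```

To check a real file, pass `open(path, "rb").read()` to `audit_export_pfx`; a result with `clean` set to `False` means the stored value is not the plain password.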

hawaiizfynest
On 1/13/2020 at 9:19 AM, BAlGaInTl said:

Great guide.

 

The only comment that I would make is that I've been steering people more towards using Cloudflare's free service for the certificate.

 

It's a couple of extra steps in the beginning, but then you don't have to worry about updating every 90 days.  You get the added bonus of some protections that Cloudflare builds in to its service.

Mind sharing the walkthrough for this? I personally love using CF stuff, so this would be great for me.


xibinim

Apologies for the long delay, lots of responses - thank you. We may be moving house and getting new network equipment so will read through replies and try and get a working solution in preparation :). 


  • 4 months later...
jonwalton19

This almost was a great transition from Plex.......except that setting up the [redacted] server so I access it on phone is pure garbage. your software [redacted]. 

Edited by GrimReaper
Wording

  • 3 weeks later...
xnappo

@MikeB111 Just wanted to thank you for this post. I had been putting it off too long and got it working, though with Squarespace since they took over from Google.

As a bonus, I got to use the information at work for something semiconductor certificate related - I was able to say 'Oh, kinda like how SSL CSAs work?' and get an enthusiastic 'Yes exactly!' lol


bandit8623
On 12/24/2023 at 10:57 PM, jonwalton19 said:

This almost was a great transition from Plex.......except that setting up the [redacted] server so I access it on phone is pure garbage. your software [redacted]. 

The whole point of why Emby is better is that none of your stuff goes through their servers. Plex has access to all your stuff.


Zerok

For those on Google Domains which is now moving over to Squarespace in the next 30 days, which DNS solution are you going with?


RDSII64
7 minutes ago, Zerok said:

For those on Google Domains which is now moving over to Squarespace in the next 30 days, which DNS solution are you going with?

That is a good question. Unfortunately I don't know the answer yet. 


JulesC

 

2 hours ago, Zerok said:

For those on Google Domains which is now moving over to Squarespace in the next 30 days, which DNS solution are you going with?

I was just getting ready to post the same question. Looking forward to any guidance here. Thanks


darkassassin07
3 hours ago, Zerok said:

For those on Google Domains which is now moving over to Squarespace in the next 30 days, which DNS solution are you going with?

Cloudflare's nameservers. Google/Squarespace only handles the registration; Cloudflare does the DNS and WAF/proxy for non-Emby services. (Don't proxy Emby with CF's WAF; it's against their ToS and will be throttled.)

 

I was worried and asked on Lemmy before realizing I'm already using CF name servers so I won't have to do anything.

Edited by darkassassin07

MikeB111
On 1/25/2024 at 3:01 PM, Zerok said:

For those on Google Domains which is now moving over to Squarespace in the next 30 days, which DNS solution are you going with?

Since I'm running my server from my house on a dynamic IP from my internet provider, support for Dynamic DNS was a requirement. Google Domains had worked great for me for a long time, but with the change to Squarespace with no DDNS support it's a no go for me now.

I just transferred my domain name registration from Squarespace/Google to Namecheap. Cost me $13 for the transfer, and was super easy, all done in a few minutes. The Namecheap interface for managing the domain was simple and actually very similar to Google, so it was familiar and easy. With Google Domains, my ASUS router directly supported DDNS, which was very convenient (although it didn't always work 100% reliably). Namecheap isn't supported by my router directly, but they have a Windows dynamic DNS client that I set up to run on my Emby server, which is always on anyways, and it seems to be working just fine. For those with more experience than I, Namecheap dynamic DNS also works with DDClient (primarily a Linux tool, but there is apparently also a Windows install).

I'm by no means an expert and make no claim that this is the best solution, but I did just make this change and it seems to be working well so at least this is one working option to consider.


bandit8623

No-IP offers a free cert with the free monthly dynamic service. You just have to click 3 times once a month. $0, but if you don't want to confirm monthly then you wouldn't like it. Throwing that out there for people.

***Wow, I spoke too soon. They just stopped offering the free cert now.

I'm guessing I'm good for the rest of the year possibly, since I just set up my cert last week. Darn.

Sorry about that, folks.

Looks like No-IP is no longer the best option for free, although with a coupon in the fall they offer this stuff 50% off.

Edited by bandit8623
ssl not included anymore