Best Answer Q-Droid, 28 March 2020 - 10:11 AM
Emby and your router are separate and perform different functions. With secure remote access enabled Emby will listen on both of the ports designated for HTTP (default 8096) and HTTPS (default 8920).
Your router manages traffic between LAN and WAN. You have the option to allow only 8920 or both with port forwarding on the router, and it does not affect LAN access to the Emby server. LAN devices can reach both ports on the server, but it's best and easier to use HTTP (8096). Without more advanced setup like local DNS, the certificate validation would fail on the LAN, and a secure connection is not needed locally. You can try it with the web app; the browser should warn about the cert but let you continue to Emby on HTTPS using the LAN name. Phones, apps and other devices will fail because they don't offer the option to click through.
Certificate renewal does not involve the Emby ports, and certbot only allows port 80 for the HTTP-01 challenge and only supports standard ports (80, 443) during the renewal process. Let's Encrypt has options such as the DNS-01 challenge and APIs for many DDNS providers, which eliminate the need to open port 80 (and 443). If you're using HTTP-01 then you would have to open port 80 on the router for renewal to work.
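Added example, not part of the post above: a small Python check of why the certificate validates under the public name but fails under the LAN name or LAN IP. The client compares the name it connected to against the certificate's subject alternative names. The host names, the IP address and the SAN list are constructed sample values, and `cert_matches` is a hypothetical helper, not an Emby or certbot function.

```python
import ipaddress

# Constructed sample: SANs of a certificate issued for a public DDNS name.
CERT_SANS = {"DNS": ["emby.example.net"], "IP Address": []}


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _dns_match(pattern, host):
    """Match one dNSName SAN; '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label and never a bare TLD ("*.net").
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def cert_matches(sans, connect_name):
    """True if the name the client connected to is covered by the SANs.

    An IP literal is compared only against iPAddress SANs, so reaching the
    server by LAN IP fails unless that IP is listed in the certificate.
    """
    if _is_ip(connect_name):
        target = ipaddress.ip_address(connect_name)
        return any(ipaddress.ip_address(ip) == target
                   for ip in sans.get("IP Address", []))
    return any(_dns_match(pat, connect_name) for pat in sans.get("DNS", []))


if __name__ == "__main__":
    # Names a client might use: public DDNS name, LAN names, LAN IP.
    for name in ["emby.example.net", "mediaserver", "mediaserver.lan",
                 "192.168.1.50"]:
        verdict = "valid" if cert_matches(CERT_SANS, name) else "hostname mismatch"
        print(f"{name:20} {verdict}")
```

With local DNS that resolves the public name to the server's LAN address, LAN clients still connect as `emby.example.net`, so the first case applies and validation succeeds without any change to the certificate.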