Emby SSL certificates on Raspberry Pi

dietpi raspberry pi ssl


#1 Przemek
Posted 27 March 2020 - 03:04 PM

Hello, I installed Emby Server on a Raspberry Pi 4 with the DietPi distro. I have also installed Nextcloud there as my NAS server. There's a very easy way to install an SSL certificate for Nextcloud. I made a domain myserver.ddns.net on the NO-IP website, installed certbot and ran letsencrypt from dietpi-software.
Now I want to add SSL for my Emby Server. I see there's a tutorial but I don't know anything about certificates and don't want to break something. @pir8radio @Swynol Can somebody tell me whether I have to make another domain with ddns? There's also information at the beginning of the tutorial to kill all processes on port 80. When I enabled https for Nextcloud I deleted the port forwarding rule for port 80 on my router, but when I run the command:
`netstat -nlp | grep :80`
```
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 1191/kodi.bin_v8
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1032/lighttpd
tcp6 0 0 :::8096 :::* LISTEN 26999/EmbyServer
tcp6 0 0 :::8080 :::* LISTEN 1191/kodi.bin_v8
tcp6 0 0 :::80 :::* LISTEN 1032/lighttpd
```

Regards Przemek

Edited by Przemek, 27 March 2020 - 04:09 PM.


#2 Przemek

Posted 28 March 2020 - 06:55 AM

OK, I made it work, but I can also log in from http://myserver.ddns.net:8096 even though I have port 8920 for SSL enabled in settings. I can't see an option to redirect connections from http.

Regards Przemek

 

 



#3 Q-Droid

Posted 28 March 2020 - 07:53 AM

If you remove port forwarding for 8096 then you shouldn't be able to reach the http URL even if the host was listening. Same for the other ports, you don't have to worry about or kill the other listening processes on the host if the router is not allowing traffic to reach them.



#4 Q-Droid

Posted 28 March 2020 - 08:07 AM

Also, if you set Secure connection mode to "Required for all remote connections" in the Network settings and leave port 8096 forwarded on your router then Emby redirects the connection to HTTPS.



#5 Przemek

Posted 28 March 2020 - 09:07 AM

So do I need to set port 8920 for LAN connections as well? What about renewing the certificate when I close port forwarding for port 8096? Do I have to open the port every time?



#6 Q-Droid

Posted 28 March 2020 - 10:11 AM   Best Answer

Emby and your router are separate and perform different functions. With secure remote access enabled Emby will listen on both of the ports designated for HTTP (default 8096) and HTTPS (default 8920). 

Your router manages traffic between LAN and WAN. You have the option to allow only 8920 or both with port forwarding on the router and it does not affect LAN access to the Emby server. LAN devices can reach both ports on the server but it's best and easier to use HTTP (8096). Without more advanced setup like local DNS the certificate validation would fail on the LAN and secure connection is not needed locally. You can try it with the web app, the browser should warn about the cert but let you continue to Emby on HTTPS using the LAN name. Phones, apps and other devices will fail because they don't offer the option to click through.

 

Certificate renewal does not involve the Emby ports and certbot only allows port 80 for the HTTP-01 challenge and only supports standard ports (80, 443) during the renewal process. Let's Encrypt has options such as the DNS-01 challenge and APIs for many DDNS providers which eliminate the need to open port 80 (and 443). If you're using HTTP-01 then you would have to open port 80 on the router for renewal to work.


  • Przemek likes this
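
Added example, not part of the original posts: a small Python check of the distinction drawn in this thread between ports that are listening on the host and ports the router actually forwards, including whether an HTTP-01 renewal could reach the host. The sample reuses the netstat lines from post #1 plus one constructed line for port 8920; the forwarded-port sets are assumptions, and the router is assumed to forward each port to the same port number on the Pi.

```python
import re

# Sample input: the netstat lines quoted in post #1, plus one CONSTRUCTED line
# for 8920 (Emby's default HTTPS port once secure remote access is enabled).
NETSTAT_SAMPLE = """\
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 1191/kodi.bin_v8
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1032/lighttpd
tcp6 0 0 :::8096 :::* LISTEN 26999/EmbyServer
tcp6 0 0 :::8080 :::* LISTEN 1191/kodi.bin_v8
tcp6 0 0 :::80 :::* LISTEN 1032/lighttpd
tcp6 0 0 :::8920 :::* LISTEN 26999/EmbyServer
"""

LINE_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+LISTEN\s+\d+/(?P<prog>\S+)"
)


def parse_listeners(text):
    """Return {port: set of program names} for every LISTEN line."""
    listeners = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # The port is whatever follows the last ':' (works for 0.0.0.0:80 and :::80).
        port = int(m.group("local").rsplit(":", 1)[1])
        listeners.setdefault(port, set()).add(m.group("prog"))
    return listeners


def assess(listeners, forwarded_ports):
    """Split listening ports into WAN-reachable and LAN-only for a given router config."""
    forwarded = set(forwarded_ports)
    return {
        # Reachable from outside only if the host listens AND the router forwards.
        "wan_reachable": {p: sorted(listeners[p]) for p in sorted(forwarded) if p in listeners},
        # Listening on the host, but the router does not pass WAN traffic to them.
        "lan_only": sorted(p for p in listeners if p not in forwarded),
        # HTTP-01 validation arrives on port 80, so that port must be forwarded.
        "http01_inbound_ok": 80 in forwarded,
    }


if __name__ == "__main__":
    found = parse_listeners(NETSTAT_SAMPLE)
    for forwards in ({8920}, {80, 8920}, {8096, 8920}):
        print(sorted(forwards), assess(found, forwards))
```
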

#7 Przemek

Posted 28 March 2020 - 01:00 PM

Thank you very much for the answer.






