
Emby SSL certificates on Raspberry Pi



Przemek

Hello, I installed Emby server on a Raspberry Pi 4 with the DietPi distro. I have also installed Nextcloud there as my NAS server. There's a very easy way to install an SSL certificate for Nextcloud. I made a domain myserver.ddns.net on the NO-IP website, installed certbot and ran letsencrypt from dietpi-software.

Now I want to add SSL for my Emby Server. I see there's a tutorial but I don't know anything about certificates and don't want to break something. @pir8radio @Swynol Can somebody tell me, do I have to make another domain with DDNS? There's also information at the beginning of the tutorial to kill all processes on port 80. When I enabled HTTPS for Nextcloud I deleted the port forwarding rule for port 80 on my router, but when I run the command:

`netstat -nlp | grep :80`

```
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 1191/kodi.bin_v8
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1032/lighttpd
tcp6 0 0 :::8096 :::* LISTEN 26999/EmbyServer
tcp6 0 0 :::8080 :::* LISTEN 1191/kodi.bin_v8
tcp6 0 0 :::80 :::* LISTEN 1032/lighttpd
```

 

Regards Przemek


Q-Droid

If you remove port forwarding for 8096 then you shouldn't be able to reach the http URL even if the host was listening. Same for the other ports, you don't have to worry about or kill the other listening processes on the host if the router is not allowing traffic to reach them.


Q-Droid

Also, if you set Secure connection mode to "Required for all remote connections" in the Network settings and leave port 8096 forwarded on your router then Emby redirects the connection to HTTPS.


Przemek

So I need to set port 8920 also on LAN connections? What about renewing the certificate when I close port forwarding for port 8096? Do I have to open the port every time?


  • Solution
Q-Droid

Emby and your router are separate and perform different functions. With secure remote access enabled Emby will listen on both of the ports designated for HTTP (default 8096) and HTTPS (default 8920). 

Your router manages traffic between LAN and WAN. You have the option to allow only 8920 or both with port forwarding on the router and it does not affect LAN access to the Emby server. LAN devices can reach both ports on the server but it's best and easier to use HTTP (8096). Without more advanced setup like local DNS the certificate validation would fail on the LAN and secure connection is not needed locally. You can try it with the web app, the browser should warn about the cert but let you continue to Emby on HTTPS using the LAN name. Phones, apps and other devices will fail because they don't offer the option to click through.

 

Certificate renewal does not involve the Emby ports and certbot only allows port 80 for HTTP-01 challenge and only supports standard ports (80,443) during the renewal process. LetsEncrypt has options such as DNS-01 challenge and APIs for many DDNS providers which eliminates the need to open port 80 (and 443). If you're using HTTP-01 then you would have to open port 80 on the router for renewal to work.


  • 1 year later...
jonyskids

Przemek in your second post you said you made it work? Can you explain?

(Tutorial is no longer there.)


Przemek

Hi, I got help on the DietPi forum for that.

That was the only thing I needed to do:

```
sudo su
cd /etc/letsencrypt/live/myserver.ddns.net/
# bundle key, certificate and chain into a PFX with an empty export password
openssl pkcs12 -export -out mydomain.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:
# copy the PFX into the Emby ssl directory
cp mydomain.pfx /opt/emby-server/ssl/myserver.ddns.net.pfx
```

But that was working on DietPi. I don't know about other distros.

Now I don't use the RPi4 but a MiniPC that has more power.

The second thing was that I had to manually renew SSL like above and some Android devices don't work with Emby. I decided to install Nginx Proxy Manager, which handles certificates for me. Everything works better now.

Regards.


jonyskids

Thanks for responding! To be clear:  myserver.ddns.net = mydomain in mydomain.pfx?

Do I then need to go to network on my emby server settings and add the path to mydomain.pfx?


Przemek

Yes, I just pasted that. You add your own domain name everywhere. Like:

```
sudo su
cd /etc/letsencrypt/live/your_domain_name.ddns.net/
openssl pkcs12 -export -out your_domain_name.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:
cp your_domain_name.pfx /opt/emby-server/ssl/your_domain_name.ddns.net.pfx
```

Then in Emby settings add the path to that .pfx file.
Regards.


Przemek

I don't remember, but after some time the DietPi auto-renew feature made it better and it just worked, but there were some problems with SSL. Now I'm on Nginx Proxy Manager and don't have to do anything.

Regards.


jonyskids

LetsEncrypt takes care of renewals now.  One just needs to create a hook to convert Emby cert on renewal.

I know you have moved on to other options but your help here is much appreciated!

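The renewal hook mentioned in the last post could look like the sketch below. It is an added example, not part of the original thread and not DietPi or Emby tooling. It assumes certbot's deploy-hook mechanism (which exports `RENEWED_LINEAGE`), a hypothetical hook file name, a service account `emby` and a systemd unit `emby-server`; the `openssl` command and the `/opt/emby-server/ssl` path are the ones from the thread.

```shell
#!/bin/sh
# Added example: certbot deploy hook, saved for instance as
# /etc/letsencrypt/renewal-hooks/deploy/emby-pfx.sh (file name is an assumption).
# certbot runs deploy hooks after a successful renewal and sets
# RENEWED_LINEAGE to the live/<domain> directory of the renewed certificate.

EMBY_SSL_DIR="${EMBY_SSL_DIR:-/opt/emby-server/ssl}"  # path used in the thread
EMBY_SERVICE="${EMBY_SERVICE:-emby-server}"           # assumed systemd unit name

# convert_lineage <lineage_dir> <out_dir> [owner]
# Writes <out_dir>/<domain>.pfx from the renewed PEM files. On any failure it
# returns non-zero and leaves an existing .pfx untouched.
convert_lineage() {
    lineage="$1"; out_dir="$2"
    owner="${3-emby}"        # assumed service account; pass "" to skip chown
    domain=$(basename "$lineage")
    for f in privkey.pem cert.pem chain.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    # The PFX has an empty export password (as in the thread), so file
    # permissions are its only protection: mktemp creates it mode 0600.
    tmp=$(mktemp "$out_dir/.$domain.pfx.XXXXXX") || return 1
    if openssl pkcs12 -export -out "$tmp" \
            -inkey "$lineage/privkey.pem" -in "$lineage/cert.pem" \
            -certfile "$lineage/chain.pem" -password pass: \
        && openssl pkcs12 -in "$tmp" -passin pass: -noout 2>/dev/null; then
        # Hand the file to the service account, then swap it in atomically.
        [ -z "$owner" ] || chown "$owner" "$tmp" || { rm -f "$tmp"; return 1; }
        mv -f "$tmp" "$out_dir/$domain.pfx"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Only act when certbot invoked the script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    convert_lineage "$RENEWED_LINEAGE" "$EMBY_SSL_DIR" \
        && systemctl restart "$EMBY_SERVICE"  # assumes a restart reloads the cert
fi
```

`certbot renew --dry-run` exercises the renewal path itself, but deploy hooks are skipped during a dry run, so the conversion has to be checked separately by calling the function against the existing `live/<domain>` directory.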
