Przemek, posted March 27, 2020 (edited):

Hello, I installed Emby server on a Raspberry Pi 4 with the DietPi distro. I have also installed Nextcloud there as my NAS server. There's a very easy way to install an SSL certificate for Nextcloud: I made a domain myserver.ddns.net on the NO-IP website, installed certbot and ran letsencrypt from dietpi-software.

Now I want to add SSL for my Emby Server. I see there's a tutorial but I don't know anything about certificates and don't want to break something. @pir8radio @Swynol

Can somebody tell me, do I have to make another domain with ddns? There's also information at the beginning of the tutorial to kill all processes on port 80. When I enabled https for Nextcloud I deleted the port forwarding rule for port 80 on my router, but when I run the command:

`netstat -nlp | grep :80`

```
tcp        0      0 0.0.0.0:8080    0.0.0.0:*    LISTEN    1191/kodi.bin_v8
tcp        0      0 0.0.0.0:80      0.0.0.0:*    LISTEN    1032/lighttpd
tcp6       0      0 :::8096         :::*         LISTEN    26999/EmbyServer
tcp6       0      0 :::8080         :::*         LISTEN    1191/kodi.bin_v8
tcp6       0      0 :::80           :::*         LISTEN    1032/lighttpd
```

Regards
Przemek

Przemek, posted March 28, 2020:

OK, I made it work but I can also log in from http://myserver.ddns.net:8096 even if I have port 8920 for SSL enabled in settings. I can't see an option to redirect connections from http.

Regards
Przemek

Q-Droid, posted March 28, 2020:

If you remove port forwarding for 8096 then you shouldn't be able to reach the http URL even if the host was listening. Same for the other ports, you don't have to worry about or kill the other listening processes on the host if the router is not allowing traffic to reach them.

Q-Droid, posted March 28, 2020:

Also, if you set Secure connection mode to "Required for all remote connections" in the Network settings and leave port 8096 forwarded on your router then Emby redirects the connection to HTTPS.

Przemek, posted March 28, 2020:

So I need to set port 8920 also on LAN connections? What about renewing the certificate when I close port forwarding for port 8096? Do I have to open the port every time?

Q-Droid, posted March 28, 2020 (marked as solution):

Emby and your router are separate and perform different functions. With secure remote access enabled Emby will listen on both of the ports designated for HTTP (default 8096) and HTTPS (default 8920). Your router manages traffic between LAN and WAN. You have the option to allow only 8920 or both with port forwarding on the router and it does not affect LAN access to the Emby server.

LAN devices can reach both ports on the server but it's best and easier to use HTTP (8096). Without more advanced setup like local DNS the certificate validation would fail on the LAN and secure connection is not needed locally. You can try it with the web app, the browser should warn about the cert but let you continue to Emby on HTTPS using the LAN name. Phones, apps and other devices will fail because they don't offer the option to click through.

Certificate renewal does not involve the Emby ports and certbot only allows port 80 for HTTP-01 challenge and only supports standard ports (80,443) during the renewal process. LetsEncrypt has options such as DNS-01 challenge and APIs for many DDNS providers which eliminates the need to open port 80 (and 443). If you're using HTTP-01 then you would have to open port 80 on the router for renewal to work.

Przemek, posted March 28, 2020:

Thank you very much for the answer.

jonyskids, posted January 26, 2022 (edited):

Przemek, in your second post you said you made it work? Can you explain? (Tutorial is no longer there.)

Przemek, posted January 26, 2022:

Hi, I got help on the dietpi forum for that. That was the only thing I needed to do:

```
sudo su
cd /etc/letsencrypt/live/myserver.ddns.net/
# bundle the key, certificate and chain into a PKCS#12 file ("pass:" = empty password)
openssl pkcs12 -export -out mydomain.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:
# copy the bundle to the directory Emby reads it from
cp mydomain.pfx /opt/emby-server/ssl/myserver.ddns.net.pfx
```

But that was working on dietpi. I don't know about other distros. Now I don't use the Rpi4 but a MiniPC that has more power. The second thing was that I have to manually renew SSL like above and some android devices don't work with Emby. I decided to install Nginx Proxy Manager that handles certificates for me. Everything works better now.

Regards.

jonyskids, posted January 26, 2022:

Thanks for responding! To be clear: myserver.ddns.net = mydomain in mydomain.pfx? Do I then need to go to network on my emby server settings and add the path to mydomain.pfx?

Przemek, posted January 27, 2022:

Yes, I just pasted that. You add your own domain name everywhere, like:

```
sudo su
cd /etc/letsencrypt/live/your_domain_name.ddns.net/
# bundle the key, certificate and chain into a PKCS#12 file ("pass:" = empty password)
openssl pkcs12 -export -out your_domain_name.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:
# copy the bundle to the directory Emby reads it from
cp your_domain_name.pfx /opt/emby-server/ssl/your_domain_name.ddns.net.pfx
```

Then in Emby settings add the path to that .pfx file.

Regards.

jonyskids, posted January 27, 2022:

Got it. I had to forward the emby https port on my router. How often do you need to renew the cert?

Przemek, posted January 27, 2022:

I don't remember, but after some time the dietpi auto-renew feature made it better and it just worked, but there were some problems with SSL. Now I'm on Nginx Proxy Manager and don't have to do anything.

Regards.

jonyskids, posted January 27, 2022:

LetsEncrypt takes care of renewals now. One just needs to create a hook to convert Emby cert on renewal. I know you have moved on to other options but your help here is much appreciated!
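
The renewal hook mentioned in the post above could look like the following. This is an added example, not a script from the thread or from the Emby or certbot projects; it reuses the PFX directory and `openssl pkcs12` options posted earlier in the thread. The hook file name, the `emby` service account and the `emby-server` unit name are assumptions.

```sh
#!/bin/sh
# Added example: certbot deploy hook that rebuilds Emby's PFX after each renewal.
# Assumed location: /etc/letsencrypt/renewal-hooks/deploy/emby-pfx.sh (executable).
# certbot runs deploy hooks with RENEWED_LINEAGE=/etc/letsencrypt/live/<domain>.

EMBY_SSL_DIR="${EMBY_SSL_DIR:-/opt/emby-server/ssl}"  # directory used in the thread
EMBY_USER="${EMBY_USER-emby}"    # assumed service account; set empty to skip chown
PFX_PASSWORD="${PFX_PASSWORD-}"  # the thread exports with an empty password
export PFX_PASSWORD              # passed via env: so it never shows up in ps output

# convert_lineage <lineage_dir> <dest_dir>: writes <dest_dir>/<domain>.pfx
convert_lineage() {
    lineage=$1
    dest=$2
    domain=$(basename "$lineage")

    # Refuse an incomplete lineage so a failed renewal never replaces a good PFX.
    for f in privkey.pem cert.pem chain.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done

    # mktemp creates the file with mode 0600; build there, then rename atomically.
    tmp=$(mktemp "$dest/.$domain.pfx.XXXXXX") || return 1
    if ! openssl pkcs12 -export -out "$tmp" \
            -inkey "$lineage/privkey.pem" -in "$lineage/cert.pem" \
            -certfile "$lineage/chain.pem" -password env:PFX_PASSWORD; then
        rm -f "$tmp"
        return 1
    fi
    # The PFX holds the private key: readable by the Emby account only.
    if [ -n "$EMBY_USER" ] && id "$EMBY_USER" >/dev/null 2>&1; then
        chown "$EMBY_USER" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$dest/$domain.pfx"
}

# Act only when certbot invoked the hook; otherwise just define the function.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    convert_lineage "$RENEWED_LINEAGE" "$EMBY_SSL_DIR" &&
        systemctl restart emby-server  # assumed unit name and assumed need to restart
fi
```

Running `certbot renew --dry-run` shows whether renewal itself succeeds with the router's current port forwarding.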

Przemek, posted January 27, 2022:

No problem. If I can help you more, just ask.

Regards.