
Emby, SSL, DDns - very confused


gattaca-mcs
Go to solution Solved by cmacfarlane93,


gattaca-mcs

Hi All,

 

I'm a long time user of Plex, I used to pay monthly for it before I got fed up with the cost vs the benefits. 

 

I think I like the look of Emby, what I don't like is the added complications of how you're supposed to make it accessible externally?

 

With Plex I tell my friends to create a free account, then I share my libraries to them.

 

My network is as follows,

 

Virgin Broadband (200mb down, 20mb up)

pfSense firewall (hardware)

HP Gen8 microserver,

ESXi hypervisor

linux ubuntu vm running emby

 

I've successfully configured DDNS on my pfsense box between it and no-ip with a random free host name.

I've rather unsuccessfully destroyed my 'lets encrypt' chances and tried too many times and failed to install the SSL.

 

I also happen to own 2 paid for domains I'm happy to use if it helps - hosted with Fasthosts. 

 

I'm just at a complete loss, this was much easier in Plex.

 

The reason for wanting to move is a) Emby seems quicker b) the plex interface is so clunky c) I want to use Kodi devices as streamers, and then multiple devices/users.

 

Any help appreciated.

@cayars


Hi there, what exactly are you struggling with? Have you explored the network settings in emby server?


gattaca-mcs

Hi there, what exactly are you struggling with? Have you explored the network settings in emby server?

trying to install an ssl and have external access with a dynamic IP


Q-Droid

trying to install an ssl and have external access with a dynamic IP

 

Were you able to obtain the certs from Lets Encrypt?


gattaca-mcs

Were you able to obtain the certs from Lets Encrypt?

No I got in a right mess and it says I've exceeded some limit and have to wait a week.


Curious, do you have https working with port 8096 with your free domain?

Just to clear up a couple of things which could be causing you issues.

 

Are you using a domain name that you registered such as "carloemby.com" or are you doing something like "carloemby.freedns.com"

One YOU can get a SSL for and one you can't.

 

Now assuming I had registered carloemby.com for my own use I'd be able to setup dns for it and could point the domain to my home router/IP or could use a host name in DNS such as emby.carloemby.com.

 

Depending on which way I go carloemby.com vs emby.carloemby.com would require the SSL to be generated differently.  It's important and maybe best to get your domain (sub domain) working first in Emby with non SSL just to make sure of the URL you'll use to access your box.  Then you know exactly what the URL is and what the domain is to get the SSL for.

 

I tried to keep this generic and maybe you knew all this already.  Feel free to reach out to me via PM with any personal info for help.

 

PS I agree with what you said in your op message.  Emby IS harder to setup than Plex for SSL but it's so much more powerful once you've done it.  No 3rd party servers in the way.  You "own" the users and passwords on your server, no tunneling done that will limit bitrate, etc

  • Like 1
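
The point above about carloemby.com versus emby.carloemby.com needing differently issued certificates comes down to how a certificate's DNS names are matched against the hostname in the URL. The following is an added example, not code from the thread or from Emby; it reuses the thread's placeholder domain customdomain.house, and the certificate shapes and the simplified "at least three labels" wildcard rule are assumptions made for illustration.

```python
# Added example (not from the thread): DNS subjectAltName matching as
# browsers apply it (RFC 6125 rules). The SAN lists are constructed.

def san_covers(san: str, hostname: str) -> bool:
    """Return True if one DNS SAN entry covers hostname."""
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so label counts must match.
    if len(san_labels) != len(host_labels):
        return False
    if san_labels[0] == "*":
        # Only a whole left-most label may be a wildcard. Simplification:
        # require two fixed labels to its right ("*.house" is rejected).
        return len(san_labels) >= 3 and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def cert_covers(sans, hostname: str) -> bool:
    """A certificate is valid for hostname if any SAN entry covers it."""
    return any(san_covers(s, hostname) for s in sans)


# Constructed SAN lists for the certificate shapes discussed in the thread.
CERTS = {
    "apex only": ["customdomain.house"],
    "subdomain only": ["emby.customdomain.house"],
    "wildcard": ["*.customdomain.house"],
    "wildcard + apex": ["*.customdomain.house", "customdomain.house"],
}
HOSTS = ["customdomain.house", "emby.customdomain.house",
         "tv.emby.customdomain.house"]


def coverage():
    """Map each certificate shape to the hostnames it is valid for."""
    return {name: [h for h in HOSTS if cert_covers(sans, h)]
            for name, sans in CERTS.items()}


if __name__ == "__main__":
    for name, hosts in coverage().items():
        print(f"{name:16} -> {hosts}")
```
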

Q-Droid

No I got in a right mess and it says I've exceeded some limit and have to wait a week.

 

If you're using certbot you can run it against Letsencrypt's staging servers using the --test-cert option, it has much higher rate limits. The cert wouldn't be valid but you can get the commands sorted out before hitting the prod servers for the real cert. But to me, if you hit their weekly limit then it sounds like they did issue the cert. And if you have one then the installation is pretty easy.

 

There are other free cert options out there but I haven't tried them. 


mastrmind11

cloudflare will also give you a free cert that you can configure for your domain.

  • Like 1

gattaca-mcs

I was struggling also and found this guide to be extremely useful: https://blog.awelswynol.co.uk/2018/01/setting-up-cloudflare-with-emby

 

Thanks to those of you that mentioned Cloudflare.

 

I can't say I was too happy about having to change my name servers from my domain registrar to Cloudflare, but it is what it is.

 

So as mentioned above I have a dynamic external IP. and I use pfsense as a firewall/router. I found this guide quite helpful - https://computersandsecurity.wordpress.com/2017/08/08/pfsense-cloudflare-and-dynamic-dns/

 

I have successfully moved my name servers to Cloudflare, setup an A record of emby.customdomain.house and on my pfsense firewall configure 'Dynamic DNS' to link into the API of Cloudflare and update that A record. 

 

I've purchased an SSL cert from my domain registrar which is useless, so that was a waste of £30. it's locked to customdomain.house with no wildcard or no subdomain seemingly allowed.

 

Looking at Cloudflare it seems they include a nice SSL option. however I'm struggling to set it up.  I'm also using the HAProxy on pfSense to try and route the traffic through, which seems to work, but I'm getting a lot of SSL errors 'insecure' etc.

 

I 'think' it will be nice when it's set up, but this is crazy complicated. (I appreciate to a degree that is down to my setup)


Cloudflare without pfsense is pretty easy to setup.

 

Maybe get it working without pfsense first then put that back in the middle once you've figured out both the Cloudflare and Emby side of SSL ?


Q-Droid

Thanks to those of you that mentioned Cloudflare.

 

I can't say I was too happy about having to change my name servers from my domain registrar to Cloudflare, but it is what it is.

 

So as mentioned above I have a dynamic external IP. and I use pfsense as a firewall/router. I found this guide quite helpful - https://computersandsecurity.wordpress.com/2017/08/08/pfsense-cloudflare-and-dynamic-dns/

 

I have successfully moved my name servers to Cloudflare, setup an A record of emby.customdomain.house and on my pfsense firewall configure 'Dynamic DNS' to link into the API of Cloudflare and update that A record. 

 

I've purchased an SSL cert from my domain registrar which is useless, so that was a waste of £30. it's locked to customdomain.house with no wildcard or no subdomain seemingly allowed.

 

Looking at Cloudflare it seems they include a nice SSL option. however I'm struggling to set it up.  I'm also using the HAProxy on pfSense to try and route the traffic through, which seems to work, but I'm getting a lot of SSL errors 'insecure' etc.

 

I 'think' it will be nice when it's set up, but this is crazy complicated. (I appreciate to a degree that is down to my setup)

 

You're taking yourself down an overly complicated rabbit hole and getting deeper. Now that you've chosen Cloudflare let that be your proxy and get some of the other stuff out of the way. HAProxy is a good TCP load balancer but to use it as an HTTP proxy you have to account for everything, unlike others like Nginx which is a native HTTP server and proxy options are simpler.

 

Use Cloudflare DNS, proxy and SSL. If you can get an origin cert from Cloudflare you should also use that to encrypt your entry point.


gattaca-mcs

Cloudflare without pfsense is pretty easy to setup.

 

Maybe get it working without pfsense first then put that back in the middle once you've figured out both the Cloudflare and Emby side of SSL ?

 

So ignoring HAProxy for a moment.

 

I've set up a pfsense NAT rule:

 

5ee0c1a1de6f3_NATRule.png

 

and when accessing externally I'm getting an SSL error still:

 

5ee0c1e39574c_SSLerror.png

 

I feel very silly not being able to get this to work, but SSL certs were never my strong point.


Did you take the cloudflare cert and convert it to the proper format?


If you want a hand send me a PM and we can setup a TeamViewer session.  I can likely help you get this fixed up in just a few minutes assuming you have most of Cloudflare already setup.

 

Carlo

  • Like 1

Q-Droid

To make sure the topology is clear to you:

 

Internet <--> Cloudflare SSL (your public domain) <--> Your public IP (WAN) <--> Emby (LAN) SSL origin cert for HTTPS

 

IF you choose to have a reverse proxy on the pfSense side then the origin cert could go there instead. But keep it simple for now.

 

The origin cert is to encrypt your WAN entry point and only for Cloudflare to use. You have origin in the correct place but also need to configure the public domain SSL cert on the Cloudflare public side.

  • Like 1
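
A check for which hop of the topology above clients actually reach, as an added example that is not from the thread. A Cloudflare origin certificate is signed by Cloudflare's own origin CA, which browsers do not trust, so it only works when the public name resolves to Cloudflare's edge rather than to the WAN IP. The network list is a subset of Cloudflare's published ranges and the sample addresses are constructed (documentation ranges stand in for the WAN IP).

```python
import ipaddress
import socket

# Assumption: a subset of Cloudflare's published edge ranges; refresh the
# list from https://www.cloudflare.com/ips/ before relying on it.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13",
    "162.158.0.0/15", "173.245.48.0/20", "188.114.96.0/20")]


def resolve(hostname: str):
    """IPv4 addresses the public name resolves to (needs network access)."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET,
                               socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def classify(resolved, wan_ip: str):
    """Say which hop clients connect to and which certificate they see."""
    addrs = [ipaddress.ip_address(a) for a in resolved]
    if addrs and all(any(a in net for net in CLOUDFLARE_NETS) for a in addrs):
        return ("proxied", "browser sees Cloudflare's edge certificate; "
                "only Cloudflare sees the origin certificate")
    if ipaddress.ip_address(wan_ip) in addrs:
        return ("dns-only", "browser connects straight to the WAN IP and is "
                "shown whatever certificate Emby serves")
    return ("stale", "record points at neither Cloudflare nor the WAN IP; "
            "check the dynamic DNS update")


# Constructed lookups; 203.0.113.7 stands in for the home WAN address.
WAN_IP = "203.0.113.7"
SAMPLES = {
    "proxied record": ["104.16.10.20", "172.64.3.4"],
    "DNS-only record": ["203.0.113.7"],
    "old address": ["198.51.100.23"],
}

if __name__ == "__main__":
    for label, ips in SAMPLES.items():
        state, meaning = classify(ips, WAN_IP)
        print(f"{label:16} {state:9} {meaning}")
```

To run it against a live name, pass `resolve("your.hostname")` and your current WAN address to `classify`.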

gattaca-mcs

To make sure the topology is clear to you:

 

Internet <--> Cloudflare SSL (your public domain) <--> Your public IP (WAN) <--> Emby (LAN) SSL origin cert for HTTPS

 

IF you choose to have a reverse proxy on the pfSense side then the origin cert could go there instead. But keep it simple for now.

 

The origin cert is to encrypt your WAN entry point and only for Cloudflare to use. You have origin in the correct place but also need to configure the public domain SSL cert on the Cloudflare public side.

Hi, thanks for comment.

 

I generally get the basic layout (as you've pointed out). and I 'think' I have set that up... 

 

....that's odd - I've just tried it again externally and now that aspect is working.

 

5ee0d989dbd2a_Screenshot20200610at140013

 

progress of sorts I guess


gattaca-mcs

If you want a hand send me a PM and we can setup a TeamViewer session.  I can likely help you get this fixed up in just a few minutes assuming you have most of Cloudflare already setup.

 

Carlo

 

OK so Carlo Teamviewered over to a virtual machine my side to take a look, and strangely the SSL has all magically fallen into place and started working! So that part was quite easy!

 

Carlo was able to setup some page rules in Cloudflare to help with caching and speeding up reloading which was very kind and helpful.

 

Now I can get on testing and learning about other features within Emby!

 

Thanks for everyone's comments and help.

  • Like 2

  • 3 months later...
gattaca-mcs

well it broke. I can't for the life of me work out how to make this work again. I really like emby as a product, but these unbearable endless SSL issues are driving me insane. there's beer money up for grabs if someone can remote over and sort this out. I'm just fed up. it's not available externally again.


cmacfarlane93
6 minutes ago, gattaca-mcs said:

well it broke. I can't for the life of me work out how to make this work again. I really like emby as a product, but these unbearable endless SSL issues are driving me insane. there's beer money up for grabs if someone can remote over and sort this out. I'm just fed up. it's not available externally again.

Did your IP address change? Check your current IP and check the DNS records in CloudFlare


gattaca-mcs
3 minutes ago, cmacfarlane93 said:

Did your IP address change? Check your current IP and check the DNS records in CloudFlare

It just keeps breaking... like weekly. it's a joke. 

My external IP doesn't really ever change. Cloudflare says my A record is pointing at the correct IP. If I try and ping it, it doesn't work; if I do an nslookup it replies with my external IP.

It could be this time that pfsense has gone wrong. idk it's all too complicated for me.


41 minutes ago, gattaca-mcs said:

well it broke. I can't for the life of me work out how to make this work again. I really like emby as a product, but these unbearable endless SSL issues are driving me insane. there's beer money up for grabs if someone can remote over and sort this out. I'm just fed up. it's not available externally again.

Beer, did I hear beer money? LOL
Kidding aside, If I got it working for you previously I'm sure I can do it again. BUT the question I have is what changed on your side?

I help so many people that I don't remember your setup specifically but based on a quick re-read of this thread you have:

DNS->CloudFlare->WAN Router->ESXi->PFSense->Linux/Emby (is this correct?)
So many places for things to break with the slightest change in setup if not really careful.
Just spinning up a new VM if not careful can bring you down or making a change in pfSense that changes a rule!

Refresh me on your setup:
Is your router setup in Bridge mode or NAT?
Does the machine running ESXi have a static IP?
Is PFSense running under ESXi and if so with a Static IP on the same or different LAN segment?
Is Emby running under ESXi and if so with a Static IP on the same or different LAN segment?
If YES for the previous two questions are they on the same VM or different?

Do you need to run Emby in ESXi (if it's running there)?
Do you actually need to run pfSense and if so for what purpose?

 

 

 

Edited by cayars
