
My adventures getting an SSL cert for HTTPS access, problems I ran into and how to deal with them


cn0r


Hey everyone, I wanted to post this due to what I feel is a lack of simple/easy to access posts on the topic. 

Other people with much more knowledge than I have posted on it before, but I want to post for people who have 0 interest in buying/maintaining a private domain or a private website, are relatively uncomfortable with command line tools, and just want to get an SSL cert with as little effort as possible. 

So I repeat: this guide is for people who are migrating from Plex (which automatically grants SSL certs) and who want to get an SSL cert on Emby as quickly as humanly possible with minimal effort, without purchasing a domain name, only using free SSL certs, and with minimal/no costs elsewhere. 

The overall easiest solution, if you have an ASUS router, is having that router function as a "reverse proxy" and handle the SSL cert for you after getting an ASUS DDNS. The overall cost is free, assuming you have an ASUS router, and it auto-renews. This option won't work for everyone, unfortunately, as it requires you to have an ASUS router. 

The second cheapest/quickest option I've found is ZeroSSL, combined with a DDNS service with an email forwarding option. I don't use anything other than ASUS and No-IP for my DDNS services so I can't comment on how others function price-wise, but No-IP allows email forwarding services for $10/year, a cost that can be reduced to a few dollars once you add on a coupon.  

You can attach your free No-IP DDNS domain (one that you renew every 30 days) to this service and get forwarded emails to verify your domain from ZeroSSL, as they offer domain verification via email, and then you can get a certificate from them renewed every 30 days. Once you get your cert from ZeroSSL, you can easily convert it to an Emby-friendly PFX format. 

The last option I've used was creating a test website using Windows IIS alongside my DDNS as a way to get the cert. This option assumes you have Windows 10 Pro, so that you have access to Windows IIS. 

You need to make sure ahead of time that you have the correct ports forwarded from your router, and that those ports are open in your firewall, but I'm going to assume everyone has done that. Something that I've seen very few people comment on online is that Windows IIS is not configured to do ACME challenges by default. I kept trying to do this with a test site and Certify The Web's GUI client, only for it to see the site, but not be able to read the ACME challenge. 

You have to manually add in a new "MIME Type" for the ACME challenge to be visible and certify properly. Add the MIME type where you enter "." in the file name extension field, then for MIME type add in "text/plain ." (the period at the end of 'text/plain .' is important, don't do 'text/plain'). 

[Screenshot: adding the MIME type in Internet Information Services (IIS) Manager]

 

After fixing this issue, I was thrilled to finally get the cert!

[Screenshot: certificate issued in Certify SSL/TLS Certificate Management Community Edition]

 

If/when I feel like doing this test-site and SSL cert test with a virtual machine program or website stack like VirtualBox with Bitnami, I'll post about that as well if anyone is interested. 
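The PFX conversion step mentioned in the post, as an added example that is not part of the original post. It assumes OpenSSL is installed and that the downloaded files are named certificate.crt, private.key and ca_bundle.crt; those names, emby.pfx and the PFX_PASS variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). File names are assumptions:
# downloads named certificate.crt, private.key and ca_bundle.crt.

# Succeeds only when the private key belongs to the certificate, by comparing
# the public key extracted from each. Catches a mixed-up key before export.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_pfx CERT KEY CHAIN OUT
# CHAIN may be "" when there is no intermediate bundle. The PFX password is
# read from the PFX_PASS environment variable so it never appears in argv.
make_pfx() {
    local cert="$1" key="$2" chain="$3" out="$4"
    [ -n "${PFX_PASS:-}" ] || { echo "set PFX_PASS first" >&2; return 1; }
    key_matches_cert "$cert" "$key" || {
        echo "private key does not match certificate" >&2
        return 1
    }
    # Build the openssl argument list; add the CA bundle only when given.
    set -- -export -in "$cert" -inkey "$key" -out "$out" -passout env:PFX_PASS
    [ -n "$chain" ] && set -- "$@" -certfile "$chain"
    # umask 077 keeps the bundle (it contains the private key) owner-only.
    ( umask 077; PFX_PASS="$PFX_PASS" openssl pkcs12 "$@" ) || return 1
    # Read the bundle back with the same password to confirm it is usable.
    PFX_PASS="$PFX_PASS" openssl pkcs12 -in "$out" -passin env:PFX_PASS \
        -noout 2>/dev/null
}

# Usage (assumed file names):
#   PFX_PASS='choose-a-password'
#   make_pfx certificate.crt private.key ca_bundle.crt emby.pfx
```

The resulting file and the password chosen for it are what the server's certificate path and certificate password settings expect.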

 

 

 

