ginjaninja, posted March 6, 2021:

Couldn't find guidance for configuring auto SSL renewal without a web service/reverse proxy, so this experience may help. It's not step by step, but it does show what's possible, to prevent an early throwing in of the towel.

The Certify The Web client seems very robust and flexible and supports export in Emby's PKCS#12 format with a few authorities and a multitude of dynamic DNS providers (for validating certificate requests on domains). I used Dynu DDNS and ZeroSSL, and this guide for getting started.

The linked guide and other posts left me thinking that free certificates with 90-day expiry are a ball ache to manage without a web service; the Certify The Web client (CTW) makes certificate auto-renewal and export in an Emby-compatible format much more appetising, even without a web service.

General considerations:
- Dynu and ZeroSSL provide API keys in their respective UIs, which need to be added to CTW.
- Add your dynamic DNS domain here.
- Specify the password for the .pfx here and here.
- Add your DDNS credentials for domain validation here.
- No deployment necessary.
- Export tasks can export in Emby's preferred PKCS#12 format and use the password from above.

Note the above is more about getting it to work than any "recommendation on best certificate / security practice"; I can't speak to that.
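The export step that post relies on, as an added example (not code from Certify The Web, Emby, or the poster): a POSIX shell post-renewal hook for Linux/macOS that packages the PEM certificate and key an ACME client leaves behind into the password-protected PKCS#12 (.pfx) bundle Emby loads, refuses a key that does not belong to the certificate, checks that the bundle opens before swapping it into place, and includes the expiry check a cron job would run against 90-day certificates. It assumes the openssl CLI is installed; the file names, the password file and the self-signed demo certificate (a constructed stand-in for a CA-issued one) are all hypothetical.

```shell
#!/bin/sh
# Added example: post-renewal hook producing the PKCS#12 bundle Emby expects.
# Not CTW's or Emby's own code. Assumes the openssl CLI; all paths are hypothetical.
set -eu

# make_emby_pfx FULLCHAIN.pem PRIVKEY.pem OUT.pfx PASSWORD_FILE
make_emby_pfx() {
    fullchain="$1" privkey="$2" out="$3" passfile="$4"
    tmp="$out.tmp.$$"

    # Refuse to package a key that does not belong to the certificate
    # (the classic failure when two renewals race or paths get mixed up).
    cert_pub=$(openssl x509 -in "$fullchain" -noout -pubkey)
    key_pub=$(openssl pkey -in "$privkey" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }

    # Read the export password from a file so it never shows up in `ps` output.
    openssl pkcs12 -export -in "$fullchain" -inkey "$privkey" \
        -out "$tmp" -passout "file:$passfile"
    chmod 600 "$tmp"

    # Prove the bundle opens with that password, then replace atomically so Emby
    # never reads a half-written file on its next reload.
    openssl pkcs12 -in "$tmp" -noout -passin "file:$passfile"
    mv "$tmp" "$out"
}

# will_expire_within CERT.pem SECONDS: succeeds if the cert expires inside the window.
# This is the cron-side check that makes 90-day certificates manageable.
will_expire_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# make_demo_cert DIR: constructed stand-in for a CA-issued cert (self-signed, 90 days)
make_demo_cert() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=emby.example.test" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
}

# demo: run the hook end to end against the constructed cert in a temp dir
demo() {
    d=$(mktemp -d)
    make_demo_cert "$d"
    (umask 077; printf 'change-me' > "$d/pfx.pass")   # hypothetical export password
    make_emby_pfx "$d/fullchain.pem" "$d/privkey.pem" "$d/emby.pfx" "$d/pfx.pass"
    if will_expire_within "$d/fullchain.pem" $((30 * 86400)); then
        echo "renew now"
    else
        echo "bundle written to $d/emby.pfx; renewal not yet due"
    fi
    rm -rf "$d"
}

demo
```

In real use, point the ACME client's deploy/renew hook at make_emby_pfx with the real fullchain.pem and privkey.pem, set Emby's certificate path to the .pfx and give Emby the same password that is in the password file; the self-signed certificate built by demo exists only so the script runs offline. The password file should be readable by the hook's user alone, which is what the umask 077 subshell arranges for the demo.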
AgostinoMedia, posted April 24, 2021:

Emby should make it so I can just connect to Alexa without all this hassle of creating an SSL certificate, like Plex does, for example. What a headache!
Luke, posted April 24, 2021:

26 minutes ago, AgostinoMedia said: "Emby should make it so I can just connect to Alexa without all this hassle of creating an SSL certificate, like Plex does, for example. What a headache!"

They're able to do that by routing requests through their own servers, whereas we're taking a more privatized/personal approach to your media server.
AgostinoMedia, posted April 24, 2021:

I do understand and appreciate that, but it is a little disappointing, especially if I signed up for Premiere. Thanks.
ginjaninja (thread author), posted April 25, 2021 (edited April 25, 2021):

Technically, couldn't Emby provide a DNS service and a wildcard certificate supporting subdomains to Premiere customers (without intruding into customer privacy)?

At startup/intermittently, an "Emby server with Premiere subscription" could register/update an IP address (the public IP of the Emby server) for an emby.media subdomain via a (to be developed) Emby server function, e.g. embyconnectname.customerservers.emby.media = 62.75.35.212.

The process could fetch Emby's latest wildcard certificate (pfx) for the customerservers subdomain. The wildcard certificate would be valid for embyconnectname.customerservers.emby.media, and the DNS service would ensure the customer's server is publicly resolvable. All customers could use the same wildcard certificate, and that wildcard certificate could be specific to the customerservers subdomain (so as to not interfere with/compromise other areas of Emby's business). I think a certificate provider whose root and intermediate CAs are generally already in clients' trusted authorities would be <$200 per annum.

The only information the customer would be handing over would be the IP of their server (already provided by Emby Connect?), and trusting Emby with its knowledge of the private key on the wildcard certificate the customer server was now using. Customers using the service may have to accept that the private key was probably not that private, being installed on 1000s of customer servers secured by some internal Emby function. Personally I would settle for an insecure but simple function, and maybe a more secure way to store the private key could be found in time. Maybe marking the key as non-exportable might be good enough... maybe a certificate expert can vouch for certificate security when you have access to it on the local machine.

Running your own DNS, or finding a provider that would let your service update a hosted DNS for 1000s of records via an API, might be an area of challenge.
Carlo, posted April 26, 2021:

On 4/25/2021 at 11:16 AM, ginjaninja said: "Technically, couldn't Emby provide a DNS service and a wildcard certificate supporting subdomains to Premiere customers (without intruding into customer privacy)?"

That type of thing is highly frowned upon. Besides, if everyone has the "key", then how secure do you think it is?
rbjtech, posted April 26, 2021:

A different and more secure take is using delegated authority on the Emby-owned TLD domain to create a unique certificate for any other subdomains, i.e. the opposite of a wildcard or multi-domain cert.

I.e. Emby owns embyserver.com; the user has selected their subdomain via an Emby app/plugin (whatever) to be 'fredflix'; Emby can create a unique SSL cert (from, say, Let's Encrypt) for fredflix.embyserver.com, as they own the TLD. Emby would also need to act as a DDNS server to update fredflix.embyserver.com to their home WAN IP.

Obviously Emby LLC ultimately control the creation and renewal of this cert, I get that, but if you want an automated SSL connection out of the box, there is no other way unless you want to create one yourself.
AgostinoMedia, posted April 11, 2023 (edited April 11, 2023):

I tried finding the guide to set this whole thing up again recently, but couldn't find it. Can anyone point me to it? For macOS.
Luke, posted April 12, 2023:

On 4/11/2023 at 7:51 AM, AgostinoMedia said: "I tried finding the guide to set this whole thing up again recently, but couldn't find it. Can anyone point me to it? For macOS."