
Configuring free certificate autorenewal for use with Emby SSL on Windows (No IIS/Reverse Proxy)



ginjaninja

Couldn't find guidance for configuring automatic SSL renewal without a web service/reverse proxy, so this experience may help. It's not step by step, but it does show what's possible, to prevent an early throwing in of the towel.

The Certify The Web client seems very robust and flexible and supports export in Emby's PKCS#12 format, with a few certificate authorities and a multitude of dynamic DNS providers (for validating certificate requests on domains). I used Dynu DDNS and ZeroSSL, and this guide for getting started.

[screenshots]

The linked guide and other posts left me thinking that free certificates with 90-day expiry are a ball ache to manage without a web service; the Certify The Web client (CTW) makes certificate autorenewal and export in an Emby-compatible format much more appetising, even without a web service.

General Considerations

Dynu and ZeroSSL provide API keys in their respective UIs, which need to be added to CTW.

[screenshot]

[screenshot]

Add your dynamic DNS domain here.

[screenshot]

Specify the password for the PFX here...

[screenshot]

...and here.

[screenshot]

Add your DDNS credentials for domain validation here.

[screenshot]

No deployment is necessary.

[screenshot]

Export tasks can export in Emby's preferred PKCS#12 format and use the password from above.

[screenshot]

[screenshot]

Note: the above is more about getting it to work than any "recommendation on best certificate/security practice" - I can't speak to that.

  • Like 1
  • Thanks 1
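Once autorenewal and the PFX export are in place, the check a practitioner wants is whether Emby's HTTPS port is really presenting the renewed certificate, for the DDNS name, with enough validity left. The following is an added example (not code from the post above, from Certify The Web or from Emby): the checks operate on the dict that Python's `ssl.SSLSocket.getpeercert()` returns, so they run offline against a constructed sample certificate, and `probe_server()` does the live handshake. The host name `media.example.dynu.net` and the port 8920 (Emby's default HTTPS port) are placeholders, not taken from the page.

```python
"""Check the certificate an Emby server is actually serving after a renewal.

Added example (not code from the forum post, Certify The Web or Emby).
check_cert() works on the dict that ssl.SSLSocket.getpeercert() returns, so it
runs offline against a constructed certificate; probe_server() does the live
TLS handshake (with chain validation) and feeds the result to the same checks.

Assumptions, not taken from the page: the host name media.example.dynu.net and
port 8920 (Emby's default HTTPS port) are placeholders.
"""
import socket
import ssl
import time
from typing import List, Optional

# With 90-day certificates, treat anything under two weeks as a failed renewal.
MIN_DAYS_LEFT = 14


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single leading wildcard label (*.example.net)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        host_parts = hostname.split(".", 1)
        # The wildcard covers exactly one label, so a.b.example.net must not match.
        return len(host_parts) == 2 and host_parts[0] != "" and host_parts[1] == pattern[2:]
    return False


def san_dns_names(cert: dict) -> List[str]:
    """DNS names from the subjectAltName extension, as getpeercert() reports them."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def days_until_expiry(cert: dict, now: Optional[float] = None) -> float:
    """Days left on the certificate; notAfter is in OpenSSL's text form."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    current = time.time() if now is None else now
    return (expires - current) / 86400.0


def check_cert(cert: dict, hostname: str, now: Optional[float] = None) -> List[str]:
    """Return a list of problems; an empty list means the served cert is fine."""
    problems = []
    names = san_dns_names(cert)
    if not any(hostname_matches(name, hostname) for name in names):
        problems.append(f"{hostname} not covered by SAN {names}")
    left = days_until_expiry(cert, now)
    if left <= 0:
        problems.append("certificate has expired")
    elif left < MIN_DAYS_LEFT:
        problems.append(f"only {left:.1f} days of validity left")
    return problems


def probe_server(host: str, port: int = 8920, timeout: float = 5.0) -> List[str]:
    """Live check: handshake against the system trust store, then check_cert()."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return check_cert(tls.getpeercert(), host)


# Constructed sample in the shape getpeercert() returns (not a real certificate):
# a 90-day certificate issued on 2021-04-25.
SAMPLE_CERT = {
    "subject": ((("commonName", "media.example.dynu.net"),),),
    "subjectAltName": (("DNS", "media.example.dynu.net"), ("DNS", "*.example.dynu.net")),
    "notBefore": "Apr 25 00:00:00 2021 GMT",
    "notAfter": "Jul 24 00:00:00 2021 GMT",
}
# A fixed clock (2021-05-01 00:00:00 UTC) so the offline run is reproducible.
SAMPLE_NOW = ssl.cert_time_to_seconds("May 01 00:00:00 2021 GMT")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_server(sys.argv[1]) or "OK")
    else:
        print(check_cert(SAMPLE_CERT, "media.example.dynu.net", SAMPLE_NOW) or "OK")
```

Run it with the DDNS host name as the only argument to probe a live server; with no argument it evaluates the constructed sample. A handshake failure in `probe_server()` (untrusted chain, wrong name) raises from `wrap_socket` before the checks run, which is the desired behaviour: a self-signed or stale chain should not pass silently.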

  • 1 month later...
AgostinoMedia

Emby should make it so I can just connect to Alexa without all this hassle of creating an SSL certificate. Like Plex does, for example. What a headache!

  • Like 1

26 minutes ago, AgostinoMedia said:

Emby should make it so I can just connect to Alexa without all this hassle of creating an SSL certificate. Like Plex does, for example. What a headache!

They're able to do that by routing requests through their own servers, whereas we're taking a more privatized/personal approach to your media server.


AgostinoMedia

I do understand and appreciate that, but it is a little disappointing especially if I signed up for Premiere. Thanks


ginjaninja

Technically, couldn't Emby provide a DNS service and a wildcard certificate supporting subdomains to Premiere customers (without intruding into customer privacy)?

At startup, or intermittently, an "Emby Server with Premiere subscription" could register/update an IP address (the public IP of the Emby server) for an emby.media subdomain via a (to be developed) Emby Server function.

e.g. embyconnectname.customerservers.emby.media = 62.75.35.212

The process could fetch Emby's latest wildcard certificate (PFX) for the customerservers subdomain.

The wildcard certificate would be valid for embyconnectname.customerservers.emby.media, and the DNS service would ensure the customer's server is publicly resolvable.

All customers could use the same wildcard certificate, and that wildcard certificate could be specific to the customerservers subdomain (so as not to interfere with/compromise other areas of Emby's business).

I think a certificate provider whose root and intermediate CAs are generally already in clients' trusted authorities would be <$200 per annum.

The only information the customer would be handing over would be the IP of their server (already provided by Emby Connect?) and trusting Emby with its knowledge of the private key of the wildcard certificate the customer server was now using.

Customers using the service may have to accept that the private key was probably not that private, being installed on thousands of customer servers and secured by some internal Emby function.

Personally I would settle for an insecure but simple function, and maybe a more secure way to store the private key could be found in time. Maybe marking the key as non-exportable might be good enough... maybe a certificate expert can vouch for certificate security when you have access to it on the local machine.

Running your own DNS, or finding a provider that would let your service update a hosted DNS for thousands of records via an API, might be an area of challenge.

 

 


On 4/25/2021 at 11:16 AM, ginjaninja said:

Technically, couldn't Emby provide a DNS service and a wildcard certificate supporting subdomains to Premiere customers (without intruding into customer privacy)?

That type of thing is highly frowned upon. Besides, if everyone has the "key", then how secure do you think it is?


rbjtech

A different and more secure take is using delegated authority on the Emby-owned TLD domain to create a unique certificate for any other subdomains, i.e. the opposite of a wildcard or multi-domain cert.

i.e.

Emby owns embyserver.com.

The user has selected their subdomain via an Emby app/plugin (whatever) to be 'fredflix'.

Emby can create a unique SSL cert (from, say, Let's Encrypt) for fredflix.embyserver.com, as they own the TLD.

Emby would also need to act as a DDNS server to update fredflix.embyserver.com to their home WAN IP.

Obviously Emby LLC ultimately controls the creation and renewal of this cert (I get that), but if you want an automated SSL connection out of the box, there is no other way unless you want to create one yourself.

  • Like 1
  • Agree 1
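Both the DDNS-provider validation in the opening post (CTW using the Dynu API) and the two hosted designs above (one shared wildcard for `*.customerservers.emby.media` versus a unique certificate per `fredflix.embyserver.com`) come down to the same ACME mechanism: the dns-01 challenge of RFC 8555 section 8.4, where the CA checks a TXT record at `_acme-challenge.<name>` before issuing. The following is an added example, not code from the thread, Certify The Web, Emby or any ACME client, that computes that record from standard-library primitives. The account key and the token are constructed placeholders (a real token comes from the CA); the domain names are the ones used in the thread. Note where the record lands for a wildcard: at the parent name, which is exactly why whoever holds the parent zone, and not the customer, ends up holding the wildcard's key.

```python
"""The ACME dns-01 record behind DNS-provider validation (RFC 8555 section 8.4).

Added example, not code from the forum thread, Certify The Web, Emby or any
ACME client. It computes what an ACME client publishes when a certificate is
validated through a DNS provider's API: a TXT record at _acme-challenge.<name>
whose value is base64url(SHA-256(token "." base64url(thumbprint(account key)))),
with the account-key thumbprint per RFC 7638. Standard library only.

The account key and token below are constructed placeholders, not a real key
or a CA-issued token; the domain names are the ones used in the thread.
"""
import base64
import hashlib
import json
from typing import Tuple


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: hash only the required public members, in lexicographic order,
# serialised with no whitespace. Anything else in the JWK (alg, kid, ...) is ignored.
_REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of a public JWK, base64url-encoded."""
    members = _REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: binds the CA's token to the ACME account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record(identifier: str, token: str, account_jwk: dict) -> Tuple[str, str]:
    """Return (TXT record name, TXT value) for the dns-01 challenge.

    A wildcard identifier (*.example.com) is validated at the name below the
    wildcard: _acme-challenge.example.com. Whoever can write that record in the
    parent zone can obtain the wildcard certificate.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


# Constructed placeholder account key (coordinates are NOT a real P-256 point).
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
    "alg": "ES256",  # not a required member, so it does not affect the thumbprint
}
SAMPLE_TOKEN = "constructed-token-0123456789"  # a real token comes from the CA

if __name__ == "__main__":
    for name in ("*.customerservers.emby.media", "fredflix.embyserver.com"):
        record, value = dns01_record(name, SAMPLE_TOKEN, SAMPLE_JWK)
        print(f"{record}  TXT  {value}")
```

The value is tied to the ACME account key, not to the certificate key, so a DNS provider API credential given to a client such as CTW lets it answer challenges for any name in that zone; scope the API key to the DDNS zone that actually needs it.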

  • 1 year later...
AgostinoMedia

I tried finding the guide to set this whole thing up again recently, but couldn't find it.
Can anyone point me to it?

For macOS.


On 4/11/2023 at 7:51 AM, AgostinoMedia said:

I tried finding the guide to set this whole thing up again recently, but couldn't find it.
can anyone point me to it?

for macOS

 

