ChrisB92 0 Posted September 12, 2022

I am trying to follow the "Secure Your Server" guide on the knowledge base, but it appears the guide is missing some steps when it comes to the SSL certificate. I run into a problem when I get to step 2 in the guide pasted below.

I used "SSL for free" to create my certificate. I entered my domain and selected the manual verification option. However, it DOES NOT give you 2 TXT records. It gives you one CNAME record, which it uses to do the verification. After the verification I believe you're supposed to delete that CNAME record since it is not used again (per the instructions on SSL for Free). So from this point on nothing works since I don't have TXT records to upload to my domain provider.

When I added my CNAME record SSL for Free did successfully verify it, and I downloaded the certificates. I followed the directions to convert the certificate to PKCS#12 and pointed Emby to that certificate. Everything seems to work fine except I cannot connect via https (I believe because I'm missing the 2 TXT files on my domain provider). The connections just time out.

Can someone please help me fill in the gap between the SSL for Free step and obtaining the 2 TXT records needed?

SSL certificate
We will now create Let's Encrypt SSL certificates and add them to your domain. Here is a free service to help with this: SSL for free. Enter your domain on the site, i.e. yourdomain.com, and create a free SSL certificate. Select Manual Verification (DNS) > Manually verify domain. We now have 2 TXT records (step 2 on the SSL for free website). We will copy back the TXT records to the domain provider. Leave the SSL for free page open. We will come back to it.
ChrisB92 0 (Author) Posted September 12, 2022

Update: after doing more research it looks like this guide may have been made prior to SSL For Free merging with ZeroSSL. I don't believe ZeroSSL produces the TXT DNS records required to secure an Emby server anymore. It looks like their certificates are for securing websites hosted through domain providers. I am not sure how to translate this to a private Emby server.
Carlo 4561 Posted September 12, 2022

I've not actually used ZeroSSL, so let me ask you. When they provide the cert, what is the format given to you? Do they provide separate info for the cert and key? If so it should be easy to convert to PK#12 format with the password that is required for Emby use. I think most people around here use https://letsencrypt.org/ or a cert from Cloudflared, so it's easier to get feedback from other users. I know I've used both of those, but for the most part a cert is a cert; it's just a UI difference to get to the info. Did you convert the cert to PK#12 format for Emby use?
ChrisB92 0 (Author) Posted September 12, 2022

They give you a zip file with ca_bundle.crt, certificate.crt, and private.key. I was able to successfully convert these to a certificate.pfx by supplying SSL Converter with those 3 files. I pointed Emby to the certificates and supplied the password. Emby switched to https://mydomain.com:8920, like explained in the guide. However, I'm missing the public key to add to my domain (I'm using godaddy.com). That's where I get stuck. I'm a little new to domains and how to set them up, but I believe without a TXT file in my domain with the public key, no one can connect to my Emby server using https. It seems to simply time out on every browser and app. In reading the guide it seems like I should be getting the public key (for the DNS records) during step 2, but it's not working.
Q-Droid 989 Posted September 13, 2022

DNS is for name to IP resolution. The certs are what you need for HTTPS. As long as your cert subject CN or SAN matches your domain name in GoDaddy, that's all you need. The TXT records are for domain validation during certificate issuance, used only once and not after that. Nothing ties your system or the certs to the TXT record; it's temporary.
Carlo 4561 Posted September 13, 2022

Did you create a subdomain like media.domain.ext and then generate the cert for it? Did you set up a wildcard cert for the whole domain?

I would try this. Turn on Debug mode from the log menu and then restart Emby Server. Give it a minute or two to load up everything and write out all the log. Debug mode is very verbose with lots of write activity, so the startup will take a couple of minutes before it settles down. Turn debug mode back off as we only wanted it for the startup. Look through it for any errors related to the cert or your domain. You can use the browser find function (CTRL-F) and search for "cert" or your domain name.

Carlo
ChrisB92 0 (Author) Posted September 13, 2022

Do you need a subdomain for it to work? Right now I just have it pointing to my main domain (since I don't have any other servers on the domain) and I can log in using http.

No joy on the logs. I've tried it several times and it doesn't include "cert" anywhere.

I gave up on ZeroSSL and tried openssl using the following guide: https://www.adamintech.com/how-to-configure-emby-for-https/

sudo openssl req -newkey rsa:2048 -keyout emby_key.pem -sha256 -nodes -x509 -days 700 -out emby_crt.pem
sudo openssl pkcs12 -export -inkey emby_key.pem -in emby_crt.pem -out emby.p12

emby_key.pem and emby.p12 did not look right to me. I changed it to emby_key.key and emby.pfx. Then I tried various combinations of the .pem and .pfx with no joy. I tried changing the owner of the emby.pfx and also chmod 777, but those didn't work either. Also tried port forwarding 443 and 8920 along with moving the server outside my firewall. None of these made any difference. Browsers still time out when using https. Starting to think Emby doesn't actually support https.

I found another guide in a different language that contains these commands for Let's Encrypt:

./letsencrypt-auto certonly -a standalone -d emby.domain.fr
cd /etc/letsencrypt/live/emby.domain.fr/
openssl pkcs12 -inkey privkey.pem -in fullchain.pem -export -out emby.pfx

Looks like they are using an emby subdomain? Is this necessary?
Q-Droid 989 Posted September 13, 2022

Go back to where you were in your third post. Put that pfx file back in place. Then restart your server and attach the newest embyserver log to this thread.
ChrisB92 0 (Author) Posted September 13, 2022

Okay, original certs converted and linked to Emby. embyserver.txt
Luke 42078 Posted September 13, 2022

29 minutes ago, ChrisB92 said:
Okay, original certs converted and linked to Emby. embyserver.txt

Are you all set now?
Q-Droid 989 Posted September 13, 2022

The server is happy with the certs and binding on the HTTPS port.

2022-09-13 17:52:04.582 Info App: Adding HttpListener prefix http://+:8096/
2022-09-13 17:52:04.583 Info App: Adding HttpListener prefix https://+:8920/

So now from a browser on your LAN and using your local server IP/hostname go to https://<your server IP or hostname>:8920

If it responds then click through any security errors in the browser. Advanced -> proceed to site... or the like. Then click on the Not Secure icon in the nav bar and view/open the cert. Verify the CN (common name) is correct for your domain.

If that looks good then try to open Emby in a browser using https://<your domain>:8920. If you can't from your LAN you can try a mobile browser not on Wifi, using mobile data.

If these don't work then look through the Remote Setup guide (https://support.emby.media/support/solutions/articles/44002137137-remote-setup) because you may need to get the network connectivity sorted next.
ChrisB92 0 (Author) Posted September 14, 2022

Doesn't connect from LAN or WAN, wifi or no wifi. Same problem: http connects, https times out. Wondering if it has to do with the fact this machine is a virtual machine. I did a bridge though, so it's got its own IP on the LAN and its own firewall rules.
Q-Droid 989 Posted September 14, 2022 Posted September 14, 2022 (edited) Are those firewall rules allowing port 8920 the same way 8096 is allowed? You could try these from an ssh/terminal session on the host to make sure Emby is responding at least locally to https requests. openssl s_client -connect `hostname`:8920 <--- those are backticks ` Hit enter to close the connection after "---" on the screen. The important thing is to see if it connects and your certs look right. You're looking for something like: subject=/CN=<your domain> issuer=<probably zerossl or something> Can also try wget. wget https://`hostname`:8920 --no-check-certificate <--- also backticks ` If these work then you'll have to get the VM/networking/firewall fixed so that you can connect from within your LAN then move out to the WAN. Edit: Or use localhost:8920 instead of `hostname`:8920. Edited September 14, 2022 by Q-Droid