Guide - SSL Qnap certificate and Emby (manual and automatic)

[Luke 42286]

5 hours ago, renefw said:

How is this link supposed to help me?

I pinged @sa2000to jump in and provide his expertise.

[sa2000 703]

On 04/04/2026 at 10:15, renefw said:

Do you mean via SSH terminal? I don't even know how to debug.

what Luke meant was running the script command lines manually in an ssh terminal session

So you would login and then do

cd /share/SSL-Certificate

So in that folder if there is a new certificate crt file it would use it 

So assuming there is a valid crt file you need to pick up, you would execute the next command manually in the ssh session and see what gets output back as there may be clues 

You are still in this directory following the cd (note - the orifinal script was referencing this directory " cd /etc/config/QcloudSSLCertificate/cert"

you would execute manually this command line in the ssh session

openssl pkcs12 -export -out emby.p12 -inkey key -in cert -passout pass:

you would have your password for the certificate after the "pass:"

This should create a new "emby.p12"  file

 

(adding a note from the original script notes:

Quote

if you are not root/admin user you'll need to put sudo before the command

 

Edited Wednesday at 05:26 PM by sa2000

[sa2000 703]

Just adapting the command to what you have

cd /share/SSL-Certificate

suggest you rename the exisiting emby.p12 file - to check that a new emby.p12 is created by the next command

 

openssl pkcs12 -export -out emby.p12 -inkey SSLprivatekey.key -in SSLcertificate.crt -passout pass:mykey

 

[renefw 2]

Please tell me how to do that? I don't know how!

Do you mean via SSH terminal? I don't even know how to debug.

[sa2000 703]

1 hour ago, renefw said:

Do you mean via SSH terminal? I don't even know how to debug.

sorry - may be i missed reading some posts. I assumed that if you knew how to run the script then you would have known how to login through ssh

So let us start first by getting putty downloaded and installed on a PC

Then you need to enable SSH on the QNAP NAS - see qnap info here How Do I Access My QNAP NAS using ssh

After you enable ssh, you can logon to the QNAP NAS through ssh using putty and login with QNAP admin account

Once logged in then you can cd to the directory and execute commands and see what errors / info gets displayed

To rename the emby.p12 you just execute the linux command for doing that - you can do this after the "cd" to the directory

A web search would show that you need to do something like "mv emby.p12 emby.p12.old"

so assuming this is the path, command would be first

 

cd /share/SSL-Certificate

then either 

mv emby.p12 emby.p12.old"

or

sudo mv emby.p12 emby.p12.old"

depending on login priviliges

then

openssl pkcs12 -export -out emby.p12 -inkey SSLprivatekey.key -in SSLcertificate.crt -passout pass:mykey

where mykey is your certificate password to set 

Edited 6 hours ago by sa2000

[renefw 2]

Thank you for the detailed reply, Sa2000.

So, I know how to log in via SSH and I can also execute certain commands.

Lukas wrote that I should run the script in a terminal to debug it. My questions were whether by "terminal" he meant access via SSH or how I can open a terminal on the QNAP NAS? Also, I'm not familiar with the term "debugging." I don't know what I'm supposed to do in that regard.

Now, regarding Sa2000: I have SSH enabled and I use it to some extent. Somehow I missed the messages from last Wednesday... I also understand the basics of using PuTTY. Do I absolutely have to rename emby.p12?

When I renewed the SSL certificate about two months ago, I manually executed the `openssl pkc12 -export ...` line. The certificate was then updated. That would probably work again now. However, I don't want to do it that way again because my original problem would remain. This means that my script, which is described in the quoted section of my message from March 29th, still isn't working as intended, and I won't be able to continue troubleshooting for another two months, because that's when the SSL certificate will be renewed.

The problem is that it runs every hour, but it doesn't recognize that the SSL certificate has been renewed, and therefore the `openssl pkcs12 ...` command apparently isn't being executed. My question is, why is this happening? Is there still a small error in the script? If so, what is it?