Luke 42397 Posted April 8 Posted April 8 5 hours ago, renefw said: How is this link supposed to help me? I pinged @sa2000to jump in and provide his expertise.
sa2000 729 Posted April 8 Posted April 8 (edited) On 04/04/2026 at 10:15, renefw said: Do you mean via SSH terminal? I don't even know how to debug. what Luke meant was running the script command lines manually in an ssh terminal session So you would login and then do cd /share/SSL-Certificate So in that folder if there is a new certificate crt file it would use it So assuming there is a valid crt file you need to pick up, you would execute the next command manually in the ssh session and see what gets output back as there may be clues You are still in this directory following the cd (note - the orifinal script was referencing this directory " cd /etc/config/QcloudSSLCertificate/cert" you would execute manually this command line in the ssh session openssl pkcs12 -export -out emby.p12 -inkey key -in cert -passout pass: you would have your password for the certificate after the "pass:" This should create a new "emby.p12" file (adding a note from the original script notes: Quote if you are not root/admin user you'll need to put sudo before the command Edited April 8 by sa2000
sa2000 729 Posted April 8 Posted April 8 Just adapting the command to what you have cd /share/SSL-Certificate suggest you rename the exisiting emby.p12 file - to check that a new emby.p12 is created by the next command openssl pkcs12 -export -out emby.p12 -inkey SSLprivatekey.key -in SSLcertificate.crt -passout pass:mykey
renefw 5 Posted April 10 Posted April 10 Please tell me how to do that? I don't know how! Do you mean via SSH terminal? I don't even know how to debug.
sa2000 729 Posted April 10 Posted April 10 (edited) 1 hour ago, renefw said: Do you mean via SSH terminal? I don't even know how to debug. sorry - may be i missed reading some posts. I assumed that if you knew how to run the script then you would have known how to login through ssh So let us start first by getting putty downloaded and installed on a PC Then you need to enable SSH on the QNAP NAS - see qnap info here How Do I Access My QNAP NAS using ssh After you enable ssh, you can logon to the QNAP NAS through ssh using putty and login with QNAP admin account Once logged in then you can cd to the directory and execute commands and see what errors / info gets displayed To rename the emby.p12 you just execute the linux command for doing that - you can do this after the "cd" to the directory A web search would show that you need to do something like "mv emby.p12 emby.p12.old" so assuming this is the path, command would be first cd /share/SSL-Certificate then either mv emby.p12 emby.p12.old" or sudo mv emby.p12 emby.p12.old" depending on login priviliges then openssl pkcs12 -export -out emby.p12 -inkey SSLprivatekey.key -in SSLcertificate.crt -passout pass:mykey where mykey is your certificate password to set Edited April 10 by sa2000
renefw 5 Posted April 10 Posted April 10 Thank you for the detailed reply, Sa2000. So, I know how to log in via SSH and I can also execute certain commands. Lukas wrote that I should run the script in a terminal to debug it. My questions were whether by "terminal" he meant access via SSH or how I can open a terminal on the QNAP NAS? Also, I'm not familiar with the term "debugging." I don't know what I'm supposed to do in that regard. Now, regarding Sa2000: I have SSH enabled and I use it to some extent. Somehow I missed the messages from last Wednesday... I also understand the basics of using PuTTY. Do I absolutely have to rename emby.p12? When I renewed the SSL certificate about two months ago, I manually executed the `openssl pkc12 -export ...` line. The certificate was then updated. That would probably work again now. However, I don't want to do it that way again because my original problem would remain. This means that my script, which is described in the quoted section of my message from March 29th, still isn't working as intended, and I won't be able to continue troubleshooting for another two months, because that's when the SSL certificate will be renewed. The problem is that it runs every hour, but it doesn't recognize that the SSL certificate has been renewed, and therefore the `openssl pkcs12 ...` command apparently isn't being executed. My question is, why is this happening? Is there still a small error in the script? If so, what is it?
sa2000 729 Posted April 10 Posted April 10 (edited) well, we wanted to establish when it is run manually, if it fails or renews the emby.p12 cert. my suggestion to rename was to ensure you are looking at the new emby.p12 file and not one that existed before when checking its expiry date Running in terminal is just another name for running it in a linux shell session using tools such as putty Debugging is just looking at what commands return and output when executed breaking it up into indivdual commands in my suggest test was to check the result of each command you could run the script manually as well instead of breaking it up you could also change the openssl line to direct the output to a file e.g. changing the openssl line to something like openssl pkcs12 -export -out emby.p12 -inkey SSLprivatekey.key -in SSLcertificate.crt -passout pass:mykey > opensslout.txt and then after the script runs, you would inspect the opensslout.txt file to see if it has any clues that help work out why the emby.p12 file is wrong Edited April 10 by sa2000
renefw 5 Posted April 12 Posted April 12 I renamed the existing emby.p12 file to emby-old.p12 using PuTTY. Then I entered the line including my password. Quote openssl pkcs12 -export -out emby.p12 -inkey SSLprivatekey.key -in SSLcertificate.crt -passout pass:mykey > opensslout.txt There was no error message. The opensslout.txt file was also empty. Then a new emby.p12 file was created with a current certificate. That is, the SSLcertificate.crt file shows "Valid from March 26, 2026 to June 24, 2026". Why doesn't it work via the script? What's wrong with my script that it thinks the content of SSLcertificate.crt hasn't changed, even when the above command line isn't executed, and the check-p12.log file always shows that the certificate key hasn't changed? What can I do to make it work this way?
sa2000 729 Posted April 13 Posted April 13 (edited) 18 hours ago, renefw said: Why doesn't it work via the script? What's wrong with my script that it thinks the content of SSLcertificate.crt hasn't changed, even when the above command line isn't executed, and the check-p12.log file always shows that the certificate key hasn't changed? What can I do to make it work this way? I don't know how the script is executed automatically and what user account it runs under. So your test confirms that running the script individual commands manually in an ssh session works ok but not when it did not when it runs automatically. We have confirmed that individual commands in the script work ok. You could repeat your test again - renaming the emby.p12 once more and instead of running the commands one by one, you just execute the script in the ssh session If that works, then the next troubleshooting would be in looking into how the script is configured to run automatically. Edited April 13 by sa2000
renefw 5 Posted April 13 Posted April 13 Was muss ich in Putty eingeben um mein Script auf diese Weise manuell ausführen zu lassen? I set it up as a crontab. echo "0 * * * * /bin/sh share/SSL-Certificate/CertRenew.sh" >> /mnt/HDA_ROOT/.config/crontab
renefw 5 Posted April 13 Posted April 13 What do I need to enter in PuTTY to run my script manually in this way? Sorry, since I don't speak English, I'm using a translator. Unfortunately, I accidentally copied the first question in German instead of English into the window above. Therefore, here it is again in English.
sa2000 729 Posted April 13 Posted April 13 can you paste the contents of the script file and can you give the absolute filesystem path for the script file is the filepath for the script this /share/SSL-Certificate/CertRenew.sh in putty after you login, can you type these commands pwd ls -ail /share/SSL-Certificate and paste here what is on the screen after typing these commands If you created the script on windows, you will need to run the dos2unix command - did you do that? See section D in the first post in this topic here There is a missing slash character in your command that you pasted for the crontab here I think it should be echo "0 * * * * /bin/sh /share/SSL-Certificate/CertRenew.sh" >> /mnt/HDA_ROOT/.config/crontab To run manually, I would type the following in putty /bin/sh /share/SSL-Certificate/CertRenew.sh but do rename the emby.p12 before you run it so we know if a new one was created
renefw 5 Posted April 18 Posted April 18 In PuTTY I entered the following and the output shown here was displayed: [~] #pwd [~] # ls -ail /share/SSL-Certificate total 559 32 drwxrwxrwx 2 Rene everyone 13 2026-04-18 20:41 ./ 11 drwxrwxrwx 7 admin administrators 45 2026-01-14 05:56 ../ 71 -rwxrwxrwx 1 Rene everyone 816246 2024-04-03 00:48 Anleitung – SSL-Qnap-Zertifikat und Emby (manuell und automatisch) – QNAP – Emby Community.pdf* 70 -rwxrwxrwx 1 Rene everyone 4665 2026-01-21 18:34 Anleitung - SSL-Qnap-Zertifikat und Emby.txt* 81 -rwxrwxrwx 1 admin administrators 498 2026-03-29 18:08 Certificate_Installation.sh* 87 -rwxrwxrwx 1 admin administrators 314 2026-03-29 18:29 CertRene_aktualisiert.sh* 90 -rwxrwxrwx 1 admin administrators 464 2026-03-29 20:14 CertRenew.sh* 75 -rwxrwxrwx 1 admin administrators 31417 2026-04-17 14:00 check-p12.log* 17 -rw-rw-rw- 1 admin administrators 3059 2026-01-22 17:15 emby-alt.p12 78 -rw-rw-rw- 1 Rene everyone 3059 2026-01-22 17:15 emby.p12 79 -rw-rw-rw- 1 Rene everyone 1822 2026-03-26 21:52 SSLcertificate.crt 80 -rw-rw-rw- 1 Rene everyone 3001 2026-03-26 21:52 SSLIntermediateCertificate.crt 82 -rw-rw-rw- 1 Rene everyone 1700 2026-03-26 21:52 SSLprivatekey.key Rene has the rights to the scripts. However, I belong to the administrators group and am also an administrator. I also entered the following command: /bin/sh /share/SSL-Certificate/CertRenew.sh As with the automatic hourly cron job, the only message appearing in the check-p12.log file is that the certificate key has not changed. By the way, thank you so much for your support! What can I try next?
sa2000 729 Posted April 20 Posted April 20 On 18/04/2026 at 21:46, renefw said: In PuTTY I entered the following and the output shown here was displayed so the emby.p12 file showing is old and you did not rename it before running the script? Can you let me see the results of this mv emby.p12 emby.p12.old" ls -ail /share/SSL-Certificate /bin/sh /share/SSL-Certificate/CertRenew.sh ls -ail /share/SSL-Certificate sudo cat /share/SSL-Certificate/check-p12.log if a new emby.p12 is not being created, repeat the steps with "sudo " in front of /bin/sh /share/SSL-Certificate/CertRenew.sh
sa2000 729 Posted April 20 Posted April 20 You have a mixture of different user and group and ownership for files within /share/SSL-Certificate Suggest you are consistent and have either all as being admin:administrators or Rene and everyone access
renefw 5 Posted April 23 Posted April 23 I have now entered the commands. The following was output: Quote 32 drwxrwxrwx 2 Rene everyone 15 2026-04-23 23:00 ./ 11 drwxrwxrwx 9 admin administrators 49 2026-04-22 21:24 ../ 71 -rwxrwxrwx 1 admin administrators 816246 2024-04-03 00:48 Anleitung – SSL-Qnap-Zertifikat und Emby (manuell und automatisch) – QNAP – Emby Community.pdf* 70 -rwxrwxrwx 1 admin administrators 4665 2026-01-21 18:34 Anleitung - SSL-Qnap-Zertifikat und Emby.txt* 81 -rwxrwxrwx 1 admin administrators 498 2026-03-29 18:08 Certificate_Installation.sh* 87 -rwxrwxrwx 1 admin administrators 314 2026-03-29 18:29 CertRene_aktualisiert.sh* 90 -rwxrwxrwx 1 admin administrators 464 2026-03-29 20:14 CertRenew.sh* 75 -rwxrwxrwx 1 admin administrators 36682 2026-04-23 23:00 check-p12.log* 93 -rw-rw-rw- 1 admin administrators 3059 2026-01-22 17:15 emby-alt1.p12 17 -rw-rw-rw- 1 admin administrators 3059 2026-01-22 17:15 emby-alt.p12 78 -rw-rw-rw- 1 admin administrators 3043 2026-04-18 20:57 emby-neu.p12 72 -rw-rw-rw- 1 admin administrators 3059 2026-01-22 17:15 emby.p12 79 -rw-rw-rw- 1 admin administrators 1822 2026-03-26 21:52 SSLcertificate.crt 80 -rw-rw-rw- 1 admin administrators 3001 2026-03-26 21:52 SSLIntermediateCertificate.crt 82 -rw-rw-rw- 1 admin administrators 1700 2026-03-26 21:52 SSLprivatekey.key /bin/sh /share/SSL-Certificate/CertRenew.sh [~] # ls -ail /share/SSL-Certificate total 572 32 drwxrwxrwx 2 Rene everyone 15 2026-04-23 23:00 ./ 11 drwxrwxrwx 9 admin administrators 49 2026-04-22 21:24 ../ 71 -rwxrwxrwx 1 admin administrators 816246 2024-04-03 00:48 Anleitung – SSL-Qnap-Zertifikat und Emby (manuell und automatisch) – QNAP – Emby Community.pdf* 70 -rwxrwxrwx 1 admin administrators 4665 2026-01-21 18:34 Anleitung - SSL-Qnap-Zertifikat und Emby.txt* 81 -rwxrwxrwx 1 admin administrators 498 2026-03-29 18:08 Certificate_Installation.sh* 87 -rwxrwxrwx 1 admin administrators 314 2026-03-29 18:29 CertRene_aktualisiert.sh* 90 -rwxrwxrwx 1 admin administrators 464 2026-03-29 20:14 CertRenew.sh* 75 -rwxrwxrwx 1 admin administrators 36763 2026-04-23 23:13 check-p12.log* 93 -rw-rw-rw- 1 admin administrators 3059 2026-01-22 17:15 emby-alt1.p12 17 -rw-rw-rw- 1 admin administrators 3059 2026-01-22 17:15 emby-alt.p12 78 -rw-rw-rw- 1 admin administrators 3043 2026-04-18 20:57 emby-neu.p12 72 -rw-rw-rw- 1 admin administrators 3059 2026-01-22 17:15 emby.p12 79 -rw-rw-rw- 1 admin administrators 1822 2026-03-26 21:52 SSLcertificate.crt 80 -rw-rw-rw- 1 admin administrators 3001 2026-03-26 21:52 SSLIntermediateCertificate.crt 82 -rw-rw-rw- 1 admin administrators 1700 2026-03-26 21:52 SSLprivatekey.key The certificate key has not changed, however. What should I try in this case? I didn't understand that.
sa2000 729 Posted April 24 Posted April 24 9 hours ago, renefw said: The certificate key has not changed, however. I am not clear as to what script / commands you are running and if you did what I suggested about renaming (mv) of the emby,p12 file so that w see if a new one is created by the script What is emby-new.p12 ? it has a different datestamp showing in the "ls -ail" output I think in each results you give here, it would be best to show each time what commands and what script was run and what the contents of the script file is - by including the output of a "cat " command to show content and also any output / log file content Lets recap - I thought from previous tests we had when manually executing the commands one by one, you did get the emby.p12 file updated with the new certificate data from the new SSLcertificate.crt file and it was only when running the automated script job that this did not true. Did I misunderstand that ? Looking at the ls -ail output above, is the SSLcertifcate.crt which has date stamp of 26 March 2026 correct and new ? and the emby.p12 having datestamp 22 January 2026 suggests it is still the original file
sa2000 729 Posted April 24 Posted April 24 (edited) I have just run a manual one command at a time test on an old QNAP that I have where the certificate path is here /etc/config/QcloudSSLCertificate/cert and the directory contains these 2 files [/etc/config/QcloudSSLCertificate/cert] # ls -ail 1949 drwxrwxrwx 2 admin administ 4096 Apr 24 12:20 ./ 1847 drwxr-xr-x 4 admin administ 4096 Apr 6 2019 ../ 1965 -rw-r--r-- 1 admin administ 1655 Apr 24 12:20 SSLcertificate.crt 1962 -rw-r--r-- 1 admin administ 1704 Apr 24 12:20 SSLprivatekey.key Using putty and executing these 2 commands after logging into the QNAP admin account cd /etc/config/QcloudSSLCertificate/cert openssl pkcs12 -export -out emby.p12 -inkey SSLprivatekey.key -in SSLcertificate.crt -passout pass:abcdef A new emby.p12 file was created and it matches the SSLcertificate.crt and has a pfx password of abcdef So the issue you have is with automating that in a cron job on the QNAP and to execute a script like this. I am going to try and run the .sh script on QNAP and will post the results of my test later today Edited April 24 by sa2000
sa2000 729 Posted April 24 Posted April 24 (edited) 18 hours ago, renefw said: The certificate key has not changed, however. I have now gone through the complete setup on a QNAP including having the script run in a cronjob and it appears to be creating a new emby.p12 file from the crt file I will outline the steps in detail here and they will need adapting. All Tests were done using the QNAP admin login user I modified the script to rename emby.p12 so that we can see if it fails to create a new file. The script is baded on the paths that i chose for the location of the script and has a pfx password of abcdef-change-me So first creating the script file in windows and i have two versions - one with your german text and one with the english text. I called the script files my-qnap-script-de.sh and my-qnap-script-en.sh - which should be changed to have appropriate name German script now="$(date)" cd /etc/config/QcloudSSLCertificate/cert [[ -z `find SSLcertificate.crt -mtime -1` ]] if [ $? -eq 0 ] then echo "Zertifikatschlüssel hat sich nicht geändert - $now" >> /share/HDA_DATA/Public/Scripts/check-p12.log else mv -f emby.p12 emby.p12.old 2>/dev/null openssl pkcs12 -export -out emby.p12 -inkey SSLprivatekey.key -in SSLcertificate.crt -passout pass:abcdef-Ändern-Sie-dies echo "Neues pfx Zertifikat: emby.p12 bei $now erstellt" >> /share/HDA_DATA/Public/Scripts/check-p12.log fi English script now="$(date)" cd /etc/config/QcloudSSLCertificate/cert [[ -z `find SSLcertificate.crt -mtime -1` ]] if [ $? -eq 0 ] then echo "Certificate key has not changed - $now" >> /share/HDA_DATA/Public/Scripts/check-p12.log else mv -f emby.p12 emby.p12.old 2>/dev/null openssl pkcs12 -export -out emby.p12 -inkey SSLprivatekey.key -in SSLcertificate.crt -passout pass:abcdef-Change-This echo "Created new pfx certificate: emby.p12 at $now" >> /share/HDA_DATA/Public/Scripts/check-p12.log fi The path I used for the script in these tests is "/share/HDA_DATA/Public/Scripts/" After creating the files on windows, I then downloaded dos2unix and in a command line window ran this for each of the 2 sh files On windows lines terminate with CR LF as you can see in Notepad++ with view / Show Symbols and after running dos2unix view in Notepad++ The scripts were then copied to the qnap - for my tests, I copied them to Public/Scrips On the QNAP i used for this tests (an old one) - the actual path on the device was "/share/HDA_DATA/Public/Scripts/" Then execute permissions needed to be added chmod +x my-qnap-script-de.sh chmod +x my-qnap-script-en.sh this shows "ls -ail" before and after [/share/HDA_DATA/Public/Scripts] # pwd /share/HDA_DATA/Public/Scripts [/share/HDA_DATA/Public/Scripts] # ls -ail 22315296 drwxrwxrwx 2 SA everyone 4096 Apr 24 15:40 ./ 10485761 drwxrwxrwx 15 SA everyone 4096 Apr 24 12:53 ../ 22315298 -rw-rw-rw- 1 SA everyone 508 Apr 24 15:48 my-qnap-script-de.sh 22315299 -rw-rw-rw- 1 SA everyone 486 Apr 24 15:48 my-qnap-script-en.sh [/share/HDA_DATA/Public/Scripts] # chmod +x my-qnap-script-de.sh [/share/HDA_DATA/Public/Scripts] # chmod +x my-qnap-script-en.sh [/share/HDA_DATA/Public/Scripts] # ls -ail 22315296 drwxrwxrwx 2 SA everyone 4096 Apr 24 15:40 ./ 10485761 drwxrwxrwx 15 SA everyone 4096 Apr 24 12:53 ../ 22315298 -rwxrwxrwx 1 SA everyone 508 Apr 24 15:48 my-qnap-script-de.sh* 22315299 -rwxrwxrwx 1 SA everyone 486 Apr 24 15:48 my-qnap-script-en.sh* Before running the scripts, i made sure the cert directory had the QNAP cert and key files [/share/HDA_DATA/Public/Scripts] # ls -ail /etc/config/QcloudSSLCertificate/cert 1949 drwxrwxrwx 2 admin administ 4096 Apr 24 15:59 ./ 1847 drwxr-xr-x 4 admin administ 4096 Apr 6 2019 ../ 1965 -rw-r--r-- 1 admin administ 1655 Apr 24 12:20 SSLcertificate.crt 1962 -rw-r--r-- 1 admin administ 1704 Apr 24 12:20 SSLprivatekey.key Then testing the script - I tested it in 2 ways, executing the following ./my-qnap-script-de.sh and also tested this way by executing this /bin/sh /share/HDA_DATA/Public/Scripts/my-qnap-script-de.sh The first time, an emby.p12 was created. On subsequent tests, the emby.p12 was moved to emby.p12.old and a new emby.p12 was created - as you can see from the file timestamps showing in "ls -ail" from various test runs [/share/HDA_DATA/Public/Scripts] # ls -ail /etc/config/QcloudSSLCertificate/cert 1949 drwxrwxrwx 2 admin administ 4096 Apr 24 15:59 ./ 1847 drwxr-xr-x 4 admin administ 4096 Apr 6 2019 ../ 1965 -rw-r--r-- 1 admin administ 1655 Apr 24 12:20 SSLcertificate.crt 1962 -rw-r--r-- 1 admin administ 1704 Apr 24 12:20 SSLprivatekey.key 1807 -rw-r--r-- 1 admin administ 2781 Apr 24 15:59 emby.p12 1966 -rw-r--r-- 1 admin administ 2781 Apr 24 15:58 emby.p12.old [/share/HDA_DATA/Public/Scripts] # /bin/sh my-qnap-script-en.sh [/share/HDA_DATA/Public/Scripts] # ls -ail /etc/config/QcloudSSLCertificate/cert 1949 drwxrwxrwx 2 admin administ 4096 Apr 24 16:00 ./ 1847 drwxr-xr-x 4 admin administ 4096 Apr 6 2019 ../ 1965 -rw-r--r-- 1 admin administ 1655 Apr 24 12:20 SSLcertificate.crt 1962 -rw-r--r-- 1 admin administ 1704 Apr 24 12:20 SSLprivatekey.key 1966 -rw-r--r-- 1 admin administ 2781 Apr 24 16:00 emby.p12 1807 -rw-r--r-- 1 admin administ 2781 Apr 24 15:59 emby.p12.old [/share/HDA_DATA/Public/Scripts] # /bin/sh /share/HDA_DATA/Public/Scripts/my-qnap-script-en.sh [/share/HDA_DATA/Public/Scripts] # ls -ail /etc/config/QcloudSSLCertificate/cert 1949 drwxrwxrwx 2 admin administ 4096 Apr 24 16:01 ./ 1847 drwxr-xr-x 4 admin administ 4096 Apr 6 2019 ../ 1965 -rw-r--r-- 1 admin administ 1655 Apr 24 12:20 SSLcertificate.crt 1962 -rw-r--r-- 1 admin administ 1704 Apr 24 12:20 SSLprivatekey.key 1807 -rw-r--r-- 1 admin administ 2781 Apr 24 16:01 emby.p12 1966 -rw-r--r-- 1 admin administ 2781 Apr 24 16:00 emby.p12.old Next I added a line to crontab to run the script at 16:10 daily - the time was just to make sure I did not wait long to check the results echo "10 16 * * * /bin/sh /share/HDA_DATA/Public/Scripts/my-qnap-script-en.sh" >> /etc/config/crontab This should have added a line to /etc/config/crontab which you can verify by doing a "cat /etc/config/crontab" Then restarted crontab crontab /etc/config/crontab && /etc/init.d/crond.sh restart and after it stops and restarts, veryifying as per the original post crontab -l and you can at 16:10 a new emby.p12 was created [/share/HDA_DATA/Public/Scripts] # ls -ail /etc/config/QcloudSSLCertificate/cert 1949 drwxrwxrwx 2 admin administ 4096 Apr 24 16:01 ./ 1847 drwxr-xr-x 4 admin administ 4096 Apr 6 2019 ../ 1965 -rw-r--r-- 1 admin administ 1655 Apr 24 12:20 SSLcertificate.crt 1962 -rw-r--r-- 1 admin administ 1704 Apr 24 12:20 SSLprivatekey.key 1807 -rw-r--r-- 1 admin administ 2781 Apr 24 16:01 emby.p12 1966 -rw-r--r-- 1 admin administ 2781 Apr 24 16:00 emby.p12.old [/share/HDA_DATA/Public/Scripts] # ls -ail /etc/config/QcloudSSLCertificate/cert 1949 drwxrwxrwx 2 admin administ 4096 Apr 24 16:10 ./ 1847 drwxr-xr-x 4 admin administ 4096 Apr 6 2019 ../ 1965 -rw-r--r-- 1 admin administ 1655 Apr 24 12:20 SSLcertificate.crt 1962 -rw-r--r-- 1 admin administ 1704 Apr 24 12:20 SSLprivatekey.key 1966 -rw-r--r-- 1 admin administ 2781 Apr 24 16:10 emby.p12 1807 -rw-r--r-- 1 admin administ 2781 Apr 24 16:01 emby.p12.old [/share/HDA_DATA/Public/Scripts] # and these are the last 4 lines in the check-p12.log file which is in the Scripts directory Created new pfx certificate: emby.p12 at Fri Apr 24 15:59:44 BST 2026 Created new pfx certificate: emby.p12 at Fri Apr 24 16:00:51 BST 2026 Created new pfx certificate: emby.p12 at Fri Apr 24 16:01:32 BST 2026 Created new pfx certificate: emby.p12 at Fri Apr 24 16:10:01 BST 2026 Hope this helps you get it to work Edited April 24 by sa2000
renefw 5 Posted April 26 Posted April 26 (edited) So, the second attempt seems to have worked. I have my browser set to automatically translate English text into German. It translated my English text back into German. However, something seems to have gone wrong this time when posting (submitting the reply), and most of my message was posted back in German. My apologies! I just realized I could have changed that in the message itself. So, here it is. My original message follows, in English as it should be. Edited April 26 by renefw When I posted, most of my text was published in German and not in English as requested. 1
renefw 5 Posted April 26 Posted April 26 It seems I misunderstood you due to the translation (I unfortunately don't speak English) and my limited programming knowledge. Before running the test you suggested on April 18, 2026, at 9:46 AM, I renamed the previously manually updated file emby.p12 (as of April 18, 2026) so that the updated file wouldn't block the subsequent test because it was current. However, I also renamed the old file with the now-expired key from January 22, 2026, back to emby.p12 to see if the file would be updated. If I understood your message from April 23, 2026, at 11:22 AM correctly, you meant that there shouldn't be a file named emby.p12 after the renaming and before the test so that the test would create a new one. With that in mind, I'm now repeating the test. I changed the emby.p12 file using WinSCP, because I couldn't get it to work with the "mv emby.p12 emby.p12.old" command in PuTTY. In fact, it wasn't renamed at all, and the changed filename still contained many extra characters. [~] # ls -ail /share/SSL-Certificate total 572 32 drwxrwxrwx 2 Rene everyone 15 2026-04-26 11:50 ./ 11 drwxrwxrwx 9 admin administrators 49 2026-04-22 21:24 ../ 71 -rwxrwxrwx 1 admin administrators 816246 2024-04-03 00:48 Anleitung – SSL-Qnap-Zertifikat und Emby (manuell und automatisch) – QNAP – Emby Community.pdf* 70 -rwxrwxrwx 1 admin administrators 4665 2026-01-21 18:34 Anleitung - SSL-Qnap-Zertifikat und Emby.txt* 81 -rwxrwxrwx 1 admin administrators 498 2026-03-29 18:08 Certificate_Installation.sh* 87 -rwxrwxrwx 1 admin administrators 314 2026-03-29 18:29 CertRene_aktualisiert.sh* 90 -rwxrwxrwx 1 admin administrators 464 2026-03-29 20:14 CertRenew.sh* 75 -rwxrwxrwx 1 admin administrators 38221 2026-04-26 12:00 check-p12.log* 93 -rw-rw-rw- 1 admin administrators 3059 2026-01-22 17:15 emby-alt1.p12 72 -rw-rw-rw- 1 admin administrators 3059 2026-01-22 17:15 emby-alt2.p12 17 -rw-rw-rw- 1 admin administrators 3059 2026-01-22 17:15 emby-alt.p12 78 -rw-rw-rw- 1 admin administrators 3043 2026-04-18 20:57 emby-neu.p12 79 -rw-rw-rw- 1 admin administrators 1822 2026-03-26 21:52 SSLcertificate.crt 80 -rw-rw-rw- 1 admin administrators 3001 2026-03-26 21:52 SSLIntermediateCertificate.crt 82 -rw-rw-rw- 1 admin administrators 1700 2026-03-26 21:52 SSLprivatekey.key [~] # /bin/sh /share/SSL-Certificate/CertRenew.sh [~] # ls -ail /share/SSL-Certificate total 572 32 drwxrwxrwx 2 Rene everyone 15 2026-04-26 11:50 ./ 11 drwxrwxrwx 9 admin administrators 49 2026-04-22 21:24 ../ 71 -rwxrwxrwx 1 admin administrators 816246 2024-04-03 00:48 Anleitung – SSL-Qnap-Zertifikat und Emby (manuell und automatisch) – QNAP – Emby Community.pdf* 70 -rwxrwxrwx 1 admin administrators 4665 2026-01-21 18:34 Anleitung - SSL-Qnap-Zertifikat und Emby.txt* 81 -rwxrwxrwx 1 admin administrators 498 2026-03-29 18:08 Certificate_Installation.sh* 87 -rwxrwxrwx 1 admin administrators 314 2026-03-29 18:29 CertRene_aktualisiert.sh* 90 -rwxrwxrwx 1 admin administrators 464 2026-03-29 20:14 CertRenew.sh* 75 -rwxrwxrwx 1 admin administrators 38302 2026-04-26 12:49 check-p12.log* 93 -rw-rw-rw- 1 admin administrators 3059 2026-01-22 17:15 emby-alt1.p12 72 -rw-rw-rw- 1 admin administrators 3059 2026-01-22 17:15 emby-alt2.p12 17 -rw-rw-rw- 1 admin administrators 3059 2026-01-22 17:15 emby-alt.p12 78 -rw-rw-rw- 1 admin administrators 3043 2026-04-18 20:57 emby-neu.p12 79 -rw-rw-rw- 1 admin administrators 1822 2026-03-26 21:52 SSLcertificate.crt 80 -rw-rw-rw- 1 admin administrators 3001 2026-03-26 21:52 SSLIntermediateCertificate.crt 82 -rw-rw-rw- 1 admin administrators 1700 2026-03-26 21:52 SSLprivatekey.key [~] # sudo cat /share/SSL-Certificate/check-p12.log Zertifikatschlüssel hat sich nicht geändert - Sun Apr 26 12:49:26 PM CEST 2026 The only output I received was that the certificate key hadn't changed. Furthermore, no new emby.p12 file was created. The emby-new.p12 file, dated April 18, 2026, was created with the correct certificate. This file was generated by our manual test. The emby-old.p12 files, also with the suffix 1 or 2 and dated January 22, 2026, are the old files with the now-expired certificate. I left these in place so I wouldn't have to wait for the current certificate, dated April 18, 2026, to expire sufficiently to be updated, in order to test whether the script works as intended. This means the SSL certificate is automatically renewed with myQNAPcloud. I download it via the Control Panel/SSL Certificates and Private Keys, extract the ZIP file, and save the contained files in my /share/SSL-Certificate directory. The files SSLcertificate.crt, SSLIntermediateCertificate.crt (which apparently aren't needed for conversion to a .p12 file), and SSLprivatekey.key are given a new date stamp and a new key in their respective files. When the script is then run hourly as a cron job, it should automatically check if the .crt and .key files have changed. If a change has occurred, the new certificate should be automatically converted to a .p12 format (i.e., the emby.p12 file should be updated). If no change has occurred, everything remains as it was. Regarding your second question from April 23, 2026 at 11:22 AM: Yes, the SSLcertificate.crt file (along with the two associated files and the date stamp of March 26, 2026) was created by myQNAPcloud on the same day, is current, and valid until June 24, 2026. The emby-alt*.p12 files are also the old ones, for which the certificate has now completely expired. This means they were not, and are not being, automatically renewed by my scripts as hoped, even though the SSLcertificate.crt file has a new date stamp and is no longer January 22, 2026, and therefore the content, including the keys, has changed. I hope this explanation is now clear and understandable for you. Otherwise, please ask again.
renefw 5 Posted April 26 Posted April 26 (edited) I looked at your tests. As I understand it, you tried it with a QNAP using QTS, not QuTS Hero like I did. With QTS, the script worked fully automatically for me. That is, myQNAPcloud renewed the certificate automatically. The cron job also automatically updated the emby.p12 file. Since QuTS Hero no longer has a fixed path (like QTS's `cd /etc/config/QcloudSSLCertificate/cert`), according to QNAP, I will have to manually download the certificate file via Control Panel/SSL Certificates & Private Keys in the future. Unfortunately, your tests didn't help me get it working. What can I do? As I mentioned, I had it running completely automatically for a long time using the instructions at the beginning of this post when I still had QTS installed on my QNAPs. Then I installed QTS Hero on all of them and adjusted the scripts as described, and it no longer ran automatically, but only if I manually converted the certificate in PuTTY. I'm guessing you don't have a QNAP with QuTS hero where you could try it out. Is that correct? Edited April 26 by renefw Addition
sa2000 729 Posted April 27 Posted April 27 (edited) 23 hours ago, renefw said: The cron job also automatically updated the emby.p12 file. Since QuTS Hero no longer has a fixed path (like QTS's `cd /etc/config/QcloudSSLCertificate/cert`), according to QNAP, I will have to manually download the certificate file via Control Panel/SSL Certificates & Private Keys in the future If the directory for the certificate renewed by QNAP changes each time, then that would make it more difficult to automate. But with help from chatGPT for someone who is not a linux guru - i have come up with the following alternative script - you can adapt this script and cut back on some of the logging. The emby.p12 will be in the directory where the script is #!/bin/sh now="$(date)" # Password for exported PFX PFX_PASSWORD="YourPFXPassword" # Output file PFX_FILE="/share/HDA_DATA/Public/Scripts/emby.p12" # Log file PFX_Log="/share/HDA_DATA/Public/Scripts/check-p12.log" # Automatically locate the active certificate CERT_DIR=$(getcfg System "Web Certificate" -f /etc/config/uLinux.conf 2>/dev/null) if [ -n "$CERT_DIR" ] && [ -f "$CERT_DIR/SSLcertificate.crt" ] && [ -f "$CERT_DIR/SSLprivatekey.key" ]; then CRT_FILE="$CERT_DIR/SSLcertificate.crt" KEY_FILE="$CERT_DIR/SSLprivatekey.key" else echo "$now - Configured certificate not found, searching for newest certificate..." >> $PFX_Log CRT_FILE=$(find /mnt -type f -name "SSLcertificate.crt" 2>/dev/null \ | xargs ls -t 2>/dev/null \ | head -n 1) if [ -z "$CRT_FILE" ]; then echo "$now - No certificate file found." >> $PFX_Log exit 1 fi CERT_DIR=$(dirname "$CRT_FILE") KEY_FILE="$CERT_DIR/SSLprivatekey.key" echo "CERT_DIR: $CERT_DIR" >> $PFX_Log echo "CRT_FILE: $CRT_FILE" >> $PFX_Log echo "KEY_FILE: $KEY_FILE" >> $PFX_Log if [ ! -f "$KEY_FILE" ]; then echo "$now - Private key not found: $KEY_FILE" >> $PFX_Log exit 1 fi fi [[ -z `find $CRT_FILE -mtime -1` ]] if [ $? -eq 0 ] then echo "$now - Certificate key has not changed" >>$PFX_Log else echo "$now - Using certificate directory: $CERT_DIR" >> $PFX_Log echo "$now - Certificate: $CRT_FILE" >> $PFX_Log echo "$now - Private Key: $KEY_FILE" >> $PFX_Log # Build the OpenSSL command OPENSSL_CMD="openssl pkcs12 -export \ -out \"$PFX_FILE\" \ -inkey \"$KEY_FILE\" \ -in \"$CRT_FILE\" \ -passout pass:$PFX_PASSWORD" # rename existing pfx file mv -f $PFX_FILE $PFX_FILE.old 2>/dev/null # Execute eval "$OPENSSL_CMD" if [ $? -eq 0 ]; then echo "$now - PFX successfully created: $PFX_FILE" >> $PFX_Log else echo "$now - PFX creation failed." >> $PFX_Log exit 1 fi fi 23 hours ago, renefw said: I'm guessing you don't have a QNAP with QuTS hero where you could try it out. Is that correct? Correct. Edited April 27 by sa2000
renefw 5 Posted April 29 Posted April 29 Since the QuTS hero certificate directory changes every time, it no longer works completely on its own. Under these circumstances, it would be sufficient for me to manually download only the updated certificate and save it under /share/SSL-Certificate. The rest should work automatically. Unfortunately, it doesn't. I have now adapted the script as follows and saved it as CertRenew.sh. The emby.p12 file is located in the same directory as the file and the new certificate with its corresponding key. #!/bin/sh now="$(date)" # Password for exported PFX PFX_PASSWORD="My password for emby.p12" # Output file PFX_FILE="/share/SSL-Certificate/emby.p12" # Log file PFX_Log="/share/SSL-Certificate/check-p12.log" # Automatically locate the active certificate CERT_DIR=$(getcfg System "Web Certificate" -f /etc/config/uLinux.conf 2>/dev/null) if [ -n "$CERT_DIR" ] && [ -f "$CERT_DIR/SSLcertificate.crt" ] && [ -f "$CERT_DIR/SSLprivatekey.key" ]; then CRT_FILE="$CERT_DIR/SSLcertificate.crt" KEY_FILE="$CERT_DIR/SSLprivatekey.key" else echo "$now - Configured certificate not found, searching for newest certificate..." >> $PFX_Log CRT_FILE=$(find /mnt -type f -name "SSLcertificate.crt" 2>/dev/null \ | xargs ls -t 2>/dev/null \ | head -n 1) if [ -z "$CRT_FILE" ]; then echo "$now - No certificate file found." >> $PFX_Log exit 1 fi CERT_DIR=$(dirname "$CRT_FILE") KEY_FILE="$CERT_DIR/SSLprivatekey.key" echo "CERT_DIR: $CERT_DIR" >> $PFX_Log echo "CRT_FILE: $CRT_FILE" >> $PFX_Log echo "KEY_FILE: $KEY_FILE" >> $PFX_Log if [ ! -f "$KEY_FILE" ]; then echo "$now - Private key not found: $KEY_FILE" >> $PFX_Log exit 1 fi fi [[ -z `find $CRT_FILE -mtime -1` ]] if [ $? -eq 0 ] then echo "$now - Certificate key has not changed" >>$PFX_Log else echo "$now - Using certificate directory: $CERT_DIR" >> $PFX_Log echo "$now - Certificate: $CRT_FILE" >> $PFX_Log echo "$now - Private Key: $KEY_FILE" >> $PFX_Log # Build the OpenSSL command OPENSSL_CMD="openssl pkcs12 -export \ -out \"$PFX_FILE\" \ -inkey \"$KEY_FILE\" \ -in \"$CRT_FILE\" \ -passout pass:$PFX_PASSWORD" # rename existing pfx file mv -f $PFX_FILE $PFX_FILE.old 2>/dev/null # Execute eval "$OPENSSL_CMD" if [ $? -eq 0 ]; then echo "$now - PFX successfully created: $PFX_FILE" >> $PFX_Log else echo "$now - PFX creation failed." >> $PFX_Log exit 1 fi fi Do I need to make any further adjustments? The following messages appear in the check-p12.log file every time the cron job has been executed: Wed Apr 29 08:00:00 PM CEST 2026 - Configured certificate not found, searching for newest certificate... CERT_DIR: . CRT_FILE: @Recycle KEY_FILE: ./SSLprivatekey.key Wed Apr 29 08:00:00 PM CEST 2026 - Private key not found: ./SSLprivatekey.key What do I need to adjust in the script for it to work?
sa2000 729 Posted April 30 Posted April 30 14 hours ago, renefw said: Do I need to make any further adjustments? The following messages appear in the check-p12.log file every time the cron job has been executed: Wed Apr 29 08:00:00 PM CEST 2026 - Configured certificate not found, searching for newest certificate... CERT_DIR: . CRT_FILE: @Recycle KEY_FILE: ./SSLprivatekey.key Wed Apr 29 08:00:00 PM CEST 2026 - Private key not found: ./SSLprivatekey.key It is going wrong when encountering the recycle bin. I will look into it and update the script
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now