
Guide - SSL Qnap certificate and Emby (manual and automatic)



Posted

I saved the script as CertRenew.sh:

#!/bin/sh

now="$(date)"

# Password for exported PFX
PFX_PASSWORD="my password"

# Output file
PFX_FILE="/share/SSL-Certificate/emby.p12"

# Log file
PFX_Log="/share/SSL-Certificate/check-p12.log"

# Search filesystem for latest QNAP cert file

CRT_FILE=$(find /mnt -type f -name "cert" 2>/dev/null \
| while read -r file; do
	stat -c "%Y %n" "$file"
  done \
| sort -nr \
| head -n 1 \
| cut -d' ' -f2-)
	
if [ -z "$CRT_FILE" ]; then
	echo "$now - No certificate file found." >> $PFX_Log
	exit 1
fi

CERT_DIR=$(dirname "$CRT_FILE")
KEY_FILE="$CERT_DIR/key"

echo "CERT_DIR: $CERT_DIR" >> $PFX_Log
echo "CRT_FILE: $CRT_FILE" >> $PFX_Log
echo "KEY_FILE: $KEY_FILE" >> $PFX_Log

if [ ! -f "$KEY_FILE" ]; then
	echo "$now - Private key not found: $KEY_FILE" >> $PFX_Log 
	exit 1
fi

if ! find "$CRT_FILE" -mtime -1 | grep -q .; 
then
	echo "$now - Certificate key has not changed" >>$PFX_Log
else

	echo "$now - Using certificate directory: $CERT_DIR" >> $PFX_Log
	echo "$now - Certificate: $CRT_FILE" >> $PFX_Log
	echo "$now - Private Key: $KEY_FILE" >> $PFX_Log

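	# rename existing pfx file
	mv -f "$PFX_FILE" "$PFX_FILE.old" 2>/dev/null

	# Run OpenSSL directly instead of through eval, so a password that
	# contains spaces or shell metacharacters is passed as one argument.
	# Note: pass: puts the password on the command line (visible in the
	# process list); -passout also accepts env:VAR and file:PATH.
	openssl pkcs12 -export \
		-out "$PFX_FILE" \
		-inkey "$KEY_FILE" \
		-in "$CRT_FILE" \
		-passout "pass:$PFX_PASSWORD"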

	if [ $? -eq 0 ]; then
		echo "$now - PFX successfully created: $PFX_FILE" >> $PFX_Log
	else
		echo "$now - PFX creation failed." >> $PFX_Log
		exit 1
	fi
fi

 

  • Thanks 1
Posted

How can I tell if Emby needs to be restarted if the emby.p12 file has been updated? The only thing I can think of is to leave Emby and the NAS running until the old certificate expires. Since that would take about a month, it's probably not feasible, as I either update the NAS firmware in the meantime, if an update is available, or Emby automatically restarts during an unused moment when a plugin is updated. How would I be able to see this in Emby, or compare the before and after?

29 minutes ago, sa2000 said:

Ok – so your emby.p12 was updated manually by you and expires in June 2026. If that is the case, you do not need to do anything now to update it

No, it was updated by the script that I was supposed to undo.

 

32 minutes ago, sa2000 said:

I am sure that with much more complex scripts it might be possible to do it quite differently - compare the certificate's expiry date and update the emby pfx file if it is behind - you can start a dialogue with chatGPT and explore this idea

I'll wait until the end of the month to see if the script works as intended.

In any case, thank you very much for your expert support. If it works, I can try extending it via chatGPT, as you suggested...

Thank you so much!

  • Thanks 1
Posted

Did I understand you correctly that I could theoretically set the cron job to run every 6 hours? However, on the days the certificate was updated, wouldn't it then be created 3 or 4 times (as with a daily cron job) and recorded 4 times in the check-p12.log file? Could this cause any other problems?

Posted
7 minutes ago, renefw said:

I could theoretically set the cron job to run every 6 hours? However, on the days the certificate was updated, wouldn't it then be created 3 or 4 times (as with a daily cron job)

you could

7 minutes ago, renefw said:

Could this cause any other problems?

I don't think so - not sure how often the certificate pfx file is read by emby server and if only on launch. Each time the file is replaced, it will not exist for a very short time 

Posted

@renefw FYI I am working on a new script that will cover QTS and QuTS and will only update emby server pfx file once and will have option to tell Emby Server to use the updated file rather than wait for next server restart

 

Posted

Thanks a lot for the info! That sounds absolutely fantastic!

You mention that "the Emby server's PFX file is updated only once." Do you mean that the PFX file is updated just a single time whenever the certificate is renewed? That appears to be exactly what I suggested the day before yesterday as a potential improvement for the current script.

Assuming you manage to have it ready by May 25, 2026, I would be happy to install it on my system and provide you with feedback once I have updated both of my NAS systems to QuTS hero.

The only crucial question for me is: where will I be able to find the finished script? Will you post it within this thread, link to it here, or could you please send it to me via private message?

Posted
13 minutes ago, renefw said:

You mention that "the Emby server's PFX file is updated only once." Do you mean that the PFX file is updated just a single time whenever the certificate is renewed? That appears to be exactly what I suggested the day before yesterday as a potential improvement for the current script.

Assuming you manage to have it ready by May 25, 2026, I would be happy to install it on my system and provide you with feedback once I have updated both of my NAS systems to QuTS hero.

The only crucial question for me is: where will I be able to find the finished script? Will you post it within this thread, link to it here, or could you please send it to me via private message?

It will remember the UTC modified date/time of the QNAP cert file and only convert to pfx if that is higher than at the last update - it does mean the first time you run the script it will convert the cert file but after that it should not do any unnecessary updates

I am limited in testing it because my QNAP is ancient and I am trying to see if I can get it to have a cert file ! (It is using legacy .pem file)
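
The approach described in the post above (remember the cert file's modification time and convert only when it is newer), as an added example that is not the script being developed in this thread. It also writes the new PFX to a temporary file and renames it into place, so the file never briefly disappears as noted earlier in the thread. The function names, the state-file format (one epoch number) and reading the password from an exported PFX_PASSWORD variable are assumptions.

```shell
#!/bin/sh
# Added example: convert the QNAP cert to PFX only when the cert's mtime is
# newer than the value saved in a state file, and swap the result in atomically.
# Function names and the state-file format are assumptions, not thread code.

cert_mtime() { stat -c %Y "$1"; }            # epoch seconds (GNU/BusyBox stat)

# True (0) when the cert is newer than the recorded mtime, or none is recorded.
needs_update() {                             # $1=cert  $2=state file
	last=$(cat "$2" 2>/dev/null || true)
	case "$last" in ''|*[!0-9]*) return 0 ;; esac   # missing or corrupt state
	[ "$(cert_mtime "$1")" -gt "$last" ]
}

# The password is read from the exported PFX_PASSWORD variable (env:), so it
# does not appear on the command line or in the process list.
build_pfx() {                                # $1=cert  $2=key  $3=output
	openssl pkcs12 -export -out "$3" -inkey "$2" -in "$1" \
		-passout env:PFX_PASSWORD
}

# Returns 0 = converted, 1 = conversion failed (old PFX kept), 2 = nothing to do.
update_if_newer() {                          # $1=cert $2=key $3=pfx $4=state
	needs_update "$1" "$4" || return 2
	mtime=$(cert_mtime "$1")                 # capture before converting
	tmp="$3.tmp.$$"                          # same directory, so mv is a rename
	( umask 077; build_pfx "$1" "$2" "$tmp" ) || { rm -f "$tmp"; return 1; }
	mv -f "$tmp" "$3" || { rm -f "$tmp"; return 1; }
	echo "$mtime" > "$4"                     # record only after success
}

# Usage: PFX_PASSWORD=... sh script.sh CERT KEY PFX STATE
if [ "$#" -eq 4 ]; then
	export PFX_PASSWORD
	update_if_newer "$@"
fi
```

Because the state is written only after a successful rename, a failed conversion is retried on the next cron run, and running the job every few hours does not rebuild the PFX more than once per renewal.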

Posted

That is exactly what I suggested the day before yesterday! I am absolutely delighted that you have decided to go ahead with it after all. I am sure many other Emby users will be thrilled once it is finished!

Since I am extremely grateful to you, I don't view it as a major issue that you only have a very old QNAP device available for testing. I have two current models—a TS-264 and a TS-664—both running QuTS hero, as I mentioned previously. Unfortunately, I won't have quite as much time tomorrow (Friday) as I did yesterday; however, on Monday, my availability should be just as open as it was yesterday. I still have the expired .p12 certificate on hand. Therefore, I would be more than happy to assist: if you could send me the scripts for testing—along with instructions on what information you need me to extract via PuTTY or the log files—I would be delighted to do so as quickly as possible.

You are welcome to decide whether you would prefer to handle this via this thread or via a private message.

What do you think?

Posted
10 minutes ago, renefw said:

Since I am extremely grateful to you, I don't view it as a major issue that you only have a very old QNAP device available for testing. I have two current models—a TS-264 and a TS-664—both running QuTS hero, as I mentioned previously. Unfortunately, I won't have quite as much time tomorrow (Friday) as I did yesterday; however, on Monday, my availability should be just as open as it was yesterday. I still have the expired .p12 certificate on hand. Therefore, I would be more than happy to assist: if you could send me the scripts for testing—along with instructions on what information you need me to extract via PuTTY or the log files—I would be delighted to do so as quickly as possible.

Thank you for your offer. My old QNAP is on QTS 3.3.4 and version 4.2 onwards is required 

I will continue through private messaging until we get the script working and then I will post it here

Thank you

 

Posted
4 hours ago, renefw said:

How do I delete ".last_processed_time"?

The "rm" command is what you use in linux to delete a file

so it would be "rm" followed by a space and the full path to the file. I have given you the exact command in Private Message

 
