Guide - SSL Qnap certificate and Emby (manual and automatic)


renefw
Posted

I saved the script as CertRenew.sh:

#!/bin/sh

now="$(date)"

# Password for exported PFX
PFX_PASSWORD="my password"

# Output file
PFX_FILE="/share/SSL-Certificate/emby.p12"

# Log file
PFX_Log="/share/SSL-Certificate/check-p12.log"

# Search filesystem for latest QNAP cert file

CRT_FILE=$(find /mnt -type f -name "cert" 2>/dev/null \
| while read -r file; do
	stat -c "%Y %n" "$file"
  done \
| sort -nr \
| head -n 1 \
| cut -d' ' -f2-)
	
if [ -z "$CRT_FILE" ]; then
	echo "$now - No certificate file found." >> $PFX_Log
	exit 1
fi

CERT_DIR=$(dirname "$CRT_FILE")
KEY_FILE="$CERT_DIR/key"

echo "CERT_DIR: $CERT_DIR" >> $PFX_Log
echo "CRT_FILE: $CRT_FILE" >> $PFX_Log
echo "KEY_FILE: $KEY_FILE" >> $PFX_Log

if [ ! -f "$KEY_FILE" ]; then
	echo "$now - Private key not found: $KEY_FILE" >> $PFX_Log 
	exit 1
fi

if ! find "$CRT_FILE" -mtime -1 | grep -q .; 
then
	echo "$now - Certificate key has not changed" >>$PFX_Log
else

	echo "$now - Using certificate directory: $CERT_DIR" >> $PFX_Log
	echo "$now - Certificate: $CRT_FILE" >> $PFX_Log
	echo "$now - Private Key: $KEY_FILE" >> $PFX_Log

	# rename existing pfx file
	mv -f "$PFX_FILE" "$PFX_FILE.old" 2>/dev/null

	# Run OpenSSL directly with quoted arguments instead of building a
	# string for eval, so a password containing spaces or shell
	# metacharacters is passed through as a single argument
	if openssl pkcs12 -export \
		-out "$PFX_FILE" \
		-inkey "$KEY_FILE" \
		-in "$CRT_FILE" \
		-passout "pass:$PFX_PASSWORD"; then
		echo "$now - PFX successfully created: $PFX_FILE" >> $PFX_Log
	else
		echo "$now - PFX creation failed." >> $PFX_Log
		exit 1
	fi
fi

 

renefw
Posted

How can I tell if Emby needs to be restarted if the emby.p12 file has been updated? The only thing I can think of is to leave Emby and the NAS running until the old certificate expires. Since that would take about a month, it's probably not feasible, as I either update the NAS firmware in the meantime, if an update is available, or Emby automatically restarts during an unused moment when a plugin is updated. How would I be able to see this in Emby, or compare the before and after?

29 minutes ago, sa2000 said:

Ok – so your emby.p12 was updated manually by you and expires in June 2026. If this is the case, you do not need to do anything now to update it

No, it was updated by the script that I was supposed to undo.

 

32 minutes ago, sa2000 said:

I am sure that with much more complex scripts it could be possible to do it quite differently - compare the expiry date of the certificate and update the emby pfx file when it is behind - you can start a dialogue with chatGPT and explore this idea

I'll wait until the end of the month to see if the script works as intended.

In any case, thank you very much for your expert support. If it works, I can try extending it via chatGPT, as you suggested...

Thank you so much!

renefw
Posted

Did I understand you correctly that I could theoretically set the cron job to run every 6 hours? However, on the days the certificate was updated, wouldn't it then be created 3 or 4 times (as with a daily cron job) and recorded 4 times in the check-p12.log file? Could this cause any other problems?

sa2000
Posted
7 minutes ago, renefw said:

I could theoretically set the cron job to run every 6 hours? However, on the days the certificate was updated, wouldn't it then be created 3 or 4 times (as with a daily cron job)

you could

7 minutes ago, renefw said:

Could this cause any other problems?

I don't think so - not sure how often the certificate pfx file is read by emby server and if only on launch. Each time the file is replaced, it will not exist for a very short time 

sa2000
Posted

@renefw FYI I am working on a new script that will cover QTS and QuTS and will only update emby server pfx file once and will have option to tell Emby Server to use the updated file rather than wait for next server restart

 

renefw
Posted

Thanks a lot for the info! That sounds absolutely fantastic!

You mention that "the Emby server's PFX file is updated only once." Do you mean that the PFX file is updated just a single time whenever the certificate is renewed? That appears to be exactly what I suggested the day before yesterday as a potential improvement for the current script.

Assuming you manage to have it ready by May 25, 2026, I would be happy to install it on my system and provide you with feedback once I have updated both of my NAS systems to QuTS hero.

The only crucial question for me is: where will I be able to find the finished script? Will you post it within this thread, link to it here, or could you please send it to me via private message?

sa2000
Posted
13 minutes ago, renefw said:

You mention that "the Emby server's PFX file is updated only once." Do you mean that the PFX file is updated just a single time whenever the certificate is renewed? That appears to be exactly what I suggested the day before yesterday as a potential improvement for the current script.

Assuming you manage to have it ready by May 25, 2026, I would be happy to install it on my system and provide you with feedback once I have updated both of my NAS systems to QuTS hero.

The only crucial question for me is: where will I be able to find the finished script? Will you post it within this thread, link to it here, or could you please send it to me via private message?

It will remember the UTC modified date/time of the QNAP cert file and only convert to pfx if that is higher than the last update - it does mean the first time you run the script it will convert the cert file but after that it should not do any unnecessary updates

I am limited in testing it because my QNAP is ancient and I am trying to see if I can get it to have a cert file ! (It is using legacy .pem file)

renefw
Posted

That is exactly what I suggested the day before yesterday! I am absolutely delighted that you have decided to go ahead with it after all. I am sure many other Emby users will be thrilled once it is finished!

Since I am extremely grateful to you, I don't view it as a major issue that you only have a very old QNAP device available for testing. I have two current models—a TS-264 and a TS-664—both running QuTS hero, as I mentioned previously. Unfortunately, I won't have quite as much time tomorrow (Friday) as I did yesterday; however, on Monday, my availability should be just as open as it was yesterday. I still have the expired .p12 certificate on hand. Therefore, I would be more than happy to assist: if you could send me the scripts for testing—along with instructions on what information you need me to extract via PuTTY or the log files—I would be delighted to do so as quickly as possible.

You are welcome to decide whether you would prefer to handle this via this thread or via a private message.

What do you think?

sa2000
Posted
10 minutes ago, renefw said:

Since I am extremely grateful to you, I don't view it as a major issue that you only have a very old QNAP device available for testing. I have two current models—a TS-264 and a TS-664—both running QuTS hero, as I mentioned previously. Unfortunately, I won't have quite as much time tomorrow (Friday) as I did yesterday; however, on Monday, my availability should be just as open as it was yesterday. I still have the expired .p12 certificate on hand. Therefore, I would be more than happy to assist: if you could send me the scripts for testing—along with instructions on what information you need me to extract via PuTTY or the log files—I would be delighted to do so as quickly as possible.

Thank you for your offer. My old QNAP is on QTS 3.3.4 and version 4.2 onwards is required 

I will continue through private messaging until we get the script working and then I will post it here

Thank you

 

renefw
Posted

How do I delete ".last_processed_time"?

sa2000
Posted
4 hours ago, renefw said:

How do I delete ".last_processed_time"?

The "rm" command is what you use in linux to delete a file

so it would be "rm" followed by a space and the full path to the file. I have given you the exact command in Private Message

 

sa2000
Posted (edited)

Thanks to @renefw for helping me develop the QNAP script further by running a lot of tests for me. And of course great thanks to @dieffe70 who provided the original script.

The new script should work on QuTS as well as QTS

It allows for specifying a fixed path for the QNAP renewed certificate (QTS) or no path specified and the filesystem is searched for the latest certificate (QuTS)

Emby Server is notified and updated with the new certificate (and password) when a new QNAP Certificate is detected. The conversion and emby server update happens only once after renewal. Emby Server would automatically restart when idle time is detected after the update.

There is an option to disable the auto update of Emby Server

The pfx filenames used are unique each time giving as part of the filename, the time (UTC) when QNAP renewed the certificate and the time (UTC) when the conversion to a pfx file for Emby Server was done.

The script would purge old pfx files created with the same filename syntax when they are found to be over 6 months old.

The new script is here - save it as "RenewCert.sh" on the QNAP

CertRenew_2026-05-11.sh

It has been preset to assume that you will have this share directory available on the QNAP 

/share/Emby-SSL-Certificate

The file as it is, does not have any windows inserted carriage return characters at end of lines - so should be usable on the QNAP directly

Edit the script file to add your pfx password, your emby server local IP address and port - if different from 8096. Also to notify Emby Server, you will need an Api Key which you can obtain through the emby server dashboard, Advanced / Api Keys / +New Api Key

And if you do not want Emby Server to be updated, flip the setting for AUTO_EMBY_UPDATE to "NO"

Lines to change

PFX_PASSWORD="Replace-This-With-Your-PFX-Password"
AUTO_EMBY_UPDATE="YES"
EMBY_API_KEY="Replace-This-With-Your-an-API-Key-For-EmbyServer"
EMBY_IP="x.x.x.x"
EMBY_PORT="8096"

The script will maintain a log file within the same directory

The log file will be named "cert-2-pfx-check.log" and with this path 

/share/Emby-SSL-Certificate/cert-2-pfx-check.log

If you do end up with the script having lines ending with CR LF instead of the Linux LF, then you can use the tool dos2unix to correct that

You can check what your end of line characters are by viewing the sh file using Notepad++ and selecting View / Show Symbols / View All Characters

On the QNAP ensure ssh is enabled - See QNAP: How Do I Access My QNAP NAS Using ssh

For Windows, use PuTTY

For MacOS, use existing Utility / Terminal tool

Suggest the script is placed in the pre-defined directory, so you end up with it named and placed here

/share/Emby-SSL-Certificate/RenewCert.sh

Ensure it has execute permissions, so in your terminal ssh session, enter this command

chmod  +x  /share/Emby-SSL-Certificate/RenewCert.sh

Suggest you first test the script before adding it to the crontab to run daily

To test the script

/bin/sh  /share/Emby-SSL-Certificate/RenewCert.sh

Inspect the cert-2-pfx-check.log after running it to see if it completed ok

The first time the script runs, it will update Emby Server and lead to a restart when idle.

To add the script to crontab, read the QNAP Article here QNAP: How to- Add Jobs to crontab to schedule a job

Learn how to edit using the linux editor "vi"  - a good basic guide here Introduction: vi editor

It is suggested that you run the script once daily - at say 1am 

The following line would need adding to the end of the /etc/config/crontab file

0 1 * * * /bin/sh  /share/Emby-SSL-Certificate/RenewCert.sh

It is important that after you edit, you exit the editor and run the following to pick the changes and restart crontab

crontab /etc/config/crontab && /etc/init.d/crond.sh restart

You can now check that your cron tab line was added by executing this command

crontab -l

Check the "cert-2-pfx-check.log" the following day. There should be entries at 1am for the check on the QNAP certificate and whether a change was detected

 

Edited by sa2000
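The "convert only once per renewal" behaviour discussed in this thread, as an added example that is not sa2000's script or any other code from the thread: it records the cert file's modification time in ".last_processed_time", builds the PFX in a temporary file with owner-only permissions and renames it into place so the old file never disappears, and passes the password through the environment instead of the command line. The function names, the PFX_BUILDER test hook and the fixed output name emby.p12 are assumptions; PFX_PASSWORD must be exported before make_pfx runs.

```shell
#!/bin/sh
# Added example (not the forum script). State file name as used in the thread.
STATE_NAME=".last_processed_time"

# Modification time of a file in epoch seconds (UTC), via stat -c as in the
# first script on this page
cert_mtime() { stat -c %Y "$1"; }

# Succeeds when the cert is newer than the recorded time, or no record exists
cert_is_new() {
	cert=$1; state=$2
	last=0
	[ -f "$state" ] && last=$(cat "$state")
	case $last in ''|*[!0-9]*) last=0 ;; esac   # ignore a corrupt state file
	[ "$(cert_mtime "$cert")" -gt "$last" ]
}

# Build the PFX in a temp file (mode 0600), then rename it over the old one.
# The password is read from the exported PFX_PASSWORD variable, so it does
# not show up in the process list.
make_pfx() {
	cert=$1; key=$2; out=$3
	tmp="$out.tmp.$$"
	( umask 077
	  openssl pkcs12 -export -out "$tmp" -inkey "$key" -in "$cert" \
		-passout env:PFX_PASSWORD
	) || { rm -f "$tmp"; return 1; }
	mv -f "$tmp" "$out"
}

# Returns 0 = converted, 2 = certificate unchanged, 1 = conversion failed.
# PFX_BUILDER (hypothetical hook) lets a test replace the openssl step.
renew_if_changed() {
	cert=$1; key=$2; dir=$3
	state="$dir/$STATE_NAME"
	cert_is_new "$cert" "$state" || return 2
	"${PFX_BUILDER:-make_pfx}" "$cert" "$key" "$dir/emby.p12" || return 1
	# Record the time only after a successful conversion, so a failed run
	# is retried on the next cron pass
	cert_mtime "$cert" > "$state"
}
```

Deleting the state file, as asked earlier in the thread, makes the next run convert again because a missing record is treated as time 0.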
