
Getting and renewing the letsencrypt certificate


Solved by Q-Droid

Posted

Hello! I want to get a letsencrypt certificate for my emby server on windows. I want the certificate to be able to renew automatically without my participation and without the need to restart the Emby server. I tried using Certbot and ran into a problem. When using the "--webroot" certificate acquisition method, it is necessary to grant access to the root path of the server, so I specified the path C:\Users\ISkIN\AppData\Roaming\Emby-Server\system\dashboard-ui, where index.html is located. The problem is that the program is trying to request a file at example.com/.well-known/acme-challenge/<...>, while in reality it is at example.com/web/.well-known/acme-challenge/<...>. Is there a way to override the root path of the Emby server? Or maybe there are other ways to get a certificate? I only need a method that does not require stopping my server, as in the case of the "--standalone" method.

Posted

Hello ISkIN,

** This is an auto reply **

Please wait for someone from staff support or our members to reply to you.

It's recommended to provide more info, as explained in this thread:


Thank you.

Emby Team

Posted

Regardless of the method you use to get the cert, you will have to restart Emby. The certs are only loaded on startup.

And if I read your post correctly the web root needed is certbot's, not Emby's. Certbot controls and validates the http endpoint. 

Posted

I want to clarify that what you're doing only works on well-known http ports. The http-01 challenge only works on port 80, so for Emby to be involved it would also have to be reachable via port 80. It's a security change made to prevent site spoofing and cert hijacking.

Posted

You can install a reverse proxy to get around that.

The cert is renewed by certbot within the reverse proxy, if it runs in a VM or Docker.

Just set Emby "Secure connection mode" to "Handled by reverse proxy".

With a reverse proxy you only need to open ports 80 and 443 in your router.

The reverse proxy will then (when set up correctly) redirect requests to Emby port 8096 or 8920.
Posted

Thanks for the help. My server is running on port 80 and is accessible through it; the only problem was that Emby provides access to server files through a path like "example.com/web/<file_in_root_folder>". This additional "/web" prevented access to the verification file, because letsencrypt requests the file at "example.com/<file_in_root_folder>" and it doesn't know that the root of the emby server is located at example.com/web/. In any case, if it still requires restarting the server to update the certificate, then I will use another method.

Posted

With a reverse proxy Emby does not need to be restarted.

The cert is served by the proxy.

There are some really good guides in the emby forum in order to find out more :)

Solution
Posted

I agree with the recommendation of a reverse proxy. On Windows it doesn't get any easier than Caddy which has the added benefit of automatic cert renewal. Pretty much everything you're looking for.

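As an added illustration of the reverse-proxy setup recommended in the two posts above (this is example configuration, not anything posted in the thread or shipped by Emby or Caddy): a minimal Caddyfile that terminates TLS in front of Emby. It assumes the hostname emby.example.com and the contact address admin@example.com (both placeholders), that Emby listens on its plain-HTTP port 8096 on the same machine, and that TCP 80 and 443 are forwarded from the router to the Caddy host. Caddy requests the Let's Encrypt certificate itself, answers the http-01 challenge on port 80, and renews without touching Emby.

```caddyfile
# Added example Caddyfile; hostname and e-mail are placeholders.
{
    # Contact address registered with the ACME CA (Let's Encrypt by default).
    email admin@example.com
}

emby.example.com {
    # Caddy serves HTTPS here with its own automatically managed certificate,
    # and answers the ACME http-01 challenge on port 80 itself. Port 80 must
    # therefore stay reachable from the internet, not only port 443.

    # Forward everything to Emby's HTTP listener. In the Emby dashboard set
    # "Secure connection mode" to "Handled by reverse proxy" so Emby stops
    # trying to serve HTTPS on 8920 itself and trusts the proxy headers.
    reverse_proxy 127.0.0.1:8096
}
```

With this in place the certificate lives only in Caddy's storage; Emby never sees it, so renewals need no Emby restart. Everything Emby exposes (including the /web path that broke the webroot approach) is simply proxied, and the /.well-known/acme-challenge/ requests are handled by Caddy before they reach Emby.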
Posted

Thanks for the tips, I set up using Caddy, this is really the best solution.

pwhodges
Posted (edited)

Caddy is not limited to Windows - just saying... (this comment is not for this case, but for other users who might misread Q-Droid's post).

Paul
  • 1 year later...
Posted

How/when does the automatic renewal take place with Caddy and how can I confirm my certificate was renewed? I set up Caddy and have been using it for a couple months but just got an upcoming expiration notice email from LetsEncrypt for the first time. I wasn't sure if this is normal to receive the email each time the renewal is approaching and it will take place before the expiration or if I missed something in my setup and will still expire without renewing. I'm new to all this SSL stuff so not sure how to confirm if it's already renewed and I'm good to go.

pwhodges
Posted

If you got an expiration notice for a certificate that Caddy is handling, something's wrong; Caddy starts trying to renew at about half the lifetime of the cert. The easiest way to check the cert is to go to the site in a browser and click the padlock - this should enable you to see the expiry date of the cert.

Have you ensured that port 80 remains open through your firewall? Even though (by default) all connections are redirected to 443, port 80 is used in the default certificate checking.

Paul
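The two checks suggested above (what certificate the site is actually serving, and whether port 80 is still reachable) can be scripted from the Windows host instead of clicking the browser padlock. The following PowerShell script is an added example, not something from the thread or from Caddy; it assumes the hostname emby.example.com (a placeholder) and uses the 30-day warning threshold only as an illustrative choice. It performs a real TLS handshake with chain validation, so a certificate that renewed but is untrusted fails here just as it would in a browser.

```powershell
# Added example: report the certificate a public HTTPS endpoint is serving and
# confirm the http-01 port is reachable. Hostname is a placeholder.
param(
    [string]$HostName = "emby.example.com",
    [int]$HttpsPort = 443,
    [int]$WarnDays = 30   # illustrative threshold, not a Caddy or Let's Encrypt value
)

# 1. Is port 80 open from the outside? Caddy needs it for ACME http-01 renewals
#    even when every visitor is redirected to HTTPS.
$port80 = Test-NetConnection -ComputerName $HostName -Port 80 -WarningAction SilentlyContinue
if (-not $port80.TcpTestSucceeded) {
    Write-Warning "TCP 80 to $HostName is closed; ACME http-01 renewal will fail."
}

# 2. Handshake with the HTTPS endpoint and read the leaf certificate it presents.
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $HttpsPort)
$ssl = $null
try {
    # Default validation callback: the chain must be trusted, like a browser's check.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($HostName)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        Thumbprint = $cert.Thumbprint
    }

    # A recently renewed certificate shows a NotBefore only days old and a fresh
    # thumbprint; an expiry warning e-mail for a cert whose NotAfter is still far
    # away usually refers to the previous, already replaced certificate.
    if ($daysLeft -lt $WarnDays) {
        Write-Warning "Certificate for $HostName expires in $daysLeft days; check Caddy's log for renewal errors."
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

Run it from any machine outside the LAN (or with the public IP resolving externally) so the port 80 test exercises the router forwarding rather than a local path; compare the Thumbprint with the one in the expiry e-mail to tell whether the notice concerns the old or the current certificate.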
rbjtech
Posted (edited)

Sorry - just repeated what Paul wrote.. ;)
