MBSki 1114 Posted June 14, 2023 Posted June 14, 2023 (edited) On 6/5/2023 at 9:05 AM, ebr said: There is more than one way to skin this cat but, yes: Secure Your Server Is this guidance still correct? I'm on the SSL For Free site and I see a DNS (CNAME) verification, but nothing about TXT. And copying the info to my domain registrar I'm getting a record data is invalid error. Edit: Well, on the 5th try it seems like it took, but I had to use CNAME, not TXT. Edited June 14, 2023 by MBSki
rbjtech 5284 Posted June 14, 2023 Posted June 14, 2023 2 minutes ago, MBSki said: Is this guidance still correct? I'm on the SSL For Free site and I see a DNS (CNAME) verification, but nothing about TXT. And copying the info to my domain registrar I'm getting a record data is invalid error. It's a way to verify you are the owner of that domain - you need to add a TXT record with the unique 'key' which is then queried by the registrar allowing you to create the TLS cert. CNAME has nothing to do with this as that's just an alias to the A-Record - that cannot contain any manually added 'key' and won't prove anything. Look up Certbot, as this may be able to automate this old method, or provide some alternatives such as just hosting suitable files via the web server to verify ownership without relying on DNS.
MBSki 1114 Posted June 14, 2023 Author Posted June 14, 2023 1 hour ago, rbjtech said: It's a way to verify you are the owner of that domain - you need to add a TXT record with the unique 'key' which is then queried by the registrar allowing you to create the TLS cert. CNAME has nothing to do with this as that's just an alias to the A-Record - that cannot contain any manually added 'key' and won't prove anything. Look up Certbot, as this may be able to automate this old method, or provide some alternatives such as just hosting suitable files via the web server to verify ownership without relying on DNS. Ok, thanks. Digging into it now. Seems the article needs an update at least. Another quick question. The article mentions "make sure your external IP is correct". Where do I make sure that's correct? I assume with my domain registrar, but do I basically just change the A type to include my external IP in the value? Right now the value is "parked". Sorry for the newbie questions.
Painkiller88 249 Posted June 14, 2023 Posted June 14, 2023 (edited) 32 minutes ago, MBSki said: Where do I make sure that's correct? https://www.whatismyip.com/ this will return your public IPv4 or IPv6 address, and this is your external IP Edited June 14, 2023 by Painkiller8818 1
pwhodges 2012 Posted June 14, 2023 Posted June 14, 2023 40 minutes ago, Painkiller8818 said: this will return your public IPv4 or IPv6 address, and this is your external IP This will return your current IP address - if your ISP changes it from time to time, that's why you may need to check. Paul 1
MBSki 1114 Posted June 15, 2023 Author Posted June 15, 2023 I knew my external IP, I just wasn't sure how to make sure it was attached to my domain. So, I changed the A type value to my external IP and used the DNS (CNAME) verification and it appears to be working. I'd say the article definitely needs to be updated. @CarloNot sure who wrote the article, but can you update or identify someone that could?
rbjtech 5284 Posted June 15, 2023 Posted June 15, 2023 6 hours ago, MBSki said: I knew my external IP, I just wasn't sure how to make sure it was attached to my domain. So, I changed the A type value to my external IP and used the DNS (CNAME) verification and it appears to be working. I'd say the article definitely needs to be updated. @CarloNot sure who wrote the article, but can you update or identify someone that could? The article is good - the usual way is by using a TXT record. By using a CNAME within the same domain - you prove ownership - but that is a very limited use of a CNAME. What you have done will work, but it's likely your public IP will be dynamic - ie it changes over time - and thus you'll need to use a DDNS (dynamic DNS) service to automatically change this. You may have got this 'service' as part of your domain package - in which case, just configure that service to do it for you and it will change your main DNS A-Record. If it doesn't, then you can use a free DDNS service - which will use THEIR domain name - so you then just need to create a CNAME Record (Alias) under YOUR domain to point to the DDNS domain name.

For example, your domain is mbski.com - so you have a DNS A-Record of, let's say, 1.2.3.4 which points to hosted web-space you got with the domain name.

You set up a DDNS account - mbski.dyndns.com - and it has been configured to use your public IP - 5.6.7.8

Now when you want to connect to Emby via TLS - you a) need to use mbski.com and b) you don't want to use the dyndns - so you create a CNAME to re-direct the query. So you create a CNAME as follows:

emby.mbski.com > mbski.dyndns.com

You don't need to use a sub-domain - so you could just do mbski.com > mbski.dyndns.com if you like.

If you have a FIXED IP - then changing the value of the A-Record (or CNAME if you want to call it something different) is the correct way to do this (and in fact what I do), there is no need to use DDNS. 1
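Added example, not from this thread or from Emby: a small resolver that chases the CNAME chain described above (emby.mbski.com > mbski.dyndns.com > A record) over constructed zone data, and a check that the name ends up at a given public IP. The names and addresses are the illustrative ones from the post; the zone table, the loop entries and the hop limit are assumptions for the example.

```python
# Constructed zone data standing in for real DNS answers (name -> (type, value)).
# A real check would query DNS; the logic of following CNAMEs is the same.
from typing import Dict, List, Optional, Tuple

ZONE: Dict[str, Tuple[str, str]] = {
    "mbski.com.": ("A", "1.2.3.4"),                    # registrar-hosted web space
    "emby.mbski.com.": ("CNAME", "mbski.dyndns.com."), # alias under YOUR domain
    "mbski.dyndns.com.": ("A", "5.6.7.8"),             # DDNS provider keeps this current
    "loop1.example.": ("CNAME", "loop2.example."),     # constructed misconfiguration
    "loop2.example.": ("CNAME", "loop1.example."),
}

MAX_HOPS = 8  # assumed cap; resolvers refuse to chase CNAMEs forever


def resolve_a(name: str, zone: Dict[str, Tuple[str, str]] = ZONE) -> Tuple[Optional[str], List[str]]:
    """Follow CNAME records from `name` until an A record is reached.

    Returns (ipv4 or None, list of names visited). None means the chain is
    broken: no record, a CNAME loop, or too many hops.
    """
    name = name if name.endswith(".") else name + "."
    chain = [name]
    for _ in range(MAX_HOPS):
        rec = zone.get(name)
        if rec is None:
            return None, chain            # nothing published for this name
        rtype, value = rec
        if rtype == "A":
            return value, chain           # reached the address record
        if rtype != "CNAME":
            return None, chain            # some other record type; not an address
        if value in chain:
            return None, chain            # CNAME loop: a resolver would give up too
        name = value
        chain.append(name)
    return None, chain                    # exceeded hop limit


def points_at(name: str, public_ip: str, zone: Dict[str, Tuple[str, str]] = ZONE) -> bool:
    """True when `name` (directly or via CNAMEs) resolves to `public_ip`."""
    ip, _ = resolve_a(name, zone)
    return ip == public_ip


if __name__ == "__main__":
    ip, chain = resolve_a("emby.mbski.com")
    print(" -> ".join(chain), "=>", ip)
    print("matches current public IP:", points_at("emby.mbski.com", "5.6.7.8"))
```

If the DDNS entry goes stale after an ISP address change, `points_at` returns False even though every record still exists, which is the failure this kind of check is meant to catch.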
rbjtech 5284 Posted June 15, 2023 Posted June 15, 2023 6 minutes ago, rbjtech said: The article is good - the usual way is by using a TXT record. By using a CNAME within the same domain - you prove ownership - but that is a very limited use of a CNAME. What you have done will work, but it's likely your public IP will be dynamic - ie it changes over time - and thus you'll need to use a DDNS (dynamic DNS) service to automatically change this. You may have got this 'service' as part of your domain package - in which case, just configure that service to do it for you and it will change your main DNS A-Record. If it doesn't, then you can use a free DDNS service - which will use THEIR domain name - so you then just need to create a CNAME Record (Alias) under YOUR domain to point to the DDNS domain name. For example, your domain is mbski.com - so you have a DNS A-Record of, let's say, 1.2.3.4 which points to hosted web-space you got with the domain name. You set up a DDNS account - mbski.dyndns.com - and it has been configured to use your public IP - 5.6.7.8. Now when you want to connect to Emby via TLS - you a) need to use mbski.com and b) you don't want to use the dyndns - so you create a CNAME to re-direct the query. So you create a CNAME as follows: emby.mbski.com > mbski.dyndns.com. You don't need to use a sub-domain - so you could just do mbski.com > mbski.dyndns.com if you like. If you have a FIXED IP - then changing the value of the A-Record (or CNAME if you want to call it something different) is the correct way to do this (and in fact what I do), there is no need to use DDNS. @MBSki @GrimReaper- MBSki - we should take this into another thread - as it's not really related to the Botnet incident. Grim - could you kindly move the last 7 posts into a new thread pls if MBSki is ok with that ? 1
rbjtech 5284 Posted June 15, 2023 Posted June 15, 2023 1 hour ago, rbjtech said: @MBSki @GrimReaper- MBSki - we should take this into another thread - as it's not really related to the Botnet incident. Grim - could you kindly move the last 7 posts into a new thread pls if MBSki is ok with that ? Thanks @GrimReaper 1
Q-Droid 989 Posted June 15, 2023 Posted June 15, 2023 I don't know how old that KB article is but I do agree with @MBSki that it's somewhat limited and only covers one of the ACME challenge methods and the most complicated one at that. I guess it was written for one SSL cert service and as @ebr posted there are many ways to skin this cat. 1
MBSki 1114 Posted June 15, 2023 Author Posted June 15, 2023 39 minutes ago, Q-Droid said: I don't know how old that KB article is but I do agree with @MBSki that it's somewhat limited and only covers one of the ACME challenge methods and the most complicated one at that. I guess it was written for one SSL cert service and as @ebr posted there are many ways to skin this cat. Yea, I'm not following how the article is still accurate. There is no option for a TXT record on the SSL For Free site. And there's only 1 record, not two. I'm obviously a newbie to this, but @rbjtech there seems to be something missing in the article. 4 hours ago, rbjtech said: If you have a FIXED IP - then changing the value of the A-Record (or CNAME if you want to call it something different) is the correct way to do this (and in fact what I do), there is no need to use DDNS. This is what I did with my domain registrar, so at least I got that part right.
rbjtech 5284 Posted June 15, 2023 Posted June 15, 2023 (edited) 15 minutes ago, MBSki said: This is what I did with my domain registrar, so at least I got that part right. So you have a fixed public IP address ? If not, then while it works at the moment, if that IP changes (maybe a router reboot, or sometimes they change on their own), then you'll need to manually update the DNS record again. Edited June 15, 2023 by rbjtech
MBSki 1114 Posted June 15, 2023 Author Posted June 15, 2023 5 minutes ago, rbjtech said: So you have a fixed public IP address ? If not, then while it works at the moment, if that IP changes (maybe a router reboot, or sometimes they change on their own), then you'll need to manually update the DNS record again. Yes, I do. So I should be good for that part. I think it's the cert creation that I'm not too clear on. I believe that just needs to be updated every year though since I got the 1 year cert rather than the 90 day.
rbjtech 5284 Posted June 15, 2023 Posted June 15, 2023 1 minute ago, MBSki said: Yes, I do. So I should be good for that part. I think it's the cert creation that I'm not too clear on. I believe that just needs to be updated every year though since I got the 1 year cert rather than the 90 day. ok cool - so yes, ignore all my DDNS ramblings .. For a 1 year cert, then a manual renewal is not a great hardship, but for a 90 day one though (letsencrypt for example), then it becomes arduous - so using something like certbot, which automatically renews it for you (via ACME), is an obvious thing to invest a little time upfront to set up.
MBSki 1114 Posted June 15, 2023 Author Posted June 15, 2023 3 minutes ago, rbjtech said: ok cool - so yes, ignore all my DDNS ramblings .. LOL...done. 3 minutes ago, rbjtech said: For a 1 year cert, then a manual renewal is not a great hardship, but for a 90 day one though (letsencrypt for example), then it becomes arduous - so using something like certbot, which automatically renews it for you (via ACME), is an obvious thing to invest a little time upfront to set up. Yea, I can always set a 1 year recurring task so I renew in advance, but automatic is still better. Even if I had an automatically renewing cert though, I still need to install the renewed cert on my Emby server manually every year right?
pwhodges 2012 Posted June 15, 2023 Posted June 15, 2023 For even more automation, use a reverse proxy in front of Emby instead. You can usually set up certbot to handle certificates for them, or if you opt for Caddy, that gets and renews your certificate completely automatically by default. Paul 1
MBSki 1114 Posted June 15, 2023 Author Posted June 15, 2023 1 minute ago, pwhodges said: For even more automation, use a reverse proxy in front of Emby instead. You can usually set up certbot to handle certificates for them, or if you opt for Caddy, that gets and renews your certificate completely automatically by default. Paul Yea, I was thinking about that because I see that at least in the current settings you can do 1 or the other, but not both. So, is it the same level of security using either cert or reverse proxy? Btw, what is Caddy? I like the sound of "completely automatically".
Painkiller88 249 Posted June 15, 2023 Posted June 15, 2023 24 minutes ago, MBSki said: Btw, what is Caddy? I like the sound of "completely automatically". Caddy is a webserver like apache or nginx 1
ebr 16178 Posted June 15, 2023 Posted June 15, 2023 1 hour ago, MBSki said: Btw, what is Caddy? I like the sound of "completely automatically".
MBSki 1114 Posted June 16, 2023 Author Posted June 16, 2023 Well, I had this working yesterday, now nothing is working. I can't even hit my server with the cert disabled. Anyone have a clue how that would happen? It's been fine for years, now I try to setup a cert and nothing works. Seems strange. 1
MBSki 1114 Posted June 16, 2023 Author Posted June 16, 2023 So, it seems, that I coincidentally had a network port on my motherboard give up at the same time I was testing the new cert setup. WTH Is there any chance that the cert config somehow shut down my network port on my motherboard? I'm hesitant to test on another port and risk shutting that one down too. I'm biting my fingernails debating whether or not I should try again. Just seems really odd that my hardware would give up at the exact same time I was testing this out.
rbjtech 5284 Posted June 16, 2023 Posted June 16, 2023 5 minutes ago, MBSki said: So, it seems, that I coincidentally had a network port on my motherboard give up at the same time I was testing the new cert setup. WTH Is there any chance that the cert config somehow shut down my network port on my motherboard? I'm hesitant to test on another port and risk shutting that one down too. I'm biting my fingernails debating whether or not I should try again. Just seems really odd that my hardware would give up at the exact same time I was testing this out. Are you 100% sure it's the port ? If using a fixed local IP, have you checked there is not a duplicate IP somewhere on the network ? What is the error message ?
MBSki 1114 Posted June 16, 2023 Author Posted June 16, 2023 2 minutes ago, rbjtech said: Are you 100% sure it's the port ? If using a fixed local IP, have you checked there is not a duplicate IP somewhere on the network ? What is the error message ? 99.999999% certain. I couldn't even ping the port locally from command prompt and it's an IP that I've used for YEARS. I switched to the 2nd port on my motherboard, changed the 2nd port to the SAME IP address, and voila! It worked! So, I couldn't ping the PC, nor could I connect to the Emby Server even locally.
rbjtech 5284 Posted June 16, 2023 Posted June 16, 2023 2 minutes ago, MBSki said: 99.999999% certain. I couldn't even ping the port locally from command prompt and it's an IP that I've used for YEARS. I switched to the 2nd port on my motherboard, changed the 2nd port to the SAME IP address, and voila! It worked! So, I couldn't ping the PC, nor could I connect to the Emby Server even locally. Check the local ip stack (reset that port), check the firewall settings incl public/private etc - it's highly unlikely the actual hardware is the issue here.
MBSki 1114 Posted June 16, 2023 Author Posted June 16, 2023 1 minute ago, rbjtech said: Check the local ip stack (reset that port), check the firewall settings incl public/private etc - it's highly unlikely the actual hardware is the issue here. Yea, it feels strange to me that it would be hardware. Firewall settings haven't changed, so that can't be it. How do you reset the port? I already unplugged, but can't do a reboot since I'm in the middle of my media backup right now.