JuJuJurassic
Posted March 15, 2024 (edited)

I've implemented SSL on Emby. My server runs Ubuntu, but it should be similar for Windows, and I've automated the generation of the PFX file. I must hasten to add that I had a lot of help from the Let's Encrypt community, MikeMcQ in particular, but here's how to do it.

Use the snap install; you have more options, which, as you'll see, is important. Watch out for typos: I typed a - instead of a _. Once it was pointed out, it all worked perfectly.

You can cheat, which is what I did: I installed certbot using the script from the post "SSL made Easy", which got me working with SSL. I then removed the installed certbot and installed the snap version, as that has the "post_hook" option we need. See here: https://certbot.eff.org/instructions?ws=other&os=ubuntufocal

The problem is certbot will auto-renew, but it won't create the .PFX file; you need it to do that afterwards for Emby. The command in Ubuntu to do this is

    openssl pkcs12 -export -out pkcs12.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passin pass:******* -passout pass:******

Check the file names; mine are the default for Ubuntu. I don't know what they are for Windows.

This generates the pkcs12.pfx file, but Emby can't see it in Ubuntu, so you need to change the owner using

    chown emby:root pkcs12.pfx

I created a script file, remember to flag it as executable, called convert-to-pfs.sh. It is literally just this:

    #!/bin/sh
    cd "$(dirname "$0")"   # run from the directory that holds privkey.pem, cert.pem and chain.pem
    openssl pkcs12 -export -out pkcs12.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passin pass:***** -passout pass:*****
    chown emby:root pkcs12.pfx

I put it in /etc/letsencrypt/live/Yourdomain. I should move it, it's not good practice, but I didn't want any path problems.

Once certbot is installed, it creates a conf file in /etc/letsencrypt/live/Yourdomain, called yourdomain.conf. In the renewals section it will say something like

    # Options used in the renewal process
    [renewalparams]
    account = *********
    authenticator = standalone
    server = https://acme-v02.api.letsencrypt.org/directory

You need to add the line

    post_hook = /etc/letsencrypt/live/your domain/convert-to-pfs.sh

You can do this with the reconfigure command, but you can cut and paste from this post. Remember to change the path. That will then call the conversion AFTER the certificate has been renewed. Hey presto, you have the PFX file updated.

To test, use

    certbot renew --dry-run --run-deploy-hooks

This will not renew the certificates, but will call the script. Just make sure you've renamed the original PFX file so you can see the date and time change. If you get "certbot: error: unrecognized arguments: --run-deploy-hooks", you're not using the snap version of certbot.

Apart from that, that's it. Have fun.

juju

Edited March 15, 2024 by JuJuJurassic
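The procedure above, written as a certbot deploy hook rather than a post_hook, as an added example that is not code from JuJuJurassic's post or from Emby. It relies on two things the post does not mention: certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ once per successfully renewed certificate, with RENEWED_LINEAGE set to that certificate's live directory, so nothing has to be edited by hand in the renewal configuration (which in a stock install lives in /etc/letsencrypt/renewal/<domain>.conf); and OpenSSL accepts `-passout file:PATH`, so the export password can live in a root-only file instead of inside the script, where it would also show up in the process list. The Emby service account (emby), the keystore location (/var/lib/emby/ssl/emby.pfx) and the password file path are assumptions, not from the thread; the lineage the last function creates is a constructed stand-in (throw-away self-signed certificates) for privkey.pem, cert.pem and chain.pem, only there so the script can be dry-run on a machine without certbot.

```shell
#!/bin/sh
# Added example (not code from the forum post or from Emby): certbot deploy hook
# that rebuilds Emby's PKCS#12 keystore after every successful renewal.
# Assumed, not from the thread: Emby runs as user "emby", the keystore lives in
# /var/lib/emby/ssl/emby.pfx, and the export password is kept in a root-only
# file so it never appears in the script or in the process list.
set -eu

EMBY_USER="${EMBY_USER:-emby}"
EMBY_PFX="${EMBY_PFX:-/var/lib/emby/ssl/emby.pfx}"
PFX_PASS_FILE="${PFX_PASS_FILE:-/etc/letsencrypt/emby-pfx.pass}"

# build_pfx LIVE_DIR OUT_PFX PASS_FILE
# Bundles privkey.pem + cert.pem + chain.pem from LIVE_DIR into OUT_PFX.
# The file is written under a temporary name (mode 0600 from mktemp) and renamed
# into place, so Emby never opens a half-written keystore.
build_pfx() {
  local live="$1" out="$2" passfile="$3" tmp
  tmp="$(mktemp "${out}.XXXXXX")"
  openssl pkcs12 -export \
    -inkey "$live/privkey.pem" \
    -in "$live/cert.pem" \
    -certfile "$live/chain.pem" \
    -name emby \
    -passout "file:$passfile" \
    -out "$tmp"
  mv -f "$tmp" "$out"
}

# verify_pfx PFX PASS_FILE
# Succeeds only if the keystore opens with the password and holds exactly one
# private key; a wrong password or an empty file fails here, before deployment.
verify_pfx() {
  local pfx="$1" passfile="$2" keys
  keys="$(openssl pkcs12 -in "$pfx" -passin "file:$passfile" -nodes -nocerts 2>/dev/null \
          | grep -c 'BEGIN PRIVATE KEY' || true)"
  [ "$keys" -eq 1 ]
}

# deploy_emby_pfx LIVE_DIR OUT_PFX PASS_FILE OWNER
# Build, verify, then hand the file to the Emby service account (owner:root as in
# the post, mode 0600) so only that account and root can read the private key.
deploy_emby_pfx() {
  local live="$1" out="$2" passfile="$3" owner="$4"
  build_pfx "$live" "$out" "$passfile"
  verify_pfx "$out" "$passfile"
  chown "$owner:root" "$out"
  chmod 0600 "$out"
}

# make_constructed_lineage DIR
# Constructed stand-in for a Let's Encrypt live directory: throw-away self-signed
# certificates with the certbot file names. For dry runs of this script only.
make_constructed_lineage() {
  local dir="$1"
  mkdir -p "$dir"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/privkey.pem"
  openssl req -x509 -new -key "$dir/privkey.pem" -subj "/CN=emby.example.test" -days 1 -out "$dir/cert.pem" 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/issuer.key"
  openssl req -x509 -new -key "$dir/issuer.key" -subj "/CN=Constructed Issuer" -days 1 -out "$dir/chain.pem" 2>/dev/null
}

# certbot exports RENEWED_LINEAGE (the renewed certificate's live directory) to
# deploy hooks; when it is absent the script is being sourced or tested by hand.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_emby_pfx "$RENEWED_LINEAGE" "$EMBY_PFX" "$PFX_PASS_FILE" "$EMBY_USER"
fi
```

Install it as /etc/letsencrypt/renewal-hooks/deploy/emby-pfx.sh (mode 0755), create the password file with `(umask 077; openssl rand -base64 24 > /etc/letsencrypt/emby-pfx.pass)`, paste the same value into Emby's certificate password field, and exercise the hook with `certbot renew --dry-run --run-deploy-hooks` as the post describes. If Emby does not pick up the replaced file on its own, restart it the way toooo's script later in this thread does.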
njiska
Posted February 10, 2025

On 15/03/2024 at 15:24, JuJuJurassic said:
[quotes the post above in full]

This looks super helpful. I've been struggling to find a solution to automate this and have been putting off scripting my own. Given the ease and popularity of Let's Encrypt, I wish this were just natively supported or at least available as an add-on.
toooo
Posted August 23, 2025

I am suddenly having a problem getting my certificate to work. Everything was working fine, then the cert got automatically renewed (certbot) and the PFX version causes Emby to show up as "Not Secured" in a browser. All my other services use the same source key/cert/chain files and show as "secure" just fine. In Microsoft Edge and Brave I get "net::ERR_CERT_AUTHORITY_INVALID".

I have tried creating the PFX certificate with different options: with and without password, blank password, etc. I have not found a combination that secures my HTTPS and does not trigger a browser problem.

Using the command below, my server is accessible, but always shows as "Not Secured" in a browser:

    openssl pkcs12 -export -out /path_to_dir/{mydomain}.pfx \
      -inkey /etc/letsencrypt/live/{mydomain}/privkey.pem \
      -in /etc/letsencrypt/live/{mydomain}/cert.pem \
      -certfile /etc/letsencrypt/live/{mydomain}/chain.pem \
      -name {mydomain} -passout pass:whatever

Other versions I have tried:
- with "-nodes", the Emby page just sits showing the logo and never loads anything else
- with "-nocerts", the page does not load at all (does not seem to make any connection)
- with "-passout pass: -nokeys", the page does not load
- passed fullchain.pem to "-in"
- passed fullchain.pem to "-certfile"

OpenSSL version: 3.0.17 1 Jul 2025

Does anyone have tips or ideas to troubleshoot this?
Q-Droid
Posted August 23, 2025

Restart your Emby server and attach the new server log. It could be something as simple as file ownership or permissions on the keystore.
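An added check for the exchange above (not code from toooo, Q-Droid or Emby). A browser reports ERR_CERT_AUTHORITY_INVALID when the chain it is handed does not lead to a root it trusts, and for a PKCS#12 keystore the chain is exactly the set of CA certificates that `-certfile chain.pem` bundled in. The function below opens the keystore with its password, reads the leaf's issuer name and checks that some bundled CA certificate carries that name as its subject, which a keystore built from a current chain.pem has and one built without -certfile, or from a stale chain.pem, lacks. That separates "the file is wrong" from "Emby is not serving the file", which is where Q-Droid's log and permissions suggestion applies. The lineage helper issues a throw-away leaf from a throw-away CA purely to exercise the check; its file names mirror certbot's live directory and everything else is an assumption.

```shell
#!/bin/sh
# Added example, not from the forum thread: verify that a PKCS#12 keystore built
# for Emby contains both the leaf certificate and the CA certificate that issued
# it. A keystore that opens fine with openssl but lacks its chain still yields
# ERR_CERT_AUTHORITY_INVALID in browsers, so this is the first thing to check.
set -eu

# pfx_chain_check PFX PASS_FILE
# Returns 0 when the leaf's issuer name equals the subject of one of the CA
# certificates bundled in the keystore; explains the mismatch on stderr otherwise.
pfx_chain_check() {
  local pfx="$1" passfile="$2" work issuer subject f found
  work="$(mktemp -d)"
  # -clcerts: the end-entity certificate only; -cacerts: everything -certfile added.
  openssl pkcs12 -in "$pfx" -passin "file:$passfile" -nokeys -clcerts 2>/dev/null > "$work/leaf.pem"
  openssl pkcs12 -in "$pfx" -passin "file:$passfile" -nokeys -cacerts 2>/dev/null \
    | awk -v d="$work" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/ca" n ".pem")}'
  # RFC2253 formatting on both sides so the names compare byte for byte.
  issuer="$(openssl x509 -in "$work/leaf.pem" -noout -issuer -nameopt RFC2253)"
  issuer="${issuer#issuer=}"
  found=1
  for f in "$work"/ca*.pem; do
    [ -e "$f" ] || break   # glob did not match: no CA certificates in the keystore
    subject="$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253)"
    [ "${subject#subject=}" = "$issuer" ] && found=0
  done
  if [ "$found" -ne 0 ]; then
    echo "leaf issued by '$issuer' but no bundled CA certificate has that subject (chain.pem missing or stale)" >&2
  fi
  rm -rf "$work"
  return "$found"
}

# make_constructed_lineage DIR
# Constructed input: a throw-away CA that issues a throw-away leaf, laid out like
# certbot's live directory (privkey.pem, cert.pem, chain.pem). Test use only.
make_constructed_lineage() {
  local dir="$1"
  mkdir -p "$dir"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
  openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=Constructed Intermediate" -days 1 -out "$dir/chain.pem" 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/privkey.pem"
  openssl req -new -key "$dir/privkey.pem" -subj "/CN=emby.example.test" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/chain.pem" -CAkey "$dir/ca.key" -CAcreateserial -days 1 -out "$dir/cert.pem" 2>/dev/null
}

# Usage: sh pfx-chain-check.sh KEYSTORE.pfx PASSWORD_FILE
if [ "$#" -eq 2 ]; then
  pfx_chain_check "$1" "$2" && echo "chain OK: $1"
fi
```

To compare the file with what clients actually receive, `openssl s_client -connect HOST:PORT -servername HOST -showcerts </dev/null` prints the chain the server sends; if the keystore passes this check but s_client shows only a leaf, or the old certificate, the conversion is not the place to look and the path, password and permissions Emby uses to load the file are.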
overclockerq955
Posted November 4, 2025

On 3/15/2024 at 8:24 PM, JuJuJurassic said:
[quotes the post above in full]

Thanks for the help! Here's my version, which I used for my Synology NAS (limited access, tools and rights compared to Ubuntu); maybe it'll help someone. First of all, I have the server (Synology NAS) on my own domain, with a self-signed Let's Encrypt cert.

    sudo su
    cd /volumeX/#RandomUserFolder#/synocert/
    touch cert_renewal.sh
    vim cert_renewal.sh

(i to edit, then paste the content below, Esc to finish editing, :w! to save and :q to close)

Content of the file:

    #!/bin/sh
    # Copy DSM's current default certificate, repackage it for Emby and restart the package.
    # set -e stops at the first failing step, as the original && chain did.
    set -e
    cert_dir="/usr/syno/etc/certificate/_archive/$(cat /usr/syno/etc/certificate/_archive/DEFAULT)"
    out_dir="/volumeX/#RandomUserFolder#/synocert"
    cd "$out_dir"
    cp "$cert_dir/privkey.pem" "$cert_dir/cert.pem" "$cert_dir/chain.pem" "$out_dir"
    echo "File copy was successful!"
    openssl pkcs12 -export -out pkcs12.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:12345
    echo "Successful Emby certificate change!"
    synopkg restart EmbyServer
    echo "Embyserver restarted!"

On the web GUI, go to Control Center --> Task Scheduler --> Create --> User: root. On the Schedule tab, I set a monthly run. On the Task Settings tab, I selected "Send run details by email" (then you'll have info about whether the renewal was successful or not). And the user-defined script:

    bash /volumeX/#RandomUserFolder#/synocert/cert_renewal.sh

On the Emby web GUI, make sure that in the network settings the cert option points to the right location (e.g. /volumeX/#RandomUserFolder#/synocert/pkcs12.pfx), and also type the export password of the cert from the script above.
toooo
Posted November 22, 2025 (edited)

Sorry for the huge delay, I lost access to my account for a while. Currently, my certificate appears fully functional. For posterity, my setup is detailed below.

----- Certificate renewal and conversion

I use Let's Encrypt and a DDNS service. To update the Emby certificate with LE, I have a script in "/etc/letsencrypt/renewal-hooks/deploy/deployhook.sh". After converting the cert, I "chown & chmod" for the "user:group" that the Emby service runs under (I use systemd to run "emby-server.service").

    #!/bin/bash
    logpath=/var/log/certbot-renew.log
    echo "$(date) renewing certs DEPLOY-HOOK" >> "$logpath"

    # location of active/latest LE certificates
    le_dir="/etc/letsencrypt/live"
    # your dns name associated with your WAN/external IP address
    dns_name="YOURDOMAIN"
    # where to put your .pfx cert
    emby_dir="YOURembyFOLDER"

    ### stop running emby server
    echo "$(date) stopping emby-server" >> "$logpath"
    systemctl stop emby-server >> "$logpath"

    ### handle Emby cert
    # backup existing
    echo "$(date) mkdir -p $emby_dir/bak" >> "$logpath"
    mkdir -p "$emby_dir/bak"
    # put in your emby-server "user:group"
    chown -R user:group "$emby_dir/bak"
    echo "$(date) mv emby/*.pfx $emby_dir/bak/" >> "$logpath"
    mv "$emby_dir"/*.pfx "$emby_dir/bak/"

    # convert certificate to Emby compatible format.
    # replace "certpass" with the password that you will put into the Emby network configuration
    echo "$(date) openssl convert to pkcs12" >> "$logpath"
    openssl pkcs12 -export -out "$emby_dir/$dns_name.pfx" \
      -inkey "$le_dir/$dns_name/privkey.pem" \
      -in "$le_dir/$dns_name/cert.pem" \
      -certfile "$le_dir/$dns_name/chain.pem" \
      -passout pass:certpass

    # put in your emby-server "user:group"
    echo "$(date) chown user:group" >> "$logpath"
    chown user:group "$emby_dir/$dns_name.pfx"
    # o=r leaves the .pfx, private key included, readable by every local account
    chmod u=rwx,g+rwx,o=r "$emby_dir/$dns_name.pfx"

    # restart Emby service
    echo "$(date) emby-server restarting" >> "$logpath"
    systemctl restart emby-server >> "$logpath"

----- Emby settings .......

The public HTTPS port is what I use from Emby apps (TV, mobile, etc.). The certificate password is set inside the deployhook script. !!WARNING!!: this is a potential security risk if not set up appropriately. My unsecured port is not forwarded externally (at the router/modem, etc.).

----- DNS (so that my domain works on the local network using "domain.com:port" from Emby apps)

I run Pi-hole for ad-blocking and such. I set a local DNS entry for my own domain name --> my server LAN IP address. This way, my devices connect to my Emby instance directly over LAN when on my local network, instead of going out over the internet and back.

I think that's all. Hope this helps someone.

Edited November 22, 2025 by toooo (housekeeping)