vincen
Posted March 31, 2024

Hi

Has anyone hosting Emby on a Linux server found a way to automatically renew the SSL certificate for Emby? My server running Emby also has webmin, which already renews the certificate automatically with Let's Encrypt every 2 months. I use this command line to renew the certificate file in the weirdo format needed for Emby:

    openssl pkcs12 -export -out /etc/webmin/certificate.pfx -inkey /etc/webmin/letsencrypt-key.pem -in /etc/webmin/letsencrypt-cert.pem -certfile /etc/webmin/letsencrypt-ca.pem

Unfortunately openssl asks each time for the certificate password to be typed in (I have set none, for ease), so I can't automate it in cron. I have looked at different documents about OpenSSL but none of them works. Is everyone on Linux renewing the certificate file manually, or has someone found an automated way to do it?

Thanks
Vincèn

Q-Droid
Posted March 31, 2024

The weirdo format is a standard used to store keys, certificates and other things and automation depends on what package you're using to get the certs from LE.

Openssl accepts a pass phrase as a command line argument.

    -password pass:'<password>'   <-- it's better to use single quotes if you have symbols and avoid quote characters in the pass phrase
    -password file:<pathname>
    -password env:<shell variable>

In your case if you really don't want a password then -password pass:'' (two single quotes) should work. It has variations depending on operation, like -passin and -passout but the above should work for you.

vincen (Author)
Posted June 22, 2024

On 3/31/2024 at 3:28 PM, Q-Droid said:
> The weirdo format is a standard used to store keys, certificates and other things and automation depends on what package you're using to get the certs from LE.
>
> Openssl accepts a pass phrase as a command line argument.
>
>     -password pass:'<password>'   <-- it's better to use single quotes if you have symbols and avoid quote characters in the pass phrase
>     -password file:<pathname>
>     -password env:<shell variable>
>
> In your case if you really don't want a password then -password pass:'' (two single quotes) should work. It has variations depending on operation, like -passin and -passout but the above should work for you.

Sorry for the late answer, but I didn't get time to spend on it earlier!

Unfortunately it's not working: these options are not listed in the openssl documentation or not supported in Debian, as it generates a fault each time. I have also tried to use:

    -passout ''

as it's listed in the pkcs12 chapter of openssl, but it's the same. Some of the commands I used:

    root@server:~# openssl pkcs12 -export -passout '' -out /etc/webmin/certificate.pfx -inkey /etc/webmin/letsencrypt-key.pem -in /etc/webmin/letsencrypt-cert.pem -certfile /etc/webmin/letsencrypt-ca.pem
    Invalid password argument, missing ':' within the first 5 chars
    Error getting passwords
    root@server:~# openssl -passout '' pkcs12 -export -out /etc/webmin/certificate.pfx -inkey /etc/webmin/letsencrypt-key.pem -in /etc/webmin/letsencrypt-cert.pem -certfile /etc/webmin/letsencrypt-ca.pem
    Invalid command '-passout'; type "help" for a list.

Lessaj
Posted June 22, 2024

I don't think you can specify passout that early in the command, you definitely can't put it before pkcs12. Try putting it at the end instead.

Q-Droid
Posted June 22, 2024 (edited June 22, 2024 by Q-Droid)

Check your syntax, it works fine for me:

    openssl pkcs12 -export -passout pass:'' -out pkcs12test.pfx -inkey <path to>/privkey.pem -in <path to>/fullchain.pem

From openssl man page:

Pass Phrase Options

Several commands accept password arguments, typically using -passin and -passout for input and output passwords respectively. These allow the password to be obtained from a variety of sources. Both of these options take a single argument whose format is described below. If no password argument is given and a password is required then the user is prompted to enter one: this will typically be read from the current terminal with echoing turned off.

Note that character encoding may be relevant, please see passphrase-encoding(7).

pass:password
    The actual password is password. Since the password is visible to utilities (like 'ps' under Unix) this form should only be used where security is not important.

env:var
    Obtain the password from the environment variable var. Since the environment of other processes is visible on certain platforms (e.g. ps under certain Unix OSes) this option should be used with caution.

file:pathname
    The first line of pathname is the password. If the same pathname argument is supplied to -passin and -passout arguments then the first line will be used for the input password and the next line for the output password. pathname need not refer to a regular file: it could for example refer to a device or named pipe.

fd:number
    Read the password from the file descriptor number. This can be used to send the data via a pipe for example.

stdin
    Read the password from standard input.

vincen (Author)
Posted July 10, 2024

On 6/22/2024 at 8:32 PM, Lessaj said:
> I don't think you can specify passout that early in the command, you definitely can't put it before pkcs12. Try putting it at the end instead.

Thanks, you were right @Lessaj, and thanks @Q-Droid, as I was not passing the empty argument in the proper way.
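
The non-interactive export worked out in this thread, written as a function that a cron job or renewal hook could call; this is an added example, not code posted by anyone in the thread. It uses the `file:` pass phrase source from the man page excerpt above so the pass phrase does not appear in the process list, and the pass phrase file path shown in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: build the PKCS#12 bundle without a prompt, e.g. from cron.
# usage: build_pfx KEY CERT CHAIN OUT PASSFILE
build_pfx() {
    key=$1; cert=$2; chain=$3; out=$4; passfile=$5

    # Refuse to run with a missing input rather than leave a partial bundle.
    for f in "$key" "$cert" "$chain" "$passfile"; do
        [ -r "$f" ] || { echo "build_pfx: cannot read $f" >&2; return 2; }
    done

    # The bundle contains the private key: write it owner-only, next to the
    # target so the final mv is an atomic rename on the same filesystem.
    tmp=$(umask 077; mktemp "$out.XXXXXX") || return 1

    # file: takes the pass phrase from the first line of PASSFILE, so it never
    # shows up in the process list the way pass: does. The second openssl call
    # re-opens the result with the same pass phrase before it goes live.
    if openssl pkcs12 -export -passout "file:$passfile" \
            -inkey "$key" -in "$cert" -certfile "$chain" -out "$tmp" &&
       openssl pkcs12 -in "$tmp" -passin "file:$passfile" -noout
    then
        mv -f "$tmp" "$out"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Input and output paths below are the ones from the thread; the pass phrase
# file (/root/.emby-pfx-pass) is a hypothetical location.
#   build_pfx /etc/webmin/letsencrypt-key.pem /etc/webmin/letsencrypt-cert.pem \
#             /etc/webmin/letsencrypt-ca.pem /etc/webmin/certificate.pfx \
#             /root/.emby-pfx-pass
if [ "$#" -eq 5 ]; then build_pfx "$@"; fi
```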