Jägs 85
Posted February 24, 2025

Greetings, all:

I've migrated off my ASUSTOR NAS to a UGREEN NAS (DXP8800 Plus) so I thought I'd share how I set up SSL for Emby using Let's Encrypt. I'm posting here because UGREEN does not have its own subthread in the Emby Community, but mods, feel free to move this where you see fit.

DISCLAIMER: I tried my best to document this based on what worked for me, but YMMV.

NOTE: UGOS does now also use ZeroSSL for certs but I wasn't sure how to leverage this with Emby.

ASSUMPTIONS:
- you have a domain hosted somewhere (I've used Dreamhost for nearly twenty years, now, and they are swell)
- you have SSH/sudo access to your DXP
- you are comfortable on the command line, as there's no native Let's Encrypt support in UGOS (yet)

STEPS:

1. SSH into your DXP.

2. Install certbot:

       sudo apt-get install certbot

3. Once installed, run certbot to get just the cert:

       sudo certbot certonly --manual --preferred-challenges dns -d yoursubdomain.yourdomain.com

   NOTE: if you are using a subdomain, just exclude the "yoursubdomain." part.

4. You are going to be asked by certbot to create a TXT record for your domain. How you do so will be dependent on your host. Here are Dreamhost's for a reference: https://help.dreamhost.com/hc/en-us/articles/360035516812-Adding-custom-DNS-records#toc-heading10

   IMPORTANT: the host name will be different than your actual host name (mine was prefaced with "_acme-challenge"; ignore the period after your host name). Copy the text string into the TXT value.

5. WAIT. KEEP WAITING. WAIT SOME MORE. SERIOUSLY, WAIT EVEN MORE. That TXT record needs to propagate throughout the world. I tried to proceed after five minutes and it was not enough, so I had to start the whole process again. I ultimately waited an hour and it went through.

6. Once you've downloaded the cert, you need to generate a PFX file for Emby. To do so, run this command:

       openssl pkcs12 -export -out /path/to/yourdomain.pfx -inkey /etc/letsencrypt/live/yoursubdomain.yourdomain.com/privkey.pem -in /etc/letsencrypt/live/yoursubdomain.yourdomain.com/fullchain.pem -password pass:yourpassword

   The "/path/to/yourdomain.pfx" should be in a place that Emby can access the file. You will also need to change ownership on it so Emby can read it (e.g., chown emby:emby domain.pfx). We'll come back to this in a minute.

   You need to point "/etc/letsencrypt/yoursubdomain.yourdomain.com" to the correct paths (the "/etc/letsencrypt/" part should be the same for everyone). NOTE: if you are using a subdomain, just exclude the "yoursubdomain." part.

   Finally, change "yourpassword" to whatever you want. You'll need this later in the instructions when setting up SSL in Emby.

   So, this will only generate the PFX file once, and you'll need to renew the cert from time to time, so the next step is to add an entry to the cron to schedule this to run.

7. First, let's create a script to run so you can more easily edit it if/when needed:

       sudo nano renewCert.sh

   -= OR, if you are like me and prefer to edit in VIM =-

       sudo vi renewCert.sh

   NOTE: I created this in the "/etc/letsencrypt" folder, just to keep everything cert related in the same spot.

8. Paste the following into whichever editor you are using:

       #!/bin/bash
       certbot renew --manual --preferred-challenges dns --post-hook "openssl pkcs12 -export -out /path/to/yourdomain.pfx -inkey /etc/letsencrypt/live/yoursubdomain.yourdomain.com/privkey.pem -in /etc/letsencrypt/live/yoursubdomain.yourdomain.com/fullchain.pem -password pass:yourpassword"

   NOTE: all the same comments in step 6 apply here, too (e.g., changing the appropriate paths, changing "yourpassword," etc.). Save the file.

9. Now, make the file executable:

       sudo chmod +x renewCert.sh

10. Now, let's add it to cron:

        sudo crontab -e

    NOTE: if you have not previously edited the cron before, you will be asked which editor you want to use; choose the same one from step 7.

11. Paste the following into the cron and save it:

        0 0 * * * /path/to/renewCert.sh

    NOTE: This will run the script each day at midnight. You can adjust this accordingly.

12. Finally, let's set up Emby to work with the PFX. I'm not going to go through each of the network settings, here, but just the ones relevant to this guide. You can tweak this as you desire.
    - Open your Emby server dashboard and click on Network.
    - In the "External domain" box, enter whatever you used in steps 6 and 8 for "yoursubdomain.yourdomain.com".
    - Under "Custom SSL path," enter the path you used in steps 6 and 8 above (/path/to/yourdomain.pfx).
    - Under "Certificate password," enter whatever you changed "yourpassword" to in steps 6 and 8 above.
    - Save.
    - Reboot Emby server.

If all goes well, you should now be able to access your Emby instance via https. If anyone else has more experience with this and sees any problems with these instructions, please let me know and I'll update accordingly.

Hope you find this useful!
Q-Droid 989
Posted February 24, 2025

A couple of things to consider.

1. --force-renewal will try to renew the cert every time the command runs, in this case nightly. What you want to use instead is a keep option so that it checks but doesn't renew until it's due for replacement. I believe the default is 30 days before expiration. (--keep-until-expiring, --keep)

2. The DNS challenge generates a new TXT string each time it runs and you can't just automate without including options or hooks to handle this. Certbot does have plugins for some but not all of the DNS providers. If your provider is not in the list of plugins you can write a custom hook or use a different challenge method.
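The PFX export step from the guide above, reworked as a certbot deploy hook along the lines Q-Droid describes: it runs only when a cert was actually renewed, keeps the password off the command line, verifies the new bundle before replacing the old one, and can check how long the current PFX is still valid. This is an added example, not the poster's script; export_pfx, pfx_valid_for_days, PFX_OUT and PFX_PASSWORD are hypothetical names, and it assumes openssl is on the PATH (RENEWED_LINEAGE is set by certbot itself for deploy hooks).

```shell
#!/bin/bash
# Added example (not from the original post). Builds the Emby PFX from a certbot
# lineage with verification, restrictive permissions and an atomic replace.
# Hypothetical names: export_pfx, pfx_valid_for_days, PFX_OUT, PFX_PASSWORD.
set -eu

# export_pfx LIVE_DIR OUT_PFX PASSWORD
export_pfx() {
  local live_dir="$1" out="$2" pass="$3" tmp="$2.tmp.$$"
  [ -r "$live_dir/privkey.pem" ] && [ -r "$live_dir/fullchain.pem" ] || {
    echo "export_pfx: no privkey.pem/fullchain.pem in $live_dir" >&2; return 1; }
  # Password via the environment rather than "pass:..." on the command line,
  # so it does not show up in ps output or shell history.
  PFX_PASS="$pass" openssl pkcs12 -export -inkey "$live_dir/privkey.pem" \
    -in "$live_dir/fullchain.pem" -passout env:PFX_PASS -out "$tmp"
  chmod 0640 "$tmp"   # private key inside: owner rw, group r, nothing for others
  # Refuse to replace the live PFX unless the new one opens cleanly with the password.
  PFX_PASS="$pass" openssl pkcs12 -in "$tmp" -passin env:PFX_PASS -noout 2>/dev/null || {
    rm -f "$tmp"; echo "export_pfx: verification of new PFX failed" >&2; return 1; }
  # Hand it to the Emby service account when one exists (the post's chown step).
  if id emby >/dev/null 2>&1; then chown emby:emby "$tmp"; fi
  mv -f "$tmp" "$out"   # atomic rename: Emby never sees a half-written file
}

# pfx_valid_for_days PFX PASSWORD DAYS
# Succeeds if the leaf certificate inside the PFX is valid for at least DAYS more.
pfx_valid_for_days() {
  local pfx="$1" pass="$2" days="$3"
  PFX_PASS="$pass" openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -checkend "$(( days * 86400 ))"
}

# Deploy-hook entry point. certbot sets RENEWED_LINEAGE only for a certificate it
# actually renewed, so with the default keep-until-expiring behaviour the PFX is
# rebuilt on real renewals only:
#   certbot renew --deploy-hook /etc/letsencrypt/renewCert.sh
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  export_pfx "$RENEWED_LINEAGE" "${PFX_OUT:-/path/to/yourdomain.pfx}" "${PFX_PASSWORD:-yourpassword}"
fi
```

Run from cron the same way as the guide's script; pfx_valid_for_days can also be called by hand (e.g. with 30) to confirm the PFX Emby is serving is not about to expire.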
Jägs 85 (Author)
Posted February 24, 2025

2 hours ago, Q-Droid said:

    1. --force-renewal will try to renew the cert every time the command runs, in this case nightly. What you want to use instead is a keep option so that it checks but doesn't renew until it's due for replacement. I believe the default is 30 days before expiration. (--keep-until-expiring, --keep)

Crud, yeah, I had put that in when troubleshooting and didn't take it out. I've updated the docs.

2 hours ago, Q-Droid said:

    2. The DNS challenge generates a new TXT string each time it runs and you can't just automate without including options or hooks to handle this. Certbot does have plugins for some but not all of the DNS providers. If your provider is not in the list of plugins you can write a custom hook or use a different challenge method.

Yeah, that's the exact thing I ran into, thus the whole "WAIT" bit, as I had to change my TXT string when I restarted the process. It's good to know that there are plugins for at least some providers.
Jägs 85 (Author)
Posted February 24, 2025

Ugh, it looks like I can no longer edit the original post. Mods, can you remove the "--force-renewal" bit from step 8? @Abobader
Abobader 3464
Posted February 25, 2025

On 24/02/2025 at 18:15, Jägs said:

    Ugh, it looks like I can no longer edit the original post. Mods, can you remove the "--force-renewal" bit from step 8? @Abobader

Done.