automatic SSL certificate renewal

[ALLSTAR1986 15]

Could you please add automatic SSL certificate renewal to Emby? I have an ASUSTOR NAS and now I've had to manually integrate the certificate again. I've heard that Plex, for example, automatically renews the certificate from the NAS system, and I would really like to see something similar for Emby.

[Luke 42077]

Hi, Plex uses their own certificates though so it's completely different.

How would Emby renew your SSL certificate when it did not create it to begin with?

[Neminem 1516]

So you want Emby to be your letsencrypt provider.

Setup a reverse proxy with Let's Encrypt that can handle it for you.

 

[kikinjo 281]

Dude use caddy server or anything, emby has nothing to do with ssl certificates

[ALLSTAR1986 15]

27 minutes ago, Luke said:

Hi, Plex uses their own certificates though so it's completely different.

How would Emby renew your SSL certificate when it did not create it to begin with?

I had always exported the Lets-Encrypted certificate from my Asustos NAS and then converted it to a pfx using openssl on Windows 11. Today I had to do this again, so I'm wondering if emby can retrieve the certificate from the Asustor NAS? Manually updating every 3 months is a bit annoying.

[ALLSTAR1986 15]

29 minutes ago, Neminem said:

So you want Emby to be your letsencrypt provider.

Setup a reverse proxy with Let's Encrypt that can handle it for you.

 

I haven't dealt with this yet and I don't know how to proceed. Do you have any instructions for me?

[ebr 16169]

1 hour ago, kikinjo said:

Dude use caddy server or anything, emby has nothing to do with ssl certificates

This is my suggestion.  It will take you maybe an hour to setup and you're done.

 

[ebr 16169]

Hi, there's already an open request for this or something functionally equivalent. Please join in and contribute to the existing discussion at:

 

[ALLSTAR1986 15]

1 hour ago, ebr said:

Hi, there's already an open request for this or something functionally equivalent. Please join in and contribute to the existing discussion at

 

So your link to a thread that's over 10 years old—apparently you haven't managed to implement such a feature in those 10 years, which I find really unfortunate. I have to admit, there's a lot going on with the emby fork right now, and it's completely free. I paid money for Premiere, and many features are outdated or non-existent. Suggestions and requests are usually not fulfilled or only years later, e.g., the ffmpeg update that finally displays HDR10+ at the bottom of the metadata, or HDR10+ overlay doesn't work either. Even better, 2FA for Emby admins. With my Asustor standard on Emby, you'll search in vain for something like that...

[ebr 16169]

17 hours ago, ALLSTAR1986 said:

So your link to a thread that's over 10 years old—apparently you haven't managed to implement such a feature in those 10 years

Because it wasn't necessary.  There are better available alternatives so we can stay in our lane of media.

[ALLSTAR1986 15]

@ebr

What are the best alternatives for:

SSL certificates?

2FA?

The many other feature requests?

 

[Neminem 1516]

If you can't setup a reverse proxy like Caddy or NPM.

How are you going to use 2FA?

Edited January 20 by Neminem

[brothom 177]

@ALLSTAR1986due to certbot being deprecated the next best thing for Windows (11) is win-acme which works even easier in my case.

All I had to do using win-acme is configure the certificate once manually (don't forget to allow it through Firewall and to actually store the pfx)

Then using scheduled task you can create a Powershell script to stop Emby, renew the certificates (it will check itself so this can run daily) and start Emby again.

net stop EmbyServer
C:\win-acme\wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"
net start EmbyServer

Before I used ZeroSLL but that was a pain and required new DNS-records every so often. This method is way cleaner imo.

Not trying to be an ad, but I was pretty suprised with how well it worked within Windows 11 https://www.win-acme.com/.

Edited January 20 by brothom

[ALLSTAR1986 15]

@brothomIf I understand correctly, I still have to export the certificate I have on my Asustor NAS, convert it with win-acme, and then integrate it with the Powershell script? Emby runs on my Asustor NAS. How can I transfer it from my Windows 11 PC to my NAS using the tool?

[brothom 177]

Just now, ALLSTAR1986 said:

@brothomIf I understand correctly, I still have to export the certificate I have on my Asustor NAS, convert it with win-acme, and then integrate it with the Powershell script? Emby runs on my Asustor NAS. How can I transfer it from my Windows 11 PC to my NAS using the tool?

No nothing like that.

Running win-acme you can do two things: create a new certificate (which settings are also stored) and refresh an existing certificated (created with win-acme): 

First you'll create have to create a new certificate using full options so you can indicate it being exported as a .pfx file (which Emby needs).

Then you can set Emby to use that .pfx file (and optionally the secret password you provided when creating) and you're all done.

Again though, be aware that you'll have to allow the win-acme.exe through Windows Defender, otherwise your handshake will fail.

[WBoweIII 7]

I have an $8/year domain name registered at namecheap.com and I use https://certifytheweb.com/ on windows to automatically get a new cert from LetsEncrypt, export it in the right format to the correct directory, and restart the emby server at 4am after the cert updates. Been working flawlessly for months. Certifytheweb has a nice GUI and supports most DNS providers so configuring the letsencrypt part is simple.