Posted

Hi,

I want to use SSL certificates from startssl.com.

Their certificates need the installation of additional root certificates to keep the SSL chain closed.

Is this supported by Emby? Simply put all certificates into a folder and configure Emby to use this folder?

-- Tolotos

 

Posted

I don't use my certs with Emby directly, but you should be able to combine the certificate and the rest of the trust chain into one PFX file with OpenSSL, then you can use that with Emby.

 

Also make sure your certificate was issued before Oct. 21. WoSign/StartCom/StartSSL have had their trust revoked by Mozilla due to security and transparency issues, so if it was issued in the last week it won't work in Firefox. It remains to be seen if other browsers/OSes will follow suit. More info.

Posted (edited)

Thank you. I currently have no certificate - so I won't get one from StartSSL after your message  B)

I ordered one from my domain provider now and pay the ~2€ per month to be on the safe side.

 

Edit: 

I now got 3 files from my provider:

- 2 *.pem (the chain files)

- 1 *.crt (the certificate)

 

Can you tell me how I can create the PFX file?

Google doesn't give me the answers I need - maybe I use the wrong search words.

Edited by Tolotos
Posted

I got a pfx file by putting all 3 files into one file and executing "openssl pkcs12 -export -in <combined-file> -inkey <key-file> -out <pfx-file>"

 

After setting up Emby to use this <pfx-file> and a server restart I get

 

2016-10-31 21:31:05.1293 Info HttpServer: attempting to load pfx: <pfx-file>
2016-10-31 21:31:05.1485 Error HttpServer: Exception loading certificate: <pfx-file>
        *** Error Report ***
        Version: 3.0.8400.0
        Command line: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe -programdata /var/lib/emby-server -restartpath /usr/lib/emby-server/restart.sh
        Operating system: Unix 4.4.0.45
        Processor count: 12
        64-Bit OS: True
        64-Bit Process: True
        Program data path: /var/lib/emby-server
        Mono: 4.6.1 (Stable 4.6.1.5/ef43c15 Fri Oct 28 20:30:39 UTC 2016)
        Application Path: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe
        Input data cannot be coded as a valid certificate.
        System.Security.Cryptography.CryptographicException
          at Mono.Security.X509.X509Certificate.Parse (System.Byte[] data) [0x0035e] in <e220be0b0a364427860ee43376ab6f2b>:0
          at Mono.Security.X509.X509Certificate..ctor (System.Byte[] data) [0x0003e] in <e220be0b0a364427860ee43376ab6f2b>:0
          at System.Security.Cryptography.X509Certificates.X509Certificate2ImplMono.Import (System.Byte[] rawData, System.String password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) [0x00050] in <59be416de143456b88b9988284f43350>:0
          at System.Security.Cryptography.X509Certificates.X509Helper2.Import (System.Byte[] rawData, System.String password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) [0x00023] in <59be416de143456b88b9988284f43350>:0
          at System.Security.Cryptography.X509Certificates.X509Certificate2.Import (System.Byte[] rawData, System.String password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) [0x00000] in <59be416de143456b88b9988284f43350>:0
          at System.Security.Cryptography.X509Certificates.X509Certificate2.Import (System.String fileName, System.String password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) [0x00007] in <59be416de143456b88b9988284f43350>:0
          at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor (System.String fileName) [0x00011] in <59be416de143456b88b9988284f43350>:0
          at SocketHttpListener.Net.HttpListener.LoadCertificateAndKey (System.String certificateLocation) [0x0003e] in <33c4fa8b218e4df9a8fbe6eca87be836>:0
        InnerException: System.Security.Cryptography.CryptographicException
        Input data cannot be coded as a valid certificate.
          at Mono.Security.X509.X509Certificate.Parse (System.Byte[] data) [0x00041] in <e220be0b0a364427860ee43376ab6f2b>:0
Posted

~2€/mo isn't bad. Sometime it may be worth checking out Let's Encrypt, too. It's a little different and takes more setup, but the certificates are free.

 

To combine all those files into one PFX, what you need to do is first combine the 2 .pem files. You can just open them in a text editor and paste them into a new file named fullchain.pem, starting with the intermediate CA, followed by the root CA. Then, you'll use this command to export to .PFX:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile fullchain.pem
Posted

 

I got a pfx file by putting all 3 files into one file and executing "openssl pkcs12 -export -in <combined-file> -inkey <key-file> -out <pfx-file>"

 

After setting up Emby to use this <pfx-file> and a server restart I get

...

 

 

Hmm, a combined input file should work, but maybe try specifying the chain separately using -certfile, like in my example. Also try some of the checks on this page to make sure you're getting a valid result.

Posted

Also, be sure you aren't setting a password on the file when you export to PFX.
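
The advice from the replies above (chain passed via -certfile, no export password, then checks on the result), as an added example that is not part of the original posts. It builds a constructed three-level test PKI so it runs offline; the helper names make_test_pki, build_pfx and check_pfx and the *.example.test names are assumptions.

```shell
#!/bin/sh
# Added example; the PKI below is constructed test data, file names follow the thread.
make_test_pki() {   # $1 = work dir; builds root CA -> intermediate CA -> server cert
    d=$1; printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=emby.example.test" \
        -keyout "$d/privateKey.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/certificate.crt" 2>/dev/null
}

build_pfx() {       # $1 = work dir, $2 = export password (default: empty)
    d=$1
    cat "$d/int.pem" "$d/root.pem" > "$d/fullchain.pem"   # intermediate, then root
    openssl pkcs12 -export -out "$d/certificate.pfx" -inkey "$d/privateKey.key" \
        -in "$d/certificate.crt" -certfile "$d/fullchain.pem" -passout "pass:$2"
}

check_pfx() {       # $1 = work dir; returns non-zero at the first failed check
    d=$1
    # 1. The private key belongs to the certificate (identical public keys).
    [ "$(openssl x509 -in "$d/certificate.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$d/privateKey.key" -pubout)" ] ||
        { echo "key does not match certificate" >&2; return 1; }
    # 2. The chain closes: server cert -> intermediate -> root.
    openssl verify -CAfile "$d/root.pem" -untrusted "$d/int.pem" \
        "$d/certificate.crt" >/dev/null 2>&1 ||
        { echo "chain does not verify" >&2; return 1; }
    # 3. The PFX opens with an EMPTY password (the trace in the thread shows the
    #    file being loaded by name only) and holds the server cert + 2 chain certs.
    n=$(openssl pkcs12 -in "$d/certificate.pfx" -passin pass: -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE')
    [ "$n" -eq 3 ] || { echo "PFX unreadable or incomplete ($n certs)" >&2; return 1; }
}

# Demo run in a throwaway directory.
work=$(mktemp -d) && make_test_pki "$work" && build_pfx "$work" &&
    check_pfx "$work" && echo "PFX OK: $work/certificate.pfx"
```

With real files, skip make_test_pki and point check_pfx at a directory holding your own certificate.crt, privateKey.key and the provider's two chain files saved as int.pem and root.pem.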

Posted

Glad you got it working! I still owe you for the TVHeadend plugin.
