meatchunks 2 Posted September 28, 2017
So far my attempts at enabling HTTPS access have failed. Below are the steps I've taken; maybe someone can tell me what I'm doing wrong.
- got a domain name and SSL cert
- got a DDNS domain
- submitted a CSR via Server 2012 R2 IIS to GoDaddy and received cert files
- completed the CSR request in IIS and exported the cert with private key
- copied the key over to the Emby server and dropped it on the desktop
- pointed Emby to the cert, entered the password, and ensured ports were set right as well as port forwarding
- couldn't connect from the web app
- successfully connected via the Android app (after it asked to install/accept the cert)
- imported the cert on the Emby server to see if it would make a difference, still no joy
Any help is appreciated.
Happy2Play 9782 Posted September 28, 2017
Have you seen this topic? https://emby.media/community/index.php?/topic/30792-howto-use-custom-ssl-cert-and-keep-private-key-secure/
meatchunks 2 Posted September 28, 2017 (Author)
> Have you seen this topic? https://emby.media/community/index.php?/topic/30792-howto-use-custom-ssl-cert-and-keep-private-key-secure/
I did not. I'll try that. For some reason I thought it forced me to use a password, so I don't think the non-password route is an option. Either way, will start working this.
meatchunks 2 Posted September 28, 2017 (Author)
Why would someone use an insecure .pfx file? I didn't know that was at all in common practice. With that, how is everyone else securing their servers with .pfx files if Emby doesn't work right with a .pfx file that requires a password?
Luke 42080 Posted September 28, 2017
Emby fully supports .pfx files with passwords. There is a field on the SSL cert config screen that allows you to enter the password. Thanks.
meatchunks 2 Posted September 28, 2017 (Author) (edited)
@Luke, thanks for the response. According to this sticky post, password-protected certs do not work. https://emby.media/community/index.php?/topic/30792-howto-use-custom-ssl-cert-and-keep-private-key-secure/ Currently, mine also does not work. Any recommendations?
Edit: I see you responded to that thread. Checking all my configs and trying again.
Edited September 28, 2017 by meatchunks
meatchunks 2 Posted September 28, 2017 (Author)
Just checked again. With a purchased cert, I am only able to connect via the Android app. I cannot connect via the web app. The Android app asks to trust the cert, although I thought any major cert would be automatically trusted? I'm assuming that's the issue here. The cert was purchased through GoDaddy, a pretty "known" cert.
meatchunks 2 Posted September 28, 2017 (Author)
Hi @Night. Here is where I am at the moment...
- got a domain name and SSL cert (GoDaddy)
- got a DDNS domain
- submitted a CSR via Server 2012 R2 IIS to GoDaddy and received cert files
- completed the CSR request in IIS and exported the cert with private key (.pfx file with a password)
- copied the key over to the Emby server and dropped it on the desktop
- pointed Emby to the cert, entered the password, and ensured ports were set right as well as port forwarding
- couldn't connect from the web app / can connect from Android, once accepting the cert
- in Emby, external HTTPS port is 8921, local HTTPS is 8920
- on my firewall, traffic hitting 8921 is NAT'd to 8920 on the Emby local IP
Luke 42080 Posted September 28, 2017
Sounds like the devices are rejecting the cert. The only reason you saw that dialog box in Android is because the device rejected the cert. In Android we have the ability to override once you confirm that prompt. We do not have that ability on other platforms. I'm not sure what the problem with your cert is, but we recommend LetsEncrypt.
KMBanana 116 Posted September 28, 2017
Does the DDNS domain match the domain and cert you got from GoDaddy, or did you set up something separate for your DDNS?
meatchunks 2 Posted September 28, 2017 (Author)
> Sounds like the devices are rejecting the cert. The only reason you saw that dialog box in android is because the device rejected the cert. In android we have the ability to override once you confirm that prompt. We do not have that ability on other platforms. I'm not sure what the problem with your cert is, but we recommend LetsEncrypt.
Is there a list of known certs that work with Emby? I'll get a refund on this GoDaddy cert if it doesn't work.
> Does the DDNS domain match the domain and cert you got from godaddy or did you setup something separate for your DDNS?
No, separate DDNS via No-IP.
KMBanana 116 Posted September 28, 2017
> Is there a list of known certs that work with Emby? I'll get a refund on this godaddy cert if it doesn't work.
> No, separate DDNS via no-ip
I'm assuming you are trying to connect using the No-IP DDNS address? If so, it won't match the domain you registered (with GoDaddy) and therefore won't match the domain the cert is for, which is why it's getting rejected.
meatchunks 2 Posted September 28, 2017 (Author)
> I'm assuming you are trying to connect using the no-ip DDNS address? If so it won't match the domain you registered (with GoDaddy) and therefore won't match the domain the cert is for, which is why it's getting rejected.
You are correct. What is the correct way to do this then: apply the cert manually to my domain registered with GoDaddy and manually port forward it to my Emby server? Or contact No-IP and have them apply the cert to the No-IP DDNS domain?
KMBanana 116 Posted September 28, 2017
The simplest way would be to edit the GoDaddy DNS records for the domain to point to your home IP address, then on your home router port forward 443 to your Emby server's IP address and HTTPS port, making sure that the public HTTPS port on your Emby server is 443 regardless of the local HTTPS port. You won't have dynamic DNS though, so when your ISP changes your IP it will break until you manually update the DNS records.
No-IP has managed DNS that allows for SSL certs, but it's $35/year and doesn't actually include an SSL cert. I'm using Google as my domain's registrar because they have a dynamic DNS feature built in, and then using LetsEncrypt for a free SSL cert. You should look carefully into the specifics before you purchase or transfer anything though. LetsEncrypt certs are free but expire quickly; they expect you to set up automatic renewals, which can be more complicated than what you want.
For my Google domain I use a subdomain for Emby, so you would need to make sure the cert you get is either for the subdomain or a wildcard cert that includes subdomains.
meatchunks 2 Posted September 28, 2017 (Author)
> The simplest way would be to edit the GoDaddy DNS records for the domain to point to your home IP address, then on your home router port forward 443 to your Emby server's IP Address and https port, making sure that the public https port on your Emby server is 443 regardless of the local https port. You won't have dynamic dns though, so when your ISP changes your IP it will break until you manually update the DNS records. No-IP has managed DNS that allows for SSL certs but it's $35/year and doesn't actually include an SSL cert. I'm using google for my domain's registrar because they have a dynamic dns feature built in and then using LetsEncrypt for a free SSL cert. You should look carefully into the specifics though before you purchase or transfer anything though. LetsEncrypt certs are free but expire quickly, they expect you to setup automatic renewals which can be more complicated than what you want. For my google domain I use a subdomain for Emby, so you would need to make sure the cert you get is either for the subdomain or a wildcard cert that includes subdomains.
Appreciate the info. Going to dig into this more and I'll post back with my updated setup.
meatchunks 2 Posted September 29, 2017 (Author) (edited)
> The simplest way would be to edit the GoDaddy DNS records for the domain to point to your home IP address, then on your home router port forward 443 to your Emby server's IP Address and https port, making sure that the public https port on your Emby server is 443 regardless of the local https port. You won't have dynamic dns though, so when your ISP changes your IP it will break until you manually update the DNS records. No-IP has managed DNS that allows for SSL certs but it's $35/year and doesn't actually include an SSL cert. I'm using google for my domain's registrar because they have a dynamic dns feature built in and then using LetsEncrypt for a free SSL cert. You should look carefully into the specifics though before you purchase or transfer anything though. LetsEncrypt certs are free but expire quickly, they expect you to setup automatic renewals which can be more complicated than what you want. For my google domain I use a subdomain for Emby, so you would need to make sure the cert you get is either for the subdomain or a wildcard cert that includes subdomains.
When doing the managed DNS via No-IP, should I be doing the CSR from my IIS server or from cPanel on GoDaddy where the domain is actually hosted? I never thought I would be this messed up by certificates. Here is what I want to do, but clearly don't know how.
- I want to point Emby to a domain that I purchased
- I want that domain to be SSL, and then download that cert and point Emby to it so I have an SSL connection
- The domain needs to be DDNS so I don't need to update the IP ever
Edited September 29, 2017 by meatchunks
KMBanana 116 Posted September 29, 2017
> When doing the manage DNS via no-ip, should I be doing the CSR from my IIS server or from cpanel on godaddy where the domain is actually hosted? I never thought I would be this messed up by certificates. Here is what I want to do, but clearly don't know how. -I want to point Emby to a domain that I purchased -I want that domain to be SSL, and then download that cert and point Emby to it so I have a SSL connection -The domain needs to be DDNS so I don't need to update the IP ever
Did you already purchase the No-IP Plus Managed DNS? It's pretty expensive if you're just going to be using it for one domain. You can use DuckDNS as an alternative to No-IP, then add a CNAME record at GoDaddy so that www.DomainYouOwn.XYZ will always point wherever your DuckDNS URL points. Here's a guide I found specifically for GoDaddy and DuckDNS, though a CNAME record should work for No-IP as well. https://www.joe0.com/2015/11/11/dynamic-dns-and-domain-hosted-with-godaddy-duckdns-solution/ If you're using a CNAME record you'll need to use www.DomainYouOwn.XYZ specifically.
I haven't used No-IP's managed DNS, but I think you would just need to purchase it and add the No-IP nameservers to your GoDaddy-registered domain. After that you should be able to use No-IP to set up and manage your dynamic DNS. A simpler option is transferring your domain from GoDaddy to a registrar that supports dynamic DNS.
Either way, once you have DNS set up so that www.DomainYouOwn.XYZ points to your home IP address, you should be able to just add the .pfx cert to Emby, forward the correct ports in your router and connect. I said in an earlier post you needed to do some stuff with port 443, but this was inaccurate: if you have Emby's HTTPS port open on your router you can access it by going to https://www.DomainYouOwn.XYZ:<Port>
It doesn't sound like you need to do anything with IIS at all.
meatchunks 2 Posted September 29, 2017 (Author)
> Did you already purchase the no-ip Plus Managed DNS? It's pretty expensive if you're just going to be using it for one domain. You can use duckDNS as an alternative to no-ip, then add a cname record at GoDaddy so that the www.DomainYouOwn.XYZ will always point wherever your duckDNS url points. Here's a guide I found specifically for GoDaddy and DuckDNS, though a CNAME record should work for no-ip as well. https://www.joe0.com/2015/11/11/dynamic-dns-and-domain-hosted-with-godaddy-duckdns-solution/ If you're using a cname record you'll need to use www.DomainYouOwn.XYZ specifically. I haven't used no-ip's managed DNS but I think you would just need to purchase it and add the no-ip nameservers to your GoDaddy registered domain. After that you should be able to use no-ip to setup and manage your dynamic DNS. A simpler option is transferring your domain from GoDaddy to a registrar that supports dynamic DNS. Either way, once you have DNS setup so that www.DomainYouOwn.XYZ points to your home ip address you should be able to just add the .pfx cert to Emby, forward the correct ports in your router and connect. I said in an earlier post you needed to do some stuff with port 443 but this was inaccurate, if you have Emby's https port open on your router you can access it by going to https://www.DomainYouOwn.XYZ:<Port> It doesn't sound like you need to do anything with IIS at all.
So the problem I'm having now is this... If I do the CSR on GoDaddy, I don't get a .pfx cert. If I do the CSR from IIS, I am able to export a .pfx cert for the Emby server, but you can't upload .pfx to GoDaddy domains, so the domain isn't secure. Am I missing something?
darkassassin07 652 Posted September 30, 2017 (edited)
It definitely sounds like an issue with the cert itself. If you want to rule that out / test with a different cert, you could make a quick cert for free at sslforfree.com (via Lets Encrypt), which will give you a .crt and .key file which you can convert with openSSL locally, or via sslshopper.com/ssl-converter.html, into the required .pfx.
Note: Lets Encrypt does not currently support IPs in their certs, so you will only be able to secure the external domain; there is no option for the local IP. I'm not super fussed about it, so I have been using that alone for a while. Just haven't gotten around to setting up a script to handle the CSR myself yet.
Edited September 30, 2017 by darkassassin07
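Added example, not code from this thread or from Emby: a small OpenSSL script that reproduces the two things the thread turns on. First, KMBanana's point that a browser rejects the cert when the hostname in the URL (here the DDNS name) is not in the certificate's Subject Alternative Name list, including how a wildcard cert covers one label of subdomain and no more. Second, darkassassin07's step of converting a .crt plus .key pair into the password-protected .pfx that Emby's SSL config takes, with a check that the bundle actually opens with the password entered. The hostnames and the password are constructed for the demo, and a self-signed certificate stands in for the CA-issued one (the SAN matching and the PKCS#12 packaging are identical); it assumes OpenSSL 1.1.1 or newer for the -addext and -ext options.

```shell
#!/bin/sh
# Added example (not from the thread). Self-signed test certs stand in for
# the CA-issued one; hostnames and the password are constructed.
# Requires OpenSSL 1.1.1 or newer.

# make_test_cert DIR NAME: key.pem + self-signed cert.pem whose SAN is DNS:NAME.
make_test_cert() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
}

# cert_sans CERT: print the names the certificate actually covers.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName
}

# cert_matches_host CERT HOST: exit 0 when HOST is covered by CERT's SANs
# (RFC 6125 rules: a wildcard matches exactly one label). The self-signed
# cert is passed as its own trust anchor; a browser uses its CA store instead.
cert_matches_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# to_pfx CERT KEY OUT PASSWORD: bundle cert + private key as PKCS#12 (.pfx).
# A real export would also add the issuer chain with -certfile; the
# self-signed demo cert has none.
to_pfx() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# pfx_loads PFX PASSWORD: exit 0 when the bundle decrypts with PASSWORD and
# yields the private key, i.e. the password typed into the SSL config works.
pfx_loads() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes 2>/dev/null \
        | grep -q 'BEGIN PRIVATE KEY'
}

# Print a verdict per hostname, then round-trip the cert through a .pfx.
demo() {
    work=$(mktemp -d)
    make_test_cert "$work/exact" "www.example.test"
    make_test_cert "$work/wild"  "*.example.test"
    for pair in \
        "exact www.example.test" \
        "exact myhost.ddns.example" \
        "wild  emby.example.test" \
        "wild  example.test" \
        "wild  a.b.example.test"; do
        set -- $pair
        if cert_matches_host "$work/$1/cert.pem" "$2"; then v=accepted; else v=REJECTED; fi
        printf '%-6s %-22s %s\n' "$1" "$2" "$v"
    done
    cert_sans "$work/wild/cert.pem"
    to_pfx "$work/exact/cert.pem" "$work/exact/key.pem" "$work/emby.pfx" 'demo-pass'
    pfx_loads "$work/emby.pfx" 'demo-pass'  && echo "pfx: correct password loads"
    pfx_loads "$work/emby.pfx" 'wrong-pass' || echo "pfx: wrong password rejected"
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh san_and_pfx.sh demo`. The verdict table is the thread's failure in miniature: the cert for www.example.test is accepted for that name and REJECTED for the DDNS name, and the wildcard cert covers emby.example.test but neither the bare domain nor a two-level subdomain. To check a real cert against the name you actually browse to, run cert_matches_host against the downloaded .crt with the system CA bundle in place of the self-signed file.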