Emby Server Migration HTTPS Issue

[ubelong2matt 3]

Greetings,

 

First, I want to preface this by saying I've searched these forums and Google for the answer to this.  I fear this is a Windows 10 issue but I refuse to believe that I'd be the only one having the problem so I'm not exactly sure what's going on.

 

I've been running Emby Server on Windows 7 Ultimate, 64-bit for years now.  It's my gaming rig and I wanted to get it on it's own dedicated computer so I fired up an older, decent desktop machine and installed Windows 10 Pro, 1709 64-bit on it.  I thought that would be the hardest part, honestly.  I run the backup plugin and read through the migration process so I figured this would be cake.  I'd restore the most recent backup, switch the ports in my router to the IP of the new machine, and let my user base (friends/family) know they could use the service again after a library refresh.  However, things did not seem to go as expected.

 

I am running 3.3.1.0 on both machines.  I have attached pictures for what I'm referring to but basically HTTPS isn't even an option for the Windows 10 machine.

 

 <== Windows 7, the current Emby server.

 <== Windows 10, the new one.

 

I can see in each server startup log that my custom port, 8097, is in there.  I can run netstat -abn and see that 8097 is listening.  However, no matter what I do it doesn't offer HTTPS as even an option.  Here's what I've tried:

• Tried to restart the machine because that's usually the place to start (been working in IT professionally for around 15-years now).
• Tried uninstalling and removing all evidence of Emby from the machine, reinstalling it, and skipping the backup restoration.
• I've checked the troubleshooting site for external connections and confirmed that externally, 8097 works (not my issue).
• I've tried shutting down the original Emby server (obviously given I was trying to migrate it) to see if it was a permissions thing.

I'm at a loss for what to do next.  Everything I find on these forums and online mentions "don't use self-signed certs."  That's great and all but I can't even get to that point.  I can't get Emby to even acknowledge it can do HTTPS.  Is this some sort of security thing with duplicate premium keys or IPs?  I don't plan on using both servers and fully intend to completely remove Emby from my Windows 7 machine once I have confirmed it is 100% operational on the Windows 10 machine.  The only similar thing I've found online pertained to something unrelated to my issue.

 

If you have any information, please share it.  I'd really like to proceed with my migration but after hours of working on this I am at a loss.

 

Thanks for your time,

Matt

[Luke 42085]

Hi there, you need to go into the Advanced section and configure an SSL cert. Once you've set that up and restarted the server, then it should change. Please let us know if this helps. Thanks.

[ubelong2matt 3]

Hi there, you need to go into the Advanced section and configure an SSL cert. Once you've set that up and restarted the server, then it should change. Please let us know if this helps. Thanks.

Thanks for the reply, Luke.  Is that something new with server setups now?  I never had to do that with the current server and both the cert and password fields in that setting are presently blank.  I do note that there is an SSL folder with pfx certs listed in that folder.

 

 

Thanks,

Matt

[Luke 42085]

Correct. Newer versions of the server are not generating a self-signed cert anymore.

[ubelong2matt 3]

Correct. Newer versions of the server are not generating a self-signed cert anymore.

 

So if I'm understanding this correctly you guys did away with self-signed certs and are now forcing regular users to pay yearly for domain names in order to continue to use HTTPS with their Emby servers?  I tried to follow along with https://emby.media/community/index.php?/topic/44757-setting-up-ssl-for-emby-wip/&do=findComment&comment=419087 but it seemed the only options was to pay for a domain name.  To me that seems kind of like shafting users who want HTTPS, were fine with HTTPS only working in browsers, and now cannot use HTTPS without paying a yearly fee for a DNS name.

[Luke 42085]

What ended up happening is we moved from .NET framework to .NET Core, and the api's that we were using to generate a self signed cert were no longer available. That may have changed over the last few months but I haven't had a chance to look into it.

 

The bigger issue with self signed certs though is that they will not work with all apps and there's nothing we can do to change that. It ended up creating a situation where users would check the box, and then come back and report that it wasn't working because their devices rejected the self signed cert.

 

We are looking into better ways to provide ssl out of the box though.

[ubelong2matt 3]

I never cared that SSL didn't work right in the apps -- and I bet anyone who thought about it hard enough wouldn't care either -- since most users are not admins of the server; what is a hacker going to be able to do with only the ability to watch content, right?  However, since I use an admin account to access the server, SSL via the browser (usually), even with the annoying "self-signed cert warning," it was necessary and easy to ignore.

 

Is there an older version people like me can install, which gets us the self-signed cert, which we can then let update?  Apparently, if you had a self-signed cert before the code switch then your server still runs.  Instead of passing the buck onto users, maybe providing a link to the last version which used the self-signed cert, allowing them to update from there, would be a better suggestion, no?

Edited March 15, 2018 by ubelong2matt

[Swynol 375]

there still might be a way to get a cert for free or using a free domain name and cert. let me have a quick look and i will get back to you.

[Swynol 375]

quickest way to get a self signed is from https://zerossl.com/free-ssl/#self

 

create it for your IP address. you will be given a .crt and .key file which will then need to be converted to a .pfx. For this I use https://www.sslshopper.com/ssl-converter.html

 

should take no more than 5mins to do all that. Aslong as your happy with the risks or more correctly the limits of a self signed cert then the above will do what you need. For other people coming here looking at the same issue, a self signed cert wont work on some apps such as Roku. Not sure on Android TV.

 

 

EDIT: the much more long winded way to do it with a FREE domain name -> https://blog.awelswynol.co.uk/2018/01/setting-up-cloudflare-with-emby  This will give you a domain name and a free Trusted certificate with a 20 year expiry.

Edited March 15, 2018 by Swynol

[ubelong2matt 3]

Swynol,

 

Thank you for the information.  I'm at work right now but I'll try that if I have time throughout the day.  I appreciate you trying and if this is a workaround to the self-signed removal then I'm all for it.

I understand that apps cannot use HTTPS and, as stated, that was never a concern since most of my users are accessing Emby from their home networks on their media devices such as FireTVs, AppleTVs, and Rokus.  For me, however, being an admin, the HTTPS via browser was the only acceptable way to manage my server from outside my home network.  I use Chrome so I was accustomed to the "this site may not be who it says, blah blah" error message and I was fine simply clicking to ignore that.

 

Thanks again and I'll let you know.

 

Sincerely,

Matt

[J2ghz 11]

I personally use it with Cloudflare and it's working great. I also use nginx proxy, so I can have emby and other things all running on port 443, with different subdomains. Let me know if you want me to describe any part of my setup.