Snaak 0 Posted November 6, 2020 (edited)
I've been trying to use HTTPS instead of HTTP for my Emby server, but it's not working out. Port 8096 & 8920 are enabled for my device and I used certbot which should have given me access to use HTTPS, but Emby doesn't give any notice that it can use port 8920. I'm probably missing something but I can't figure out what. Does anyone know what I'm missing?
Edited November 6, 2020 by Snaak
Luke 42077 Posted November 6, 2020
Hi, did you configure a certificate in emby server?
Snaak 0 Posted November 6, 2020 Author
Yes, but when I try to save this I keep getting "not found". Which is why I think I missed a step. I thought the path would either be /etc/letsencrypt/live/MyHostname/fullchain.pem or /etc/letsencrypt/live/MyHostname/privkey.pem. Sadly neither of those work.
Q-Droid 989 Posted November 6, 2020
Emby doesn't work with a PEM file, it needs a PKCS 12 archive with your private key, certificate and intermediate (chain) certs.
Snaak 0 Posted November 6, 2020 Author
Just now, Q-Droid said:
> Emby doesn't work with a PEM file, it needs a PKCS 12 archive with your private key, certificate and intermediate (chain) certs.
Oh I see, my bad. In that case, how would I activate SSL then if I can't do it with certbot?
Q-Droid 989 Posted November 6, 2020
When certbot runs it saves your newly issued cert under its own structure. You can run openssl to create the pfx archive which you then copy to the location for emby, like /var/lib/emby/ssl.
    openssl pkcs12 -export -in /etc/letsencrypt/live/<FQDN>/fullchain.pem -inkey /etc/letsencrypt/live/<FQDN>/privkey.pem -out <your filename>.pfx
Remember the password you give it. To verify pfx and password are good:
    openssl pkcs12 -info -in <your filename>.pfx -nokeys
Create the directory /var/lib/emby/ssl, make sure it's owned by emby. Copy the pfx file there (make sure it's owned by emby), then enter the full path and password in the Emby network setup. Save and restart Emby.
Snaak 0 Posted November 6, 2020 Author
I followed the steps, it changed my WAN IP to the domain name in the dashboard. But except for that, I can't find any trace of HTTPS and/or port 8920.
Q-Droid 989 Posted November 6, 2020 (edited)
Server log? What is your secure connection mode setting?
Edited November 6, 2020 by Q-Droid
Snaak 0 Posted November 6, 2020 Author (edited)
[log] (hope this is the right one)
My secure connection mode setting is "Required for all remote connections". When I try that, I get "server on (IP) takes too long to reply".
Edited November 6, 2020 by Snaak
Q-Droid 989 Posted November 6, 2020
It can't load the cert.
    2020-11-06 21:17:13.982 Error App: Error loading cert from /var/lib/emby/ssl/certificate.pfx
Are you sure the password is correct and emby can access the pfx file?
Snaak 0 Posted November 6, 2020 Author (edited)
I think I made a rookie mistake when I tried to chown for the certificate, my bad. Now my dashboard looks like this, which is great. Weird thing now is that the remote access link doesn't load anything...
Edited November 6, 2020 by Snaak
Q-Droid 989 Posted November 6, 2020
Time to test connectivity. First - you might want to hide your domain in the image you posted. Connect locally to LAN IP using browser and HTTPS. It should work even if you have to click through the SSL security error. Then look through the "Connection Help" to make sure you have the remote access setup properly. If your WAN IP is not static you'll need ddclient or something else (router?) to keep the DNS record updated.
Snaak 0 Posted November 6, 2020 Author
I found out what happened, I forgot to allow port 8920 in my ufw. Now it works, thanks! One more question, is there any way to block people from using http://domain.name:8096? I only want to use http://ipaddress:8096 locally and https://domain.name:8920 when using remote access.
Q-Droid 989 Posted November 6, 2020
If you don't forward port 8096 then it can't be reached from the remote (WAN) side. Forward 8920 only.
Snaak 0 Posted November 6, 2020 Author
14 minutes ago, Q-Droid said:
> If you don't forward port 8096 then it can't be reached from the remote (WAN) side. Forward 8920 only.
Alright yeah I should have known that one. Thanks a lot for your help, literally couldn't have done it without you!
Snaak 0 Posted February 4, 2021 Author
@Q-Droid Hello! You helped me with SSL a few months ago, as you can see up here. I've been getting warnings that, when I connect to my Emby server remotely, my connection isn't secure anymore. I didn't change anything. I think my SSL-certificate has expired, but I don't know how I could tell that for sure. Could you help me out? Thanks in advance!
Q-Droid 989 Posted February 4, 2021
The timing is about right for the cert to expire. Click on the "Not Secure" tag (or the lock) on the browser address bar, then on "Certificate" to view it. The validity date will be in that window. LetsEncrypt certs are good for 90 days. Run certbot again to renew the cert then follow the same steps above that you used the last time.
Snaak 0 Posted February 6, 2021 Author (edited)
On 2/5/2021 at 12:28 AM, Q-Droid said:
> The timing is about right for the cert to expire. Click on the "Not Secure" tag (or the lock) on the browser address bar, then on "Certificate" to view it. The validity date will be in that window. LetsEncrypt certs are good for 90 days. Run certbot again to renew the cert then follow the same steps above that you used the last time.
I followed the steps but it won't work, I have an error in my log but I can't make sense of it.
Edited February 6, 2021 by Snaak (Better screenshot)
Q-Droid 989 Posted February 6, 2021
Post output from:
    ls -l /var/lib/emby/ssl
Snaak 0 Posted February 6, 2021 Author
(kudos to your reaction speed btw, much appreciated)
Q-Droid 989 Posted February 6, 2021
    sudo chown emby:emby /var/lib/emby/ssl/certificate.pfx
restart emby
Snaak 0 Posted February 6, 2021 Author
I see, I assumed the certificate.pfx would also be owned by emby because I gave the path ownership. Another quick question, can't I simply use "certbot renew" to renew my certificate? Or wouldn't it work because Emby doesn't support it?
Q-Droid 989 Posted February 6, 2021
The pfx will be owned by the user who creates it, the one running openssl. Certbot creates the pem files, it doesn't create the pfx file so "certbot renew" only gets you partway there. The pfx file is a container to hold the certificates in a pkcs12 file format. With LetsEncrypt they need to be replaced every 90 days. Other ACME based clients might have the option to renew the certs and create the pfx in one step but I haven't explored those.
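Added example, not part of the thread and not Emby's or certbot's own code: a certbot deploy hook that repeats the manual steps above after every renewal (rebuild the pfx from the renewed PEM files, verify it, fix ownership, restart Emby) and prints the new expiry date. The password file path and the `emby-server` unit name are assumptions; certbot sets `RENEWED_LINEAGE` when it runs hooks placed in `/etc/letsencrypt/renewal-hooks/deploy/`.

```sh
#!/bin/sh
# Added example: certbot deploy hook that rebuilds Emby's PKCS#12 file.
set -eu

PFX_OUT="${PFX_OUT:-/var/lib/emby/ssl/certificate.pfx}"  # path used in the thread
PFX_OWNER="${PFX_OWNER:-emby:emby}"                      # owner used in the thread
PFX_PASS_FILE="${PFX_PASS_FILE:-/etc/emby-pfx.pass}"     # assumed: root-only file with the pfx password
EMBY_SERVICE="${EMBY_SERVICE:-emby-server}"              # assumed systemd unit name

# build_pfx LINEAGE_DIR OUT_FILE PASS_FILE
# Writes to a temp file next to OUT_FILE, verifies it can be opened with the
# password, and only then replaces OUT_FILE, so a failed run never leaves
# Emby with a broken certificate.
build_pfx() {
    if [ ! -r "$1/fullchain.pem" ] || [ ! -r "$1/privkey.pem" ]; then
        echo "missing fullchain.pem/privkey.pem in $1" >&2
        return 1
    fi
    pfx_tmp=$(mktemp "$2.XXXXXX") || return 1
    chmod 600 "$pfx_tmp"   # the archive contains the private key
    if openssl pkcs12 -export -in "$1/fullchain.pem" -inkey "$1/privkey.pem" \
            -out "$pfx_tmp" -passout "file:$3" &&
       openssl pkcs12 -info -in "$pfx_tmp" -nokeys -passin "file:$3" >/dev/null 2>&1
    then
        mv -f "$pfx_tmp" "$2"
    else
        rm -f "$pfx_tmp"
        return 1
    fi
}

# pfx_not_after PFX_FILE PASS_FILE
# Prints the expiry ("notAfter=...") of the server certificate inside the pfx.
pfx_not_after() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "file:$2" 2>/dev/null |
        openssl x509 -noout -enddate
}

# Only act when certbot invoked us after a successful renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_pfx "$RENEWED_LINEAGE" "$PFX_OUT" "$PFX_PASS_FILE"
    chown "$PFX_OWNER" "$PFX_OUT"
    systemctl restart "$EMBY_SERVICE"
    pfx_not_after "$PFX_OUT" "$PFX_PASS_FILE"
fi
```

The password in the file must match the one entered in Emby's network settings, and the file itself should be readable by root only.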