Let's Encrypt, Emby Server, and Windows

Intro

This how-to will guide you through getting Let's Encrypt to issue a security certificate and installing it in Emby Server running on Windows.

I created this because there was little, if any, documentation on how to do so previously and it took me ~3.5 hours to figure it out.

Why would you want to do this? Well, a number of reasons:

  1. Emby Server generates and uses a self-signed security certificate by default. iOS and likely other Operating Systems (OSes) explicitly distrust self-signed security certificates (for good reason). So, without installing a "proper" (publicly-trusted) security certificate in Emby Server, you'll be unable to use an HTTPS connection in the iOS app and likely others.
  2. Proper security certificates are inherently more secure than self-signed certificates: when you authenticate, your client can verify that your credentials (user logon name and password) are being sent to the intended Emby Server and are not being intercepted by someone in between.
  3. Let's Encrypt is a great Certification Authority (CA), primarily because they issue free, basic, publicly-trusted security certificates.

    This is possible because they're a non-profit organisation who, as suggested by the name, strive to make encrypted connections ubiquitous and, as such, are funded by Mozilla, Akamai, Cisco, Electronic Frontier Foundation (EFF), Google Chrome, Facebook, Squarespace, and many others.

    This means two things:
    1. They have succeeded in getting their CA security certificates included in software developed by Microsoft, Apple, Google, etc., so that their issued security certificates are trusted by almost all devices in the world.
    2. You can be sure that you're not the product, unlike with many for-profit, advertisement-driven organisations.

Prerequisites

To accomplish this, you will need:

  1. A computer running Windows or Windows Server.

    I have used Windows Server 2016 Standard in my examples.
  2. A domain name.

    HTTPS and, therefore, security certificates fundamentally rely on domain names, so you cannot effectively use HTTPS with an IP address.

    This can be obtained from any domain name registrar but I'd recommend namecheap, primarily because they offer Two Factor Authentication (TFA) but also because their domain names are relatively cheap and their interface is user-friendly.

    If you're using dynamic DNS (DDNS) in between then this still works just as well.

    I have used the Fully Qualified Domain Name (FQDN) test.mythofechelon.co.uk in my examples.
  3. Knowledge or documentation on how to configure the firewall and Network Address Translation (NAT, AKA port forwarding) in your router.
  4. The installer for Certify.

    Certify is the only Windows implementation of Let's Encrypt that has a Graphical User Interface (GUI) so it's much simpler to use.

    This can be obtained from http://certify.webprofusion.com/home.

    I have used version 0.9.85 (the latest as of this post) in my examples.
  5. The installer for OpenSSL.

    https://www.openssl.org/community/binaries.html says that, officially, they don't distribute binaries but https://wiki.openssl.org/index.php/Binaries says that, unofficially, they recommend a few third-party builds.

    This can be obtained from https://slproweb.com/products/Win32OpenSSL.html.

    I have used Shining Light Productions' Win64 OpenSSL Light version 1.1.0c (the latest as of this post) in my examples.

Step 1: Router

The first step is to configure your router to allow inbound connections on TCP port 80 (HTTP) and forward them to the Windows computer running Emby Server.

You need to do this because:

  1. Let's Encrypt, like all publicly-trusted CAs, requires domain validation (proof-of-ownership) and does so via DNS Resource Records (RRs) or HTTP URLs, but only the latter is supported by Certify.
  2. Certify can then do everything else automatically.

Every router does this differently so, unfortunately, I cannot possibly advise how to do so generally but I'd advise searching for your router model with the following terms: "firewall", "NAT", "Network Address Translation", "port forwarding", etc.

Step 2: IIS

All Windows implementations of Let's Encrypt (Certify, letsencrypt-win-simple, ACMESharp, etc.) seem to rely heavily, if not exclusively, on Microsoft's web server, Internet Information Services (IIS), whereas Emby Server seems to use Mono's web server (according to the output of the command "nmap -sV -Pn -p 8920 <Emby Server hostname or IP address>" and https://github.com/mono/mono/blob/master/mcs/class/System/System.Net/HttpListenerResponse.cs). This is why a separate IIS web site is needed for the domain validation.

To install IIS in Windows, refer to https://www.iis.net/learn/install/installing-iis-7/installing-iis-on-windows-vista-and-windows-7 and proceed from substep #8.

To install IIS in Windows Server, do the following:

1. Open Server Manager.

2. Select "Add roles and features" in the section "WELCOME TO SERVER MANAGER".

3. Select "Role-based or feature-based installation" in the section "Installation Type".

4. Select your computer (usually selected by default) in the section "Server Selection".

5. Select "Web Server (IIS)" and, for the popup window, "Add Features" in the section "Server Roles".

6. Complete the wizard with no further changes.

7. Open IIS Manager.

8. Expand your server in the section "Connections".

9. Right-click on "Sites" and select "Add Website...".

10. Configure the web site as desired; I'd recommend the following configuration:

  • Site name: "Emby".
  • Application pool: "Emby".
  • Physical path: "C:\inetpub\Emby".
  • Binding type: "http".
  • Binding IP address: "All Unassigned".
  • Binding port: "80".
  • Host name: Your FQDN for Emby Server (I used "test.mythofechelon.co.uk").
  • Start Website immediately: Yes.

The new web site "Emby" should now be listed under "Sites" in IIS Manager.

Step 3: Certify

The third step is to install Certify, get Let's Encrypt to issue a security certificate, and get Certify to install it in IIS.

To do this, do the following:

1. Install Certify.

2. Open Certify.

3. Select "Yes" on the popup window "Create New Contact?".

4. Enter your email address.

5. Select "File" | "New..." | "Domain Certificate...".

6. Select "Request Certificate" (Certify should have automatically detected and selected the Emby web site in IIS).

Certify should now show the certificate as issued for your FQDN and installed in IIS.

Step 4: PFX

The fourth step is to export the Let's Encrypt-issued security certificate from IIS to a password-protected PFX file and then remove the password from the PFX file.

You need to do this because:

  1. Emby Server requires a passwordless PFX file; it does not support password-protected PFX files.
  2. Windows will not export a security certificate with its private key to a PFX file without a password (for good reason).

To do this, do the following:

1. Open IIS Manager.

2. Select your server in the section "Connections".

3. Select "Server Certificates" | "Open Feature".

4. Select the Let's Encrypt-issued security certificate.

5. Select "Export..." in the section "Actions".

6. Enter a file name and password. I'd recommend saving the PFX file in a folder where it can't be accidentally deleted; "C:\Users\<username>\AppData\Roaming\Emby-Server\ssl\" seems to be the best-suited location.

7. Complete the wizard.

8. Install OpenSSL.

9. Open Command Prompt.

10. Execute the following command (quote each path in case it contains spaces; "-nodes" writes the private key unencrypted into temp.pem, which the export in step 12 needs):

    "<path to file openssl.exe>" pkcs12 -in "<path to password-protected PFX file>" -nodes -out "<path to folder containing PFX file>\temp.pem"

11. Enter password for the PFX file.

12. Execute the following command:

    "<path to file openssl.exe>" pkcs12 -export -in "<path to PEM file>" -out "<path for passwordless PFX file>"

13. Enter no passwords (just press Return twice).
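Steps 8 to 13 as one PowerShell script, added here as an example and not part of the original post: it runs the same two OpenSSL commands, checks that the result loads without a password, deletes temp.pem (which holds the private key in clear text) and restricts who can read the new PFX. The OpenSSL install path, the file names and the assumption that Emby Server runs as the current user are mine; adjust them for your system.

```powershell
# Added example (not from the original post): automate the PFX password removal
# from Step 4 and clean up afterwards. Paths below are assumptions.
$OpenSsl = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'   # assumed OpenSSL Light install path
$SslDir  = "$env:APPDATA\Emby-Server\ssl"                     # folder recommended in step 6
$PfxIn   = Join-Path $SslDir 'emby-protected.pfx'             # file exported by IIS in step 6
$PfxOut  = Join-Path $SslDir 'emby.pfx'                       # passwordless file for Emby Server
$TempPem = Join-Path $SslDir 'temp.pem'

# Read the IIS export password without echoing it or leaving it in the history.
$Secure = Read-Host -Prompt 'Password of the IIS-exported PFX' -AsSecureString
$Plain  = [System.Net.NetworkCredential]::new('', $Secure).Password

try {
    # Step 10: unpack certificate + private key; -nodes leaves the key unencrypted.
    & $OpenSsl pkcs12 -in $PfxIn -nodes -out $TempPem -passin "pass:$Plain"
    if ($LASTEXITCODE -ne 0) { throw "PEM export failed (exit code $LASTEXITCODE)" }

    # Steps 12-13: repack with an empty password ("pass:" = pressing Return twice).
    & $OpenSsl pkcs12 -export -in $TempPem -out $PfxOut -passout 'pass:'
    if ($LASTEXITCODE -ne 0) { throw "PFX export failed (exit code $LASTEXITCODE)" }

    # Check: the new file must open with an empty password and still carry the key.
    $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxOut, '')
    "Subject : $($Cert.Subject)"
    "Issuer  : $($Cert.Issuer)"
    "Expires : $($Cert.NotAfter)"
    if (-not $Cert.HasPrivateKey) { throw 'The new PFX does not contain the private key' }
}
finally {
    # temp.pem holds the private key in clear text; never leave it on disk.
    if (Test-Path $TempPem) { Remove-Item $TempPem -Force }
    $Plain = $null
}

# Only the account Emby Server runs as (assumed: the current user), SYSTEM and
# Administrators should be able to read the passwordless PFX, so drop the
# inherited ACEs. SIDs are used so this works on non-English Windows too.
icacls $PfxOut /inheritance:r /grant:r "$($env:USERNAME):(R)" '*S-1-5-18:(R)' '*S-1-5-32-544:(F)' | Out-Null
```

If Emby Server runs as a Windows service under a different account, grant that account read access in the last line instead of the current user.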


Step 5: Emby Server

The fifth and final step is to configure Emby Server to use the passwordless PFX file.

To do this, do the following:

1. Open Emby Server.

2. Select "Advanced" in the section "Expert".

3. Enter the path to the passwordless PFX file in the section "Custom certificate path".

4. Enter your FQDN in the section "External domain".

5. Enable "Report https as external address".

6. Select "Save".

7. Select "Dashboard" in the section "Server".

8. Select "Restart".

After the restart, Emby Server should serve HTTPS using the Let's Encrypt-issued certificate, and an HTTPS connection from the iOS app should now work.
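An added check that is not part of the original post: run from another computer, it opens a TLS connection to Emby Server's HTTPS port and lets .NET validate the chain and the host name exactly as a client app would, then prints the certificate details. The FQDN and port 8920 (from Step 2) are the values used in this post; replace them with yours.

```powershell
# Added example (not from the original post): connect to Emby Server's HTTPS
# port and let .NET validate the certificate the way a client app does.
$Fqdn = 'test.mythofechelon.co.uk'   # FQDN used throughout this post; replace with yours
$Port = 8920                         # Emby Server's HTTPS port, as probed in Step 2

$Tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
$Ssl = $null
try {
    # With the default validation callback, AuthenticateAsClient throws unless the
    # chain is trusted by this machine AND the certificate name matches $Fqdn.
    $Ssl = New-Object System.Net.Security.SslStream($Tcp.GetStream(), $false)
    $Ssl.AuthenticateAsClient($Fqdn)

    $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Ssl.RemoteCertificate)
    [pscustomobject]@{
        Subject  = $Cert.Subject
        Issuer   = $Cert.Issuer
        NotAfter = $Cert.NotAfter
        DaysLeft = [int]($Cert.NotAfter - (Get-Date)).TotalDays
        Protocol = $Ssl.SslProtocol
    }
    if ($Cert.Issuer -notmatch "Let's Encrypt") {
        Write-Warning 'Certificate was not issued by Let''s Encrypt: Emby may still be using its self-signed one. Re-check the custom certificate path and restart.'
    }
}
catch {
    # This is the same failure the iOS app reports as an untrusted connection.
    Write-Warning "TLS validation failed: $($_.Exception.Message)"
}
finally {
    if ($Ssl) { $Ssl.Dispose() }
    $Tcp.Dispose()
}
```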