Let's Encrypt, Emby Server, and Windows

Intro

This how-to will guide you through getting Let's Encrypt to issue a security certificate and installing it in Emby Server running on Windows.

I created this because there was little, if any, documentation on how to do so previously and it took me ~3.5 hours to figure it out.

Why would you want to do this? Well, a number of reasons:

  1. Emby Server generates and uses a self-signed security certificate by default. iOS and likely other Operating Systems (OSes) explicitly distrust self-signed security certificates (for good reason). So, without installing a "proper" security certificate in Emby Server, you'll be unable to use an HTTPS connection in the iOS app and likely others.
  2. "Proper" security certificates are inherently more secure than self-signed certificates: a certificate issued by a trusted CA lets the client verify that, when you authenticate to Emby Server, you are indeed submitting your credentials (user logon name and password) to the intended Emby Server and not to someone intercepting them.
  3. Let's Encrypt is a great Certification Authority (CA), mainly because they are publicly trusted and issue free, basic security certificates.

    This is possible because they're a non-profit organisation that, as suggested by the name, strives to make encrypted connections ubiquitous and, as such, is funded by Mozilla, Akamai, Cisco, Electronic Frontier Foundation (EFF), Google Chrome, Facebook, Squarespace, and many others.

    This means two things:
    1. They have succeeded in getting their CA security certificates included in software developed by Microsoft, Apple, Google, etc., so that their issued security certificates are trusted by almost all devices in the world.
    2. You can be sure that you're not the product, as is not the case with many for-profit, non-advertisement-driven organisations.

Prerequisites

To accomplish this, you will need:

  1. A computer running Windows or Windows Server.

    I have used Windows Server 2016 Standard in my examples.
  2. A domain name.

    HTTPS and, therefore, security certificates fundamentally rely on domain names so you cannot effectively use HTTPS with an IP address.

    If you're using dynamic DNS in between then this still works just as well.

    I have used test.mythofechelon.co.uk in my examples.

    This can be obtained from any domain name registrar, but I'd recommend Namecheap, mainly because they offer Two Factor Authentication (TFA) but also because their domain names are relatively cheap and their interface is user-friendly.
  3. Knowledge or documentation on how to configure the firewall and Network Address Translation (NAT, AKA port forwarding) in your router.
  4. The installer for Certify.

    Certify is the only Windows implementation of Let's Encrypt that has a Graphical User Interface (GUI) so it's much simpler to use.

    I have used version 0.9.85 in my examples.

    This can be obtained from http://certify.webprofusion.com/home.
  5. The installer for OpenSSL.

    https://www.openssl.org/community/binaries.html says that, officially, they don't distribute binaries but https://wiki.openssl.org/index.php/Binaries says that, unofficially, they recommend a few third-party builds.

    I have used Shining Light Productions' Win64 OpenSSL Light version 1.1.0c in my examples.

    This can be obtained from https://slproweb.com/products/Win32OpenSSL.html.

Step 1: Router

The first step is to configure your router to allow inbound connections on port TCP 80 (HTTP) and forward them to the Windows computer running Emby Server.

You need to do this because:

  1. All CAs require domain validation. Let's Encrypt is no exception and validates that you control the domain either via DNS Resource Records (RRs) or via an HTTP URL that it fetches from your domain on port 80.
  2. Once that URL is reachable, Certify can do everything else automatically.

Every router does this differently so, unfortunately, I cannot possibly advise how to do so generally.

Step 2: IIS

The second step is to install and configure Microsoft's web server, Internet Information Services (IIS).

You need to do this because Emby Server uses the web server Mono (according to the output of the command "nmap -sV -Pn -p 8920 <Emby Server hostname or IP address>") but all Windows implementations of Let's Encrypt (Certify, letsencrypt-win-simple, ACMESharp, etc.) seem to rely heavily, if not exclusively, on IIS.

To do this in Windows, refer to https://www.iis.net/learn/install/installing-iis-7/installing-iis-on-windows-vista-and-windows-7 and proceed from substep #8.

To do this in Windows Server, do the following:

1. Open Server Manager.

2. Select "Add roles and features" in the section "WELCOME TO SERVER MANAGER".

3. Select "Role-based or feature-based installation" in the section "Installation Type".

4. Select your computer (usually selected by default) in the section "Server Selection".

5. Select "Web Server (IIS)" and, for the popup window, "Add Features" in the section "Server Roles".

6. Complete the wizard with no further changes.

7. Open IIS Manager.

8. Expand your server in the section "Connections".

9. Right-click on "Sites" and select "Add Website...".

10. Configure the web site as desired, but I'd recommend the following configuration:

  • Site name: "Emby".
  • Application pool: "Emby".
  • Physical path: "C:\inetpub\Emby".
  • Binding type: "http".
  • Binding IP address: "All Unassigned".
  • Binding port: "80".
  • Host name: Your Fully Qualified Domain Name (FQDN) for Emby Server (I used test.mythofechelon.co.uk).
  • Start Website immediately: Yes
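The same Step 2 configuration as a PowerShell script, added here as an example rather than taken from the original post. It assumes an elevated PowerShell on Windows Server, that the FQDN already resolves to this host and that the router forwards TCP 80 (Step 1); it goes slightly beyond the GUI steps by fetching a probe file through the ACME challenge path by FQDN, which is what Let's Encrypt's HTTP validation will do.

```powershell
# Added example (not from the original post). Assumptions: elevated PowerShell on
# Windows Server, FQDN already resolves here and TCP 80 is forwarded (Step 1).
$Fqdn = 'test.mythofechelon.co.uk'   # FQDN used in the post
$Site = 'Emby'
$Root = 'C:\inetpub\Emby'

# Web Server (IIS) role; the role install also enables the HTTP-In firewall rule.
Install-WindowsFeature -Name Web-Server -IncludeManagementTools | Out-Null
Import-Module WebAdministration
New-Item -ItemType Directory -Path $Root -Force | Out-Null

# Application pool and site as recommended in Step 2 (http, All Unassigned, port 80).
if (-not (Test-Path "IIS:\AppPools\$Site")) { New-WebAppPool -Name $Site | Out-Null }
if (-not (Get-Website -Name $Site -ErrorAction SilentlyContinue)) {
    New-Website -Name $Site -PhysicalPath $Root -ApplicationPool $Site `
                -IPAddress '*' -Port 80 -HostHeader $Fqdn | Out-Null
}
Start-Website -Name $Site

# Probe: Let's Encrypt's HTTP validation fetches http://<FQDN>/.well-known/acme-challenge/<token>
# on port 80, so serve a constructed .txt token from that path and fetch it by FQDN.
# (.txt keeps IIS from refusing an extensionless file; Certify adds its own web.config.)
$ProbeDir = Join-Path $Root '.well-known\acme-challenge'
New-Item -ItemType Directory -Path $ProbeDir -Force | Out-Null
$Token = [guid]::NewGuid().ToString('N')   # constructed probe value
Set-Content -Path (Join-Path $ProbeDir 'probe.txt') -Value $Token -NoNewline
try {
    $r = Invoke-WebRequest -Uri "http://$Fqdn/.well-known/acme-challenge/probe.txt" -UseBasicParsing
    if ($r.Content -eq $Token) { Write-Host "OK: $Fqdn answers on port 80 from $Root" }
    else { Write-Warning "Port 80 answered, but not from this site's root ($Root)" }
} catch {
    # From inside the LAN this can also fail if the router does not hairpin NAT;
    # re-run the request from outside the network before blaming IIS.
    Write-Warning "No HTTP answer at http://$Fqdn/ (check DNS, router NAT, firewall): $_"
} finally {
    Remove-Item (Join-Path $ProbeDir 'probe.txt') -ErrorAction SilentlyContinue
}
```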

You should now see the following:

[screenshot]

Step 3: Certify

The third step is to install Certify, get Let's Encrypt to issue a security certificate, and get Certify to install it in IIS.

To do this, do the following:

1. Install Certify.

2. Open Certify.

3. Select "Yes" on the popup window "Create New Contact?".

4. Enter your email address.

5. Select "File" | "New..." | "Domain Certificate...".

6. Select "Request Certificate" (Certify should have automatically detected and selected the Emby web site in IIS).

You should now see the following:

[screenshot]

Step 4: PFX

The fourth step is to export the Let's Encrypt-issued security certificate from IIS to a password-protected PFX file and remove the password from it.

You need to do this because:

  1. Emby Server requires a passwordless PFX file; it does not support password-protected PFX files.
  2. Windows will not export a security certificate with its private key to a PFX file without a password (for good reason).

To do this, do the following:

1. Open IIS Manager.

2. Select your server in the section "Connections".

3. Select "Server Certificates" | "Open Feature".

4. Select the Let's Encrypt-issued security certificate.

5. Select "Export..." in the section "Actions".

6. Enter a file name and password. I'd recommend that the file be saved in a folder where it can't be accidentally deleted. "C:\Users\<username>\AppData\Roaming\Emby-Server\ssl\" seems to be the best-suited location.

7. Complete the wizard.

8. Install OpenSSL.

9. Open Command Prompt.

10. Execute the following command (keep the quotes around any path that contains spaces; "-nodes" means the private key is written unencrypted into temp.pem):

    "<path to file openssl.exe>" pkcs12 -in "<path to password-protected PFX file>" -nodes -out "<path to folder containing PFX file>\temp.pem"

11. Enter password for PFX file.

12. Execute the following command:

    "<path to file openssl.exe>" pkcs12 -export -in "<path to PEM file>" -out "<path for passwordless PFX file>"

13. Enter no passwords (just press Return twice).

[screenshot]
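The OpenSSL conversion from Step 4 as a PowerShell script, added here as an example and not part of the original post. It assumes Shining Light's OpenSSL Light is installed in its default folder, that the file names are placeholders for your own, and that Emby Server runs as the current user; beyond steps 10 to 13 it also deletes temp.pem (which holds the unencrypted private key), checks that the passwordless PFX loads, and restricts the file's ACL.

```powershell
# Added example (not from the original post). Assumptions: OpenSSL Light installed
# in its default folder; file names below are placeholders; Emby runs as the
# current user (adjust the ACL identity if it runs as a service account).
$OpenSsl   = 'C:\OpenSSL-Win64\bin\openssl.exe'     # assumed install path
$SslDir    = "$env:APPDATA\Emby-Server\ssl"          # folder recommended in Step 4
$Protected = Join-Path $SslDir 'emby-protected.pfx'  # the IIS export (placeholder name)
$TempPem   = Join-Path $SslDir 'temp.pem'
$Final     = Join-Path $SslDir 'emby.pfx'            # path to enter in Step 5

$plain = (New-Object Net.NetworkCredential('', (Read-Host -AsSecureString 'PFX password'))).Password
try {
    # 1) PFX -> PEM. -nodes writes the private key UNENCRYPTED into temp.pem. The
    #    password goes in via stdin so it never appears in a process command line.
    $plain | & $OpenSsl pkcs12 -in $Protected -nodes -passin stdin -out $TempPem
    if ($LASTEXITCODE -ne 0) { throw 'PFX -> PEM conversion failed' }

    # 2) PEM -> passwordless PFX (the same as pressing Return twice in step 13).
    & $OpenSsl pkcs12 -export -in $TempPem -out $Final -passout pass:
    if ($LASTEXITCODE -ne 0) { throw 'PEM -> PFX export failed' }

    # 3) Check the result loads and note its expiry: Let's Encrypt certificates are
    #    valid for 90 days. Certify renews the copy in IIS, but this exported file is
    #    not refreshed for you, so Step 4 has to be repeated after each renewal.
    $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($Final, '')
    Write-Host "Emby PFX: $($cert.Subject) valid until $($cert.NotAfter)"
} finally {
    # temp.pem holds the unencrypted private key; never leave it on disk.
    if (Test-Path $TempPem) { Remove-Item $TempPem -Force }
    $plain = $null
}

# 4) The passwordless PFX is itself an unprotected private key, so restrict it to
#    Administrators and the account Emby Server runs as (drop inherited ACEs).
$acl = Get-Acl $Final
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in @('BUILTIN\Administrators', "$env:USERDOMAIN\$env:USERNAME")) {
    $rule = New-Object Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Final -AclObject $acl
```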

Step 5: Emby Server

The fifth and final step is to configure Emby Server to use the passwordless PFX file.

To do this, do the following:

1. Open Emby Server.

2. Select "Advanced" in the section "Expert".

3. Enter the path to the passwordless PFX file in the section "Custom certificate path".

4. Enter your FQDN in the section "External domain".

5. Enable "Report https as external address".

6. Select "Save".

7. Select "Dashboard" in the section "Server".

8. Select "Restart".

You should now see the following:

[screenshot]