Shared Printers for All Users

Windows

You've probably stumbled across this page if, like me, you were trying to find a way to install a shared printer for all users on a Windows machine.

By default a shared printer is only installed into the profile of the user who added it; when the next user logs on, the printer has to be installed again.

Normally you can install the printer using a local port or a TCP/IP port, and it will then work for all users. However, if the printer comes from a print server or is simply shared from another machine, you need the hack below to install it for all users.

Step 1 - Printer Server/Shared Machine

  • Install the printer as you normally would on your print server, using either a local port (USB) or TCP/IP (network), along with its drivers.
  • Make any changes to the printer: trays, adding both x86 and x64 drivers, security permissions.
  • Share the printer.

Step 2 - On the remote machine

Open CMD as administrator.

Copy the below into the CMD window, changing \\servername\printer to your details.

rundll32 printui.dll,PrintUIEntry /ga /n\\servername\printer

The switches mean:

  • /ga - global (add the connection for all users of the machine)
  • /n - the network path of the shared printer
  • /? - lists all the other options

You can also copy it into a .bat file to make it easier to install on multiple machines.

Give it a few minutes to install. Once completed, the printer will be installed for every user and will keep all the custom preferences set on the server.

Install Sophos UTM from USB


Sophos UTM

Free Home Use Firewall is a fully equipped software version of the Sophos UTM firewall, available at no cost for home users – no strings attached. It features full Network, Web, Mail and Web Application Security with VPN functionality and protects up to 50 IP addresses.

Sound good? Head over to Sophos UTM Home

Click on Get Started, fill in your details and download the Software UTM iso.

Once you have the UTM .iso we need a program to create a bootable USB drive. For this we use Rufus.

  • Download Rufus from Rufus.akeo.ie
  • For this I used a 4GB USB pen drive
  • Run Rufus
  • Partition scheme - MBR for BIOS or UEFI
  • File System - FAT32
  • Cluster size - 4096 bytes
  • New Volume label - anything
  • Quick Format - yes
  • Create a bootable disk using ISO image - choose the UTM .iso
  • Click Start


Once the USB drive is ready we can attempt to start the build.

The UTM installer runs from RAM, so for it to find the installation files we need to mount the USB drive ourselves. We do this from the console interface.

Insert the USB drive and boot from it.


Once it has booted to the installer screen, press ALT + F2 to bring up the console.


We now need to mount the USB Drive by using the command

mount /dev/sdb1 /install

Press ALT + F1 to switch back to the installer window and continue with the installation.

If the installer reports that it cannot find the media, it means the USB drive has been assigned a different device ID than sdb1.

Go back to the console using ALT + F2 and type

fdisk -l

or

sfdisk -l

That's a lowercase L.

This will list the device IDs. Then type

mount /dev/<device ID> /install

When the install is finished you will be able to connect to the UTM software using a web browser by navigating to https://IP-ADDRESS:4444

The rest of the config is then configured through the web browser.

To be continued....

Setting up a Dynamic DNS (DDNS)


Dynamic DNS (DDNS or DynDNS) is a method of automatically updating a name server in the Domain Name System (DNS), often in real time, with the active DDNS configuration of its configured hostnames, addresses or other information. (Wikipedia)

In plain English: you need DDNS when your ISP assigns your WAN IP dynamically (by DHCP). If you restart your router you may get a different external (WAN) IP. That's no good if you want to reach your services from outside, as every time the IP changes you would have to look it up and remember it. This is where DDNS steps in.

A DDNS service gives you a hostname that resolves to your WAN IP even when that IP changes. There are many services out there, most of them free!

For this guide I will use No-IP as a DDNS. Head over to No-IP.com and create an account.


Click on 'Dynamic DNS (Free)' on the left side and then click hostname.


  • Hostname - whatever you want for your domain name
  • Domain - dropdown list, I left it on ddns.net
  • IPv4 Address - your WAN IP, should already be filled in

Now we have a DDNS hostname set up, we need a way to automatically update it with our WAN IP.

For the next part there are a few different ways to update the IP for the DDNS.

The Router

Some routers have a DDNS update client built in; my Unifi router has one, and so do BT routers.

Once this is set up your router will update the DDNS with your WAN IP every time it changes.

Client

There is also a client you can download and run on a PC, which updates the IP. Download it from No-IP Client.

When setting it up, use the account settings you used when creating the No-IP account


There are other ways, however for now I will leave it with the 2 options above.

NGINX Reverse Proxy


This is a guide on how to install NGINX for Windows and add extra security to it.

Ever wanted an A security rating for your website? Then look no further.


Pre-Requisites

  • Your own Domain name
  • A Trusted certificate in either .crt or .pem format
  • A Private.key to go with the certificate
  • Access to your router for port forwarding
  • Either a DDNS or an A Record for your WAN IP.

If you haven't got a trusted certificate you can use my guide Easy Let's Encrypt Certificate to get a free one.

This guide assumes you have either set up a DDNS or have an A record pointing your domain name to your WAN IP. If you don't have this set up, go here.

Step 1 - Port Forwarding

Every router is different, and rather than try to describe how to do this on all the different brands, I will simplify it so it is relevant to all routers.

  • Log into your router
  • Head over to port forwarding
  • Create a new rule to forward port 443 and port 80 to the machine that NGINX will be running on.

Step 2 - Installing NGINX

Head over to NGINX-Win and download the latest version of NGINX for Windows. As of writing this guide the latest version is 1.13.1.1 Violet.


Extract the .zip folder somewhere easy to find. For my example I will extract it to C:\NGINX\. Open up the config folder C:\NGINX\config. Open up Notepad (I recommend Notepad++) and copy the following into it.

worker_processes  2;

events {
    worker_connections  8192;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;

    gzip on;
    gzip_disable "msie6";
    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
        text/plain
        text/css
        text/js
        text/xml
        text/javascript
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml;

    tcp_nodelay on;

    sendfile        off;

    server_names_hash_bucket_size 128;
    map_hash_bucket_size 64;

    ## Start: Timeouts ##
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     30;
    send_timeout          10;
    keepalive_requests    10;
    ## End: Timeouts ##

This is some default configuration to let NGINX know what to do. For security I added

server_tokens off;

This stops outsiders from looking up which version of NGINX the server is running, so known weaknesses of that version can't be targeted as easily.

After the part above copy in this code

## Default Listening ##

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

This block makes NGINX listen on port 80 and redirect any traffic it receives there (HTTP) to port 443 (HTTPS), forcing clients onto a secure connection. listen [::]:80 is only required if you have users connecting over IPv6.

The next part is to configure NGINX to forward the traffic it receives to the correct location. Copy the code below into the same notepad.

## Server Block ##

    server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name mysite.com;

Anything with # in front of it is a comment or a disabled directive.

In the code above, change mysite.com to whatever your (sub-)domain name is. listen 443 ssl http2; means that NGINX listens on port 443 with TLS and offers the HTTP/2 protocol.

Next we look at adding our beefed up security into the config.

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate      SSL/cert.pem;
        ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

Most of the above concerns the protocols and ciphers used to create the secure connection. ssl_protocols lists the protocol versions NGINX will accept; TLSv1.2 is the most secure of those listed. These have replaced SSL, which is now obsolete. In the very near future TLSv1.3 will make the other versions of TLS obsolete. ssl_ciphers lists, in order of preference, the cipher suites used to create the secure connection.
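To check these TLS directives before you deploy them, here is an added example (my own code, not part of the guide): a small Python audit that pulls ssl_protocols, ssl_ciphers and ssl_prefer_server_ciphers out of a config snippet, flags protocol versions that are now deprecated (TLS 1.0 and 1.1 were formally deprecated by RFC 8996) and flags cipher-string entries that admit weak algorithms such as 3DES. The weak-token list is my own selection, the sample input is the guide's own snippet pasted as a string, and the hardened snippet assumes an nginx build whose OpenSSL supports TLS 1.3.

```python
import re

# Constructed sample: the ssl_* lines from the guide above, pasted as-is.
GUIDE_TLS_SNIPPET = """
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate      SSL/cert.pem;
        ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
"""

# Same directives with the deprecated versions and 3DES removed (assumes an nginx build
# whose OpenSSL supports TLS 1.3; drop TLSv1.3 from the list otherwise).
HARDENED_TLS_SNIPPET = """
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!3DES;
"""

# Versions formally deprecated by RFC 8996 (TLS 1.0/1.1) or long broken (SSLv2/v3).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# OpenSSL cipher-string tokens that pull weak or null algorithms into the list
# (my own selection for this example, not an exhaustive list).
WEAK_CIPHER_TOKENS = {"3DES", "DES", "RC4", "MD5", "NULL", "eNULL", "aNULL",
                      "EXPORT", "EXP", "ADH", "AECDH"}

# One ssl_* directive per statement: name, whitespace, value, terminating semicolon.
DIRECTIVE_RE = re.compile(r"^\s*(ssl_[a-z_]+)\s+([^;]+);", re.MULTILINE)


def parse_ssl_directives(conf_text):
    """Map each ssl_* directive in the text to its value (later occurrences win)."""
    return {name: value.strip() for name, value in DIRECTIVE_RE.findall(conf_text)}


def weak_cipher_entries(cipher_string):
    """Return the positive entries of an OpenSSL cipher string that include a weak token."""
    weak = []
    for entry in cipher_string.split(":"):
        if entry.startswith(("!", "-")):
            continue  # exclusions only remove ciphers, they cannot add weak ones
        tokens = entry.lstrip("+").split("+")
        if any(token in WEAK_CIPHER_TOKENS for token in tokens):
            weak.append(entry)
    return weak


def audit_tls_directives(conf_text):
    """Return a list of findings for the ssl_* directives; an empty list means nothing flagged."""
    directives = parse_ssl_directives(conf_text)
    findings = []
    if "ssl_protocols" not in directives:
        findings.append("ssl_protocols not set; nginx's built-in default applies")
    for proto in directives.get("ssl_protocols", "").split():
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"ssl_protocols offers deprecated {proto}")
    for entry in weak_cipher_entries(directives.get("ssl_ciphers", "")):
        findings.append(f"ssl_ciphers entry {entry!r} admits a weak cipher")
    if directives.get("ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers is not on, so the client's cipher order wins")
    return findings


if __name__ == "__main__":
    for name, snippet in (("guide", GUIDE_TLS_SNIPPET), ("hardened", HARDENED_TLS_SNIPPET)):
        print(name, audit_tls_directives(snippet) or ["no findings"])
```

Run against the guide's snippet it reports TLSv1.1, TLSv1 and the DH+3DES entry; against the hardened snippet it reports nothing. To audit your real file, read it with open() and pass the text in; the regex works on the whole nginx.conf, not just the ssl lines.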

So from the above we need to edit the following

ssl_certificate      SSL/cert.pem;
ssl_certificate_key  SSL/private.key;

This is the location of our cert.pem and private.key. I have them in my NGINX folder at C:\NGINX\config\SSL. To find out how to create the certs, please use the guide Easy Let's Encrypt Certificates; at the bottom it describes how to create .pem certs.

        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mysite.com emby.mysite.com;";

Most of the above are HTTP response headers. They add extra security to the connection.

X-Xss-Protection - sets the configuration for the cross-site scripting filters built into most browsers. The best configuration is "X-XSS-Protection: 1; mode=block".

X-Content-Type-Options - stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff".

Strict-Transport-Security - is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.

X-Frame-Options - tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking.

Referrer-Policy - is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.

Content-Security-Policy - is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.

The next part we need to change is

add_header Content-Security-Policy "frame-ancestors mysite.com emby.mysite.com;";

Change mysite.com emby.mysite.com to your own domain names. You also need to add ALL the other sub-domains that NGINX will manage, for example mysite.com emby.mysite.com sonarr.mysite.com.
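The following is an added example (my own Python, not from the guide) that audits a set of HTTP response headers against what the directives above are meant to produce: version leakage in Server and X-Powered-By (what server_tokens off and proxy_hide_header address), Strict-Transport-Security presence and max-age, X-Content-Type-Options, framing protection via X-Frame-Options or CSP frame-ancestors, and the presence of Content-Security-Policy and Referrer-Policy. The two header sets are constructed samples; the minimum HSTS age is simply the guide's own 30-day value; fetch_headers() is the only function that touches the network and is there so you can point the audit at your own domain once NGINX is running.

```python
import urllib.request

# Constructed sample: what the proxy above should send once the add_header lines are in place.
HARDENED_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=2592000; includeSubdomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Xss-Protection": "1; mode=block",
    "Referrer-Policy": "no-referrer",
    "Content-Security-Policy": "frame-ancestors mysite.com emby.mysite.com;",
}

# Constructed sample: a proxy with nothing hardened and server_tokens left at its default.
UNHARDENED_HEADERS = {
    "Server": "nginx/1.13.1",
    "X-Powered-By": "PHP/7.1.0",
}

MIN_HSTS_MAX_AGE = 2592000  # the guide's value (30 days); raise toward a year once confident


def parse_hsts(value):
    """Return (max_age_seconds or None, include_subdomains) from an HSTS header value."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        part = part.strip()
        if part.lower().startswith("max-age="):
            try:
                max_age = int(part.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                max_age = None
        elif part.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit_headers(headers):
    """Return a list of findings for a response header mapping; empty means nothing flagged."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    server = h.get("server", "")
    if "/" in server:
        findings.append(f"Server header leaks a version: {server!r} (set server_tokens off)")
    if "x-powered-by" in h:
        findings.append("X-Powered-By present (use proxy_hide_header X-Powered-By)")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
        if not include_sub:
            findings.append("HSTS lacks includeSubDomains")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    xfo = h.get("x-frame-options", "").upper()
    csp = h.get("content-security-policy", "")
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no framing control (X-Frame-Options or CSP frame-ancestors)")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    return findings


def fetch_headers(url):
    """Fetch a URL's response headers with a HEAD request (network; not used by the sample run)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    for name, hdrs in (("hardened", HARDENED_HEADERS), ("unhardened", UNHARDENED_HEADERS)):
        print(name, audit_headers(hdrs) or ["no findings"])
```

The audit deliberately ignores X-Xss-Protection: the guide sets it, and it does no harm, but current Chromium and Firefox releases no longer implement that filter, so its presence says nothing about how the site is protected. Remember that the audit only sees headers on the response you fetch; add_header lines inside a location block replace, rather than extend, those inherited from the server block, so check a URL from each location you define.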

The next block is the location block, add this to your notepad.

        location / {
            proxy_pass http://127.0.0.1:PORT;

            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}

The location block tells NGINX what to do with the requests it receives and where to forward them. It is also required for WebSockets to work.

Edit the proxy_pass to point at the service you are running. If it is running on the same machine as NGINX you can leave it as http://127.0.0.1:PORT. If it is running on another machine you will need its IP, e.g. http://192.168.1.10:PORT.

        location / {
            proxy_pass http://127.0.0.1:PORT;

The whole config should now look like this.

worker_processes  2;

events {
    worker_connections  8192;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;

    gzip on;
    gzip_disable "msie6";
    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
        text/plain
        text/css
        text/js
        text/xml
        text/javascript
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml;

    tcp_nodelay on;

    sendfile        off;

    server_names_hash_bucket_size 128;
    map_hash_bucket_size 64;

    ## Start: Timeouts ##
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     30;
    send_timeout          10;
    keepalive_requests    10;
    ## End: Timeouts ##

    ## Default Listening ##
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    ## Server Block ##
    server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name mysite.com;

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate      SSL/cert.pem;
        ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mysite.com emby.mysite.com;";

        location / {
            proxy_pass http://127.0.0.1:PORT;

            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}

Save the notepad as nginx.config in the following location C:\NGINX\config

Step 3 - Set NGINX as a Windows Service

To get NGINX to start with Windows we need to download an application called NSSM (Non-Sucking Service Manager). Download it and extract it. You will have a choice of the win32 or win64 version; choose the one that matches your Windows installation. Copy nssm.exe to C:\Windows\System32.

Open a command prompt (Run as administrator) and type the following

nssm install NGINX

It will now display the NSSM service installer dialog.

Fill in the Path to nginx.exe (C:\NGINX\nginx.exe) and the Startup Directory (C:\NGINX).

Click ok


Open up services.msc and find the NGINX service we just installed.

Right click and Start.


To Test, we can navigate to emby.mysite.com and it should bring up your Emby Server!

If you have any problems drop a comment below. I will also be creating a Troubleshooting NGINX post soon.

Emby Server HTTPS (Reverse Proxy)


There are 2 ways to connect to your Emby server using HTTPS.

This Guide is for setting up Emby behind a reverse proxy such as NGINX or Apache. For the purposes of this guide it will follow Installing and configuring NGINX on a Windows based machine.

For a basic HTTPS connection to Emby please see the Direct Connection (Simple) Guide 'HERE'.

Pre-Requisites

  • Emby Server installed and running
  • Your own Domain name
  • A Trust certificate in either .crt or .pem format
  • A Private.key to go with the certificate
  • Access to your router for port forwarding
  • Either a DDNS or have an A Record for WAN IP.

If you haven't got a trusted certificate you can use my guide Easy Let's Encrypt Certificate to get a free one.

This guide assumes you have either set up a DDNS or have an A record pointing your domain name to your WAN IP. If you don't have this set up, go here.

Step 1 - Port Forwarding

Every router is different, and rather than try to describe how to do this on all the different brands, I will simplify it so it is relevant to all routers.

  • Log into your router
  • Head over to port forwarding
  • Create a new rule to forward port 443 and port 80 to the machine that NGINX will be running on.

Step 2 - Installing NGINX

Head over to NGINX-Win and download the latest version of NGINX for Windows. As of writing this guide the latest version is 1.13.1.1 Violet.


Extract the .zip folder somewhere easy to find. For my example I will extract it to C:\NGINX\. Open up the config folder C:\NGINX\config. Open up Notepad (I recommend Notepad++) and copy the following into it.

worker_processes  2;

events {
    worker_connections  8192;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;

    gzip on;
    gzip_disable "msie6";
    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
        text/plain
        text/css
        text/js
        text/xml
        text/javascript
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml;

    tcp_nodelay on;

    sendfile        off;

    server_names_hash_bucket_size 128;
    map_hash_bucket_size 64;

    ## Start: Timeouts ##
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     30;
    send_timeout          10;
    keepalive_requests    10;
    ## End: Timeouts ##

This is some default code to let NGINX know what to do.

After the part above copy in this code

## Default Listening ##

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

This block makes NGINX listen on port 80 and redirect any traffic it receives there (HTTP) to port 443 (HTTPS), forcing clients onto a secure connection.

The next part is to configure NGINX to forward the traffic it receives for Emby to the correct location. Copy the code below into the same notepad.

## EMBY Server ##

    server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name emby.mysite.com;

Anything with # in front of it is a comment or a disabled directive.

In the code above, change emby.mysite.com to whatever your sub-domain name is.

Next we look at adding our beefed up security into the config.

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate      SSL/cert.pem;
        ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;


        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mysite.com emby.mysite.com;";

Without going into too much detail for this guide, the above section tells NGINX which protocols and encryption ciphers to use and where our certs are, and adds some extra security measures via HTTP response headers.

So from the above we need to edit the following

ssl_certificate      SSL/cert.pem;
ssl_certificate_key  SSL/private.key;

This is the location of our cert.pem and private.key. I have them in my NGINX folder at C:\NGINX\config\SSL. To find out how to create the certs, please use the guide Easy Let's Encrypt Certificates; at the bottom it describes how to create .pem certs.

The next part we need to change is

add_header Content-Security-Policy "frame-ancestors mysite.com emby.mysite.com;";

Change mysite.com emby.mysite.com to your own domain names. You also need to add ALL the other sub-domains that NGINX will manage, for example mysite.com emby.mysite.com sonarr.mysite.com.

The next block is the location block, add this to your notepad.

        location / {
            proxy_pass http://127.0.0.1:8096;

            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}

The location block tells NGINX what to do with the requests it receives and where to forward them. It is also required for WebSockets to work.

Edit the proxy_pass to point at your Emby Server. If it is running on the same machine as NGINX you can leave it as http://127.0.0.1:8096. If it is running on another machine you will need its IP, e.g. http://192.168.1.10:8096.

        location / {
            proxy_pass http://127.0.0.1:8096;

The whole config should now look like this.

worker_processes  2;

events {
    worker_connections  8192;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;

    gzip on;
    gzip_disable "msie6";
    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
        text/plain
        text/css
        text/js
        text/xml
        text/javascript
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml;

    tcp_nodelay on;

    sendfile        off;

    server_names_hash_bucket_size 128;
    map_hash_bucket_size 64;

    ## Start: Timeouts ##
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     30;
    send_timeout          10;
    keepalive_requests    10;
    ## End: Timeouts ##

    ## Default Listening ##
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    ## EMBY Server ##
    server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name emby.mysite.com;

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate      SSL/cert.pem;
        ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mysite.com emby.mysite.com;";

        location / {
            proxy_pass http://127.0.0.1:8096;

            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}

Save the notepad as nginx.config in the following location C:\NGINX\config

Step 3 - Set NGINX as a Windows Service

To get NGINX to start with Windows we need to download an application called NSSM (Non-Sucking Service Manager). Download it and extract it. You will have a choice of the win32 or win64 version; choose the one that matches your Windows installation. Copy nssm.exe to C:\Windows\System32.

Open a command prompt (Run as administrator) and type the following

nssm install NGINX

It will now display the NSSM service installer dialog.

Fill in the Path to nginx.exe (C:\NGINX\nginx.exe) and the Startup Directory (C:\NGINX).

Click ok


Open up services.msc and find the NGINX service we just installed.

Right click and Start.


To Test, we can navigate to emby.mysite.com and it should bring up your Emby Server!

If you have any problems drop a comment below. I will also be creating a Troubleshooting NGINX post soon.

Emby Server HTTPS (Direct Connect)


There are 2 ways to connect to your Emby server using HTTPS.

This Guide is for Direct Connection (Simple). Go 'HERE' if you want the reverse proxy connection (Advanced).

Pre-Requisites

  • Emby Server installed and running
  • Your own Domain name
  • A Trusted Certificate in .pfx format
  • Access to your router for port forwarding.
  • Either have DDNS or have A Record for WAN IP

If you want to find out how to get a Certificate and convert it to .pfx head over to Easy Let's Encrypt Cert

This guide assumes you have either set up a DDNS or have an A record pointing your domain name to your WAN IP. If you don't have this set up, go here.

Step 1 - Router Access

Every router is different, and rather than try to describe how to do this on all the different brands, I will simplify it so it is relevant to all routers.

  • Log into your router
  • Head over to port forwarding
  • Create a new rule to forward port 443 to the machine that Emby Server runs on.

Step 2 - Configure Emby Server

Head over to your Emby server in a web browser, usually at http://IP-Address:8096. Go to Server Management, then 'Expert' and 'Advanced'.

Most of this page can stay the same except

    Public HTTPS port number = 443
    Custom certificate path = *path to your .pfx certificate
    Certificate password = *your .pfx password
    External Domain = https://emby.mysite.com
    Report HTTPS as external address = Yes

Save and Restart Emby Server

To test go to HTTPS://DomainName (https://emby.mysite.com) and it should work.

Easy Let's Encrypt Certificate


So you run a website or some services, and at the moment they are accessible over HTTP (port 80). However, you want a secure connection and a nice green padlock displayed in your web browser. In that case you need to set up an HTTPS (port 443) connection, which requires the web page/service and the user to communicate over an encrypted connection using secure protocols such as SSL (Secure Sockets Layer) or TLS (Transport Layer Security).

Let's Encrypt.

Normally you would have to pay a fee to get a certificate, and then pay a yearly fee. However, Let's Encrypt is dishing out free certificates, with the only catch being that they are valid for 90 days. The cert will need to be renewed every 90 days. I tend to renew with at least 15-20 days left before expiry, just in case I have any issues with the new cert; that gives me time to install and test it.

Pre-Requisites

  • Having your own Domain Name. My example: *.mysite.com
  • Access to your Domain Registrar's DNS settings

Step 1 - Generate the cert.

Head over to ZeroSSL, click on Online Tools and then the FREE SSL Certificate Wizard. Enter the details it asks for. In the Domain box enter all the domains and subdomains you require the certificate to cover, separated by a space. Example:

  • mysite.com blog.mysite.com test.mysite.com

Accept both the TOS and SA and change the verification from HTTP to DNS.

Click next and it will generate a CSR (certificate signing request). Copy the CSR and save it, as you will need it when it comes time to renew.

Click next again and it will generate an account key (RSA PRIVATE KEY). Again, copy and save this private key; we will need it to renew.


We should now see the Verification screen.


Step 2 - DNS Verification.

For this step we need to prove to ZeroSSL that we own the domain name we are trying to create the cert for.

Head over to your domain registrar. For this example I will use namecheap.com.

Log in and head over to DNS or Advanced DNS. We need to create a TXT record for each of our domains and subdomains. Set the TTL (Time to Live) to 1 min or the lowest setting available.


IMPORTANT - We should now leave it 15 minutes to allow the TXT records we created above to propagate across the internet. If you click 'Next' on the ZeroSSL page too soon it will fail to find the TXT records. To test whether the records have updated, open a command prompt on your PC and type

nslookup -q=TXT _acme-challenge.blog.mysite.com

It should reply with the TXT Record Value. If it replies with:-

can't find _acme-challenge.blog.mysite.com: Non-existent domain

Then you have to wait longer.
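Rather than re-running nslookup by hand, the following added example (my own Python, not part of the guide) wraps the same query: it parses nslookup's output, distinguishes "record not there yet" from "record there but with a different value", and polls until the value ZeroSSL gave you is actually visible. The two sample outputs are constructed approximations of what nslookup prints on Windows; the exact wording varies between versions and resolvers, so the parser only relies on the "text =" marker, the quoted strings and the "Non-existent domain" message the guide quotes.

```python
import re
import subprocess
import time

# Constructed sample outputs approximating what nslookup prints on Windows; the exact
# wording (server name, spacing) varies between versions and resolvers.
SAMPLE_FOUND = """Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
_acme-challenge.blog.mysite.com text =

        "gfj9Xq_example_challenge_value"
"""

SAMPLE_MISSING = """Server:  UnKnown
Address:  192.168.1.1

*** UnKnown can't find _acme-challenge.blog.mysite.com: Non-existent domain
"""

# TXT strings are printed inside double quotes.
QUOTED_RE = re.compile(r'"([^"]*)"')


def parse_txt_answer(output):
    """Return the TXT strings in nslookup output, or None when the name does not exist yet."""
    if "non-existent domain" in output.lower():
        return None
    if "text =" not in output:
        return []  # name resolved, but no TXT data came back
    return QUOTED_RE.findall(output)


def txt_record_matches(output, expected):
    """True only when the expected challenge value is among the published TXT strings."""
    values = parse_txt_answer(output)
    return values is not None and expected in values


def run_nslookup(name):
    """Run the same nslookup query as the guide and return everything it printed."""
    proc = subprocess.run(["nslookup", "-q=TXT", name], capture_output=True, text=True)
    return proc.stdout + proc.stderr


def wait_for_txt(name, expected, timeout_s=900, interval_s=30, lookup=run_nslookup):
    """Poll the resolver until the expected TXT value is visible; False if the timeout passes first."""
    deadline = time.monotonic() + timeout_s
    while True:
        if txt_record_matches(lookup(name), expected):
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval_s)


if __name__ == "__main__":
    import sys
    # usage: python check_txt.py _acme-challenge.blog.mysite.com <value shown by ZeroSSL>
    host, value = sys.argv[1], sys.argv[2]
    print("record visible" if wait_for_txt(host, value) else "timed out; wait longer")
```

Checking for the exact value, not just for any TXT record, matters on renewal: a stale _acme-challenge record from the last run resolves fine but still fails verification. Note that nslookup asks whichever resolver your PC is configured with (often the router), which may have cached the negative answer; the low TTL the guide asks for keeps that wait short.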

Eventually you can click 'Next' and it should take you to your Certificates.


They are available to download on the right or you can copy and paste the keys.

The certificate comes in 2 parts, which you can see from the 2 sections:

-----BEGIN CERTIFICATE-----
Your Domain Certificate
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Your Certificate Authority
-----END CERTIFICATE-----

The first part is your certificate for the domains/subdomains you listed. The second part is the issuing authority's certificate (the CA root). You can either keep these together as one file (ca_bundle.crt) or split them into two, cert.crt and ca_root.crt.

Finally, the second box is your private key. Save this key as private.key.

Congratulations you now have your own Certificate signed by Let's Encrypt.

Step 3 - Certificate Formats (Optional)

crt to pem

We currently have the certificates in a .crt format. To create a .pem file we need to include the cert.crt and ca_root.crt into one file. You can use notepad to do this. Copy both your cert and the ca_root into notepad like below.

-----BEGIN CERTIFICATE-----
Your Domain Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Your Certificate Authority
-----END CERTIFICATE-----

and then save the file as cert.pem. Simple as that!
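Doing the copy-and-paste by hand is where most broken cert.pem files come from (a dropped dash in a BEGIN line, a line of base64 lost, the CA block pasted before the domain block). The following added example (my own Python, not from the guide) parses the PEM format the two sections above use: it checks that every BEGIN has a matching END, that each body is valid base64 decoding to a DER SEQUENCE (real certificates start with byte 0x30), splits a ca_bundle.crt into cert.crt and ca_root.crt, and rebuilds the cert.pem described above. It assumes, as ZeroSSL delivers it, that the domain certificate comes first in the bundle; the sample blocks are constructed stand-ins, not real certificates, and the .pfx conversion is left to the openssl command further down.

```python
import base64
import re

# One PEM block: five dashes, BEGIN <label>, base64 body, END <same label>.
PEM_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def constructed_pem(label, payload):
    """Wrap made-up bytes in PEM armour (sample data for this example, not a real certificate)."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed stand-ins for 'Your Domain Certificate' and 'Your Certificate Authority'.
# Real DER certificates start with 0x30 (an ASN.1 SEQUENCE), which the parser checks.
SAMPLE_LEAF = constructed_pem("CERTIFICATE", b"\x30\x82\x01\x00" + b"leaf-sample-" * 8)
SAMPLE_CA = constructed_pem("CERTIFICATE", b"\x30\x82\x01\x00" + b"ca-sample-" * 8)
SAMPLE_BUNDLE = SAMPLE_LEAF + "\n" + SAMPLE_CA  # the shape of ca_bundle.crt


def parse_pem_blocks(text):
    """Return [(label, der_bytes)] for every block; raise ValueError if any block is damaged."""
    blocks = []
    for label, body in PEM_BLOCK_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"{label} body is not valid base64") from exc
        if label == "CERTIFICATE" and der[:1] != b"\x30":
            raise ValueError("CERTIFICATE body does not decode to a DER SEQUENCE")
        blocks.append((label, der))
    # A BEGIN line the regex could not pair up (e.g. '----BEGIN' with four dashes).
    if text.count("BEGIN ") != len(blocks):
        raise ValueError("found a BEGIN line that is not part of a well-formed block")
    return blocks


def is_well_formed(text):
    """True if every PEM block in the text parses; False otherwise."""
    try:
        parse_pem_blocks(text)
        return True
    except ValueError:
        return False


def cert_blocks(text):
    """The CERTIFICATE blocks of the text, each re-emitted with a single trailing newline."""
    return [m.group(0) + "\n" for m in PEM_BLOCK_RE.finditer(text) if m.group(1) == "CERTIFICATE"]


def split_bundle(bundle_text):
    """Split ca_bundle.crt into (cert.crt, ca_root.crt), assuming the domain cert comes first."""
    parse_pem_blocks(bundle_text)
    certs = cert_blocks(bundle_text)
    if len(certs) < 2:
        raise ValueError("bundle must hold the domain certificate followed by at least one CA certificate")
    return certs[0], "".join(certs[1:])


def make_cert_pem(cert_crt_text, ca_root_text):
    """Build cert.pem as the guide describes: the domain certificate followed by the CA certificate."""
    for part in (cert_crt_text, ca_root_text):
        parse_pem_blocks(part)
    return "".join(cert_blocks(cert_crt_text) + cert_blocks(ca_root_text))


if __name__ == "__main__":
    leaf, chain = split_bundle(SAMPLE_BUNDLE)
    print(make_cert_pem(leaf, chain))
```

To use it on your real files, read ca_bundle.crt with open(), pass the text to split_bundle(), and write the two results out; is_well_formed() on the finished cert.pem is a cheap check before you restart NGINX. The order matters to NGINX: ssl_certificate expects your own certificate first and the issuer's after it.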

crt to pfx

Creating a .pfx certificate isn't as simple as a .pem. A .pfx file bundles your cert, the CA root cert and your private.key into one file, and usually has a password that is needed to open/import or export it.

If you have access to OpenSSL you can use the command below

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in cert.crt -certfile CA_root.crt

Another option is to use SSLShopper free online utility.


First of all change the 'Type To Convert To' to PFX/PKCS#12

Certificate to convert = your domain cert.crt
Private Key file = your private.key
Chain Certification File (optional) = your ca_root.crt
PFX = create a strong password and remember it!

Click 'Convert' and you should then get the new .pfx file automatically downloaded.

Congratulations, you now know how to get a trusted certificate. Have a look through my site for other guides on how you can use a certificate. Don't forget you need to renew it, as it will expire after 90 days.