Auto Renew on Emby - not Apache etc

I've got an Emby server, which doesn't run Apache etc. and needs a standalone certificate. I've installed certbot using a supplied script (included at the end of this message), and everything works perfectly. The --dry-run works perfectly too.
I had to convert the certificate to a PKCS12 certificate as this is what Emby uses, using this command:

openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out pkcs12.pfx -certfile chain.pem

I looked at /etc/cron.d/certbot, which is:

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

I wanted to make sure it auto-renews, so I issued the command:

/usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

but it came back with:
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

Which leads me to suspect it's going to fail the auto-renew on the Emby server.

I've tried, but can't seem to get the certonly option working.

Could I ask for help configuring this? What am I missing?

One additional question, if I may: I'm sure the certificate, once set up to renew, will be fine, but can I confirm I won't need to build the PKCS12 certificate again using openssl?

Thank you for your help, I'm very appreciative.

My domain is: emby.remrah.com

I ran this command: N/A

It produced this output:

My web server is (include version): Emby

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

Script supplied:
#!/bin/bash
# Supplied script: stops any web server holding port 80, opens the firewall,
# obtains a standalone certificate with certbot, converts it to the PKCS#12
# bundle Emby expects, and restores the services afterwards.
cd ~
sleep 1
# Stop Apache if it is running, so certbot's standalone listener can bind port 80.
SERVICE="apache2"
if pgrep -x "$SERVICE" >/dev/null
then
  echo "$SERVICE is running"
  sleep 2
  echo "Will now stop Apache2"
  systemctl stop apache2
fi
sleep 2
# Same for nginx.
SERVICE="nginx"
if pgrep -x "$SERVICE" >/dev/null
then
  echo "$SERVICE is running"
  sleep 2
  echo "Will now stop Nginx"
  systemctl stop nginx
fi
sleep 2
# Open the firewall so the ACME http-01 validation can reach port 80.
ufw disable
sleep 1
iptables -F
sleep 1
iptables -X
sleep 1
# Install certbot from apt if it is not already present.
REQUIRED_PKG="certbot"
PKG_OK=$(dpkg-query -W --showformat='${Status}\n' $REQUIRED_PKG|grep "installed and working")
echo Checking for $REQUIRED_PKG: $PKG_OK
if [ "" = "$PKG_OK" ]; then
  echo "$REQUIRED_PKG is missing. Installing $REQUIRED_PKG."
  apt-get --yes install $REQUIRED_PKG
fi
sleep 1
# Remove any previous bundle before writing the new one.
file="/var/lib/emby/emby.pfx"
if [ -f "$file" ] ; then
  rm "$file"
fi
sleep 1
read -p "Enter your FQDN: " fqdn
# Get a standalone cert; "2" answers certbot's interactive prompt.
echo "2" | certbot certonly --register-unsafely-without-email --agree-tos --standalone -d $fqdn
# Convert key + full chain into the PKCS#12 bundle Emby reads (openssl prompts for the export password).
openssl pkcs12 -inkey /etc/letsencrypt/live/$fqdn/privkey.pem -in /etc/letsencrypt/live/$fqdn/fullchain.pem -export -out /var/lib/emby/emby.pfx
sleep 1
read -p "Enter your emby system group and user (default is: emby): " user
chown $user "$file"
sleep 1
service emby-server restart
sleep 1
# Restart whichever web servers were stopped above.
SERVICE="nginx"
if pgrep -x "$SERVICE" >/dev/null
then
  echo "$SERVICE is running"
else
  echo "$SERVICE was stopped"
  sleep 2
  echo "Will now try to start Nginx"
  systemctl start nginx
fi
sleep 2
# pgrep -x is case-sensitive; the process is named apache2.
SERVICE="apache2"
if pgrep -x "$SERVICE" >/dev/null
then
  echo "$SERVICE is running"
else
  echo "$SERVICE was stopped"
  sleep 2
  echo "Will now try to start Apache2"
  systemctl start apache2
fi
sleep 2
# Re-enable the firewall now that validation is done.
echo "y" | ufw enable
sleep 1
echo "Certificate has been installed, and is now valid for 90 days."
sleep 1
exit 0

A Certbot renew acts on certs that you previously got on that same machine. This works by creating a profile in the /etc/letsencrypt/renewal folder. This profile contains all the options you used when getting the cert. The renew command acts on all the profiles in that folder using those saved options.

I don't know why you would get an error about failing to automatically configure a web server. I don't see any Certbot commands that requested a cert with options to do that (so the renew would not either). Are you running Certbot on different machines?

What does this show on the machine that has your emby.remrah.com cert?

sudo certbot certificates

And, please show the contents of its conf profile in /etc/letsencrypt/renewal

3 Likes

Sorry about the delay.
If I enter sudo certbot certificates, I get

root@emby:~# sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: emby.remrah.com
Domains: emby.remrah.com
Expiry Date: 2024-05-06 19:10:55+00:00 (VALID: 60 days)
Certificate Path: /etc/letsencrypt/live/emby.remrah.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/emby.remrah.com/privkey.pem


root@emby:~#
The contents of the /etc/letsencrypt/renewal conf file are:

root@emby:/etc/letsencrypt/renewal# cat emby.remrah.com.conf

renew_before_expiry = 30 days

version = 0.40.0
archive_dir = /etc/letsencrypt/archive/emby.remrah.com
cert = /etc/letsencrypt/live/emby.remrah.com/cert.pem
privkey = /etc/letsencrypt/live/emby.remrah.com/privkey.pem
chain = /etc/letsencrypt/live/emby.remrah.com/chain.pem
fullchain = /etc/letsencrypt/live/emby.remrah.com/fullchain.pem

Options used in the renewal process

[renewalparams]
account =1234124 - Edited
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
root@emby:/etc/letsencrypt/renewal# ls
emby.remrah.com.conf
root@emby:/etc/letsencrypt/renewal#

certbot renew --dry-run gives:

root@emby:/etc/letsencrypt/renewal# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/emby.remrah.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for emby.remrah.com
Waiting for verification...
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/emby.remrah.com/fullchain.pem



** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/emby.remrah.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


root@emby:/etc/letsencrypt/renewal#

If I try to renew manually it works ok; it's the automatic side I'm concerned about. I don't want to have to do it manually, I'll forget.

Thanks again for your help and my apologies for the delay; it doesn't reflect how important this is to me, everything had to stop.

Yes, the commands you showed all worked normally.

When Certbot is installed it usually sets up an auto-renew. You can check whether yours is set up by reviewing the topic below.

Since the --dry-run worked, if the auto-renew runs (cronjob or systemd timer) the cert should renew just fine. You can re-run certbot certificates in 31 days to see if that happened. By default Certbot renews with 30 days remaining before expiry of the cert.

And, check for a cronjob or systemd timer with these instructions:
https://eff-certbot.readthedocs.io/en/latest/using.html#automated-renewals

2 Likes

You will have to rebuild that each time.

You could use the Certbot --deploy-hook option and reference a script you make to do that. Had you used the --deploy-hook option when you originally got the cert, that option would have been saved in the renewal conf file for the auto-renew.

Your Ubuntu version easily supports the snap install for Certbot. If you were running that you would have a current version of Certbot which has a reconfigure command. You could add a deploy-hook to your config file using that. I recommend upgrading to the snap so you can do that.
Update to snap version (oops, mistyped .com instead of .org):

The reconfigure command
https://eff-certbot.readthedocs.io/en/stable/using.html#certbot-v2-3-0-and-newer

2 Likes

Thanks Mike.

Is there anything I need to do, or can I just install the snap on top of my existing system?

I'll look at the reconfigure command once I know if I can just install on top.

Much appreciated.

1 Like

Not sure what you mean by "on top of". The snap version will take precedence over your apt version. The data files in /etc/letsencrypt/... will not be affected.

The instructions on the Certbot site should explain all that. Just follow each step carefully. Sorry for the typo in the URL for this page in my prior post.

2 Likes

Hi Mike,

I have the snap version of certbot installed. When I issue "snaps list" I get

certbot 2.9.0 3643 latest/stable certbot-eff✓ classic

So my next step is to create the script to convert the certificate to a PKCS12. I just worked out the passin and passout options, with the command

openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passin pass:1234 -passout pass:1234

but the PKCS12 file does not update its date; it seemed to the first time I ran it though.

The folder contents are:
root@emby:/etc/letsencrypt/live/emby.remrah.com# ls -l
total 28
-rw------- 1 root root 5637 Mar 14 17:30 certificate.pfx
-rwxrwxr-- 1 root emby 1328 Mar 9 2023 cert.p12
lrwxrwxrwx 1 root root 39 Feb 6 20:10 cert.pem -> ../../archive/emby.remrah.com/cert3.pem
lrwxrwxrwx 1 root root 40 Feb 6 20:10 chain.pem -> ../../archive/emby.remrah.com/chain3.pem
-rwxr-xr-x 1 root root 146 Mar 14 17:24 convert-to-pfs.sh
lrwxrwxrwx 1 root root 44 Feb 6 20:10 fullchain.pem -> ../../archive/emby.remrah.com/fullchain3.pem
-rwxrwxr-- 1 root root 5637 Mar 14 17:23 pkcs12.pfx
lrwxrwxrwx 1 root root 42 Feb 6 20:10 privkey.pem -> ../../archive/emby.remrah.com/privkey3.pem
-rwxrwxr-- 1 root emby 692 Mar 9 2023 README

Why isn't the time changing on the PKCS file? Does it only allow a renewal every so many days?

Thanks

1 Like

The -out file has a timestamp of Mar 14 at 17:30; that looks new to me. You have two different files with a .pfx extension and one with .p12. Is that what you planned? I'm guessing not. You probably should be consistent with your file names.

The openssl command option you use reads files and makes a new file. You can run that as often as you like. You could check the openssl manual.

I also recommend not putting your scripts or even the .pfx or .p12 files in the Certbot folders. You should make your own folders for your own files.

3 Likes

And then there are:

3 Likes

You're right, after cleaning up a few files and running the script, it works. I'll move the script file once it's all ok. For now I'll leave it where it is, then there are no path issues.

So the next step is to call the script after the renewal process, so I added

post-hook = bash /etc/letsencrypt/live/emby.remrah.com/convert-to-pfs.sh

to the emby.remrah.com.conf

I wanted post rather than renew for testing.

But I tried --dry-run --run-deploy-hooks and it failed with

certbot: error: unrecognized arguments: --run-deploy-hooks

A bit of research, and it appears I have two installations of certbot

julianh@emby:~$ certbot --version
certbot 0.40.0

julianh@emby:~$ sudo certbot --version
[sudo] password for julianh:
certbot 0.40.0
julianh@emby:~$ which certbot
/usr/bin/certbot
julianh@emby:~$ sudo find / -name certbot
/var/snap/certbot
/etc/cron.d/certbot
/etc/logrotate.d/certbot
/snap/certbot
/snap/certbot/3566/bin/certbot
/snap/certbot/3566/lib/python3.8/site-packages/certbot
/snap/certbot/3643/bin/certbot
/snap/certbot/3643/lib/python3.8/site-packages/certbot
/snap/bin/certbot
/usr/bin/certbot
/usr/lib/python3/dist-packages/certbot
/usr/share/doc/certbot
/root/snap/certbot

How do I "point" to the snap version? Is it as simple as apt remove? The system is in use, so I don't want to kill anything.

Thanks

It should be explained here. Follow the instructions for your type of system.

2 Likes

Getting there: the --run-deploy-hooks works with no errors, unfortunately with no success either :frowning_face:

from the emby.remrah.com.conf file

Options used in the renewal process

[renewalparams]
account = *****
authenticator = standalone
server = https://********
post-hook = bash /etc/letsencrypt/live/emby.remrah.com/convert-to-pfs.sh

When I run the script it works perfectly. The script is:

openssl pkcs12 -export -out pkcs12.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passin pass:*** -passout pass:***
chown emby:root pkcs12.pfx

The permissions are:
-rwxr-xr-x 1 root root 168 Mar 15 18:00 convert-to-pfs.sh

I tried altering the script to include and not include the bash, but it didn't make a difference, so I'm wondering if it's being called at all. I'd expect an error with one

I'm so close.....

Did you add that into that file by hand? Because I am pretty sure that should be post_hook with an underscore.

It is best to only use Certbot to update its own renewal config files. It is easy to make mistakes.

But, the --deploy-hook is probably a better choice. That isn't the name in the config file though, just on the command line. Use the Certbot command(s) and it will make the correct entry in the config file.

Use the reconfigure command or re-run your original command that got the cert with the --deploy-hook option. These are only run when a new cert is issued. The hook you chose runs every time a renew is run (by default a couple times per day).

3 Likes
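As an added example, not code from the thread, here is a deploy-hook script of the kind the reply above recommends. It assumes the bundle goes to /var/lib/emby, the PKCS#12 password lives in a root-only file at /etc/emby/pfx.pass, and the emby:root ownership used earlier in the thread; RENEWED_LINEAGE and RENEWED_DOMAINS are variables Certbot itself exports to deploy hooks.

```shell
#!/bin/bash
# Hypothetical deploy hook (not from the thread). Certbot runs it only after a
# certificate is actually issued or renewed, with RENEWED_LINEAGE set to the
# live directory (e.g. /etc/letsencrypt/live/emby.remrah.com).
set -eu

OUT_DIR="${EMBY_PFX_DIR:-/var/lib/emby}"               # assumed Emby data dir
OUT_FILE="$OUT_DIR/emby.pfx"
PASS_FILE="${EMBY_PFX_PASS_FILE:-/etc/emby/pfx.pass}"  # assumed; keeps the password out of `ps`

# The two inputs openssl needs; fullchain.pem already contains the chain,
# so no separate -certfile is required.
lineage_ok() {
  [ -r "$1/privkey.pem" ] && [ -r "$1/fullchain.pem" ]
}

# Build into a temp file and rename it into place, so Emby never opens a
# half-written .pfx if it happens to read during the conversion.
build_pfx() {
  local lineage="$1" out="$2" tmp
  tmp="$(mktemp "$out.XXXXXX")"
  openssl pkcs12 -export \
    -inkey "$lineage/privkey.pem" -in "$lineage/fullchain.pem" \
    -out "$tmp" -passout "file:$PASS_FILE"
  chown emby:root "$tmp"   # owner/group used by the thread's own script
  chmod 640 "$tmp"         # private key inside: readable by Emby only
  mv -f "$tmp" "$out"
}

if [ -n "${RENEWED_LINEAGE:-}" ]; then
  lineage_ok "$RENEWED_LINEAGE" || { echo "missing key/chain in $RENEWED_LINEAGE" >&2; exit 1; }
  mkdir -p "$OUT_DIR"
  build_pfx "$RENEWED_LINEAGE" "$OUT_FILE"
  systemctl restart emby-server   # make Emby pick up the new bundle
  echo "Deployed $OUT_FILE for ${RENEWED_DOMAINS:-?}"
else
  echo "RENEWED_LINEAGE is not set; let Certbot call this script, e.g." >&2
  echo "  certbot reconfigure --cert-name emby.remrah.com --deploy-hook $0" >&2
fi
```

Registering it with certbot reconfigure makes Certbot write the correct entry in the renewal conf itself, and certbot renew --dry-run --run-deploy-hooks then exercises the hook end to end.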

Brilliant, that was it: a - instead of a _.

Now to document it on the Emby site so it's easy for the next person.

Thank you VERY much for your help :smiley:

3 Likes