Intro

This how-to will guide you through getting Let's Encrypt to issue a security certificate and installing it in Emby Server running on Windows.

I created this because there was little, if any, documentation on how to do so previously and it took me ~3.5 hours to figure it out.

Why would you want to do this? Well, a number of reasons:

Emby Server generates and uses a self-signed security certificate by default. iOS and likely other Operating Systems (OSes) explicitly distrust self-signed security certificates (for good reason). So, without installing a "proper" (publicly-trusted) security certificate in Emby Server, you'll be unable to use an HTTPS connection in the iOS app and likely others.

Proper security certificates are inherently more secure than self-signed certificates and guarantee that, when you authenticate, your credentials (user logon name and password) are not being intercepted and are being sent to the desired Emby Server.

Let's Encrypt is a great Certification Authority (CA), primarily because they issue free, basic, publicly-trusted security certificates.



This is possible because they're a non-profit organisation who, as suggested by the name, strive to make encrypted connections ubiquitous and, as such, are funded by Mozilla, Akamai, Cisco, Electronic Frontier Foundation (EFF), Google Chrome, Facebook, Squarespace, and many others.



This means two things:

They have succeeded in getting their CA security certificates included in software developed by Microsoft, Apple, Google, etc. so that their issued security certificates are trusted by almost all devices in the world.

You can be sure that you're not the product, as is not the case with many for-profit, non-advertisement-driven organisations.
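To see which certificate the server is presenting before and after the change, the check below connects to the HTTPS port and reports whether Windows considers the certificate trusted. This is an added example, not part of the original how-to; the function name Get-TlsCertificateReport is hypothetical, and the defaults are the FQDN and port 8920 that appear in this page's own examples.

```powershell
# Added example, not code from the original post. Get-TlsCertificateReport is a
# hypothetical helper name; the host and port defaults are the ones this page uses.
function Get-TlsCertificateReport {
    param(
        [string] $HostName = 'test.mythofechelon.co.uk',
        [int]    $Port     = 8920
    )
    $seen = @{}   # filled in by the validation callback below

    # Record what Windows thinks of the certificate, then accept it anyway:
    # the connection is only used to inspect the certificate, never to send data.
    $callback = {
        param($source, $certificate, $chain, $policyErrors)
        $seen.Certificate  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificate)
        $seen.PolicyErrors = $policyErrors
        # Copy the statuses now; the chain object is not valid after the callback.
        $seen.ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $true
    }.GetNewClosure()

    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback] $callback)
        try     { $ssl.AuthenticateAsClient($HostName) }
        finally { $ssl.Dispose() }
    }
    finally { $client.Close() }

    $cert = $seen.Certificate
    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        # 'None' means the chain is trusted and the name matches $HostName.
        PolicyErrors = $seen.PolicyErrors.ToString()
        ChainStatus  = $seen.ChainStatus -join ', '
    }
}

Get-TlsCertificateReport | Format-List
```

A self-signed certificate shows SelfSigned as True and a chain error such as UntrustedRoot; a publicly-trusted certificate issued for the host name shows PolicyErrors as None.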

Prerequisites

To accomplish this, you will need:

A computer running Windows or Windows Server.



I have used Windows Server 2016 Standard in my examples.

A domain name.



HTTPS and, therefore, security certificates fundamentally rely on domain names so you cannot effectively use HTTPS with an IP address.



This can be obtained from any domain name registrar but I'd recommend Namecheap, primarily because they offer Two Factor Authentication (TFA) but also because their domain names are relatively cheap and their interface is user-friendly.



If you're using dynamic DNS (DDNS) in between then this still works just as well.



I have used the Fully Qualified Domain Name (FQDN) test.mythofechelon.co.uk in my examples.

Knowledge or documentation on how to configure the firewall and Network Address Translation (NAT, AKA port forwarding) in your router.

The installer for Certify.



Certify is the only Windows implementation of Let's Encrypt that has a Graphical User Interface (GUI) so it's much simpler to use.



I have used version 0.9.85 (the latest as of this post) in my examples.



This can be obtained from http://certify.webprofusion.com/home.

Emby Server version 3.2.15.0 and older only: The installer for OpenSSL.



https://www.openssl.org/community/binaries.html says that, officially, they don't distribute binaries but https://wiki.openssl.org/index.php/Binaries says that, unofficially, they recommend a few third-party builds.



I have used Shining Light Productions' Win64 OpenSSL Light version 1.1.0c (the latest as of this post) in my examples.



This can be obtained from https://slproweb.com/products/Win32OpenSSL.html.

Step 1: Router

The first step is to configure your router to allow inbound TCP port 80 (HTTP) and forward it to the Windows computer running Emby Server.

You need to do this because:

Let's Encrypt, like all publicly-trusted CAs, requires domain validation (proof-of-ownership) and does so via DNS Resource Records (RRs) or HTTP URLs but only the latter is supported by Certify.

Certify can then do everything else automatically.

Every router does this differently so, unfortunately, I cannot possibly advise how to do so generally but I'd advise searching for your router model with the following terms: "firewall", "NAT", "Network Address Translation", "port forwarding", etc.

Step 2: IIS

All Windows implementations of Let's Encrypt (Certify, letsencrypt-win-simple, ACMESharp, etc) seem to rely heavily, if not exclusively, on Microsoft's web server, Internet Information Services (IIS).

However, Emby Server seems to use Mono's web server (according to the output of command "nmap -sV -Pn -p 8920 <Emby Server hostname or IP address>" and https://github.com/mono/mono/blob/master/mcs/class/System/System.Net/HttpListenerResponse.cs).