I have now closed port forwarding for port 80 on my router because of security. Do I have to open it? Can you also tell me: in that tutorial on the Emby forum I have to change my certificates to another format. Does this not affect my Nextcloud? I have to go to my folder /etc/letsencrypt/live/myserver.ddns.net/ and change my certificates with the command:
The port 80 we already discussed some days ago. I guess it would be needed to recreate your certificates once they are going to expire.
Regarding the transformation for emby. I guess it will just create the *.pfx file and do anything with your other files. However you could create a copy of the original files if needed.
No need to do this because you already created the letsencrypt certificate. So you can skip these steps. The only thing to do is to create the *.pfx file and configure Emby.
Thank you very much one more time. It works now. Can you tell me something about renewing that certificate? Do I get some info, or do my Nextcloud and Emby stop working on HTTPS?
If the certificate expires, you will get a message in the web browser that the certificate is not valid anymore. Basically you could check the lifetime yourself by opening your HTTPS website and displaying the certificate. There you should see the expiration date. Usually the validity is 90 days, so renewing the certificates once a month should be sufficient.
Btw when using dietpi-letsencrypt or certbot, a systemd timer is added which renews the certificate automatically 30 days before it expires.
And port 80 can or better should stay opened. It is required for certificate renewal in most cases and as long as you have automated redirection to HTTPS active and/or force it through the other web applications, it is no security risk.
systemctl status certbot.timer
journalctl -u certbot
It should show a renewal attempt two times a day, skipping it as long as expiry is more than 30 days in the future. Probably we should point that out within the dietpi-letsencrypt UI.
Long-term plan is some dietpi-https/dietpi-ssl tool to generate SSL certs from different sources, self-signed, certbot, acme.sh and others. It would then contain enable/disable selection not only for webservers but also for other web applications that run their own internal webserver. There it makes sense to show certificate status, expiry date and others. But I lack the time currently to start working on this.
Hehe. Anyway, let’s come back to the original topic of recreating the certificates. So for the normal letsencrypt we are safe because it will be done automatically. I guess for Emby the transformation into the *.pfx file would still need to be done manually as there is no automation by default.
Indeed, for the non-webserver-based applications one needs to copy the certs in place manually. Or, one could add it as a script to /etc/letsencrypt/renewal-hooks, so it is done automatically when certbot renews the certs.
Other solution is to grant those applications direct access to the letsencrypt certs/keys, but this is probably not wanted for security reasons and some need those files in different format, Emby *.pfx? Yeah this is exactly what would be nice to have in a dedicated DietPi tool.
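The renewal-hook approach mentioned above, as an added example that is not part of the original posts: a certbot deploy hook that rebuilds the *.pfx bundle after each renewal, so Emby gets its own copy instead of direct access to the letsencrypt directory. The output path, the `PFX_PASS` and `EMBY_PFX` variables, the `emby` account and the `emby-server` unit name are assumptions.

```sh
#!/bin/sh
# Added example, e.g. saved as /etc/letsencrypt/renewal-hooks/deploy/emby-pfx.sh
# Assumptions (not from the thread): output path, PFX_PASS variable, service name.

# Build a PKCS#12 bundle from a certbot lineage directory.
# $1 = lineage dir (e.g. /etc/letsencrypt/live/<domain>), $2 = output .pfx path
make_pfx() (
    lineage=$1
    out=$2
    for f in privkey.pem cert.pem chain.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; exit 1; }
    done
    # The bundle contains the private key: keep it owner-readable only.
    umask 077
    tmp=$(mktemp "$out.XXXXXX") || exit 1
    # Password is passed via the environment so it does not show up in `ps`.
    PFX_PASS=${PFX_PASS:-}
    export PFX_PASS
    if openssl pkcs12 -export -out "$tmp" \
        -inkey "$lineage/privkey.pem" -in "$lineage/cert.pem" \
        -certfile "$lineage/chain.pem" -passout env:PFX_PASS
    then
        # Atomic replace: Emby never sees a half-written file.
        mv -f "$tmp" "$out"
    else
        rm -f "$tmp"
        exit 1
    fi
)

# certbot sets RENEWED_LINEAGE when it runs deploy hooks after a renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    EMBY_PFX=${EMBY_PFX:-/var/lib/emby/ssl/emby.pfx}   # assumed location
    make_pfx "$RENEWED_LINEAGE" "$EMBY_PFX" || exit 1
    # Give the file to the service account if it exists (assumed name: emby).
    if id emby >/dev/null 2>&1; then chown emby: "$EMBY_PFX"; fi
    systemctl restart emby-server   # assumed unit name
fi
```

The script must be executable for certbot to run it, and the password configured in Emby has to match whatever `PFX_PASS` is set to (empty by default here).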
Got everything up and working and I’m now staring at the Nextcloud login page. Probably a stupid question but what are my Nextcloud login credentials and how do I set them up?
Opening ports to the internet would need to be done on your internet router. The description above is describing how to create SSL certificates for a web server like lighttpd or nginx running on port 80/443. This will enable access to applications using the standard web server. Things like Plex and Sonarr use their own web server, running on different ports. Therefore they will not be reachable. Access would need to be configured separately on your internet router by opening the respective ports.