Let's Encrypt output formats for created certificates (e.g. pkcs12)

Some of my external applications require another format for certificates. (pkcs12 for my emby media server).

I would like an option to optionally create additional file formats while running this addon. This is because I cannot get shell_command to work with openssl without having to SSH into the host.
My specific requirement is a PKCS12 (.p12) file with or without password.

  • Add this particular (although pretty generic, IMO) PKCS12 format as a bool option in the addon.
  • Add a lot of additional format(s) and commands.
  • Allow running additional commands after certificate creation.
  • None of the above :slight_smile:

FWIW the required openssl command is:

openssl pkcs12 -export -keypbe NONE -certpbe NONE -passout pass: -out /ssl/keystore.p12 -inkey /ssl/privkey.pem -in /ssl/fullchain.pem

(mind you, -keypbe NONE -certpbe NONE -passout pass: makes it passwordless)
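As an added example (not code from the original post or from the Let's Encrypt add-on), the openssl command above wrapped in a small POSIX shell script that could run as a post-renewal command: it builds the keystore either passwordless, with exactly the flags from the post, or password-protected, and then checks that the file opens with the expected password. It assumes the add-on's PEM files are named privkey.pem and fullchain.pem in $SSL_DIR (default /ssl); the self-signed key and certificate it can generate are constructed test input only.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Let's Encrypt add-on.
# Converts the add-on's PEM output into a PKCS12 keystore, either passwordless
# (the exact openssl flags from the post) or password-protected, and verifies
# that the resulting file opens with the expected password.
# Assumptions: the PEM files live in $SSL_DIR (default /ssl, the add-on's output
# directory) and are named privkey.pem and fullchain.pem.
set -eu

SSL_DIR="${SSL_DIR:-/ssl}"

# make_keystore OUT [PASSWORD]
# With an empty PASSWORD the key and certificates are stored unencrypted and the
# keystore opens with an empty password; with a non-empty PASSWORD openssl's
# default PBE is used. The file is made owner-readable only because it carries
# the private key.
make_keystore() {
  out="$1"
  pw="${2:-}"
  if [ -z "$pw" ]; then
    openssl pkcs12 -export -keypbe NONE -certpbe NONE -passout pass: \
      -out "$out" -inkey "$SSL_DIR/privkey.pem" -in "$SSL_DIR/fullchain.pem"
  else
    openssl pkcs12 -export -passout "pass:$pw" \
      -out "$out" -inkey "$SSL_DIR/privkey.pem" -in "$SSL_DIR/fullchain.pem"
  fi
  chmod 600 "$out"
}

# verify_keystore FILE [PASSWORD]
# Prints the number of certificates the keystore yields when opened with PASSWORD.
# A wrong password fails the PKCS12 MAC check, so openssl emits nothing, the
# count printed is 0 and the pipeline's exit status is non-zero.
verify_keystore() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:${2:-}" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# make_sample_certs DIR
# Constructed test input: a throwaway self-signed key and certificate standing in
# for privkey.pem and fullchain.pem, so the script can be exercised without a
# real Let's Encrypt issuance.
make_sample_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
}

# Invoked with an output path (e.g. as a post-renewal command), build the keystore
# from the real add-on output; without arguments it only defines the functions.
if [ $# -ge 1 ]; then
  make_keystore "$1" "${2:-}"
  echo "wrote $1 containing $(verify_keystore "$1" "${2:-}") certificate(s)"
fi
```

Usage: `SSL_DIR=/ssl ./make_keystore.sh /ssl/keystore.p12` writes the passwordless file the post asks for; adding a second argument sets a keystore password instead. Since the passwordless variant leaves the private key unencrypted on disk, the script restricts the file mode and the verify step is what you would wire into an automation to notice a broken renewal before Emby does.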

Hi, have you succeeded, or are you still looking for a solution? Because I am in the same boat, and going the SSH way seems to be the only viable solution so far.

I’ve changed to a more ‘modern’ solution: remove SSL from Jellyfin Media Server and reverse proxy traffic in.
Basically, I have a SWAG container running (it’s using nginx, which allows my certificate format).
In this SWAG container, HTTPS traffic is routed to the Jellyfin Media Server’s non-HTTPS port.

That way Jellyfin/Emby doesn’t need to know about encryption, and a more robust web server is used for serving traffic.

The SWAG container you are talking about is not an addon, correct?

Ah yes, I host it on a different machine with Docker. I don’t think there is an addon. You could try nginx, which is basically what SWAG uses too.

I was trying to find something running together with Home Assistant; I don’t have another machine to use.
So far, the only working option I found seems to be running a shell command via SSH.

Yes, I did the same thing. It took me about 5 shell_commands to get it to automate right, and it still breaks regularly…

In your situation, I think you should still be able to host everything ‘behind’ a reverse proxy (like nginx, which is available as an HA addon).

This is even recommended, as nginx is a hardened web-facing proxy, and better to expose than Home Assistant (or any other service, even). If traffic goes via that proxy, you only need one location and certificate format.

good luck :slight_smile:

I use the nginx addon already, but it does not have any certificate creation function, since that is handled by Let’s Encrypt.

Well then the LE ones are available to nginx in the /ssl directory, no?

Yes but I need to create the PKCS12 certificate automatically

I don’t understand, sorry. If you reverse proxy all the internal services with SSL, you don’t need SSL in the applications (and thus no other formats or copying of certs on renewal).

Sure, I need the certificate for another application running elsewhere, since nginx can’t do reverse proxy for another machine.

In the end I installed Caddy 2, which was able to publish a service running on another machine.
