If you want to access your Emby server from outside your home network you will want to require secure connection mode for all remote connections (see "Network" tab in Emby server configuration). To do this you need an SSL certificate. To get an SSL certificate you must have your own registered domain name. Here's a step-by-step.
Domain Name Registration
A domain name is the readable text part of a web address. So emby.media, or google.com, or media.yourdomain.net. Most home users don't have one, but you need one to get an encryption certificate. While there are many options for purchasing a domain (godaddy.com being very popular), I chose to buy my domain from domains.google. It cost me $12/year, and this is the only cost to getting your Emby server working with encryption. Go to https://domains.google, pick a domain, pay your money, and you're ready to go. For the rest of this discussion let's say you registered the domain name yourdomain.net. Now you need to associate your new domain with your home IP address. Most home users get their IP address assigned to them by their internet provider and it is "dynamic," meaning it can change. So you need to be able to tell your domain provider what your address is and update it when it changes. This can be done automatically, and is called dynamic DNS (DDNS). Google domains supports this easily, here is the help page explaining how to set it up. Fortunately, my ASUS router has this capability built in so it was easy, but it's easy even if your router doesn't (follow google's directions). That's it for domain name registration. Now yourdomain.net points to your home network IP address.
SSL Certificate
Now you need to get an SSL certificate. This has the encryption keys you need, and must be issued by a recognized certificate authority or it gets blocked by your browser. Lets Encrypt will give you a free SSL certificate but it has to be renewed every 90 days. This was the part I was most confused by, but it's actually really easy. The part to understand is that Lets Encrypt must have some way of proving you own your domain name before they can issue you a certificate. There are two options, 1) they give you a little text file to place on your web server in a certain location. I don't have a web server so this is a no-go. 2) They give you a text string to add to your DNS registration in what is called a "TXT Record." You do this with google domains, it's very easy. To get a certificate you need an ACME client program that knows how to talk to the lets encrypt server. They recommend certbot, but it doesn't work in windows. Dig enough and you'll find ZeroSSL, they have a nice downloadable program that does it all and is really easy. Download here. Make a directory on your computer (I used c:\ZeroSSL). Put the le64 (or 32) exe in this directory. A single command will create your certificate. I think the easiest way to do this is create a text file in the same folder as the program, call it "get_cert.bat" and put the following three lines of text in the file. Edit the second line to have your actual domain name (instead of "yourdomain.net"), and to have your actual password for your PFX file (whatever you want it to be, just replace "yourpasswordhere" in the code below.@[member="Echo"] offle64 --key account.key --csr domain.csr --csr-key domain.key --crt certificate.csr --domains "yourdomain.net" --generate-missing --handle-as dns --export-pfx “yourpasswordhere” --livepause
Save the text file as get_cert.BAT and then double click it to run. This runs the le64 program, creates the public/private key pair, asks lets encrypt to generate a certificate, saves that certificate, and converts it to a PFX file format that Emby requires. All in one command! When you run this, a command window will appear and you can see what it's doing. After a few seconds it'll pause and ask you to place the TXT record in your domain. It gives you a name and value, the name will be something like _acme-challenge.yourdomain.net, and the value will be a bunch of random letters and numbers. The program pauses here for you to put this into your domain. So now you just log in to your google domain again, go to "DNS" on the left menu, scroll all the way down and enter a "Custom Resource Record." The type is TXT, the name and value are what le64 gave you. Put them in, wait a few minutes for the change to take effect (took just a couple of minutes for me). Then go back to the command window where le64 is running and press enter to continue. It'll then verify your TXT record is there and issue your certificate. You'll find a file certificate.pfx in the le64 directory, that's it!
Emby Setup
Now log in to your Emby server setup. Go to "Network," in the field "External Domain" you put your domain name, so yourdomain.net or whatever you chose. For "Custom SSL certificate path," browse to the .pfx file that was created by the le64 program. In the "Certificate Password" field put whatever password you used in the .BAT file above when you created your certificate. Then for "Secure Connection Mode" I recommend you choose "Required for all remote connections." You also have to log in to your home router and forward port 8920 to the computer running your Emby server. I'm not going to give directions on how to do this, it depends on your router, but it's super easy. That's it. You need to restart your Emby Server, and then you're done! You can now access your server remotely and securely at https://yourdomain.net:8920.
Certificate Renewal
Now, I mentioned before that the Lets Encrypt certificates are only good for 90 days. So every 90 days you have to renew the certificate. Take that "get_cert.bat" file you made earlier and make a copy of it called renew_cert.bat. At the end of the second line, just add the text "--renew 20" (without the double quotes). When you are within 20 days of your expiration date run this file, it'll renew your certificate. I believe it'll ask you to place a new TXT record in your domain, so certificate renewal cannot be made fully automatic. You'll have to run it manually and add this TXT record into your google domain just like when you created the certificate in the first place. But it takes just a few minutes and then your certificate is renewed. You'll have to restart your Emby server for it to take. The file locations all stay the same, so you don't have to update anything in the Emby setup, just restart Emby. That's it!
Setup Emby with a LetsEncrypt Certificate
Setup Emby with Letencrypt Certificate
If you want to access your Emby server from outside your home network you will want to require secure connection mode for all remote connections (see "Network" tab in Emby server configuration). To do this you need an SSL certificate. To get an SSL certificate you must have your own registered domain name. Here's a step-by-step.
Domain Name Registration
A domain name is the readable text part of a web address. So emby.media, or google.com, or media.yourdomain.net. Most home users don't have one, but you need one to get an encryption certificate. While there are many options for purchasing a domain (godaddy.com being very popular), I chose to buy my domain from domains.google. It cost me $12/year, and this is the only cost to getting your Emby server working with encryption. Go to https://domains.google, pick a domain, pay your money, and you're ready to go. For the rest of this discussion let's say you registered the domain name yourdomain.net. Now you need to associate your new domain with your home IP address. Most home users get their IP address assigned to them by their internet provider and it is "dynamic," meaning it can change. So you need to be able to tell your domain provider what your address is and update it when it changes. This can be done automatically, and is called dynamic DNS (DDNS). Google domains supports this easily, here is the help page explaining how to set it up. Fortunately, my ASUS router has this capability built in so it was easy, but it's easy even if your router doesn't (follow google's directions). That's it for domain name registration. Now yourdomain.net points to your home network IP address.
SSL Certificate
Now you need to get an SSL certificate. This has the encryption keys you need, and must be issued by a recognized certificate authority or it gets blocked by your browser. Lets Encrypt will give you a free SSL certificate but it has to be renewed every 90 days. This was the part I was most confused by, but it's actually really easy. The part to understand is that Lets Encrypt must have some way of proving you own your domain name before they can issue you a certificate. There are two options, 1) they give you a little text file to place on your web server in a certain location. I don't have a web server so this is a no-go. 2) They give you a text string to add to your DNS registration in what is called a "TXT Record." You do this with google domains, it's very easy. To get a certificate you need an ACME client program that knows how to talk to the lets encrypt server. They recommend certbot, but it doesn't work in windows. Dig enough and you'll find ZeroSSL, they have a nice downloadable program that does it all and is really easy. Download here. Make a directory on your computer (I used c:\ZeroSSL). Put the le64 (or 32) exe in this directory. A single command will create your certificate. I think the easiest way to do this is create a text file in the same folder as the program, call it "get_cert.bat" and put the following three lines of text in the file. Edit the second line to have your actual domain name (instead of "yourdomain.net"), and to have your actual password for your PFX file (whatever you want it to be, just replace "yourpasswordhere" in the code below.@[member="Echo"] offle64 --key account.key --csr domain.csr --csr-key domain.key --crt certificate.csr --domains "yourdomain.net" --generate-missing --handle-as dns --export-pfx “yourpasswordhere” --livepause Save the text file as get_cert.BAT and then double click it to run. This runs the le64 program, creates the public/private key pair, asks lets encrypt to generate a certificate, saves that certificate, and converts it to a PFX file format that Emby requires. All in one command! When you run this, a command window will appear and you can see what it's doing. After a few seconds it'll pause and ask you to place the TXT record in your domain. It gives you a name and value, the name will be something like _acme-challenge.yourdomain.net, and the value will be a bunch of random letters and numbers. The program pauses here for you to put this into your domain. So now you just log in to your google domain again, go to "DNS" on the left menu, scroll all the way down and enter a "Custom Resource Record." The type is TXT, the name and value are what le64 gave you. Put them in, wait a few minutes for the change to take effect (took just a couple of minutes for me). Then go back to the command window where le64 is running and press enter to continue. It'll then verify your TXT record is there and issue your certificate. You'll find a file certificate.pfx in the le64 directory, that's it!
Emby Setup
Now log in to your Emby server setup. Go to "Network," in the field "External Domain" you put your domain name, so yourdomain.net or whatever you chose. For "Custom SSL certificate path," browse to the .pfx file that was created by the le64 program. In the "Certificate Password" field put whatever password you used in the .BAT file above when you created your certificate. Then for "Secure Connection Mode" I recommend you choose "Required for all remote connections." You also have to log in to your home router and forward port 8920 to the computer running your Emby server. I'm not going to give directions on how to do this, it depends on your router, but it's super easy. That's it. You need to restart your Emby Server, and then you're done! You can now access your server remotely and securely at https://yourdomain.net:8920.
Certificate Renewal
Now, I mentioned before that the Lets Encrypt certificates are only good for 90 days. So every 90 days you have to renew the certificate. Take that "get_cert.bat" file you made earlier and make a copy of it called renew_cert.bat. At the end of the second line, just add the text "--renew 20" (without the double quotes). When you are within 20 days of your expiration date run this file, it'll renew your certificate. I believe it'll ask you to place a new TXT record in your domain, so certificate renewal cannot be made fully automatic. You'll have to run it manually and add this TXT record into your google domain just like when you created the certificate in the first place. But it takes just a few minutes and then your certificate is renewed. You'll have to restart your Emby server for it to take. The file locations all stay the same, so you don't have to update anything in the Emby setup, just restart Emby. That's it!