@churro-s
Last active October 21, 2024 11:09
Setup Let's Encrypt certificate for use with Plex Media Server on Ubuntu

Here's my setup:

  • Home server running Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-93-generic x86_64)
  • Plex Media Server debian package running on server
  • Netgear Nighthawk R6900 home router
  • Dynamic hostname from no-ip.org, which I'll use for this setup

Prep

Complete up to the "Generate the cert" section in this gist (https://gist.github.com/churro-s/e56fa7aee3b2cf36f9c240c90f456494#generate-the-cert) and stop just before the "Set up the certificate" section.

Your certificate files should now be in this directory: /etc/letsencrypt/live/myhostname.no-ip.org/ (the files there are symlinks that certbot repoints to the newest certificate on every renewal).

I also assume your Plex server is port-forwarded to be accessible via port 32400: http://myhostname.no-ip.org:32400

Set up the certificate

Before we begin, we need to generate a PKCS #12 (.pfx) file from the Let's Encrypt certificate files: the private key (privkey.pem), the server certificate (cert.pem) and the intermediate chain (chain.pem), bundled into one password-protected file that Plex can load.

Create the PKCS #12 file:

  1. Run the package command:

      sudo openssl pkcs12 -export -out ~/certificate.pfx \
        -inkey /etc/letsencrypt/live/myhostname.no-ip.org/privkey.pem \
        -in /etc/letsencrypt/live/myhostname.no-ip.org/cert.pem \
        -certfile /etc/letsencrypt/live/myhostname.no-ip.org/chain.pem
  2. You'll first be prompted for your sudo password.

    Next you'll be asked to enter a password to encrypt the .pfx file. Enter a password you won't mind saving in the Plex settings in plaintext.

  3. Hand it over to Plex. The bundle contains your private key, so make it owned by the account Plex runs as:

    sudo mv ~/certificate.pfx /var/lib/plexmediaserver
    sudo chown plex:plex /var/lib/plexmediaserver/certificate.pfx

Have Plex use your PFX file

  1. Visit the Plex UI on your server: http://myhostname.no-ip.org:32400

  2. Go to Settings (icon on top right corner) > Server (tab) > Network (left navigation column).

    Click "SHOW ADVANCED" to see the necessary fields.

  3. Enter the following values:

    • Custom certificate location: /var/lib/plexmediaserver/certificate.pfx
    • Custom certificate encryption key: The password you entered on step 2 of last section
    • Custom certificate domain: https://myhostname.no-ip.org:32400
  4. Save your changes.

That's it. You don't even have to restart Plex!

You can check "Plex Media Server.log" in /var/lib/plexmediaserver/Library/Application Support/Plex Media Server/Logs to verify that there were no errors loading the certificate.

Visit your server at https://myhostname.no-ip.org:32400 (Custom certificate domain) and see the HTTPS in action.

@adambirds

@doughnet yes it does.

@baalpeteor

Looks like whoever deleted their page. The "Generate the cert" section in this gist link is broken.

correct, so this entire page is useless now.

@adambirds

@baalpeteor this is the new link, so not useless; his username has been updated, so the link just has the wrong username - https://gist.github.com/churro-s/e56fa7aee3b2cf36f9c240c90f456494#generate-the-cert

@timothyclarke

Once you've got the first cert up and running you can add a renewal hook eg

$ cat /etc/letsencrypt/renewal-hooks/post/001-plex.sh
#!/bin/bash
set -e
# Re-export the renewed Let's Encrypt files as the PKCS #12 bundle Plex reads
openssl pkcs12 -export \
    -password pass:secretText \
    -out /path/to/plex/certificate.pfx \
    -inkey /etc/letsencrypt/live/myhostname.no-ip.org/privkey.pem \
    -in /etc/letsencrypt/live/myhostname.no-ip.org/cert.pem \
    -certfile /etc/letsencrypt/live/myhostname.no-ip.org/chain.pem

# Plex must be able to read the new bundle
chown plex:plex /path/to/plex/certificate.pfx

I don't know if plex needs a restart after the cert is renewed, but that can be added to the script as well

@CrazyBebop

CrazyBebop commented Jan 15, 2023

For some reason, when I apply the certificate, I am getting a XML file type of response from Plex: https://ms.crazybebop.com:32400/

Digging into log I see:
Jan 15, 2023 15:05:41.741 [0x7f21210ccb38] DEBUG - CERT: incomplete TLS handshake from [::ffff:192.168.1.1]:14278: sslv3 alert certificate unknown

@knightian

> Once you've got the first cert up and running you can add a renewal hook eg

This is the way!!!!

@fidanf

fidanf commented Apr 14, 2023

My custom certificate was broken after updating Plex to version 1.32.0.6918
Adding -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 to the openssl export command solved the problem (using OpenSSL 1.1.1)

@Lefuneste83

Thanks a lot for your tip. This worked for me as well with Plex running on docker and consuming a letsencrypt based pfx certificate. This setup had been running flawlessly for many months if not years, until the regression you mentioned... I was starting to freak out... Your added parameters allowed Plex to interpret the pfx file as expected. Can you reference the source of these parameters if you have the opportunity to do so?

@knightian

> My custom certificate was broken after updating Plex to version 1.32.0.6918
> Adding -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 to the openssl export command solved the problem (using OpenSSL 1.1.1)

Sad, CBC is not a great cipher, dropped from TLS 1.3, should be avoided and use GCM instead.

@johannesvogel

johannesvogel commented Apr 17, 2023

> My custom certificate was broken after updating Plex to version 1.32.0.6918 Adding -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 to the openssl export command solved the problem (using OpenSSL 1.1.1)

Ugh, that's annoying. Let's hope this gets fixed at some point. Thanks for pointing this out, fixed it for me too!

@neilmunday

Thanks for the tip about -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256!

@logan-micklewright

logan-micklewright commented May 5, 2023

> Sad, CBC is not a great cipher, dropped from TLS 1.3, should be avoided and use GCM instead.

This has nothing to do with the cipher suites allowed by the server while using the provided certificate. It is referencing the encryption used within the resulting pfx file itself. The pkcs12 format only allows for two encryption options the older PBES1 method which used the long deprecated 3DES encryption and the newer PBES2 method which uses AES256-CBC. Many things (including older openssl versions like 1.1.1) still default to PBES1 aka 3DES so forcing the use of AES256-CBC is actually a huge improvement and there is no such thing as a pfx file encrypted with AES256-GCM.

@knightian

> Sad, CBC is not a great cipher, dropped from TLS 1.3, should be avoided and use GCM instead.

> This has nothing to do with the cipher suites allowed by the server while using the provided certificate. It is referencing the encryption used within the resulting pfx file itself. The pkcs12 format only allows for two encryption options the older PBES1 method which used the long deprecated 3DES encryption and the newer PBES2 method which uses AES256-CBC. Many things (including older openssl versions like 1.1.1) still default to PBES1 aka 3DES so forcing the use of AES256-CBC is actually a huge improvement and there is no such thing as a pfx file encrypted with AES256-GCM.

Ah yep makes sense, non issue then, definite improvement

@VikeHsu

VikeHsu commented Jun 7, 2023

> My custom certificate was broken after updating Plex to version 1.32.0.6918 Adding -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 to the openssl export command solved the problem (using OpenSSL 1.1.1)

Thanks! This works great for me.

@samssausages

Yay, that finally worked @knightian. For others trying to do the same thing, here is the full code, adjust to match your file locations:

openssl pkcs12 -export -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 -out /mnt/certs/plex_cert.pfx \
    -inkey /mnt/certs/sub.domain.com.key \
    -in /mnt/certs/sub.domain.com.crt \
    -certfile /mnt/certs/sub.domain.com.fullchain \
    -passout pass:yourpassword

Then put them on your plex server and map the location. I simply added it to my docker-compose file as a volume.
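Pulling the thread together: the script below is an added example, not the gist author's code and not any commenter's script. It turns the "Set up the certificate" procedure from the gist, @timothyclarke's renewal hook, and the `-certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256` flags reported by @fidanf (the PBES2/AES-256-CBC encoding @logan-micklewright explains, which is also what OpenSSL 3 produces by default, while OpenSSL 1.1.1 defaults to the legacy RC2-40/3DES PBES1 encodings with a SHA-1 MAC) into one hook that refuses to install a bundle it cannot open or that still contains a legacy bag, keeps the password out of `ps` and shell history, locks the file to owner-only, and swaps it in atomically. Assumptions, all taken from the gist or invented here for illustration: certbot's /etc/letsencrypt/live/<host>/ layout with privkey.pem, cert.pem and chain.pem, the /var/lib/plexmediaserver/certificate.pfx destination and plex:plex owner, a root-only password file at /etc/letsencrypt/plex-pfx.pass, and certbot's RENEWED_LINEAGE variable, which certbot sets for deploy hooks in /etc/letsencrypt/renewal-hooks/deploy/. The test material it generates with `--demo` is constructed, self-signed throwaway data.

```shell
#!/bin/bash
# Added example (not from the gist or its comments): build the PKCS #12 bundle
# Plex expects from certbot's live directory with the PBES2 / AES-256-CBC +
# SHA-256 MAC parameters Plex 1.32+ requires, verify it, lock it down and
# swap it in atomically, so it is safe to run as a certbot deploy hook.
# Assumed paths/names (from the gist or invented here): privkey/cert/chain.pem
# under the certbot live dir, owner plex:plex, destination
# /var/lib/plexmediaserver/certificate.pfx, password file
# /etc/letsencrypt/plex-pfx.pass (root-only, chmod 600).
set -euo pipefail

# pfx_uses_aes256 PFX PASSWORD
# Succeeds only if the bundle opens with PASSWORD and its key and certificate
# bags are PBES2/AES-256-CBC. OpenSSL 1.1.1's defaults are the legacy PBES1
# encodings (RC2-40 for certificates, 3DES for the key, SHA-1 MAC), which
# recent Plex builds reject; OpenSSL 3 already defaults to AES-256-CBC.
pfx_uses_aes256() {
    local pfx="$1" pass="$2" info
    # -info prints the PBE algorithms to stderr; -noout keeps the key private.
    info="$(PFX_PASS="$pass" openssl pkcs12 -in "$pfx" -info -noout \
                -passin env:PFX_PASS 2>&1)" || return 1
    case "$info" in
        *TripleDES*|*RC2*) return 1 ;;   # a legacy PBES1 bag is still present
        *AES-256-CBC*)     return 0 ;;
        *)                 return 1 ;;
    esac
}

# build_plex_pfx LIVE_DIR OUT_PFX PASSWORD [OWNER]
build_plex_pfx() {
    local live="$1" out="$2" pass="$3" owner="${4:-plex:plex}" tmp
    # Build next to the destination so the final rename is atomic: Plex never
    # sees a half-written file, and a failed run leaves the old bundle in place.
    tmp="$(mktemp "${out}.XXXXXX")"
    # The password travels via the environment (-passout env:), not argv, so it
    # does not show up in `ps` output or shell history.
    if ! PFX_PASS="$pass" openssl pkcs12 -export \
            -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 \
            -inkey "$live/privkey.pem" \
            -in "$live/cert.pem" \
            -certfile "$live/chain.pem" \
            -passout env:PFX_PASS \
            -out "$tmp" || ! pfx_uses_aes256 "$tmp" "$pass"; then
        rm -f "$tmp"
        echo "refusing to install $out: bundle failed to build or verify" >&2
        return 1
    fi
    # The bundle holds the private key: owner-only, owned by the account Plex
    # runs as (chown is attempted only when running as root and the user exists).
    chmod 600 "$tmp"
    if [ "$(id -u)" = 0 ] && id "${owner%%:*}" >/dev/null 2>&1; then
        chown "$owner" "$tmp"
    fi
    mv -f "$tmp" "$out"
}

# make_test_live_dir DIR
# Constructed stand-in for a certbot live directory so the example runs
# offline: a throwaway self-signed leaf plus a second self-signed certificate
# standing in for the intermediate. Test material only, never for a real server.
make_test_live_dir() {
    local dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=myhostname.no-ip.org" \
        -keyout "$dir/privkey.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Intermediate" \
        -keyout "$dir/intermediate.key" -out "$dir/chain.pem" 2>/dev/null
}

# Installed as /etc/letsencrypt/renewal-hooks/deploy/001-plex.sh, certbot runs
# this after a successful renewal with RENEWED_LINEAGE set to the live
# directory of the certificate that was just renewed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_plex_pfx "$RENEWED_LINEAGE" /var/lib/plexmediaserver/certificate.pfx \
        "$(cat /etc/letsencrypt/plex-pfx.pass)"
elif [ "${1:-}" = "--demo" ]; then
    # Offline demonstration on the constructed material.
    demo="$(mktemp -d)"
    make_test_live_dir "$demo/live"
    build_plex_pfx "$demo/live" "$demo/certificate.pfx" demo-password
    ls -l "$demo/certificate.pfx"
    PFX_PASS=demo-password openssl pkcs12 -in "$demo/certificate.pfx" \
        -info -noout -passin env:PFX_PASS
fi
```

Run it once by hand with `--demo` to see the `-info` output you should expect on a good bundle (PBES2, AES-256-CBC, a sha256 MAC) before wiring it into certbot; if `pfx_uses_aes256` rejects a bundle your Plex also rejects, the culprit is almost always an old OpenSSL producing the RC2/3DES encodings. The password still ends up in plaintext in Plex's settings, as the gist notes, so the root-only password file buys you nothing against someone who can already read Plex's preferences; its purpose is only to keep the secret out of the hook script, the process list and the shell history.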

@ninjatill

Instructions work great even for a windows installation. OpenSSL is included with Git for Windows so my script includes the full path to the openssl.exe file. I'm using Certbot with Let's Encrypt so I linked the script as another action in the Certbot auto renewal scheduled task. It should run as soon as certbot renews the certificate.

@Dusty410

Dusty410 commented Feb 8, 2024

One more thing to add: the user:group on my Synology server was PlexMediaServer:PlexMediaServer instead of plex:plex. I had to set the certificate to that ownership to get it to work.
