Let's Encrypt Plex renew-hook script
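#!/usr/bin/env bash
#
# Certificate renew hook for Plex Media Server.
#
# Converts a renewed PEM certificate and key into the PKCS#12 bundle that the
# Plex configuration points at, then restarts the Plex service.
#
# Environment read by this script:
#   RENEWED_DOMAINS  - domains covered by the renewed certificate
#   RENEWED_LINEAGE  - directory holding fullchain.pem and privkey.pem
#   PLEX_BASE_DIR    - Plex data directory (default /var/lib/plexmediaserver)
#   PLEX_USER        - owner of the installed bundle (default plex)
#   PLEX_GROUP       - group of the installed bundle (default plex)
#
# The script handles a private key and the bundle passphrase, so do not run
# it with `set -x`: the trace would write the passphrase to the hook output.

logger -p daemon.debug -- "Running $(realpath "$0")"

# PLEX_BASE_NAME is the override the script originally honoured; it is kept
# as a fallback so existing deployments continue to work, while PLEX_BASE_DIR
# follows the same pattern as PLEX_USER and PLEX_GROUP below.
PLEX_BASE_DIR="${PLEX_BASE_DIR:-${PLEX_BASE_NAME:-/var/lib/plexmediaserver}}"
SERVICE_NAME="plexmediaserver.service"
PLEX_USER="${PLEX_USER:-plex}"
PLEX_GROUP="${PLEX_GROUP:-plex}"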
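#######################################
# Remove the scratch directory that holds the copied private key, the
# passphrase file and the generated bundle.
# Globals:   TEMP_DIR (read) - scratch directory; may be unset or empty
# Arguments: none
# Returns:   always 0, so it is safe to call on any exit path
#######################################
cleanup() {
  # Nothing to remove until the scratch directory has been created.
  if [ -z "${TEMP_DIR:-}" ] || [ ! -e "${TEMP_DIR}" ]; then
    return 0
  fi

  # The script works from inside TEMP_DIR; step out first so the shell is
  # not left sitting in a directory that no longer exists.
  case "${PWD}" in
    "${TEMP_DIR}" | "${TEMP_DIR}"/*) cd / || true ;;
  esac

  # `--` keeps a value starting with "-" from being parsed as an option.
  rm -Rf -- "${TEMP_DIR}"
  return 0
}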
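# --- Read the custom-certificate settings from Plex's Preferences.xml ------
PLEX_SERVER_XML_FILE="${PLEX_BASE_DIR}/Library/Application Support/Plex Media Server/Preferences.xml"

# `command -v` is a shell builtin, so the lookup does not depend on an
# external `which` being installed or on how it reports a miss.
if ! XMLSTARLET_BIN="$(command -v xmlstarlet)"; then
  logger -p daemon.error -s -- "Could not find xmlstarlet executable. Make sure xmlstarlet is installed."
  exit 1
fi

# Hostname the Plex certificate is issued for. An empty value is rejected
# along with a failed lookup: an empty hostname cannot identify which
# renewal this hook should act on.
if ! PLEX_HOSTNAME="$("${XMLSTARLET_BIN}" sel -t -v '/Preferences/@customCertificateDomain' "${PLEX_SERVER_XML_FILE}")" \
  || [ -z "${PLEX_HOSTNAME}" ]; then
  logger -p daemon.error -s -- "Failed to lookup plex certificate hostname in configuration. Make sure value is set in settings"
  exit 1
fi

# Destination of the PKCS#12 bundle. Empty is rejected for the same reason:
# there would be nowhere to install the bundle.
if ! PLEX_CERT_PATH="$("${XMLSTARLET_BIN}" sel -t -v '/Preferences/@customCertificatePath' "${PLEX_SERVER_XML_FILE}")" \
  || [ -z "${PLEX_CERT_PATH}" ]; then
  logger -p daemon.error -s -- "Failed to lookup plex certificate path in configuration. Make sure value is set in settings"
  exit 1
fi

# Passphrase that protects the bundle. This is a secret: it must never be
# passed to logger or appear on a command line.
if ! PLEX_CERT_PASSPHRASE="$("${XMLSTARLET_BIN}" sel -t -v '/Preferences/@customCertificateKey' "${PLEX_SERVER_XML_FILE}")"; then
  logger -p daemon.error -s -- "Failed to lookup plex certificate key in Preferences.xml. Make sure value is set in settings"
  exit 1
fi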
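# --- Skip renewals that do not cover the Plex hostname ---------------------
#
# RENEWED_DOMAINS is a space-delimited list supplied by the ACME client.
# Each entry is compared for exact, case-insensitive equality. Using the
# hostname as a grep pattern would treat its dots as wildcards and accept
# substrings (plex.example.com inside myplex.example.com), and an empty
# hostname would match every renewal.
#
# `read -a` splits on whitespace without glob expansion, so a wildcard entry
# such as "*.example.com" stays literal instead of matching files in the
# current directory. Wildcard entries are not expanded against the hostname.
renewed_domains=()
read -r -a renewed_domains <<< "${RENEWED_DOMAINS:-}"

plex_domain_renewed=0
for renewed_domain in "${renewed_domains[@]}"; do
  # ${var,,} lower-cases the value (bash 4+); host names are case-insensitive.
  if [ -n "${PLEX_HOSTNAME:-}" ] && [ "${renewed_domain,,}" = "${PLEX_HOSTNAME,,}" ]; then
    plex_domain_renewed=1
    break
  fi
done

if [ "${plex_domain_renewed}" -ne 1 ]; then
  logger -p daemon.debug -- "${PLEX_HOSTNAME} not renewed"
  exit 0
fi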
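# --- Build the PKCS#12 bundle and install it for Plex ----------------------
#
# RENEWED_LINEAGE must come from the ACME client that runs this hook.
# Without it the paths below would silently become /fullchain.pem and
# /privkey.pem.
if [ -z "${RENEWED_LINEAGE:-}" ]; then
  logger -p daemon.error -s -- "RENEWED_LINEAGE is not set; run this script as a certificate renew hook"
  exit 1
fi
PEM_CERTS_FILE="${RENEWED_LINEAGE}/fullchain.pem"
PEM_KEY_FILE="${RENEWED_LINEAGE}/privkey.pem"

# Everything written from here on is key material or a passphrase, so every
# new file is created owner-only.
umask 077

if ! TEMP_DIR="$(mktemp -d)" || [ -z "${TEMP_DIR}" ]; then
  logger -p daemon.error -s -- "Failed to create temp directory"
  exit 1
fi
# Safety net: the scratch directory holds a copy of the private key and the
# passphrase, so it is removed on every exit path below.
trap cleanup EXIT

# If entering the scratch directory failed, the relative file names below
# would drop the key and passphrase into whatever the current directory is.
if ! pushd "${TEMP_DIR}" 1>/dev/null; then
  logger -p daemon.error -s -- "Failed to enter temp directory ${TEMP_DIR}"
  exit 1
fi

if ! cp -- "${PEM_CERTS_FILE}" "certs.pem"; then
  logger -p daemon.error -s -- "Failed to copy ${PEM_CERTS_FILE} to temp directory"
  exit 1
fi
if ! cp -- "${PEM_KEY_FILE}" "key.pem"; then
  logger -p daemon.error -s -- "Failed to copy ${PEM_KEY_FILE} to temp directory"
  exit 1
fi

# printf writes the passphrase verbatim; echo would mangle a value such as
# "-n" or one containing backslashes. openssl reads it from the file, so the
# passphrase never appears in the process argument list.
printf '%s' "${PLEX_CERT_PASSPHRASE}" > passphrase
if ! openssl pkcs12 -export -in "certs.pem" -inkey "key.pem" -out plex.p12 -keypbe aes-256-cbc -certpbe aes-256-cbc -macalg SHA256 -passout "file:passphrase"; then
  logger -p daemon.error -s -- "Failed to generate p12 file"
  exit 1
fi

# NOTE(review): PLEX_CERT_PATH is read from Preferences.xml inside the Plex
# data directory. The chown below suggests this hook runs as root; if that
# file is writable by the Plex service account, that account decides which
# path root replaces and hands over to PLEX_USER. Consider pinning the
# expected directory for the bundle. TODO confirm against the deployment.
#
# The bundle is staged next to its destination and renamed into place.
# Mode and owner are set before the file becomes visible under its final
# name, the replacement is atomic, and the rename replaces a symlink at the
# destination rather than writing through it.
if ! STAGED_P12="$(mktemp -- "${PLEX_CERT_PATH}.XXXXXX")"; then
  logger -p daemon.error -s -- "Failed copy generated p12 file to ${PLEX_CERT_PATH}"
  exit 1
fi
if ! cp -- plex.p12 "${STAGED_P12}"; then
  logger -p daemon.error -s -- "Failed copy generated p12 file to ${PLEX_CERT_PATH}"
  rm -f -- "${STAGED_P12}"
  exit 1
fi
if ! chmod 600 "${STAGED_P12}"; then
  logger -p daemon.error -s -- "Failed to set file permissions on ${PLEX_CERT_PATH}"
  rm -f -- "${STAGED_P12}"
  exit 1
fi
if ! chown "${PLEX_USER}:${PLEX_GROUP}" "${STAGED_P12}"; then
  logger -p daemon.error -s -- "Failed to set ownership on ${PLEX_CERT_PATH}"
  rm -f -- "${STAGED_P12}"
  exit 1
fi
if ! mv -f -- "${STAGED_P12}" "${PLEX_CERT_PATH}"; then
  logger -p daemon.error -s -- "Failed copy generated p12 file to ${PLEX_CERT_PATH}"
  rm -f -- "${STAGED_P12}"
  exit 1
fi

logger -p daemon.info -- 'Update P12 certificate file for plex'

# Leave the scratch directory and remove it now, so the key copy is gone
# before the service restart rather than only when the script exits.
popd 1>/dev/null || cd /
cleanup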
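# --- Restart the service after the certificate update ----------------------
if systemctl restart "${SERVICE_NAME}"; then
  # -p is required: without it logger treats "daemon.info" as message text
  # and records the entry at its default priority.
  logger -p daemon.info -- "Sucessfully restarted $SERVICE_NAME after certificate update"
else
  logger -p daemon.error -s -- "Restart of $SERVICE_NAME failed after certificate update"
fi

# The exit status stays 0 even when the restart fails, so the caller is not
# told about it; the failure is reported through syslog and stderr only.
exit 0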