Setup Let's Encrypt certificate for use with Plex Media Server on Ubuntu

LetsEncrypt_HTTPS_plex.MD

Here's my setup:

• Home server running Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-93-generic x86_64)
• Plex Media Server debian package running on server
• Netgear Nighthawk R6900 home router
• Dynamic hostname from no-ip.org, which I'll use for this setup

Prep

Complete up to the "Generate the cert" section in this gist and stop just before the "Set up the certificate" section.

Your ceritifcate files should now be in this directory: /etc/letsencrypt/live/myhostname.no-ip.org/

I also assume your Plex server is port-forwarded to be accessible via port 32400: http://myhostname.no-ip.org:32400

Set up the certificate

Before we begin, we need to generate a PKCS #12 (.pfx) file from the Let's Encrypt certificate files. It's all the Let's Encrypt files archived, and bundled into one file.

Create the PCKS #12 file:

1. Run the package command:

     sudo openssl pkcs12 -export -out ~/certificate.pfx \
       -inkey /etc/letsencrypt/live/myhostname.no-ip.org/privkey.pem \
       -in /etc/letsencrypt/live/myhostname.no-ip.org/cert.pem \
       -certfile /etc/letsencrypt/live/myhostname.no-ip.org/chain.pem

2. You'll first be prompted for your sudo password.

   Next you'll be asked to enter a password to encrypt the .pfx file. Enter a password you won't mind saving in the Plex settings in plaintext.

3. Hand it over to plex.

   sudo mv ~/certificate.pfx /var/lib/plexmediaserver
   sudo chown plex:plex /var/lib/plexmediaserver/certificate.pfx

Have Plex use your PFX file

1. Visit the Plex UI on your server: http://myhostname.no-ip.org:32400

2. Go to Settings (icon on top right corner) > Server (tab) > Network (left navigation column).

   Click "SHOW ADVANCED" to see the necessary fields.

3. Enter the following values:

   • Custom certificate location: /var/lib/plexmediaserver/certificate.pfx
   • Custom certificate encryption key: The password you entered on step 2 of last section
   • Custom certificate domain: https://myhostname.no-ip.org:32400

4. Save your changes.

That's it. You don't even have to restart plex!

You can check the Plex\ Media\ Server.log file in /var/lib/plexmediaserver/Library/Application\ Support/Plex\ Media\ Server/Logs if you want to verify whether there were any errors.

Visit your server at https://myhostname.no-ip.org:32400 (Custom certificate domain) and see the HTTPS in action.

Thx guys... It is doing great, even with a plain install on Ubuntu 18.04!

My Plex is also running IPv6 only - no NATing or port forwarding, so certbot is using the native port:443.
I experienced some problems with stateless autoconf and IPv6-PD on 17.10, but wasn't able (or rather I didn't take time for it) to reproduce it.
I think it was more the faulty installation than the Ubuntu itself.

Nevertheless thanks for your effort!

frostl

Thanks so much for this Charitha Sathkumara! Just to let y'all know, it worked seamlessly on my Fedora 28 box. Cheers!

Worked fine! Only issue: I needed to restart the plex service to use the certificate.

Legend. Worked a treat, however i used the method on Windows 10 Pro with Bash. Once the cert was created via bash, i then followed your steps and copied the file to a windows mount and saved the amended cert :)

The "custom certificate domain" setting in Plex, under Network, should be set to just the domain, as the certificate itself specifies, without https or a port number. That works for me, anyway. I found specifying anything else does not work.

thx for this article, follow the steps, it works!

I'm getting a Certificate warning in Google Chrome 80 on Linux...

NET::ERR_CERT_AUTHORITY_INVALID
...also, this is in the PMS log file...

WARN - CERT: Missing cert or issuer; skipping OCSP stapling
Any ideas?

Paul

https://hobo.house/2016/11/11/how-to-use-self-signed-ssl-certificates-for-plex-media-server/

Follow these steps: If have already a certificate issued by lets encrypt or other ssl provider just skip the steps on creating self signed certificates.

I setup my plex server on windows platform and works perfectly!

Note: the python script has error, I just modified to work on python on windows (in my repo: plexpy/python/pem2plex.py)
ProcessedMachineIdentifier is located on registry

has anyone managed to automate this with something like chron?

works very well btw, thanks!

Looks like whoever deleted their page. The "Generate the cert" section in this gist link is broken.

@churro-s you need to update the link to point to your new username.

Does the PKCS have to be done whenever the certificates get renewed?

@doughnet yes it does.

Looks like whoever deleted their page. The "Generate the cert" section in this gist link is broken.

correct, so this entire page is useless now.

@baalpeteor this is the new link, so not useless, his username has update so the link just has the wrong username - https://gist.github.com/churro-s/e56fa7aee3b2cf36f9c240c90f456494#generate-the-cert

Once you've got the first cert up and running you can add a renewal hook eg

$ cat /etc/letsencrypt/renewal-hooks/post/001-plex.sh
#!/bin/bash
openssl pkcs12 -export \
    -password pass:secretText \
    -out /path/to/plex/certificate.pfx \
    -inkey /etc/letsencrypt/live/myhostname.no-ip.org/privkey.pem \
    -in /etc/letsencrypt/live/myhostname.no-ip.org/cert.pem \
    -certfile /etc/letsencrypt/live/myhostname.no-ip.org/chain.pem

chown plex:plex  /path/to/plex/certificate.pfx

I don't know if plex needs a restart after the cert is renewed, but that can be added to the script as well

For some reason, when I apply the certificate, I am getting a XML file type of response from Plex: https://ms.crazybebop.com:32400/

Digging into log I see:
Jan 15, 2023 15:05:41.741 [0x7f21210ccb38] DEBUG - CERT: incomplete TLS handshake from [::ffff:192.168.1.1]:14278: sslv3 alert certificate unknown

Once you've got the first cert up and running you can add a renewal hook eg

This is the way!!!!

My custom certificate was broken after updating Plex to version 1.32.0.6918
Adding -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 to the openssl export command solved the problem (using OpenSSL 1.1.1)

Thanks a lot for your tip. This worked for me as well with Plex running on docker and consuming a letsencrypt based pfx certificate. This setup had been running flawlessly for many months if not years, until the regression you mentioned... I was starting to freak out... Your added parameters allowed Plaex to interprete the pfx file as expected. Can you reference the source of these parameters if you have the opportunity to do so ?

My custom certificate was broken after updating Plex to version 1.32.0.6918
Adding -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 to the openssl export command solved the problem (using OpenSSL 1.1.1)

Sad, CBC is not a great cipher, dropped from TLS 1.3, should be avoided and use GCM instead.

My custom certificate was broken after updating Plex to version 1.32.0.6918 Adding -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 to the openssl export command solved the problem (using OpenSSL 1.1.1)

Ugh, that's annoying. Let's hope this get's fixed at some point. Thanks for pointing this out, fixed it for me too!

Thanks for the tip about -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256!

Sad, CBC is not a great cipher, dropped from TLS 1.3, should be avoided and use GCM instead.

This has nothing to do with the cipher suites allowed by the server while using the provided certificate. It is referencing the encryption used within the resulting pfx file itself. The pkcs12 format only allows for two encryption options the older PBES1 method which used the long deprecated 3DES encryption and the newer PBES2 method which uses AES256-CBC. Many things (including older openssl versions like 1.1.1) still default to PBES1 aka 3DES so forcing the use of AES256-CBC is actually a huge improvement and there is no such thing as a pfx file encrypted with AES256-GCM.

Sad, CBC is not a great cipher, dropped from TLS 1.3, should be avoided and use GCM instead.

This has nothing to do with the cipher suites allowed by the server while using the provided certificate. It is referencing the encryption used within the resulting pfx file itself. The pkcs12 format only allows for two encryption options the older PBES1 method which used the long deprecated 3DES encryption and the newer PBES2 method which uses AES256-CBC. Many things (including older openssl versions like 1.1.1) still default to PBES1 aka 3DES so forcing the use of AES256-CBC is actually a huge improvement and there is no such thing as a pfx file encrypted with AES256-GCM.

Ah yep makes sense, non issue then, definite improvement

My custom certificate was broken after updating Plex to version 1.32.0.6918 Adding -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 to the openssl export command solved the problem (using OpenSSL 1.1.1)

Thanks! This works great for me.

Yay, that finally worked @knightian For others tryign to do the same thing, here is the full code, adjust to match your file locations:

openssl pkcs12 -export -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 -out /mnt/certs/plex_cert.pfx \
    -inkey /mnt/certs/sub.domain.com.key \
    -in /mnt/certs/sub.domain.com.crt \
    -certfile /mnt/certs/sub.domain.com.fullchain \
    -passout pass:yourpassword

Then put them on your plex server and map the location. I simply added it to my docker-compose file as a volume.

Instructions work great even for a windows installation. OpenSSL is included with Git for Windows so my script includes the full path to the openssl.exe file. I'm using Certbot with Let's Encrypt so I linked the script as another action in the Certbot auto renewal scheduled task. It should run as soon as certbot renews the certificate.

one more thing to add, the user:group on my synology server was PlexMediaServer:PlexMediaServer instead of plex:plex. had to set the certificate to that ownership to get it to work.