Setup Let's Encrypt certificate for use with Plex Media Server on Ubuntu

LetsEncrypt_HTTPS_plex.MD

Here's my setup:

• Home server running Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-93-generic x86_64)
• Plex Media Server debian package running on server
• Netgear Nighthawk R6900 home router
• Dynamic hostname from no-ip.org, which I'll use for this setup

Prep

Complete up to the "Generate the cert" section in this gist and stop just before the "Set up the certificate" section.

Your ceritifcate files should now be in this directory: /etc/letsencrypt/live/myhostname.no-ip.org/

I also assume your Plex server is port-forwarded to be accessible via port 32400: http://myhostname.no-ip.org:32400

Set up the certificate

Before we begin, we need to generate a PKCS #12 (.pfx) file from the Let's Encrypt certificate files. It's all the Let's Encrypt files archived, and bundled into one file.

Create the PCKS #12 file:

1. Run the package command:

     sudo openssl pkcs12 -export -out ~/certificate.pfx \
       -inkey /etc/letsencrypt/live/myhostname.no-ip.org/privkey.pem \
       -in /etc/letsencrypt/live/myhostname.no-ip.org/cert.pem \
       -certfile /etc/letsencrypt/live/myhostname.no-ip.org/chain.pem

2. You'll first be prompted for your sudo password.

   Next you'll be asked to enter a password to encrypt the .pfx file. Enter a password you won't mind saving in the Plex settings in plaintext.

3. Hand it over to plex.

   sudo mv ~/certificate.pfx /var/lib/plexmediaserver
   sudo chown plex:plex /var/lib/plexmediaserver/certificate.pfx

Have Plex use your PFX file

1. Visit the Plex UI on your server: http://myhostname.no-ip.org:32400

2. Go to Settings (icon on top right corner) > Server (tab) > Network (left navigation column).

   Click "SHOW ADVANCED" to see the necessary fields.

3. Enter the following values:

   • Custom certificate location: /var/lib/plexmediaserver/certificate.pfx
   • Custom certificate encryption key: The password you entered on step 2 of last section
   • Custom certificate domain: https://myhostname.no-ip.org:32400

4. Save your changes.

That's it. You don't even have to restart plex!

You can check the Plex\ Media\ Server.log file in /var/lib/plexmediaserver/Library/Application\ Support/Plex\ Media\ Server/Logs if you want to verify whether there were any errors.

Visit your server at https://myhostname.no-ip.org:32400 (Custom certificate domain) and see the HTTPS in action.

Thank you for your description! I applied it to Ubuntu 17.10, so I had to change a minimal part of the setup (cerbot-auto renamed to certbot), and the cron-job is already included - works like a charm!
Did you also created a cron job for converting the certificate to PCKS#12 or are you doing it still manually? :-)

BR frostl

After reading the above (which works fine) I did get a bit further and changed a letsencrypt script for unifi to work with plex. You can find it here https://oisec.net/blog/plex-letsencrypt

Thank you for the tutorial. I have successfully make a bash file on synology to run monthly to renew every now and then to keep up with letsencrypt.

Thx guys... It is doing great, even with a plain install on Ubuntu 18.04!

My Plex is also running IPv6 only - no NATing or port forwarding, so certbot is using the native port:443.
I experienced some problems with stateless autoconf and IPv6-PD on 17.10, but wasn't able (or rather I didn't take time for it) to reproduce it.
I think it was more the faulty installation than the Ubuntu itself.

Nevertheless thanks for your effort!

frostl

Thanks so much for this Charitha Sathkumara! Just to let y'all know, it worked seamlessly on my Fedora 28 box. Cheers!

Worked fine! Only issue: I needed to restart the plex service to use the certificate.

Legend. Worked a treat, however i used the method on Windows 10 Pro with Bash. Once the cert was created via bash, i then followed your steps and copied the file to a windows mount and saved the amended cert :)

The "custom certificate domain" setting in Plex, under Network, should be set to just the domain, as the certificate itself specifies, without https or a port number. That works for me, anyway. I found specifying anything else does not work.