This is a guide useful for anyone using Plex Media Server on Gentoo and seeking to encrypt/secure their connections with TLS for the Plex Web UI. The instructions can be easily adapted to other distros and should work with minor modifications. I have written these notes using media-tv/plex-media-server-1.5.5 and app-crypt/certbot-apache-0.13.0.
You’ll need root in order to perform most of these steps.
Installing Plex Media Server and Letsencrypt client
Installing Plex Media Server on Gentoo is straight forward:
emerge -Dtva media-tv/plex-media-server
The post-installation instructions of the package will tell you:
Plex Media Server is now installed. Please check the configuration file in /etc/plex/plexmediaserver to verify the default settings. To start the Plex Server, run 'rc-config start plex-media-server', you will then be able to access your library at http://:32400/web/
This may be good enough if you’re just having a home server to watch from the LAN, but if you will be accessing your Plex Media Server from a non-secure network (i.e. over the Internet or via your mobile data provider, etc.), clearly this is not the most secure setup. The instructions tell you to use a plaintext http connection (http://<ip>:32400/web/), but with just like any other plaintext connection, your Plex username and password can be sniffed trivially.
To make the connection secure you can obtain and install a free TLS certificate from Let’s Encrypt. If you already know how to obtain and install a Letsencrypt certificate, skip these instructions. On Gentoo you can use the certbot command-line tool, so go ahead and install its package:
emerge -Dtva app-crypt/certbot
You may end up with emerge complaining that a series of required dependencies cannot be installed. Make sure you keyword all those packages in /etc/portage/package.keywords. For example, may have to append in your package.keywords:
=app-crypt/certbot-apache-0.13.0 ~amd64
Obtaining and installing a Let’s Encrypt certificate for Plex
Once certbot is installed and provided your server’s hostname is home-plex.mydomain.com, obtain the respective Letsencrypt free certificate:
certbot certonly --standalone --config-dir /etc/letsencrypt --preferred-challenges tls-sni-01 -d home-plex.mydomain.com
If everything has worked out correctly, your certificate will be installed in /etc/letsencrypt/live/home-plex.mydomain.com/.
Converting a Let’s Encrypt cert for use with Plex Media Server (format PKCS #12)
Assuming you have OpenSSL already installed (if not emerge -Dtva dev-libs/openssl), you can create a PKCS #12 file containing the Let’s Encrypt certificate and private key to enable TLS support for home-plex.mydomain.com, using the following script (store in /etc/plex/plex-renew-cert.sh, we’ll need the script again later):
#!/bin/bash # # store this script in /etc/plex/plex-renew-cert.sh # PLEX_HOSTNAME=home-plex.mydomain.com PLEX_CERT_ENCKEY=your-randomly-generated-password pushd /etc/plex > /dev/null openssl pkcs12 -export \ -out /etc/plex/${PLEX_HOSTNAME}.pfx \ -inkey /etc/letsencrypt/live/${PLEX_HOSTNAME}/privkey.pem \ -in /etc/letsencrypt/live/${PLEX_HOSTNAME}/cert.pem \ -certfile /etc/letsencrypt/live/${PLEX_HOSTNAME}/chain.pem \ -name "${PLEX_HOSTNAME}" \ -passout pass:${PLEX_CERT_ENCKEY} popd # Set the right ownership and permissions to the generated PKCS #12 container file: chmod 600 /etc/plex/${PLEX_HOSTNAME}.pfx chown plex:plex /etc/plex/${PLEX_HOSTNAME}.pfx
Make sure you replace home-plex.mydomain.com with your server’s hostname and your-randomly-generated-password with a good password. You can quickly generate one here, but any will work.
Set good permissions and execute it:
chmod 700 /etc/plex/plex-renew-cert.sh /etc/plex/plex-renew-cert.sh
Check the cert container has been generated:
ls -l /etc/plex/home-plex.mydomain.com.pfx
You can even verify the key, using the PLEX_CERT_ENCKEY value when prompted, and if everything is correct you’ll see something like:
openssl pkcs12 -in /etc/plex/home-plex.mydomain.com.pfx -noout
Enter Import Password:
MAC verified OK
Using the Letsencrypt PKCS #12 cert with Plex Media Server
To use the generated certificate in Plex, first start the Plex server (/etc/init.d/plex-media-server start) and visit the plaintext web interface http://home-plex.mydomain.com:32400/web. Login with your Plex.tv account, go to "Settings > Network", fill in the following and “Save Changes”:
Custom certificate location: /etc/plex/home-plex.mydomain.com.pfx
Custom certificate encryption key: your-randomly-generated-password
Custom certificate domain: home-plex.mydomain.com
Plex Media Server Letsencrypt Certificate Config
Restart the Plex Media Server and visit the web interface over encrypted HTTPS now, https://home-plex.mydomain.com:32400/web/. You should see in your web browser’s address bar the green lock indicating a secure connection to the Plex Media Server.
Your done! …. Well, almost done!
Renewing the Let’s Encrypt certificates
Let’s Encrypt certificates expire after a few months and the proper way to utilize them with any server/application is to schedule a frequent renewal check. On top of that, we want to ensure that once our certificate has been renewed, it is also converted to the PKCS #12 container format and the Plex Media Server is restarted to reload the new PKCS #12 certificate.
This is fairly easy, with certbot’s option --renew-hook (check what it does with certbot --help renew) and a cronjob like the following:
#Mins Hours Days Months Day of the week
# Attempt a renewal once a day at 5:30am and if successful run --renew-hook command(s)
30 5 * * * certbot certonly --standalone --quiet \
--config-dir /etc/letsencrypt \
--preferred-challenges tls-sni-01 \
-d home-plex.mydomain.com \
--renew-hook "/etc/plex/plex-renew-cert.sh && /etc/init.d/plex-media-server start"
