sigmoid


This is a guide useful for anyone using Plex Media Server on Gentoo and seeking to encrypt/secure their connections with TLS for the Plex Web UI. The instructions can be easily adapted to other distros and should work with minor modifications. I have written these notes using media-tv/plex-media-server-1.5.5 and app-crypt/certbot-apache-0.13.0.
You’ll need root in order to perform most of these steps.

Installing Plex Media Server and Letsencrypt client

Installing Plex Media Server on Gentoo is straightforward:

emerge -Dtva media-tv/plex-media-server

The post-installation instructions of the package will tell you:

Plex Media Server is now installed. Please check the configuration file in /etc/plex/plexmediaserver to verify the default settings.
To start the Plex Server, run 'rc-config start plex-media-server', you will then be able to access your library at http://:32400/web/

This may be good enough if you just run a home server and watch from the LAN, but if you will be accessing your Plex Media Server from a non-secure network (e.g. over the Internet or via your mobile data provider), this is clearly not the most secure setup. The instructions tell you to use a plaintext HTTP connection (http://:32400/web/), but, just like on any other plaintext connection, your Plex username and password can be sniffed trivially.

To make the connection secure you can obtain and install a free TLS certificate from Let’s Encrypt. If you already know how to obtain and install a Letsencrypt certificate, skip these instructions. On Gentoo you can use the certbot command-line tool, so go ahead and install its package:

emerge -Dtva app-crypt/certbot

You may end up with emerge complaining that a series of required dependencies cannot be installed. Make sure you keyword all those packages in /etc/portage/package.keywords. For example, you may have to append to your package.keywords:

=app-crypt/certbot-apache-0.13.0 ~amd64

Obtaining and installing a Let’s Encrypt certificate for Plex

Once certbot is installed and provided your server’s hostname is home-plex.mydomain.com, obtain the respective Letsencrypt free certificate:

certbot certonly --standalone --config-dir /etc/letsencrypt --preferred-challenges tls-sni-01 -d home-plex.mydomain.com

If everything has worked out correctly, your certificate will be installed in /etc/letsencrypt/live/home-plex.mydomain.com/.

Converting a Let’s Encrypt cert for use with Plex Media Server (format PKCS #12)

Assuming you have OpenSSL already installed (if not, emerge -Dtva dev-libs/openssl), you can create a PKCS #12 file containing the Let’s Encrypt certificate and private key to enable TLS support for home-plex.mydomain.com, using the following script (store it in /etc/plex/plex-renew-cert.sh; we’ll need the script again later):

#!/bin/bash
#
# store this script in /etc/plex/plex-renew-cert.sh
#
set -eu

PLEX_HOSTNAME=home-plex.mydomain.com
PLEX_CERT_ENCKEY=your-randomly-generated-password
# openssl reads the password through env: below, so it never shows up in `ps` output
export PLEX_CERT_ENCKEY

openssl pkcs12 -export \
               -out "/etc/plex/${PLEX_HOSTNAME}.pfx" \
               -inkey "/etc/letsencrypt/live/${PLEX_HOSTNAME}/privkey.pem" \
               -in "/etc/letsencrypt/live/${PLEX_HOSTNAME}/cert.pem" \
               -certfile "/etc/letsencrypt/live/${PLEX_HOSTNAME}/chain.pem" \
               -name "${PLEX_HOSTNAME}" \
               -passout env:PLEX_CERT_ENCKEY

# Set the right ownership and permissions on the generated PKCS #12 container file:
chmod 600 "/etc/plex/${PLEX_HOSTNAME}.pfx"
chown plex:plex "/etc/plex/${PLEX_HOSTNAME}.pfx"

Make sure you replace home-plex.mydomain.com with your server’s hostname and your-randomly-generated-password with a good password. You can quickly generate one with any password generator, but any password will work.

Set good permissions and execute it:

chmod 700 /etc/plex/plex-renew-cert.sh
/etc/plex/plex-renew-cert.sh

Check the cert container has been generated:

ls -l /etc/plex/home-plex.mydomain.com.pfx

You can also verify the container, entering the PLEX_CERT_ENCKEY value when prompted; if everything is correct you’ll see something like:

openssl pkcs12 -in /etc/plex/home-plex.mydomain.com.pfx -noout
Enter Import Password:
MAC verified OK

Using the Letsencrypt PKCS #12 cert with Plex Media Server

To use the generated certificate in Plex, first start the Plex server (/etc/init.d/plex-media-server start) and visit the plaintext web interface at http://home-plex.mydomain.com:32400/web. Log in with your Plex.tv account, go to "Settings > Network", fill in the following and click “Save Changes”:

        Custom certificate location: /etc/plex/home-plex.mydomain.com.pfx
  Custom certificate encryption key: your-randomly-generated-password
          Custom certificate domain: home-plex.mydomain.com

Plex Media Server Letsencrypt Certificate Config

Restart the Plex Media Server and visit the web interface over encrypted HTTPS now, https://home-plex.mydomain.com:32400/web/. You should see in your web browser’s address bar the green lock indicating a secure connection to the Plex Media Server.

You’re done! … Well, almost done!

Renewing the Let’s Encrypt certificates

Let’s Encrypt certificates expire after a few months, and the proper way to use them with any server or application is to schedule a frequent renewal check. On top of that, we want to ensure that once our certificate has been renewed, it is also converted to the PKCS #12 container format and the Plex Media Server is restarted so it reloads the new PKCS #12 certificate.

This is fairly easy, with certbot’s option --renew-hook (check what it does with certbot --help renew) and a cronjob like the following:

#Mins  Hours  Days   Months  Day of the week
# Attempt a renewal once a day at 5:30am and, if successful, run the --renew-hook command(s).
# crontab has no backslash line continuation, so the whole job must stay on a single line.
# The hook restarts (not merely starts) Plex, otherwise the running server keeps the old certificate.
30 5 * * * certbot certonly --standalone --quiet --config-dir /etc/letsencrypt --preferred-challenges tls-sni-01 -d home-plex.mydomain.com --renew-hook "/etc/plex/plex-renew-cert.sh && /etc/init.d/plex-media-server restart"
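As an added example (not the post’s own script), here is a stricter version of the conversion script and renew hook from the two sections above: it checks that the Let’s Encrypt key and certificate belong together, builds the PKCS #12 container into a temporary file, verifies the file opens with the password and holds an unexpired certificate, and only then swaps it into place and restarts Plex. Paths follow the post; PLEX_CERT_ENCKEY is a placeholder, and LE_DIR, PFX and the function names are assumed.

```shell
#!/bin/bash
# Added example, not the post's own script: a stricter renew hook for Plex.
# Paths mirror the post; PLEX_CERT_ENCKEY is a placeholder, LE_DIR/PFX are assumed names.
set -eu

PLEX_HOSTNAME="${PLEX_HOSTNAME:-home-plex.mydomain.com}"
PLEX_CERT_ENCKEY="${PLEX_CERT_ENCKEY:-your-randomly-generated-password}"
export PLEX_CERT_ENCKEY      # openssl reads it via env:, so it never appears in ps output
LE_DIR="${LE_DIR:-/etc/letsencrypt/live/${PLEX_HOSTNAME}}"
PFX="${PFX:-/etc/plex/${PLEX_HOSTNAME}.pfx}"

# 0 when the public key inside cert $1 equals the public half of private key $2.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Build the PKCS #12 container $4 from cert $1, key $2 and chain $3.
build_pfx() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -out "$4" \
        -name "$PLEX_HOSTNAME" -passout env:PLEX_CERT_ENCKEY
}

# 0 when container $1 opens with PLEX_CERT_ENCKEY and its leaf cert is still valid now.
verify_pfx() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:PLEX_CERT_ENCKEY 2>/dev/null \
        | openssl x509 -noout -checkend 0 >/dev/null 2>&1
}

install_and_restart() {
    key_matches_cert "$LE_DIR/cert.pem" "$LE_DIR/privkey.pem"
    tmp=$(mktemp "${PFX}.XXXXXX")
    build_pfx "$LE_DIR/cert.pem" "$LE_DIR/privkey.pem" "$LE_DIR/chain.pem" "$tmp"
    verify_pfx "$tmp"
    chmod 600 "$tmp"
    chown plex:plex "$tmp"
    mv -f "$tmp" "$PFX"      # atomic replace: Plex never reads a half-written file
    /etc/init.d/plex-media-server restart
}

# certbot exports RENEWED_LINEAGE to the hook; act only when it is our certificate.
if [ "${RENEWED_LINEAGE:-}" = "$LE_DIR" ]; then
    install_and_restart
fi
```

Because every step runs under set -e, a key/cert mismatch, a wrong password or an expired certificate aborts the hook before the old container is touched, so Plex keeps serving the previous certificate instead of failing to start.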

I have built ICU v59.1 with MSVC 2015 & 2017 which are available at the Precompiled ICU page.
In the respective archives you will find, as always, the dynamic and statically linked libraries.

Note that ICU cannot be built with any of the older MSVC compilers, as support has been dropped upstream. Thus only MSVC 2015 and 2017 are available from now on.

I am now compiling all libraries with the recently released MSVC 2017 compiler. You can find OpenSSL v1.1.0e and v1.0.2k, along with the batch build scripts, in the Precompiled OpenSSL page.

The final MS Visual Studio 2017 came out a couple of days ago, so I am starting to build the precompiled libraries for the included compiler too.

ICU v58.2 is the first library I have built successfully and it is available at the Precompiled ICU page. Note that the respective build batch script has also been updated.

Compiled static and shared OpenSSL v1.1.0e for MSVC 2008-2015 are now available in the Precompiled OpenSSL page. Build scripts and patches are also available for anyone who wants to customize their builds.

Library names have changed upstream for v1.1.0e, but I follow the older pattern for my builds (i.e. libname[MT/MD][d]), as with the other branches.

Bear in mind that as of 02 Jan 2017 the OpenSSL team has announced that support for the 1.0.1 branch has been discontinued, so you are strongly encouraged to drop it as soon as possible and move to the latest 1.1.x branch. I will keep the latest supported version (1.0.1u) around for anyone wanting to use it.

Older versions of OpenSSL have been moved to the Precompiled OpenSSL (Past Builds) page; however, they are only there for archival purposes, so do not use these builds on any production systems. Actually, if you are doing any serious work, you ought to build your own OpenSSL anyway.