This is a guide useful for anyone using Plex Media Server on Gentoo and seeking to encrypt/secure their connections with TLS for the Plex Web UI. The instructions can be easily adapted to other distros and should work with minor modifications. I have written these notes using media-tv/plex-media-server-1.5.5 and app-crypt/certbot-apache-0.13.0.
You’ll need root in order to perform most of these steps.

Installing Plex Media Server and Letsencrypt client

Installing Plex Media Server on Gentoo is straightforward:

emerge -Dtva media-tv/plex-media-server

The post-installation instructions of the package will tell you:

Plex Media Server is now installed. Please check the configuration file in /etc/plex/plexmediaserver to verify the default settings.
To start the Plex Server, run 'rc-config start plex-media-server', you will then be able to access your library at http://:32400/web/

This may be good enough if you just have a home server to watch from the LAN, but if you will be accessing your Plex Media Server from a non-secure network (i.e. over the Internet or via your mobile data provider, etc.), clearly this is not the most secure setup. The instructions tell you to use a plaintext http connection (http://:32400/web/), but just like with any other plaintext connection, your Plex username and password can be sniffed trivially.

To make the connection secure you can obtain and install a free TLS certificate from Let’s Encrypt. If you already know how to obtain and install a Letsencrypt certificate, skip these instructions. On Gentoo you can use the certbot command-line tool, so go ahead and install its package:

emerge -Dtva app-crypt/certbot

You may end up with emerge complaining that a series of required dependencies cannot be installed. Make sure you keyword all those packages in /etc/portage/package.keywords. For example, you may have to append the following to your package.keywords:

=app-crypt/certbot-apache-0.13.0 ~amd64

Obtaining and installing a Let’s Encrypt certificate for Plex

Once certbot is installed and provided your server’s hostname is, obtain the respective Letsencrypt free certificate:

certbot certonly --standalone --config-dir /etc/letsencrypt --preferred-challenges tls-sni-01 -d

If everything has worked out correctly, your certificate will be installed in /etc/letsencrypt/live/

Converting a Let’s Encrypt cert for use with Plex Media Server (format PKCS #12)

Assuming you have OpenSSL already installed (if not emerge -Dtva dev-libs/openssl), you can create a PKCS #12 file containing the Let’s Encrypt certificate and private key to enable TLS support for, using the following script (store in /etc/plex/, we’ll need the script again later):

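#!/bin/bash
# store this script in /etc/plex/

# Placeholder value: replace with your server's hostname
PLEX_HOSTNAME="plex.example.com"
# Replace with a good, randomly generated password
PLEX_CERT_ENCKEY="your-randomly-generated-password"

# Work from /etc/plex and stop if the directory is missing
pushd /etc/plex > /dev/null || exit 1
# Bundle the private key, certificate and chain into one password-protected PKCS #12 file
openssl pkcs12 -export \
               -out "/etc/plex/${PLEX_HOSTNAME}.pfx" \
               -inkey "/etc/letsencrypt/live/${PLEX_HOSTNAME}/privkey.pem" \
               -in "/etc/letsencrypt/live/${PLEX_HOSTNAME}/cert.pem" \
               -certfile "/etc/letsencrypt/live/${PLEX_HOSTNAME}/chain.pem" \
               -name "${PLEX_HOSTNAME}" \
               -passout "pass:${PLEX_CERT_ENCKEY}"

# Set the right ownership and permissions to the generated PKCS #12 container file:
chmod 600 "/etc/plex/${PLEX_HOSTNAME}.pfx"
chown plex:plex "/etc/plex/${PLEX_HOSTNAME}.pfx"
popd > /dev/null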

Make sure you replace with your server’s hostname and your-randomly-generated-password with a good password. You can quickly generate one here, but any will work.

Set good permissions and execute it:

chmod 700 /etc/plex/

Check the cert container has been generated:

ls -l /etc/plex/

You can even verify the key, using the PLEX_CERT_ENCKEY value when prompted, and if everything is correct you’ll see something like:

openssl pkcs12 -in /etc/plex/ -noout
Enter Import Password:
MAC verified OK

Using the Letsencrypt PKCS #12 cert with Plex Media Server

To use the generated certificate in Plex, first start the Plex server (/etc/init.d/plex-media-server start) and visit the plaintext web interface. Log in with your account, go to "Settings > Network", fill in the following and click "Save Changes":

        Custom certificate location: /etc/plex/
  Custom certificate encryption key: your-randomly-generated-password
          Custom certificate domain:

[Image: Plex Media Server Letsencrypt Certificate Config]

Restart the Plex Media Server and visit the web interface over encrypted HTTPS now. You should see the green lock in your web browser’s address bar, indicating a secure connection to the Plex Media Server.

You’re done! … Well, almost done!

Renewing the Let’s Encrypt certificates

Let’s Encrypt certificates expire after a few months and the proper way to utilize them with any server/application is to schedule a frequent renewal check. On top of that, we want to ensure that once our certificate has been renewed, it is also converted to the PKCS #12 container format and the Plex Media Server is restarted to reload the new PKCS #12 certificate.

This is fairly easy, with certbot’s option --renew-hook (check what it does with certbot --help renew) and a cronjob like the following:

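#Mins  Hours  Days   Months  Day of the week
# Attempt a renewal once a day at 5:30am and if successful run --renew-hook command(s).
# cron does not support backslash line continuations, so the whole entry stays on one line.
# The hook restarts Plex (not just start) so the running server reloads the new PKCS #12 file.
30 5 * * * certbot certonly --standalone --quiet --config-dir /etc/letsencrypt --preferred-challenges tls-sni-01 -d --renew-hook "/etc/plex/ && /etc/init.d/plex-media-server restart"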
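
As an added example (not the author's script), here is a hardened form of the conversion step that a renew hook could call: it reads the export password from a file instead of passing it with pass: on the command line, builds the container in a mode-600 temporary file, runs the same openssl pkcs12 -noout check shown earlier, and only then replaces the old file. The function name build_plex_pfx, its argument order and the password file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# build_plex_pfx LIVE_DIR OUT_PFX PASSFILE [OWNER]   (hypothetical helper)
#   LIVE_DIR  certbot "live" directory with privkey.pem, cert.pem, chain.pem
#   OUT_PFX   PKCS #12 file that Plex is configured to load
#   PASSFILE  file readable only by root; its first line is the export password
#   OWNER     optional user:group for the result, e.g. plex:plex
build_plex_pfx() {
    live_dir=$1 out_pfx=$2 passfile=$3 owner=${4:-}

    # Refuse to run on an incomplete certificate directory.
    for f in privkey.pem cert.pem chain.pem; do
        [ -r "$live_dir/$f" ] || { echo "missing $live_dir/$f" >&2; return 1; }
    done
    [ -r "$passfile" ] || { echo "missing $passfile" >&2; return 1; }

    # mktemp creates the file with mode 600, and openssl keeps that mode when
    # it writes into it, so the key material is never readable by other users.
    tmp=$(mktemp "$out_pfx.XXXXXX") || return 1

    # file: keeps the password out of the process list, unlike pass:.
    if ! openssl pkcs12 -export -out "$tmp" \
            -inkey "$live_dir/privkey.pem" \
            -in "$live_dir/cert.pem" \
            -certfile "$live_dir/chain.pem" \
            -name "$(basename "$live_dir")" \
            -passout "file:$passfile"; then
        rm -f "$tmp"; return 1
    fi

    # Check that the container opens with the password before it replaces
    # the file the running server depends on.
    if ! openssl pkcs12 -in "$tmp" -noout -passin "file:$passfile" 2>/dev/null; then
        rm -f "$tmp"; return 1
    fi

    if [ -n "$owner" ]; then
        chown "$owner" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$out_pfx"   # rename within one directory: atomic replace
}
```

If any step fails, the previous .pfx is left in place, so a failed renewal never leaves Plex pointing at a missing or half-written container.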