This is a guide useful for anyone using Plex Media Server on Gentoo and seeking to encrypt/secure their connections with TLS for the Plex Web UI. The instructions can be easily adapted to other distros and should work with minor modifications. I have written these notes using media-tv/plex-media-server-1.5.5 and app-crypt/certbot-apache-0.13.0.
You’ll need root in order to perform most of these steps.

Installing Plex Media Server and Letsencrypt client

Installing Plex Media Server on Gentoo is straight forward:

emerge -Dtva media-tv/plex-media-server

The post-installation instructions of the package will tell you:

Plex Media Server is now installed. Please check the configuration file in /etc/plex/plexmediaserver to verify the default settings.
To start the Plex Server, run 'rc-config start plex-media-server', you will then be able to access your library at http://:32400/web/

This may be good enough if you’re just having a home server to watch from the LAN, but if you will be accessing your Plex Media Server from a non-secure network (i.e. over the Internet or via your mobile data provider, etc.), clearly this is not the most secure setup. The instructions tell you to use a plaintext http connection (http://<ip>:32400/web/), but with just like any other plaintext connection, your Plex username and password can be sniffed trivially.

To make the connection secure you can obtain and install a free TLS certificate from Let’s Encrypt. If you already know how to obtain and install a Letsencrypt certificate, skip these instructions. On Gentoo you can use the certbot command-line tool, so go ahead and install its package:

emerge -Dtva app-crypt/certbot

You may end up with emerge complaining that a series of required dependencies cannot be installed. Make sure you keyword all those packages in /etc/portage/package.keywords. For example, may have to append in your package.keywords:

=app-crypt/certbot-apache-0.13.0 ~amd64

Obtaining and installing a Let’s Encrypt certificate for Plex

Once certbot is installed and provided your server’s hostname is home-plex.mydomain.com, obtain the respective Letsencrypt free certificate:

certbot certonly --standalone --config-dir /etc/letsencrypt --preferred-challenges tls-sni-01 -d home-plex.mydomain.com

If everything has worked out correctly, your certificate will be installed in /etc/letsencrypt/live/home-plex.mydomain.com/.

Converting a Let’s Encrypt cert for use with Plex Media Server (format PKCS #12)

Assuming you have OpenSSL already installed (if not emerge -Dtva dev-libs/openssl), you can create a PKCS #12 file containing the Let’s Encrypt certificate and private key to enable TLS support for home-plex.mydomain.com, using the following script (store in /etc/plex/plex-renew-cert.sh, we’ll need the script again later):

#!/bin/bash
#
# store this script in /etc/plex/plex-renew-cert.sh
#

PLEX_HOSTNAME=home-plex.mydomain.com
PLEX_CERT_ENCKEY=your-randomly-generated-password

pushd /etc/plex > /dev/null
openssl pkcs12 -export \
               -out /etc/plex/${PLEX_HOSTNAME}.pfx \
               -inkey /etc/letsencrypt/live/${PLEX_HOSTNAME}/privkey.pem \
               -in /etc/letsencrypt/live/${PLEX_HOSTNAME}/cert.pem \
               -certfile /etc/letsencrypt/live/${PLEX_HOSTNAME}/chain.pem \
               -name "${PLEX_HOSTNAME}" \
               -passout pass:${PLEX_CERT_ENCKEY}
popd

# Set the right ownership and permissions to the generated PKCS #12 container file:
chmod 600 /etc/plex/${PLEX_HOSTNAME}.pfx
chown plex:plex /etc/plex/${PLEX_HOSTNAME}.pfx


Make sure you replace home-plex.mydomain.com with your server’s hostname and your-randomly-generated-password with a good password. You can quickly generate one here, but any will work.

Set good permissions and execute it:

chmod 700 /etc/plex/plex-renew-cert.sh
/etc/plex/plex-renew-cert.sh

Check the cert container has been generated:

ls -l /etc/plex/home-plex.mydomain.com.pfx

You can even verify the key, using the PLEX_CERT_ENCKEY value when prompted, and if everything is correct you’ll see something like:

openssl pkcs12 -in /etc/plex/home-plex.mydomain.com.pfx -noout
Enter Import Password:
MAC verified OK

Using the Letsencrypt PKCS #12 cert with Plex Media Server

To use the generated certificate in Plex, first start the Plex server (/etc/init.d/plex-media-server start) and visit the plaintext web interface http://home-plex.mydomain.com:32400/web. Login with your Plex.tv account, go to "Settings > Network", fill in the following and “Save Changes”:

        Custom certificate location: /etc/plex/home-plex.mydomain.com.pfx
  Custom certificate encryption key: your-randomly-generated-password
          Custom certificate domain: home-plex.mydomain.com

Plex Media Server Letsencrypt Certificate Config

Restart the Plex Media Server and visit the web interface over encrypted HTTPS now, https://home-plex.mydomain.com:32400/web/. You should see in your web browser’s address bar the green lock indicating a secure connection to the Plex Media Server.

Your done! …. Well, almost done!

Renewing the Let’s Encrypt certificates

Let’s Encrypt certificates expire after a few months and the proper way to utilize them with any server/application is to schedule a frequent renewal check. On top of that, we want to ensure that once our certificate has been renewed, it is also converted to the PKCS #12 container format and the Plex Media Server is restarted to reload the new PKCS #12 certificate.

This is fairly easy, with certbot’s option --renew-hook (check what it does with certbot --help renew) and a cronjob like the following:

#Mins  Hours  Days   Months  Day of the week
# Attempt a renewal once a day at 5:30am and if successful run --renew-hook command(s)
30 5 * * * certbot certonly --standalone --quiet \
                                         --config-dir /etc/letsencrypt \
                                         --preferred-challenges tls-sni-01 \
                                         -d home-plex.mydomain.com \
                                         --renew-hook "/etc/plex/plex-renew-cert.sh && /etc/init.d/plex-media-server start"
3+