{"id":1922,"date":"2017-05-13T18:18:10","date_gmt":"2017-05-13T16:18:10","guid":{"rendered":"https:\/\/www.npcglib.org\/~stathis\/blog\/?p=1922"},"modified":"2020-11-20T00:49:33","modified_gmt":"2020-11-19T22:49:33","slug":"plex-media-server-over-https-with-letsencrypt-certificates","status":"publish","type":"post","link":"https:\/\/www.npcglib.org\/~stathis\/blog\/2017\/05\/13\/plex-media-server-over-https-with-letsencrypt-certificates\/","title":{"rendered":"Plex Media Server over HTTPS with Letsencrypt Certificates"},"content":{"rendered":"

This is a guide useful for anyone using Plex Media Server on Gentoo and seeking to encrypt\/secure their connections with TLS for the Plex Web UI. The instructions can be easily adapted to other distros and should work with minor modifications. I have written these notes using media-tv\/plex-media-server-1.5.5<\/code> and app-crypt\/certbot-apache-0.13.0<\/code>.
\nYou’ll need root in order to perform most of these steps. <\/p>\n

Installing Plex Media Server and Letsencrypt client<\/h3>\n

Installing Plex Media Server on Gentoo is straight forward:<\/p>\n

\r\nemerge -Dtva media-tv\/plex-media-server\r\n<\/pre>\n
The post-installation instructions of the package will tell you:<\/p>\n
\r\nPlex Media Server is now installed. Please check the configuration file in \/etc\/plex\/plexmediaserver to verify the default settings.\r\nTo start the Plex Server, run 'rc-config start plex-media-server', you will then be able to access your library at http:\/\/:32400\/web\/\r\n<\/pre>\n
This may be good enough if you’re just having a home server to watch from the LAN, but if you will be accessing your Plex Media Server from a non-secure network (i.e. over the Internet or via your mobile data provider, etc.), clearly this is not the most secure setup. The instructions tell you to use a plaintext http connection (http:\/\/<\/span><ip>:32400\/web\/<\/code>), but with just like any other plaintext connection, your Plex username and password can be sniffed trivially.<\/p>\n
To make the connection secure you can obtain and install a free TLS certificate from Let’s Encrypt<\/a>. If you already know how to obtain and install a Letsencrypt certificate, skip these instructions. On Gentoo you can use the certbot command-line tool, so go ahead and install its package:<\/p>\n
\r\nemerge -Dtva app-crypt\/certbot\r\n<\/pre>\n
You may end up with emerge complaining that a series of required dependencies cannot be installed. Make sure you keyword all those packages in \/etc\/portage\/package.keywords<\/code>. For example, may have to append in your package.keywords<\/code>:<\/p>\n
\r\n=app-crypt\/certbot-apache-0.13.0 ~amd64\r\n<\/pre>\n
Obtaining and installing a Let’s Encrypt certificate for Plex<\/h3>\n
Once certbot is installed and provided your server’s hostname is home-plex.mydomain.com<\/code>, obtain the respective Letsencrypt free certificate:<\/p>\n
\r\ncertbot certonly --standalone --config-dir \/etc\/letsencrypt --preferred-challenges tls-sni-01 -d home-plex.mydomain.com\r\n<\/pre>\n
If everything has worked out correctly, your certificate will be installed in \/etc\/letsencrypt\/live\/home-plex.mydomain.com\/<\/code>.<\/p>\n
Converting a Let’s Encrypt cert for use with Plex Media Server (format PKCS #12)<\/h3>\n
Assuming you have OpenSSL already installed (if not emerge -Dtva dev-libs\/openssl<\/code>), you can create a PKCS #12 file containing the Let’s Encrypt certificate and private key to enable TLS support for home-plex.mydomain.com, using the following script (store in \/etc\/plex\/plex-renew-cert.sh, we’ll need the script again later):<\/p>\n
\r\n#!\/bin\/bash\r\n#\r\n# store this script in \/etc\/plex\/plex-renew-cert.sh\r\n#\r\n\r\nPLEX_HOSTNAME=home-plex.mydomain.com<\/span>\r\nPLEX_CERT_ENCKEY=your-randomly-generated-password<\/span>\r\n\r\npushd \/etc\/plex > \/dev\/null\r\nopenssl pkcs12 -export \\\r\n               -out \/etc\/plex\/${PLEX_HOSTNAME}.pfx \\\r\n               -inkey \/etc\/letsencrypt\/live\/${PLEX_HOSTNAME}\/privkey.pem \\\r\n               -in \/etc\/letsencrypt\/live\/${PLEX_HOSTNAME}\/cert.pem \\\r\n               -certfile \/etc\/letsencrypt\/live\/${PLEX_HOSTNAME}\/chain.pem \\\r\n               -name \"${PLEX_HOSTNAME}\" \\\r\n               -passout pass:${PLEX_CERT_ENCKEY}\r\npopd\r\n\r\n# Set the right ownership and permissions to the generated PKCS #12 container file:\r\nchmod 600 \/etc\/plex\/${PLEX_HOSTNAME}.pfx\r\nchown plex:plex \/etc\/plex\/${PLEX_HOSTNAME}.pfx\r\n\r\n\r\n<\/pre>\n
Make sure you replace home-plex.mydomain.com<\/span> with your server’s hostname and your-randomly-generated-password<\/span><\/code> with a good password. You can quickly generate one here<\/a>, but any will work. <\/p>\n
Set good permissions and execute it:<\/p>\n
\r\nchmod 700 \/etc\/plex\/plex-renew-cert.sh\r\n\/etc\/plex\/plex-renew-cert.sh\r\n<\/pre>\n
Check the cert container has been generated:<\/p>\n
\r\nls -l \/etc\/plex\/home-plex.mydomain.com.pfx\r\n<\/pre>\n
You can even verify the key, using the PLEX_CERT_ENCKEY value when prompted, and if everything is correct you’ll see something like:<\/p>\n
\r\nopenssl pkcs12 -in \/etc\/plex\/home-plex.mydomain.com.pfx -noout\r\nEnter Import Password:\r\nMAC verified OK<\/span>\r\n<\/pre>\n
Using the Letsencrypt PKCS #12 cert with Plex Media Server<\/h3>\n
To use the generated certificate in Plex, first start the Plex server (\/etc\/init.d\/plex-media-server start<\/code>) and visit the plaintext web interface http:\/\/home-plex.mydomain.com:32400\/web<\/code>. Login with your Plex.tv account, go to \"Settings > Network\"<\/code>, fill in the following and “Save Changes”:<\/p>\n
\r\n        Custom certificate location: \/etc\/plex\/home-plex.mydomain.com.pfx\r\n  Custom certificate encryption key: your-randomly-generated-password<\/span>\r\n          Custom certificate domain: home-plex.mydomain.com\r\n<\/pre>\n
\"\"
Plex Media Server Letsencrypt Certificate Config<\/p><\/div>\n
Restart the Plex Media Server and visit the web interface over encrypted HTTPS now, https:\/\/<\/span>home-plex.mydomain.com:32400\/web\/<\/code>. You should see in your web browser’s address bar the green lock indicating a secure connection to the Plex Media Server.<\/p>\n
Your done! …. Well, almost done!<\/p>\n
Renewing the Let’s Encrypt certificates<\/h3>\n
Let’s Encrypt certificates expire after a few months and the proper way to utilize them with any server\/application is to schedule a frequent renewal check. On top of that, we want to ensure that once our certificate has been renewed, it is also converted to the PKCS #12 container format and the Plex Media Server is restarted to reload the new PKCS #12 certificate.<\/p>\n
This is fairly easy, with certbot’s option --renew-hook<\/code> (check what it does with certbot --help renew<\/code>) and a cronjob like the following:<\/p>\n
\r\n#Mins  Hours  Days   Months  Day of the week\r\n# Attempt a renewal once a day at 5:30am and if successful run --renew-hook command(s)\r\n30 5 * * * certbot certonly --standalone --quiet \\\r\n                                         --config-dir \/etc\/letsencrypt \\\r\n                                         --preferred-challenges tls-sni-01 \\\r\n                                         -d home-plex.mydomain.com \\\r\n                                         --renew-hook \"\/etc\/plex\/plex-renew-cert.sh && \/etc\/init.d\/plex-media-server start\"\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
This is a guide useful for anyone using Plex Media Server on Gentoo and seeking to encrypt\/secure their connections with TLS for the Plex Web UI. The instructions can be easily adapted to other distros and should work with minor modifications. I have written these notes using media-tv\/plex-media-server-1.5.5 and app-crypt\/certbot-apache-0.13.0. You’ll need root in order […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[48,5],"tags":[85,6,84,83,69,82],"yoast_head":"\n\n\n\n\t\n\t\n\t\n