Edit 18.01.2019: As of February 13th 2019, Let’s Encrypt will stop supporting TLS-SNI-01 domain validation for renewing certificates.
To make sure everything keeps working, have certbot version 0.28 or higher installed.
You can also run
grep -Ri pref_challs /etc/letsencrypt/renewal
to check if you need to change the renewal method for any of your domains.
So, since it’s been over a year since my last post, I thought I would post a tutorial for a problem I had to research today.
The issue was setting up Plex Media Server running on a CentOS 6 machine to use free certificates from Let’s Encrypt, and I had to gather information from several different sources. By the end of this tutorial, the setup should not need any manual intervention unless errors occur.
- Log onto the server’s command line as root or as a sudo-approved user.
- Download certbot-auto, if you haven’t already, by typing «
wget https://dl.eff.org/certbot-auto
» in a directory of your choosing. (Edit 1 – Please note: you might have to set execute permissions on the downloaded file using «chmod a+x certbot-auto».)
- Note: You should be able to use yum to install certbot, but you might have to activate the epel-release repo first:
yum install epel-release -y
yum install certbot -y
- Make sure you have either a static FQDN or a dynamic FQDN pointed at your public IP address (you need to port-forward HTTP and HTTPS, in addition to 32400, to your local server address in your router. Port forwarding is not covered in this tutorial, so check http://www.portforward.com or google your router’s make and model to find out how) to be able to retrieve certificates.
- Type
./certbot-auto certonly --standalone -d <your FQDN here>
and press enter. Answer the prompts on screen, if any.
- Next, you need to combine all certificate files from a successful certificate request by typing «
openssl pkcs12 -export -out /path/to/where/your/ssl/certificate.pfx -inkey /etc/letsencrypt/live/yourdomain.name/privkey.pem -in /etc/letsencrypt/live/yourdomain.name/cert.pem -certfile /etc/letsencrypt/live/yourdomain.name/chain.pem -password pass:PASSWORD
» and press enter. If no errors occurred, the prompt should just move down one line. If you leave out the -password parameter, you will be prompted for a password, which must then be entered in «Custom Certificate Encryption Key» (please note: as far as I’ve been able to find out, this is stored in plain text, so use a password you don’t mind having stored in plain text), see next step.
- Note: Entering a password is optional. Do as you please.
- In the Plex Web Interface, go to Settings -> Network -> Show Advanced. Enter «
/path/to/where/your/ssl/certificate.pfx
» in the field named «Custom Certificate Location», and in the field directly below it, enter the password you specified in the previous step. If you didn’t specify a password, leave the field blank. Also, enter your FQDN in the «Custom Certificate Domain» field before scrolling to the end of the page, and save your changes.
- After reloading the Plex Web Interface (or entering https://yourdomain.name:32400/web/ in the address bar), you should see that the page is now properly served over HTTPS.
- You can choose to end the tutorial here, or you can continue on to the automation steps below.
- To automate it, first make sure the certificate renewal process works as intended. Do this by typing «
./certbot-auto renew --dry-run
» in the folder where you downloaded certbot-auto to previously. If you get any errors, resolve them before continuing.
- Execute the command «
crontab -e
».
- Add the following lines to run the renewal process, and the packaging of the certificate files, once a day (press Insert to be able to add text, if you’re unfamiliar with VIM):
## Let's Encrypt renewal, 1 minute past midnight every day
1 0 * * * /path/to/certbot-auto renew > /dev/null 2>&1
## Repackage the SSL certificate files into a pfx; runs later so Let's Encrypt has finished.
30 0 * * * openssl pkcs12 -export -out /path/to/where/your/ssl/certificate.pfx -inkey /etc/letsencrypt/live/yourdomain.name/privkey.pem -in /etc/letsencrypt/live/yourdomain.name/cert.pem -certfile /etc/letsencrypt/live/yourdomain.name/chain.pem -password pass:PASSWORD
- It should go without saying, but if you entered a password in step 5, you have to type it in on the line above. Also note that the openssl command above must be on a single line.
- Press Esc a couple of times, then :wq and press enter.
- Everything should now work smoothly and update itself automatically, without you having to do anything other than enjoy your media served over HTTPS.
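As an added example that is not part of the original post: a certbot deploy-hook script that replaces the second crontab line. certbot runs a deploy hook only when a certificate was actually renewed (it exports RENEWED_LINEAGE, the live directory, for the hook), so there is no fixed 30-minute wait, and the pfx password is read from a root-only file with -passout file: instead of sitting in the crontab and in the process list as -password pass:PASSWORD does. The pfx path and the password-file path are assumptions to adapt; PFX_OUT and PASS_FILE are hypothetical names.

```shell
#!/bin/sh
# Hypothetical certbot deploy hook (example code, not from the original post):
# rebuild the PKCS#12 file Plex reads, but only after a real renewal.
# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/yourdomain.name)
# when it runs a deploy hook. All paths below are assumptions to adapt.
set -eu

PFX_OUT="${PFX_OUT:-/path/to/where/your/ssl/certificate.pfx}"
# Root-owned, mode 0600 file holding the pfx password. Reading it with
# -passout file: keeps the password out of the crontab and out of the
# process list, where a -password pass:... argument is visible to local users.
PASS_FILE="${PASS_FILE:-/etc/letsencrypt/plex-pfx.pass}"

# Returns 0 (true) when the pfx is missing or older than cert.pem,
# 1 when cert.pem does not exist or the pfx is already up to date.
pfx_is_stale() {
    cert="$1"; pfx="$2"
    [ -f "$cert" ] || return 1
    [ -f "$pfx" ] || return 0
    [ "$cert" -nt "$pfx" ]
}

# Returns 0 only if the password file exists and is readable by its owner alone.
pass_file_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")  # GNU, then BSD stat
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Same openssl export as the tutorial, written to a temp file first so a failed
# export never leaves Plex with a truncated certificate.pfx. The pfx holds the
# private key; tighten its mode to what your Plex service user needs.
build_pfx() {
    live="$1"; out="$2"; passfile="$3"
    openssl pkcs12 -export \
        -inkey "$live/privkey.pem" -in "$live/cert.pem" -certfile "$live/chain.pem" \
        -out "$out.tmp" -passout "file:$passfile"
    mv -f "$out.tmp" "$out"
}

main() {
    pass_file_is_private "$PASS_FILE" || { echo "refusing: $PASS_FILE must be mode 0600" >&2; return 1; }
    if pfx_is_stale "$RENEWED_LINEAGE/cert.pem" "$PFX_OUT"; then
        build_pfx "$RENEWED_LINEAGE" "$PFX_OUT" "$PASS_FILE"
    fi
}

# Only act when certbot invoked us as a deploy hook (RENEWED_LINEAGE is set).
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```

Wire it in by changing the first crontab line to «/path/to/certbot-auto renew --deploy-hook /path/to/plex-pfx-hook.sh > /dev/null 2>&1» and deleting the 30-minute openssl line; the certbot version required by the edit at the top supports --deploy-hook.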
NOTE: I take no responsibility for any damage, unintended data loss, spelling errors or the like. I just configured my Plex Media Server and my crontab as stated above, and it worked for me. If it doesn’t work for you, I’m sorry.
Edit 03.06.18: Added «> /dev/null 2>&1» to the crontab line for automatic renewals of the certificate. This is done to redirect any output (stdout & stderr) to /dev/null.
Edit 02.11.18: Fixed some spelling errors, and the formatting of the text to make sure it’s more easily readable on the commands.
manyma2
Hello,
I would like to thank you for sharing your knowledge with this post; today it helped me a lot and it worked properly.
But if you can, correct some information that gave errors in my installation here, as follows:
After downloading with the command below, give permission to the file in order to execute the file.
«wget https://dl.eff.org/certbot-auto»
Permission: chmod a+x certbot-auto
This command is wrong with «standalone»
./certbot-auto certonly –standalone -d >your FQDN hereyour FQDN here<
In item 5, after openssl, there is "pksc12"
Correct would be "pkcs12"
In item 8 this is incorrect: «./certbot-auto renew -dry-run»
Correct would be "./certbot-auto renew -dry-run"
The "-" sign before the dry was wrong
Here works perfectly PLEX with CentOS 7.5
Once again, thank you for your time and dedication; before finding this post, my search went a long way until I found a simple and functional step by step.
Thank you
PS. Sorry, I'm from Brazil and I'm using Google translator.
martinbn
Thank you for the comments. I’ve updated the post with some formatting changes, and fixed the spelling error on «pkcs12».
I’m glad that you found this guide useful.
manyma2
This command is wrong with «standalone»
./certbot-auto certonly –standalone -d >your FQDN hereyour FQDN here<
The "-" sign before the standalone was wrong