QNAP QTS 4.3 - Use built-in Let's Encrypt Certificate Process with Plex Media Server

Greetings,

This post assumes that you have created a LE certificate through the QNAP NAS interface. We will set up a process to also use that cert with PMS and update itself based on a frequency decided by you using crontab.

  • SSH to NAS
  • Create .custom_scripts directory - mkdir /share/CACHEDEV1_DATA/.custom_scripts
  • Create a script for the cron process - see example
  • Make script executable - chmod +x /share/CACHEDEV1_DATA/.custom_scripts/script.sh
  • Create cron entry - This may be helpful - http://crontab-generator.org
  • Edit crontab - vi /etc/config/crontab
  • crontab /etc/config/crontab && /etc/init.d/crond.sh restart
  • Set up the cert in the web interface for PMS.

Example Script:

#!/bin/sh

## Script for converting QNAP Let's Encrypt certificate to PKCS12 format needed by Plex Media Server
## This is designed to work with QTS 4.3.3+
## The script assumes that the Let's Encrypt certificate is set up and operating on the NAS

## Directory holding the cert, key and chain files written by the QNAP utility
BASEPATH=/mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert
## Passphrase protecting the PKCS12 file
CERT_PASS=SuperSecretStuff
HOST_NAME=pms-server

## Stop PMS, rebuild cert.p12 from the current certificate, then start PMS again
/etc/init.d/plex.sh stop
/usr/bin/openssl pkcs12 -export -in "${BASEPATH}/cert" -inkey "${BASEPATH}/key" -out "${BASEPATH}/cert.p12" -name "${HOST_NAME}" -CAfile "${BASEPATH}/chain" -caname root -password "pass:${CERT_PASS}"
/etc/init.d/plex.sh start
2 Likes
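
A variant of the conversion step, as an added example that is not part of the original post: it reads the passphrase from a file so it does not appear in the process list, converts only when the certificate has changed, and restarts Plex only after the new PKCS12 file verifies. The PASSFILE path and the cert.p12.src marker file are assumptions; BASEPATH and plex.sh are taken from the script above.

```shell
#!/bin/sh
# Added example, not the original poster's script. PASSFILE and the
# cert.p12.src marker are assumed names; BASEPATH and plex.sh are from the post.
BASEPATH=${BASEPATH:-/mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert}
PASSFILE=${PASSFILE:-/share/CACHEDEV1_DATA/.custom_scripts/p12.pass}  # mode 600
HOST_NAME=${HOST_NAME:-pms-server}

# cert_changed CERT STAMP: succeeds when CERT differs from the copy saved at
# the last successful conversion, or when no copy exists yet.
cert_changed() {
    [ -f "$2" ] || return 0
    ! cmp -s "$1" "$2"
}

# build_p12 DIR OUT NAME PASSFILE: export into a private temp file, check that
# it opens with the passphrase, then rename it into place.
build_p12() {
    tmp="$2.tmp.$$"
    ( umask 077   # key material: owner-only from the moment it is created
      openssl pkcs12 -export -in "$1/cert" -inkey "$1/key" -out "$tmp" \
          -name "$3" -CAfile "$1/chain" -caname root -passout "file:$4" &&
      openssl pkcs12 -in "$tmp" -noout -passin "file:$4"
    ) || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$2"
}

# refresh_plex_cert: convert and bounce Plex only when the certificate changed.
refresh_plex_cert() {
    stamp="$BASEPATH/cert.p12.src"
    cert_changed "$BASEPATH/cert" "$stamp" || return 0   # not renewed, no restart
    build_p12 "$BASEPATH" "$BASEPATH/cert.p12" "$HOST_NAME" "$PASSFILE" || return 1
    cp "$BASEPATH/cert" "$stamp"
    /etc/init.d/plex.sh stop
    /etc/init.d/plex.sh start
}

# Run from cron as: script.sh --run  (sourcing the file only defines functions)
if [ "${1:-}" = "--run" ]; then
    refresh_plex_cert
fi
```

Because a failed export returns before Plex is touched, a broken renewal leaves the running server and the previous cert.p12 in place.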

Updated FAQ with this info

Thanks

Please note, there was a change in location of the SSL certs created by the QNAP utility. The bash script example has been updated to reflect.

Thanks for posting this. One question though, your screenshots from the Plex config reflect different paths than the one you posted in the script. Does it matter which one to use? It seems redundant.

Edit: If you’d be using
BASEPATH=$(getcfg "QcloudSSLCertificate" Install_Path -f /etc/config/qpkg.conf)/cert
it would dynamically adjust to the install location of the QcloudSSLCertificate qpkg

Thanks for the comments. Your command produces a path which isn’t consistent on my NAS with the cert’s actual location. I am on QTS 4.3.3 and 2.0.21 for QTS SSL Certificate. This runs on a 453-Pro.

I did update the graphic to reflect the new path.

Thank you for this. I also noticed in your example certificate domain that you used a unique top-level domain for plex on your qnap server. I am interested to learn how you managed to do that on the qnap web server interface?

  • Acquire a domain
  • Create a DNS entry to your QNAP IP - I use Cloudflare for DNS
    • I used an AAAA (IPv6) entry
  • Set the host and domain name in the QNAP
  • Run the Let’s Encrypt against the Fully Qualified Domain Name (FQDN)

If we use Plex only via the Plex app or through Plex.TV and have Plex set up to only use secured connections, is setting up cert/key in PMS pointless? This is only for ones that access their Plex directly via their custom domain?

This would be for those who want to allow direct access to their PMS via SSL with a custom domain and no cert warnings.

1 Like

I’m finally getting around to setting this up, but am having issues.

What does this line mean?

I edited my crontab manually with a file editor, then got stuck at this line, but skipped over it and created a new cert, but so far I cannot get it to work.

Do I need to have port in the script and/or “Custom certificate domain” setting?

That line tells cron to use the named configuration file (load it) and (required) start crond.

Thanks. I actually just figured out the issue on my own as to why it wouldn’t run. Unrelated to getting cert going in the first place though.

If I’m using a QNAP DDNS domain, how exactly should it be in both the script and my Plex settings?

mydomain.myqnapcloud.com:32400? https:// at front? Port?

You have to add your cert to PMS so it knows to be aware of it.
Without doing so, PMS will assume it’s a MITM redirect/hijack of the SSL/TLS and not allow it.

Then how do you add it? I thought this guide is what accomplished that. I didn’t see anywhere else in PMS settings to add a cert.

Settings – Server – Network – Add the Certificate info there.

You must be careful in that your certificate does not take priority over Plex’s.
If this happens, Plex (PMS) will not be able to communicate with Plex.tv.

That was a part of this guide. I already did that.

How do I go about being careful that it doesn’t take over priority? I don’t see that option anywhere.

Is the example image broken for anyone else or is it just me?

Sadly broken for me as well :frowning:

@bcjenkins Can you fix it?

New image uploaded. I put this one on GitHub, so it should stick around.

2 Likes