Add custom ssl certs, now available for everyone. How to?

So in the recent update 0.9.14.6 (23.des) we can now add our own custom ssl certs.

I’m not familiar with pkcs#12.
I however have been using Letsencrypt to get my free signed ssl certs for all my standalone and apache web servers. How can I use those certs in Plex?

Edit: Available cert files from Letsencrypt: cert.pem chain.pem fullchain.pem privkey.pem

I’m not familiar with pkcs#12.

PKCS#12 is an archive file format, in this case used to bundle your private key and certificates.

I however have been using Letsencrypt to get my free signed ssl certs for all my standalone and apache web servers. How can I use those certs in Plex?
Edit: Available cert files from Letsencrypt: cert.pem chain.pem fullchain.pem privkey.pem

You’ll have to create a .pfx file (the PKCS#12 archive) containing both the private key and certificates of your chain. This is done using OpenSSL commands in your terminal:

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out archive.pfx -name "Name for Archive"

You’ll be prompted for a password; this password has to be filled in in Plex’s ‘Custom certificate encryption key’ field. I’m not sure if you had to password-protect your private key upon Let’s Encrypt setup; you might be prompted for that as well.

After you’ve obtained the .pfx file, store it on your media server computer (e.g. C:\SSL\archive.pfx). Then, occupy the ‘Custom certificate path’ field with the path to the file (C:\SSL\archive.pfx).

Last but not least, fill in the domain the certificate has been created for (e.g. plex.example.com).

A quick tip: in the ‘Remote Access’ setting, manually specify port 443 and update your router to point 443 external to 32400 internal. Then, for ‘Custom server access URLs’, fill in: https://plex.example.com:443.

You can now visit your custom SSL secured Plex domain using https://plex.example.com. Plex will do the rest. Try testing the domain from outside the network the Plex server is hosted in; accessing the domain internally might not work.

3 Likes

I forgot to mention here:

Last but not least, fill in the domain the certificate has been created for (e.g. plex.example.com).
That was meant for the ‘Custom certificate domain’ field.

1 Like

Somehow forgetful tonight (is it possible to edit earlier posts?): restart your Plex Media Server program after setting up the certificate details. This is needed in order to get the certificate to work.

1 Like

I made this tutorial, but Plex doesn’t activate the certificate.
I open the logs and there it says: ERROR - CERT: Found a user-provided certificate, but couldn’t install it.
Any idea?

@Philipp1999 said:
I made this tutorial, but Plex doesn’t activate the certificate.
I open the logs and there it says: ERROR - CERT: Found a user-provided certificate, but couldn’t install it.
Any idea?

I had the same issue after my certificate expired and I was installing a new one. It was a permissions issue for me. Make sure to double check that Plex can access the file.
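An added example, not part of the original posts: a POSIX shell pre-flight check for the .pfx built with the `openssl pkcs12 -export` command earlier in the thread, covering an unreadable file, a wrong password, a key that does not match the certificate, expiry, and a name the certificate does not cover. The function names `make_demo` and `check_pfx`, the password, and the throwaway self-signed certificate standing in for Let's Encrypt's files are assumptions made for the example.

```shell
#!/bin/sh
# Added example: pre-flight checks on a PKCS#12 bundle before Plex loads it.

# make_demo DIR PASSWORD: constructed sample input. A throwaway self-signed
# certificate (CN only) stands in for Let's Encrypt's fullchain.pem/privkey.pem.
make_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=plex.example.com" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null &&
    openssl pkcs12 -export -in "$1/fullchain.pem" -inkey "$1/privkey.pem" \
        -out "$1/archive.pfx" -name "Plex" -passout "pass:$2"
}

# check_pfx FILE PASSWORD DOMAIN: prints "ok" or the first failed check.
check_pfx() {
    pfx=$1; pass=$2; domain=$3
    # Only tests the calling user, so run this as the account Plex runs under.
    [ -r "$pfx" ] || { echo "unreadable"; return 1; }
    # A wrong password or a damaged archive fails at extraction.
    cert=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -clcerts \
        2>/dev/null) || { echo "cannot-open"; return 1; }
    key=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
        2>/dev/null) || { echo "cannot-open"; return 1; }
    # The leaf certificate must carry the public half of the bundled key.
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "key-mismatch"; return 1; }
    # -checkend 0 exits non-zero once notAfter has passed.
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "expired"; return 1; }
    # -checkhost reports whether the certificate covers the given name.
    printf '%s\n' "$cert" | openssl x509 -noout -checkhost "$domain" \
        2>/dev/null | grep -q "does match" ||
        { echo "name-mismatch"; return 1; }
    echo "ok"
}

# Demo on the constructed bundle: prints "ok".
demo=$(mktemp -d) && make_demo "$demo" 'demo-pass' &&
    check_pfx "$demo/archive.pfx" 'demo-pass' plex.example.com
rm -rf "$demo"
```

`pass:` puts the password on the command line, where other local users can see it in the process list; `-passin file:PATH` or `-passin env:VAR` avoids that.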

@henkierani said:

You’ll have to create a .pfx file (the PKCS#12 archive) containing both the private key and certificates of your chain. This is done using OpenSSL commands in your terminal:

Thanks, works!

I am running PMS on a Win 10 Pro machine and have an external CentOS machine that runs as a webserver.

What I am trying to do is link a subdomain on my webserver to my PMS system and secure it with my wildcard that I purchased from AlphaSSL.

Is it even possible? Do I have to setup a reverse proxy on my webserver?
I’ve been stuck with this for several days now, but can’t seem to get this working.

I’ve been trying to create a PKCS #12 file from my .crt and .key file on my webserver, but it doesn’t seem to load it correctly.

Any help is greatly appreciated.

I’ve gotten this to work with Let’s Encrypt free SSL certs. I used this to convert the SSL cert to PKCS #12:

openssl pkcs12 -export -out /home/night/plex/test/yourdomain.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:

Quick question, I’ve followed your detailed instructions and it works using my DNS name, but if I use the local internal IP address using SSL it errors out and uses the default Plex certificate.

Only details in the log are below:

Sep 11, 2016 14:14:47.927 [0xf3e7e740] DEBUG - CERT: Loaded a user-provided certificate.
Sep 11, 2016 14:14:47.927 [0xf3e7e740] DEBUG - CERT: no OCSP URL available
Sep 11, 2016 14:14:47.927 [0xf3e7e740] WARN - CERT: getCertInfo failed; skipping OCSP stapling

@theroninhunter said:
Quick question, I’ve followed your detailed instructions and it works using my DNS name, but if I use the local internal IP address using SSL it errors out and uses the default Plex certificate.

Only details in the log are below:

Sep 11, 2016 14:14:47.927 [0xf3e7e740] DEBUG - CERT: Loaded a user-provided certificate.
Sep 11, 2016 14:14:47.927 [0xf3e7e740] DEBUG - CERT: no OCSP URL available
Sep 11, 2016 14:14:47.927 [0xf3e7e740] WARN - CERT: getCertInfo failed; skipping OCSP stapling

I just tested and the same happens here. Why would you enter the IP address instead of DNS? If you want “internal” access, add a local hosts file entry for your domain with the internal IP, thus enabling you to use the site internally with your domain.

https://support.rackspace.com/how-to/modify-your-hosts-file/

This is expected behaviour, because the SSL certificate covers the (sub)domain and not the internal IP. It wouldn’t make any sense since the traffic is routed locally anyway, no need to encrypt.

The logs you provide are not related to this.

1 Like

@henkierani said:
This is expected behaviour, because the SSL certificate covers the (sub)domain and not the internal IP. It wouldn’t make any sense since the traffic is routed locally anyway, no need to encrypt.

The logs you provide are not related to this.

True, expected behavior; however, that Plex falls back to another SSL certificate is a potential security bug. The SSL cipher suite order is still good enough, so not a huge issue, but still a bug.

So I’ve done everything henkierani suggested, which was very helpful by the way, but I’m still seeing the old self-signed certificate. I’ve rebooted several times and double-checked my settings. Any thoughts?

Could you provide the “Plex Media Server.log” after a fresh reboot?

How do I generate the CSR for Plex? I’m using Namecheap for the domain but it needs a CSR. Presumably I can do this with OpenSSL?

I have no idea how to use Let’s Encrypt

Would prefer to use a longer lasting one from Namecheap (RapidSSL)

To secure Plex, I use Nginx and Let’s Encrypt on my server (Debian 8). I create one vhost in Nginx as a proxy. I am setting up a domain name that I redirect to 127.0.0.1:32400. Sorry for my English, I’m French.

Where can I find the QNAP (cloud) SSL file?