I can't access Plex over WAN. I have my Synology set to force HTTPS, I have my valid certificate and I have it set up on my Synology. Everything works except Plex. I notice that in the settings Server>>Networks it lets me add the path for the certificate, but I can't seem to do it right. Can someone help me with this? Can someone teach me how to properly do it? I use Plex for all my media, so security is important when Plex is on my custom Synology where all my personal files are (what can I say, I'm a security freak). Thanks in advance.
Plex’s certificates are pinned to Plex. In order for your certificates to work, they must also be pinned to a valid external public domain name. This was done to prevent tampering and m-i-t-m
@ChuckPa said:
Plex’s certificates are pinned to Plex. In order for your certificates to work, they must also be pinned to a valid external public domain name. This was done to prevent tampering and m-i-t-m
Are https://www.startssl.com/ certificates valid SSL certificates for what I'm trying to do?
How do I pin my certificate on Plex? Sorry for my lack of knowledge, I'm new to SSL certificates and don't have much experience working with them.
Pinned means “Owned and Fully registered” and set for the specific IP addresses Plex controls.
You cannot add your certificates to Plex. It would be like telling Plex to ‘accept my custom certificate, which I just made by the way, as absolute truth’.
If someone asked you to accept their certificate blindly, would you?
Teaching you about SSL certificates is a huge undertaking and not something which can be done here.
I can only tell you what is happening, why, and what you must do to use custom certs with Plex. The rest is up to you I’m afraid.
@ChuckPa said:
Pinned means “Owned and Fully registered” and set for the specific IP addresses Plex controls. You cannot add your certificates to Plex. It would be like telling Plex to ‘accept my custom certificate, which I just made by the way, as absolute truth’.
If someone asked you to accept their certificate blindly, would you?
Teaching you about SSL certificates is a huge undertaking and not something which can be done here.
I can only tell you what is happening, why, and what you must do to use custom certs with Plex. The rest is up to you I’m afraid.
I understand. Can you tell me what I can do to use my custom cert? Or is there a better way? What do you recommend?
If you want absolute security for the device, encrypt it; just beware that Synology Hyperbackup CANNOT restore encrypted at this time.
As far as the communications itself is concerned,
- Don’t grant access to the DSM desktop (5000, 5001) ports.
- Only open 32400 for Plex.
- Have your router force block, or otherwise redirect into dead space (non-existent lan addresses), those port numbers you want secured like ssh, telnet, ftp, http, etc.
- After you have verified all your Plex communication on local LAN and on WAN are working correctly, set “Fallback to insecure” to “Never”.
You will then be using Plex’s certificate entirely for all your Plex access. Your certificate is not needed. This is why the changes were implemented in Plex/Web 2.6.0 (long standing request).
@ChuckPa - Everything you’ve said is appreciated and, strictly speaking, correct. I think it misses the point, however, and doesn’t answer the OP’s question.
If obtaining a cert from StartSSL or another provider, let’s assume the cert will be valid for a public domain name. Plex apps may pin the plex.tv domain certs within their apps, but that has no bearing on the validity of a cert for another domain. If you don’t plan to use plex.tv to access your server over the Internet, but instead want to access the web UI running on your NAS directly (via https://domain.name:32400/web), then you need a valid cert for the domain name where you access your DSM.
DSM allows us to create a valid SSL cert for a publicly-accessible domain name registered in DNS. The DSM handles this automatically via a number of dynamic DNS providers and Let’s Encrypt, but you can provide any valid domain name in public DNS combined with any valid cert — obtained from any 3rd-party cert provider — for that domain name.
So, let’s assume I have a valid SSL cert for a publicly-accessible domain name, which I use to access my DSM over the Internet.
In Plex running on my Synology NAS, I can go to Settings > Server > Network (Show Advanced) and configure:
- Custom certificate location
- Custom certificate encryption key
- Custom certificate domain
Does anyone know the path to the Let’s Encrypt cert on the Synology NAS?
Will that cert file work (is it in PKCS #12 format with a public cert + private key)?
Since the private key would be provided in the cert file, what is expected in the Custom certificate encryption key textbox? Is this a password to decrypt the file itself?
To my knowledge, some of Synology’s keys are in the DSM database itself. Others are in /etc/ssl/certs. Examining the directory will show it starts at the root of the trust chain and works down.
You can export them from DSM: Control Panel => Security => Certificates => Export
Yeah but even with the exported certificates it does not seem to work.
I have created a certificate with StartSSL for my DDNS domain and saved the “personal.p12” as well as the “certificate.key” on the NAS in a folder on volume1/…
When providing Plex network settings with these file paths, it still says “unsecured” when opening the site via my own domain name https://MyDomainName:PlexPort
In the textbox “certificate encryption key” I tried the path for the .key file as well as copying the whole content of the .key file in there, and restarted the Plex service every time - still not working.
Any ideas? Or is plex simply not designed to work that way when calling the page via the own DDNS Name?
Regards
Did anyone manage to get this working?
I have the same issue…
Same here, I’d like to use my own certs on Synology (before letsencrypt with dsm 6 I tried startssl, too).
None of the experiments succeeded.
Help would be really appreciated!
The problem is because Plex’s certs are keyed to Plex’s servers and establish https with Plex’s clients and Plex/Web in your browser (no big deal so far). When you try to interject your cert from https://domain.name:32400/web now you have conflicting certificates. Which takes priority?
Putting your own cert on Synology for other non-Plex activities is ok. It’s this one point where things get hung up. PMS is already linked to Plex.tv and the certs are active. There’s no way to ‘bump it out of the way’ at the last second for your cert. (you can’t put your cert inside PMS at this time, possibly never due to how SSL certs work).
I will caveat this by saying I’m not 1000% certain on SSL and browser interaction but this is the understanding I came away with.
Hammerkino:
Hey, same situation.
Question: how did you generate the p12 from StartSSL?
And, are you sure that the Plex account can access your certs folder?
Plex is not clear about personal domain usage…
I have the same issue, anyone got it working with Let’s Encrypt?
I’ve found a discussion here:
But still no success with the path to the file I guess…
Working good with Let’s Encrypt! Here’s what I did, http://imgur.com/a/9UKLh
@sickhouse said:
Working good with Let’s Encrypt! Here’s what I did, Plex/Synology - Custom domain with HTTPS - Album on Imgur
Worked perfectly. Thank you for the excellent explanation.
Hi all,
For anyone interested, I just made a script that creates and automatically renews a P12 file with the Let’s Encrypt default certificate on the Synology NAS.
It checks every day if the certificate is expired, recreates a new P12 file and restarts Plex Server to take effect.
You only have to modify a few variables in the script, add it to DSM Task manager and it’s good
http://wikisend.com/download/734736/PlexP12Renew.sh
This is a “beta” version; I would recommend you test it first.
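A sketch of the renewal step described in the post above, added here as an example and not the linked PlexP12Renew.sh or anything written by its author. It assumes the certificate directory holds `cert.pem`, `privkey.pem` and optionally `chain.pem` (Let's Encrypt-style names), that the bundle password is supplied in the `P12_PASS` environment variable so it stays out of the process list, and that restarting Plex and granting its service account read access to the bundle are left to the caller.

```shell
#!/bin/sh
# Added example: keep a PKCS#12 bundle in sync with a PEM certificate that
# another tool renews. Directory layout, file names and the P12_PASS variable
# are assumptions of this example.

# SHA-256 fingerprint of the PEM certificate on stdin (empty if unreadable).
cert_fp() { openssl x509 -noout -fingerprint -sha256 2>/dev/null || true; }

# renew_p12 CERT_DIR P12_OUT
# Prints "current", "rebuilt" or an error word; returns non-zero on error.
renew_p12() {
    dir=$1; out=$2
    cert=$dir/cert.pem; key=$dir/privkey.pem; chain=$dir/chain.pem
    [ -n "${P12_PASS:-}" ] || { echo "no-password"; return 1; }

    # Refuse to bundle a private key that does not belong to the certificate.
    pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    [ -n "$pub" ] &&
        [ "$pub" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        { echo "key-mismatch"; return 1; }

    # Rebuild only when the bundled certificate differs from the live one.
    new=$(cert_fp < "$cert")
    old=$(openssl pkcs12 -in "$out" -passin env:P12_PASS -nokeys -clcerts \
          2>/dev/null | cert_fp)
    if [ -n "$new" ] && [ "$new" = "$old" ]; then echo "current"; return 0; fi

    # Include the intermediate chain when one is present.
    set --
    if [ -f "$chain" ]; then set -- -certfile "$chain"; fi

    # Write to an owner-only temp file, then swap it into place atomically.
    tmp=$out.tmp.$$
    ( umask 077
      openssl pkcs12 -export -in "$cert" -inkey "$key" "$@" \
          -out "$tmp" -passout env:P12_PASS 2>/dev/null ) ||
        { rm -f "$tmp"; echo "build-failed"; return 1; }
    mv -f "$tmp" "$out"
    echo "rebuilt"
}
```

A scheduled task would call `renew_p12` with its own paths and restart Plex only when the function prints `rebuilt`.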
This thread has been extremely helpful. Thank you!

