It’s a previously requested feature, but not too many votes.
To get custom certificates issued, I suggest switching to DynDNU which is a free dynamic DNS service that works better with Let’s Encrypt.
Install https://github.com/acmesh-official/acme.sh by following the Wiki. You’ll probably want to install it as the root user so that it will have permission to write the certificate to the Plex directory.
You’ll need to create an API key in DynDNU for acme.sh to be able to do the necessary challenges.
Once you’ve created the API key, you then need to use acme.sh to issue the certificate using the instructions in the wiki. You’ll need to modify the command so that it exports to a PKCS12 file. For example, if you just want a certificate for the specific domain and don’t want a wildcard certificate, and the encryption key for the PFX file is `<password>`, then the command is:
```
export Dynu_ClientId="<client id>"
export Dynu_Secret="<secret>"
./acme.sh --issue --keylength 2048 --dns dns_dynu -d your.dynamicdns.com --to-pkcs12 --password <password>
```
That should then request the certificate and also create the PFX file.
To get it to deploy then you need to create a custom deployhook script called plex.sh and place it in the deploy folder wherever acme.sh was installed.
```
#!/usr/bin/bash
# Returns 0 on success, otherwise an error.

# Variables
# You can either leave the export lines uncommented, or comment them out and enter them from the cmd line prior to using the deployment script for the first time.

# Your PFX file password/key
export DEPLOY_PLEX_P12PASS='<password>'
# The location that you want to deploy the certificate to that your Plex Media Server can access
export DEPLOY_PLEX_CERT_LIBRARY='/var/lib/plexmediaserver'
# The command to restart your Plex Media Server
export DEPLOY_PLEX_RELOAD='systemctl restart plexmediaserver'

#### Do not edit below this line ####
plex_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"

  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"

  _getdeployconf DEPLOY_PLEX_P12PASS
  _getdeployconf DEPLOY_PLEX_CERT_LIBRARY
  _getdeployconf DEPLOY_PLEX_RELOAD

  # Keep the PFX password out of plain debug logs
  _secure_debug2 DEPLOY_PLEX_P12PASS "$DEPLOY_PLEX_P12PASS"
  _debug2 DEPLOY_PLEX_CERT_LIBRARY "$DEPLOY_PLEX_CERT_LIBRARY"
  _debug2 DEPLOY_PLEX_RELOAD "$DEPLOY_PLEX_RELOAD"

  _reload_cmd=$DEPLOY_PLEX_RELOAD

  # Check if deployment path exists
  if [ ! -d "$DEPLOY_PLEX_CERT_LIBRARY" ]; then
    _err "Certificate deployment path doesn't exist"
    return 1
  fi

  # Flag to track errors
  ERROR_FLAG=false

  # PFX file created by --to-pkcs12; acme.sh sets CERT_PFX_PATH before calling the hook
  _import_pkcs12="$CERT_PFX_PATH"
  DEPLOY_P12_FILE="$DEPLOY_PLEX_CERT_LIBRARY/$_cdomain.pfx"
  cp "$_import_pkcs12" "$DEPLOY_P12_FILE" || { _err "Error copying pkcs12 file"; ERROR_FLAG=true; }

  # Restart Plex Media Server if no errors encountered
  if [ "$ERROR_FLAG" = false ]; then
    _info "Reload services (this may take some time): $_reload_cmd"
    if eval "$_reload_cmd"; then
      _info "Reload success!"
    else
      ERROR_FLAG=true
      _err "Reload error"
      return 1
    fi
  fi

  # Check if any errors occurred during processing
  if [ "$ERROR_FLAG" = true ]; then
    _err "Plex Media Server deploy script failed with errors."
    return 1
  fi

  # Successful, so save all (non-default) config:
  _savedeployconf DEPLOY_PLEX_P12PASS "$DEPLOY_PLEX_P12PASS"
  _savedeployconf DEPLOY_PLEX_CERT_LIBRARY "$DEPLOY_PLEX_CERT_LIBRARY"
  _savedeployconf DEPLOY_PLEX_RELOAD "$DEPLOY_PLEX_RELOAD"

  return 0
}
```
This script grabs the PFX file, copies it to the directory /var/lib/plexmediaserver, and restarts PMS. The PFX file will be called your.dynamicdns.com.pfx. I’ve modified an existing custom deployment script I have for another application to work with Plex and haven’t tested it. Hopefully it shouldn’t produce any errors, but if you decide to use it I’m happy to help troubleshoot.
To get acme.sh to use the deployment hook script and deploy you need to use the command:
```
./acme.sh --deploy --deploy-hook plex -d your.dynamicdns.com
```
You’ll need to make sure the user and access permissions of the PFX key in the destination are set so that Plex can read it.
acme.sh should automatically create a cron job to renew and deploy the certificate. If it hasn’t then you can use the command `./acme.sh --install-cronjob`.
EDIT: Changed acme.sh command so that it issues an RSA rather than ECC key.
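
For the permissions step mentioned in the post, an added example (not code from the original post or from the acme.sh project): rather than a plain `cp` followed by a manual `chmod`, the PFX is written under a restrictive umask, renamed into place, and the result is audited. The function names and the `plex` account name are assumptions.

```sh
#!/bin/sh
# Added example (not from the post or from acme.sh). The "plex" account
# name in the usage comment is an assumption; check your own install.

# Return 0 only if FILE is a regular file (not a symlink) that "other"
# cannot access and the group cannot write; print the reason otherwise.
pfx_perm_ok() {
  f="$1"
  if [ -L "$f" ]; then echo "symlink: $f"; return 1; fi
  if [ ! -f "$f" ]; then echo "not a regular file: $f"; return 1; fi
  mode=$(ls -ld "$f" | cut -c1-10)   # e.g. -rw-r-----
  case "$mode" in
    -????w????) echo "group-writable ($mode): $f"; return 1 ;;
    -??????---) return 0 ;;
    *) echo "accessible to other users ($mode): $f"; return 1 ;;
  esac
}

# Copy SRC to DEST without the private key ever being world-readable:
# write a temp file under umask 077, set owner (optional, needs root)
# and mode, then rename it into place.
deploy_pfx() {
  src="$1"; dest="$2"; owner="${3:-}"
  tmp="$dest.tmp.$$"
  ( umask 077 && cp "$src" "$tmp" ) || { rm -f "$tmp"; return 1; }
  if [ -n "$owner" ] && ! chown "$owner" "$tmp"; then
    rm -f "$tmp"; return 1
  fi
  if ! chmod 600 "$tmp" || ! mv -f "$tmp" "$dest"; then
    rm -f "$tmp"; return 1
  fi
  pfx_perm_ok "$dest"
}

# Usage inside a hook, run as root (account name is an assumption):
#   deploy_pfx "$_import_pkcs12" "$DEPLOY_P12_FILE" plex

# Constructed demo: a 0644 source ends up 0600 at the destination.
demo_dir=$(mktemp -d)
printf 'constructed PFX bytes' > "$demo_dir/src.pfx"
chmod 644 "$demo_dir/src.pfx"
deploy_pfx "$demo_dir/src.pfx" "$demo_dir/your.dynamicdns.com.pfx" \
  && echo "deployed: $(ls -ld "$demo_dir/your.dynamicdns.com.pfx" | cut -c1-10)"
rm -rf "$demo_dir"
```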