QNAP QTS 4.3 - Use built-in Let's Encrypt Certificate Process with Plex Media Server

I came across this post as a result of doing some searching after trying to access my new PMS on QNAP using an Android phone and not being able to connect because it could not make a secure connection.

Just to confirm with other people's experience: do I need to proceed with the process listed above, get my own cert on the QNAP, etc. to be able to access my content when abroad, or am I missing something? I realize I may want to anyway for improved security, etc., just wondering if this problem is typical. It's just that I read a few other posts regarding Plex partnering with DigiCert to allow secure access for people without needing them to buy certs for their servers.

Thanks in advance,

Russ

No, this is not a replacement for the Plex DigiCert cert. This is to be used if you want to be able to access your server from a custom URL using a LE cert.

Thanks for the reply. That's what I thought too, which is why I have been so puzzled as to why it keeps only connecting insecurely.

Thank you very much for this! I’ve got no prior experience with Unix systems, and your example managed to get me started!

I had an issue with the BASEPATH variable. It seemed to be some kind of escaping issue, so I just performed a cd to the cert location at the start of the script.

I’d just like to add, I found editing the crontab by using crontab -e instead of the vi command directly was simpler, because you then don’t need to manually restart crond.

Thanks again, it’s so cool being able to run a terminal directly on my NAS.

I’ve been looking at this a bit more, and managed to track down what was causing issues for me. Bash scripts do not play well with Windows style line endings, so anyone who uses Windows will have issues with this script, even if you SSH in and use vi to edit your script, like I did, or if you edit the script by using the Qnap text editor in browser.

Windows users need to run dos2unix on your script file, to strip out the carriage returns. E.g.:

dos2unix /share/CACHEDEV1_DATA/homes/admin/scripts/plex_cert_export.sh

If you don’t do this, all of your variables will have a carriage return added to the end, which will make the cert path incorrect, the key password will be wrong, etc…

I hope this saves someone else some headaches when trying to get this to work :)

Hi, what do we put as HOSTNAME, in place of pms-server ? Our Plex URL?

Does it need https? The port number?

Thank you,

James

Hi,

I am still a bit lost about what to put for the HOST_NAME, but I have other news to report.

I found that whilst this appears to be secure, it did not have the chain certificate properly included so it would fail some security tests. I'm not really sure why this is a problem (since it's possible to derive the chain certificate from the main certificate), but to fix it and pass the security tests, I created a "fullchain.pem" file that included the main certificate and the chain certificate and then used that in the bash script (in place of just the cert file on its own).

Examples of where you can check your system for the security tests are:
https://whatsmychaincert.com/ or https://www.digicert.com/help/

Having made the change to the script both of these websites now show my system as having fully valid certificates for me; whereas before they did not. The modified script creates "fullchain.pem" and uses that in place of "cert" in the openssl .p12 file creation. I am not sure if the part of the openssl line which is to do with the QNAP "chain" cert and "CAfile" is actually necessary if we include the chain cert in fullchain.pem, but it doesn't seem to cause any issues so I've left it in the script. Here's the revised script:

#!/bin/sh

## Script for converting QNAP Let's Encrypt certificate to PKCS12 format needed by Plex Media Server
## This is designed to work with QTS 4.3.3+
## The script assumes that the Let's Encrypt certificate is set up and operating on the NAS, so you need to
## first generate QNAP keys by pointing 443 and 80 at QNAP and running the Let's Encrypt generation process
## in the QNAP web interface. As well as the cert.p12 file for Plex, fullchain.pem and privkey.pem are
## created which may be used by other programs.

BASEPATH=/mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert
CERT_PASS=SuperSecretStuff
HOST_NAME=pms-server

# Leaf certificate first, then the intermediate chain: the order clients expect in fullchain.pem
cat "${BASEPATH}/cert" "${BASEPATH}/chain" > "${BASEPATH}/fullchain.pem"
cp "${BASEPATH}/key" "${BASEPATH}/privkey.pem"

# Stop Plex, rebuild the PKCS12 bundle from the full chain, then start Plex so it picks up the new bundle
/etc/init.d/plex.sh stop
/usr/bin/openssl pkcs12 -export -in "${BASEPATH}/fullchain.pem" -inkey "${BASEPATH}/key" -out "${BASEPATH}/cert.p12" -name "${HOST_NAME}" -CAfile "${BASEPATH}/chain" -caname root -password "pass:${CERT_PASS}"
/etc/init.d/plex.sh start

Thanks,

James

Hey Plexr’s
I am wondering if this LE for QNAP is still valid for 2019, since this post is old. Has there been any breaking changes?
Thanks

Yes it still works for me. I found that somehow the crontab entry disappeared (or perhaps I never remembered to add it). I added some extra functionality to the script so that I can run it daily/hourly/whatever, and Plex will only get restarted when the cert is renewed:

#!/bin/sh
BASEPATH=/mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert
CERT_PASS=SuperSecretStuff
HOST_NAME=pms-server

# Only rebuild the bundle (and restart Plex) when QNAP has renewed the cert since the last export.
# The -e test covers the very first run: in busybox ash and dash, "-nt" is false when cert.p12
# does not exist yet, so without it the script would never export anything.
if [ ! -e "${BASEPATH}/cert.p12" ] || [ "${BASEPATH}/cert" -nt "${BASEPATH}/cert.p12" ]
then
  /etc/init.d/plex.sh stop
  /usr/bin/openssl pkcs12 -export -in "${BASEPATH}/cert" -inkey "${BASEPATH}/key" -out "${BASEPATH}/cert.p12" -name "${HOST_NAME}" -CAfile "${BASEPATH}/chain" -caname root -password "pass:${CERT_PASS}"
  /etc/init.d/plex.sh start
fi

Hi Jamesk,

You need to put your public hostname, without any protocols (so don’t put http or https in there).

If you're using the QNAP cloud DDNS service, it will be myhostname.myqnapcloud.com, where "myhostname" is your account name.

It’s important that this matches the hostname you use to access your plex server exactly, otherwise the browser will complain that it is invalid.

In case you find it useful, here’s my version of the script. I added comments as a reminder for when I modify it. As you can see, it’s pretty much identical to the script that OP posted, but it explains some additional things you need to know.

#!/bin/sh
# IMPORTANT!!! Windows line endings will prevent bash from working!!!!
# If you ever modify this script, you must run dos2unix and pass this file to it
# You must also run chmod +x to allow this script to be executed

BASEPATH=/mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert
CERT_PASS=redacted
HOST_NAME=myhostname.myqnapcloud.com
echo exporting cert...
/usr/bin/openssl pkcs12 -export -in "${BASEPATH}/cert" -inkey "${BASEPATH}/key" -out "${BASEPATH}/cert.p12" -name "${HOST_NAME}" -CAfile "${BASEPATH}/chain" -caname root -password "pass:${CERT_PASS}"
echo restarting plex...
/etc/init.d/plex.sh stop
/etc/init.d/plex.sh start

You must also run chmod +x to allow this script to be executed, otherwise it won’t work. You need to do this every time you modify the file.

chmod +x /share/CACHEDEV1_DATA/homes/admin/scripts/plex_cert.sh

Windows users also need to remove carriage returns from the file, I do this by using the dos2unix command.

dos2unix /share/CACHEDEV1_DATA/homes/admin/scripts/plex_cert.sh

Remember, if you do this, you’ll need to use chmod +x again, because it modifies the file.

Here’s my crontab entry, to make my script automatically run at 03:00 every day. The >/dev/null 2>&1 ignores output from standard error and standard out.

0 3 * * * /share/CACHEDEV1_DATA/homes/admin/scripts/plex_cert.sh >/dev/null 2>&1

Thanks!
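Pulling the three scripts in this thread together, here is an added example (not any poster's script) that does the same export but verifies the leaf against the intermediate before building fullchain.pem, refuses to run from a CRLF-damaged file, passes the PKCS#12 password via a file instead of the command line, and handles the first run where cert.p12 does not exist yet. It assumes the NAS's openssl supports -partial_chain (OpenSSL 1.0.2 or later); the password file path /root/.plex_p12_pass and the PLEX_CERT_RUN switch are my assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example, not any poster's script. Same job as the thread's scripts (QNAP LE cert
# -> Plex PKCS#12) with three changes: refuse to run from a CRLF-damaged file, verify that
# the leaf really chains to the intermediate before bundling, and keep the password off argv.
set -eu

# True if a file still carries Windows CR line endings (the dos2unix problem in the thread).
has_crlf() { grep -q "$(printf '\r')" "$1" 2>/dev/null; }

# True when QNAP has renewed the cert since the last export. The -e test matters:
# in busybox ash and dash, "-nt" is false when cert.p12 does not exist yet.
needs_export() { [ ! -e "$1/cert.p12" ] || [ "$1/cert" -nt "$1/cert.p12" ]; }

# Leaf first, then intermediate(s): the order clients expect in fullchain.pem.
# -partial_chain (OpenSSL 1.0.2+, assumed present) lets the intermediate act as the anchor.
build_fullchain() {
  openssl verify -partial_chain -CAfile "$1/chain" "$1/cert" >/dev/null 2>&1 || return 1
  cat "$1/cert" "$1/chain" > "$1/fullchain.pem"
}

# Export leaf + key + chain to cert.p12. $3 is a mode-0600 file holding the password;
# "-passout file:" keeps it out of the process list, unlike "-password pass:...".
export_p12() {
  openssl pkcs12 -export -in "$1/fullchain.pem" -inkey "$1/key" \
    -name "$2" -passout "file:$3" -out "$1/cert.p12"
}

# Number of certificates inside a .p12: a bundle Plex can serve holds leaf + chain, not 1.
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "file:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Cron entry point: $1 cert dir, $2 hostname, $3 password file, $4 Plex init script.
renew_if_needed() {
  if has_crlf "$0"; then echo "$0 has CRLF line endings; run dos2unix" >&2; return 1; fi
  needs_export "$1" || return 0          # nothing renewed: leave Plex running
  build_fullchain "$1" || return 1       # do not ship a bundle whose chain is broken
  "$4" stop
  export_p12 "$1" "$2" "$3" && rc=0 || rc=$?   # restart Plex even if the export failed
  "$4" start
  return "$rc"
}

# On the NAS, run with PLEX_CERT_RUN=1; the password file path is an assumption.
if [ "${PLEX_CERT_RUN:-0}" = 1 ]; then
  renew_if_needed /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert \
    myhostname.myqnapcloud.com /root/.plex_p12_pass /etc/init.d/plex.sh
fi
```

If Plex rejects a bundle produced by OpenSSL 3, add -legacy to the export so it falls back to the older PKCS#12 algorithms Plex's bundled OpenSSL understands.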

That’s what I used in the end and it worked ok. I didn’t know it was the only correct response though, it just seemed the most logical. What if you have two hostnames? Do you know if you can put both somehow?

E.g. I can access my server from:

mydomain.duckdns.org
and
home.mydomain.co.uk

To my knowledge, Plex can only use one certificate, or at least that’s all they expose in the admin settings UI, so you’ll have to choose which one you prefer / have a valid certificate for.
If you have a single certificate that is valid for both host names, then you can use both. I have no experience with multi domain certificates though, so I can’t advise on that.

I went with the automatically acquired let’s encrypt cert, because it was free and it was low effort because the NAS automatically renews it. It has worked very well for me, it was a case of configure once, and then forget about it.
