Using Let’s Encrypt for Plex on Synology 14

One of the great features with my Synology NAS, is that it uses the Let’ Encrypt SSL certificates.  I am using my NAS for personal use so I didn’t want to spend money on a SSL certificate nor do I want to use a Self Signed one.  Synology has a how to guide on their site if you wish to set up one your self.  

Once this is completed you can connect to your DiskStation Manager securely… ‘yay, and there is much rejoicing’.  With this guide I am presuming, you know about OpenSSL and have basic knowledge on its use and you are using Plex.  All that said, you also would like to use a secure connection to your Plex media server.

Now we are ready to set up our Plex service to use https.


  1. You will need to export your “Let’s Encrypt” certificate from your NAS.  Login to your DSM and open the Control Panel and goto Security -> Certificate. Select the certificate your Default Certificate and export it.
  2. Unzip the exported certificates and navigate to the folder.  If you are using a windows machine it’s easier to unzip the contents in the openssl folder and run “openssl” as the administrator.  In the OS X or Linux environment open your terminal and navigate to the unzipped folder and type “openssl”
  3. Your terminal should now have the “OpenSSL>” prompt
  4. Type pkcs12 -export -out *your domain*.pfx -in cert.pem -inkey privkey.pem -certfile chain.pem -name “*your domain*”
    Remember the password you entered in, you’ll need that for later
  5. Upload the new certificate to the root folder of Plex on your NAS server – should be “Plex”
  6. In your Plex Manager goto “Settings – Server – Network”.
    • Custom certificate location: /volume1/Plex/*your domain*.pfx
    • Custom certificate encryption key: the password you used earlier
    • Custom certificate domain: *your domain*

  7. Save your changes and restart your Plex service.

Leave a Reply

14 thoughts on “Using Let’s Encrypt for Plex on Synology

  • naitakal

    This was very helpful, thanks! I actually wasn’t using the Default certificate provided by Synology though mainly because it didn’t contain a chain.pem file on export. So I ended up creating a Let’s encrypt certificate for the plex subdomain I wanted to use and everything worked like a charm. Only thing I am wondering now, will I have to recreate the pfx file when the certificate gets renewed?

    • Karsten Pearce Post author

      I do each time I update my certificate, I believe you do, because it’s using the privkey.pem from the new cert.

      • naitakal

        Which makes sense.I will probably try to make it part of the daily cert renew job running on my NAS, optimally without actually creating the pfx file every night when nothing got renewed.

    • Karsten Pearce Post author

      I don’t have port 80 open through my firewall so I haven’t tested this yet, but do you have the following turned on?
      Control Panel -> Network -> DSM Settings -> Automatically redirect HTTP connections to HTTPS (Web Station and Photo Station excluded).

      I think this will only work if your Plex station is sharing the same URL as your Synology box

    • Karsten Pearce Post author

      Yeah, “Let’s Encrypt” needs to verify that you own the domain before it generates a certificate. You can create a self-sign certificate and load it. Just skip the steps that are dealing with “Let’s Encrypt”. Granted I haven’t done this before, but I don’t see why it wouldn’t work.

  • Zach Gelnett (@zachg99)

    Ok, the person that created the script in github removed it. Here is the script setup for the above install instructions. Search for the **SET THIS** values and replace them. Save this in the plex home folder as Set up a scheduled task to run daily as root with the following command:


    ****Script Start****


    # p12 file
    p12_file_path=$script_folder/**SET THIS**.pfx
    # p12 password
    p12cert_password=**SET THIS**
    # Synology’s Default Let’s encrypt folder
    # renew timestamp


    current_date=`date +”%s”`
    current_certificate_date=`openssl x509 -enddate -noout -in $letsencrypt_cert_folder/cert.pem | cut -d’=’ -f2`
    current_certificate_timestamp=`date -d “$current_certificate_date” +”%s”`

    # check if the renew_timestamp file exists
    if [ ! -f $script_folder/$renew_timestamp ]; then
    echo “Generate timestamp for the current renew date… ”
    echo $current_certificate_timestamp > $script_folder/$renew_timestamp
    chmod +rw $script_folder/$renew_timestamp
    chown admin:users $script_folder/$renew_timestamp

    # generate the first p12 file
    renew_date=`cat $script_folder/$renew_timestamp`
    # check if it is necessary to renew the certificate or not
    if expr “$current_date” “>” “$renew_date” > /dev/null; then
    # generate a new p12 file
    echo “Renewing certificate…”

    # update timestamp in the file
    echo $current_certificate_timestamp > $script_folder/$renew_timestamp
    echo “It is not necessary to renew the certificate, abort.”
    exit 0

    # generate a new certificate file if necessary, and restart Plex
    if expr “$generate_p12” “=” “true” > /dev/null; then
    echo “Generating the p12 certificate file…”
    openssl pkcs12 -export -out $p12_file_path -in $letsencrypt_cert_folder/cert.pem -inkey $letsencrypt_cert_folder/privkey.pem -certfile $letsencrypt_cert_folder/chain.pem -name “**SET THIS**” -password pass:$p12cert_password
    chmod +r $p12_file_path
    chown admin:users $p12_file_path
    echo “Restarting Plex Media Server…”
    sh /var/packages/Plex\ Media\ Server/scripts/start-stop-status stop
    sh /var/packages/Plex\ Media\ Server/scripts/start-stop-status start
    echo “Done.”