One of the great features of my Synology NAS is that it uses Let’s Encrypt SSL certificates. I am using my NAS for personal use, so I didn’t want to spend money on an SSL certificate, nor did I want to use a self-signed one. Synology has a how-to guide on their site if you wish to set one up yourself.
Once this is completed you can connect to your DiskStation Manager securely… ‘yay, and there is much rejoicing’. In this guide I am presuming that you know about OpenSSL, have basic knowledge of its use, and are using Plex. All that said, you would also like to use a secure connection to your Plex media server.
Now we are ready to set up our Plex service to use https.
- You will need to export your “Let’s Encrypt” certificate from your NAS. Log in to your DSM, open the Control Panel and go to Security -> Certificate. Select your Default Certificate and export it.
- Unzip the exported certificates and navigate to the folder. If you are using a Windows machine, it’s easier to unzip the contents into the openssl folder and run “openssl” as the administrator. In the OS X or Linux environment, open your terminal, navigate to the unzipped folder and type “openssl”.
- Your terminal should now have the “OpenSSL>” prompt
- Type pkcs12 -export -out *your domain*.pfx -in cert.pem -inkey privkey.pem -certfile chain.pem -name "*your domain*"
Remember the password you entered; you’ll need it later.
- Upload the new certificate to the root folder of Plex on your NAS server – should be “Plex”
- In your Plex Manager go to “Settings – Server – Network”.
- Custom certificate location: /volume1/Plex/*your domain*.pfx
- Custom certificate encryption key: the password you used earlier
- Custom certificate domain: *your domain*
- Save your changes and restart your Plex service.
Thanks!
This was very helpful, thanks! I actually wasn’t using the Default certificate provided by Synology though, mainly because it didn’t contain a chain.pem file on export. So I ended up creating a Let’s Encrypt certificate for the Plex subdomain I wanted to use and everything worked like a charm. Only thing I am wondering now: will I have to recreate the pfx file when the certificate gets renewed?
I do each time I update my certificate, I believe you do, because it’s using the privkey.pem from the new cert.
Which makes sense. I will probably try to make it part of the daily cert renew job running on my NAS, optimally without actually creating the pfx file every night when nothing got renewed.
How can I redirect the Plex server from http to https? Is there any config I can set in the Synology?
I don’t have port 80 open through my firewall so I haven’t tested this yet, but do you have the following turned on?
Control Panel -> Network -> DSM Settings -> Automatically redirect HTTP connections to HTTPS (Web Station and Photo Station excluded).
I think this will only work if your Plex station is sharing the same URL as your Synology box
You could try setting up a reverse proxy. That’s how I set up a sub domain to redirect from HTTPS 443 to HTTPS 32400.
“your domain”? wait.. so I have to buy a domain to use this? crap
Yeah, “Let’s Encrypt” needs to verify that you own the domain before it generates a certificate. You can create a self-signed certificate and load it. Just skip the steps that are dealing with “Let’s Encrypt”. Granted I haven’t done this before, but I don’t see why it wouldn’t work.
You might try this as a way to automatically keep it updated: https://gist.github.com/ryansully/fa6f1832c77ef63bf9383ea6bfb8ecfd
Thank you for these instructions! I took the script (that was removed by the original author) and tweaked it to match your instructions and posted to Github here: https://github.com/zachg99/synology-plex-cert-autorenew
Once you have the SSL cert setup this script automatically renews it as needed every 3 months.
OK, the person that created the script on GitHub removed it. Here is the script, set up for the above install instructions. Search for the **SET THIS** values and replace them. Save this in the plex home folder as SynoPlexP12Renew.sh. Set up a scheduled task to run daily as root with the following command:
/var/services/homes/plex/SynoPlexP12Renew.sh
****Script Start****
```sh
#!/bin/sh
# CONFIGURATION
script_folder=/var/services/homes/plex
# p12 file
p12_file_path="$script_folder/**SET THIS**.pfx"
# p12 password
p12cert_password="**SET THIS**"
# Synology's default Let's Encrypt folder
letsencrypt_cert_folder=/usr/syno/etc/certificate/system/default
# renew timestamp
renew_timestamp=renew_plex_timestamp
# DO NOT CHANGE BELOW UNLESS YOU'RE A WIZARD
generate_p12=false
current_date=`date +"%s"`
# expiry date of the certificate currently installed on the NAS
current_certificate_date=`openssl x509 -enddate -noout -in "$letsencrypt_cert_folder/cert.pem" | cut -d'=' -f2`
current_certificate_timestamp=`date -d "$current_certificate_date" +"%s"`
# check if the renew_timestamp file exists
if [ ! -f "$script_folder/$renew_timestamp" ]; then
    echo "Generate timestamp for the current renew date..."
    echo "$current_certificate_timestamp" > "$script_folder/$renew_timestamp"
    chmod +rw "$script_folder/$renew_timestamp"
    chown admin:users "$script_folder/$renew_timestamp"
    # generate the first p12 file
    generate_p12=true
else
    renew_date=`cat "$script_folder/$renew_timestamp"`
    # check if it is necessary to renew the certificate or not:
    # regenerate once the current time is past the stored expiry date
    if expr "$current_date" ">" "$renew_date" > /dev/null; then
        # generate a new p12 file
        echo "Renewing certificate..."
        generate_p12=true
        # update timestamp in the file
        echo "$current_certificate_timestamp" > "$script_folder/$renew_timestamp"
    else
        echo "It is not necessary to renew the certificate, abort."
        exit 0
    fi
fi
# generate a new certificate file if necessary, and restart Plex
if expr "$generate_p12" "=" "true" > /dev/null; then
    echo "Generating the p12 certificate file..."
    openssl pkcs12 -export -out "$p12_file_path" -in "$letsencrypt_cert_folder/cert.pem" -inkey "$letsencrypt_cert_folder/privkey.pem" -certfile "$letsencrypt_cert_folder/chain.pem" -name "**SET THIS**" -password "pass:$p12cert_password"
    chmod +r "$p12_file_path"
    chown admin:users "$p12_file_path"
    echo "Restarting Plex Media Server..."
    sh /var/packages/Plex\ Media\ Server/scripts/start-stop-status stop
    sh /var/packages/Plex\ Media\ Server/scripts/start-stop-status start
    echo "Done."
fi
```
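Added example, not part of the original post or of the scripts posted and linked in the comments: it runs the guide's pkcs12 conversion and answers the renewal question by comparing the SHA-256 fingerprint of cert.pem with the certificate already inside the .pfx, so the file is rebuilt only when the certificate has actually changed. The function names, the password file and the folder layout are assumptions; the password is read with `file:` rather than `pass:` so it does not show up in the process list.

```sh
#!/bin/sh
# Added example: rebuild the Plex .pfx only when the certificate has changed.
# Function names, paths and the password file are assumptions.

# SHA-256 fingerprint of the first PEM certificate on stdin.
fp_pem() { openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2; }

# Fingerprint of the leaf certificate inside a PFX ($1), password file ($2).
fp_pfx() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -clcerts 2>/dev/null | fp_pem
}

# True when the PFX ($2) is missing, unreadable, or holds another cert than $1.
pfx_is_stale() {
    [ -f "$2" ] || return 0
    want=$(fp_pem < "$1")
    have=$(fp_pfx "$2" "$3")
    [ -z "$have" ] || [ "$want" != "$have" ]
}

# True when privkey.pem ($2) is the key for cert.pem ($1).
key_matches_cert() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Build the PFX: $1 = folder with cert.pem/privkey.pem/chain.pem, $2 = output,
# $3 = password file, $4 = friendly name. Returns 2 on a key/cert mismatch.
build_pfx() {
    key_matches_cert "$1/cert.pem" "$1/privkey.pem" || return 2
    tmp="$2.tmp.$$"
    # umask 077: the file holds the private key, so create it owner-only.
    ( umask 077
      openssl pkcs12 -export -out "$tmp" -in "$1/cert.pem" \
          -inkey "$1/privkey.pem" -certfile "$1/chain.pem" \
          -name "$4" -passout "file:$3" ) || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$2"   # replace in one step so Plex never reads a partial file
}

# Returns 0 after a rebuild (restart Plex then), 3 when nothing changed.
renew_if_needed() {
    pfx_is_stale "$1/cert.pem" "$2" "$3" || return 3
    build_pfx "$1" "$2" "$3" "$4"
}
```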
The script Ryan Sully previously published was removed. I recreated it and tweaked it to work with your instructions above. Take a look, it will automatically update your Plex certificate whenever the LetsEncrypt script gets updated by the Synology:
https://github.com/zachg99/synology-plex-cert-autorenew
Thanks!!