Deploying current LE cert into PlexApp

FabrizioR8 (Dabbler, joined Jul 13, 2022, 17 messages)
How do I properly generate the PKCS#12 certificate file that Plex wants from the LE cert/key pair dropped in /etc/certificates?
Does the LE cert renewal on SCALE always replace named cert in /etc/certificates in-place directly? (rather not wait 2+ mos. to find out)
Once I have the appropriate .pfx cert archive file, what's the best way to get it to the Plex app?
Is it appropriate to configure an extra host path volume for Plex to /etc/certificates in order to expose the cert files, or is there another method that folks have used?

I scripted a nightly cron job to run on my QNAP to monitor for new certs and generate the PKCS#12 archive on-the-fly as needed. Please see details below. Would something like this script be appropriate on TrueNAS? Folks on this forum seem somewhat antsy about installing/tweaking anything outside of the UI or API...

I'm running TrueNAS-SCALE-22.02.2.1 and have used the out-of-the-box Credentials > Certificates bits to generate a LetsEncrypt cert for this system.
I see my /etc/certificates/tndev_le.crt and /etc/certificates/tndev_le.key files generated and the general settings are configured to use this cert for the UI successfully. The official charts Plex app (v1.27.2.5929_1.7.14) is installed and functioning without TLS currently.
Plex wants a PKCS #12 archive (.pfx) file for its configuration.

On my existing QNAP server, the LE certs are being generated by the deployed Linuxserver.io "swag" container where the certs get incremented by number and each renewal provides a fullchain.pem archive. I used this and the key to generate the PKCS#12 archive for plex.
Code:
[/share/docker] # ls -al /share/docker/mediasvcs/swag/config/etc/letsencrypt/live/mydomainredacted.com
total 44
drwxrwx--- 2 mediasvcs mediasvcs 4096 2022-05-25 02:11 ./
drwxrwx--- 3 mediasvcs mediasvcs 4096 2022-06-10 15:05 ../
-rw------- 1 mediasvcs mediasvcs 7294 2022-07-02 16:31 archive.pfx
lrwxrwxrwx 1 mediasvcs mediasvcs   41 2022-05-25 02:11 cert.pem -> ../../archive/mydomainredacted.com/cert9.pem
lrwxrwxrwx 1 mediasvcs mediasvcs   42 2022-05-25 02:11 chain.pem -> ../../archive/mydomainredacted.com/chain9.pem
lrwxrwxrwx 1 mediasvcs mediasvcs   46 2022-05-25 02:11 fullchain.pem -> ../../archive/mydomainredacted.com/fullchain9.pem
-rwxr-x--- 1 mediasvcs mediasvcs 9249 2022-05-25 02:11 priv-fullchain-bundle.pem*
lrwxrwxrwx 1 mediasvcs mediasvcs   44 2022-05-25 02:11 privkey.pem -> ../../archive/mydomainredacted.com/privkey9.pem
-rwx------ 1 mediasvcs mediasvcs 7133 2022-05-25 02:11 privkey.pfx*
-rwx------ 1 mediasvcs mediasvcs  692 2022-05-06 23:20 README*

On my QNAP, I run a cron job to check for a new cert (newer than the archive.pfx I generate for Plex), and regenerate the archive if needed.
The Network settings for Plex have the path to the archive.pfx file, the hash for the key, and the server's FQDN configured.

My cron job code is as follows:
Code:
[/share/docker] # cat letsencrypt_update_archive_pfx.sh
#!/bin/bash

liveledir=/share/docker/mediasvcs/swag/config/etc/letsencrypt/live/mydomainredacted.com

# Newest entry in the live directory (sorted by mtime, oldest first, so take the last one).
lastfile=$(ls -tr ${liveledir} | tail -1)

# If archive.pfx is latest file (certs have not renewed since...) then nothing to do.
if [ "${lastfile}" == "archive.pfx" ]; then exit 0; fi

# otherwise, re-generate archive.pfx from the fullchain and privkey.
### openssl pkcs12 -export -in fullchain1.pem -inkey privkey1.pem -out archive.pfx -name "mydomainredacted.com pkcs12 Archive" -passout pass:

# Note: the -passout pass:... form puts the archive password on the command line,
# where it is visible in the process list; -passout file:<path> reads it from a file instead.
openssl pkcs12 -export \
  -in ${liveledir}/fullchain.pem \
  -inkey ${liveledir}/privkey.pem \
  -out ${liveledir}/archive.pfx \
  -name "mydomainredacted.com pkcs12 Archive" \
  -passout pass:HASHREDACTED

lastfile=$(ls -tr ${liveledir} | tail -1)

# If archive.pfx is latest file now, then certs have been renewed and archive.pfx has been updated again successfully.
if [ "${lastfile}" == "archive.pfx" ]; then
    echo "$(date +%Y%m%d-%H%M%S ) [INFO]  archive.pfx has been re-generated properly."

    # The archive contains the private key: owner-only permissions.
    chown mediasvcs:mediasvcs  ${liveledir}/archive.pfx
    chmod 600                  ${liveledir}/archive.pfx

else
    echo "$(date +%Y%m%d-%H%M%S ) [ERROR] archive.pfx re-generation failed."
    exit 1
fi

# Restart QNAP services (discard both stdout and stderr; the order of the
# redirections matters, "> /dev/null 2>&1" silences both).
/etc/init.d/plex.sh restart > /dev/null 2>&1; ret=$?;
if [ "0" != "${ret}" ]; then
    echo "$(date +%Y%m%d-%H%M%S ) [ERROR] Non-zero return code while restarting Plex."
else
    echo "$(date +%Y%m%d-%H%M%S ) [INFO]  Plex has been restarted."
fi

Thank you.
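The following is an added example written for this thread, not code from the original post, from TrueNAS or from Plex. It reworks the cron-job idea above for the SCALE layout described in the post (a stable /etc/certificates/<name>.crt and <name>.key pair rather than numbered Let's Encrypt archive files): it compares modification times directly instead of listing the directory, checks that the key actually belongs to the certificate before exporting, reads the archive password from a 0600 file so it never appears on the command line, writes the .pfx atomically with owner-only permissions, and verifies the result opens with the password. The certificate name `tndev_le`, the archive path, the password-file path and the Plex-side settings are assumptions for illustration; when run stand-alone it exercises itself on a constructed self-signed certificate in a temporary directory.

```shell
# Added example (not from the original post, TrueNAS or Plex): regenerate the
# PKCS#12 archive Plex wants from a SCALE-style /etc/certificates/<name>.crt + .key
# pair, only when the cert or key is newer than the existing .pfx.
set -u

# True (0) when the archive is missing or older than the cert or key.
needs_regen() {
    [ -f "$3" ] || return 0
    [ "$1" -nt "$3" ] && return 0
    [ "$2" -nt "$3" ] && return 0
    return 1
}

# True (0) when the private key's public half equals the certificate's public key.
# Guards against a renewal that replaced the cert but not the key (or vice versa).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Export cert+key to a .pfx. The password comes from the first line of a file
# (-passout file:...) rather than the command line, so it is not visible in ps or
# cron logs. umask 077 gives the temp file 0600; mv makes the swap atomic so Plex
# never reads a half-written archive. Args: cert key pfx passfile friendly-name
build_pfx() {
    tmp="$3.tmp.$$"
    ( umask 077 && openssl pkcs12 -export -in "$1" -inkey "$2" -out "$tmp" \
        -name "$5" -passout "file:$4" 2>/dev/null ) || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$3"
}

# True (0) when the archive opens with the password and contains a certificate.
verify_pfx() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'
}

# Orchestrate one check. Prints "up to date" or "regenerated" on stdout.
# Return codes: 0 ok, 2 key/cert mismatch, 3 export failed, 4 verification failed.
# Args: cert key pfx passfile friendly-name
update_plex_pfx() {
    needs_regen "$1" "$2" "$3" || { echo "up to date"; return 0; }
    key_matches_cert "$1" "$2" || { echo "key does not match cert" >&2; return 2; }
    build_pfx "$1" "$2" "$3" "$4" "$5" || { echo "pkcs12 export failed" >&2; return 3; }
    verify_pfx "$3" "$4" || { echo "archive failed verification" >&2; return 4; }
    echo "regenerated"
}

# Constructed demo material (assumption, stands in for the real LE cert): a
# self-signed EC cert/key pair named like the SCALE files, plus a password file.
make_demo_material() {
    d=$(mktemp -d)
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$d/tndev_le.key" -out "$d/tndev_le.crt" -days 1 \
        -subj "/CN=tndev.example.test" >/dev/null 2>&1
    printf '%s\n' "constructed-demo-password" > "$d/pfx.pass"
    chmod 600 "$d/pfx.pass"
    echo "$d"
}

# Stand-alone run: exercise the flow on the constructed material. For real use,
# call update_plex_pfx with e.g. /etc/certificates/tndev_le.crt,
# /etc/certificates/tndev_le.key, the .pfx path Plex is configured with, and the
# password file whose content you entered in Plex's network settings.
if [ "${PFX_DEMO:-1}" = "1" ]; then
    demo_dir=$(make_demo_material)
    update_plex_pfx "$demo_dir/tndev_le.crt" "$demo_dir/tndev_le.key" \
        "$demo_dir/archive.pfx" "$demo_dir/pfx.pass" "tndev_le pkcs12 Archive"
    rm -rf "$demo_dir"
fi
```

The mtime comparison works whether a renewal rewrites the .crt/.key in place or replaces them with new files at the same path, which is the part of the original question this example sidesteps rather than answers; the key/cert match check is what catches the failure mode where only one of the two files changed. Restarting Plex after a successful "regenerated" result is left to the caller, as in the original script.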