Tutorial Issue Let's Encrypt certificate with acme.sh, use it with Synology DSM and Plex

Deleted member 62525

Guest
This is a quick guide on how to use acme.sh to issue a Let’s Encrypt certificate for your custom domain, deploy it to Synology, and then
convert it to PKCS format and use it with your Plex server. Two scripts are provided to make setup easy, and they can be combined to automate the process.

For Synology to issue or renew certificates you need to have ports 80 and 443 open on the Synology NAS. For security reasons many people do not want that. My Synology NAS is behind a bridged Asus router and I do have ports 80 and 443 disabled. This is why we need to use acme.sh to issue and renew certificates. Once I generated the NAS certificate I also wanted to share it with my Plex server running on the same NAS. Read below for instructions.

I prefer to install acme.sh in the /usr/local/share location. If you don’t specify the location it will be installed in /root. I am using duckdns as a provider
for my custom public domain, but acme.sh supports many, so you can change CERT_DNS as required. Detailed information and the acme.sh wiki are here: acme.sh

Installation Steps

$ sudo su
$ cd /volume1/homes/[username]    # or: cd ~
$ wget https://github.com/acmesh-official/acme.sh/archive/master.tar.gz

$ tar xvf master.tar.gz
$ cd acme.sh-master/
$ ./acme.sh --install --nocron --home /usr/local/share/acme.sh --accountemail "your-email@gmail.com"

At this point the installation is finished and we can remove master.tar.gz. You can use acme.sh and issue certificates as a non-root user if you wish.
Just change the ownership of the /usr/local/share/acme.sh directory to the user you want. Because Plex requires me to run as root when deploying the certificate,
I am running both scripts below after executing "sudo su".

Creating Certificate and Deploy to Synology
(set your own values for the variables below; USERNAME must belong to the Synology admin group)

#!/bin/sh
export CERT_DOMAIN="YOUR CUSTOM DOMAIN"
export CERT_DNS="dns_duckdns"
export ACME_CERT_HOME="/usr/local/share/config/cert"

echo "Issue duckdns certificate."
# --insecure makes acme.sh skip TLS certificate verification on its HTTPS requests.
/usr/local/share/acme.sh/acme.sh --insecure --issue --home "$ACME_CERT_HOME" --dns "$CERT_DNS" -d "$CERT_DOMAIN"
# Publish the certificate to Synology DSM
export SYNO_Username="USERNAME"
export SYNO_Password="PASSWORD"
export SYNO_Certificate="acme.sh certificate"
export SYNO_Create=0 # defaults to off, this setting is not saved. By setting to 1 we create the certificate if it's not in DSM
echo "Publish certificate to Synology DSM."
/usr/local/share/acme.sh/acme.sh --deploy --home "$ACME_CERT_HOME" -d "$CERT_DOMAIN" --deploy-hook synology_dsm

Create PKCS certificate and deploy to Plex server.
Make sure the directory /usr/local/share/Plex has been created before running the script and that your own values are set for the variables defined.
We are reusing the existing certificate generated in the previous step, converting it to PKCS with acme.sh and deploying it to the Plex server.
Set the variables in the script to your values; these will need to be stored in Plex as below.

Before running the script you may access the Plex server settings, navigate to the Network tab and set the following:
Custom certificate location -> /usr/local/share/Plex/plex_cert.pfx
Custom certificate encryption key -> PLEX ENCRYPTION KEY value
Custom certificate domain -> YOUR CUSTOM DOMAIN value

#!/bin/sh
export CERT_DOMAIN="YOUR CUSTOM DOMAIN"
export ACME_CERT_HOME="/usr/local/share/config/cert"
CERT_PLEX_KEY="PLEX ENCRYPTION KEY"
CERT_PLEX="/usr/local/share/Plex"
/usr/local/share/acme.sh/acme.sh --toPkcs --home "$ACME_CERT_HOME" -d "$CERT_DOMAIN" --password "$CERT_PLEX_KEY"
if [ "$?" -eq 0 ]; then
    echo "Copy certificate and key to target location."
    cp "${ACME_CERT_HOME}/${CERT_DOMAIN}/${CERT_DOMAIN}.pfx" "${CERT_PLEX}/plex_cert.pfx"
    cp "${ACME_CERT_HOME}/${CERT_DOMAIN}/${CERT_DOMAIN}.key" "${CERT_PLEX}/plex_cert.key"
    chown PlexMediaServer:users "${CERT_PLEX}/plex_cert.pfx"
    chown PlexMediaServer:users "${CERT_PLEX}/plex_cert.key"

    # Restart Plex so it loads the new certificate.
    # (Log is only defined in the complete script, so this standalone script uses echo.)
    echo "Stopping PlexMediaServer..."
    /usr/syno/bin/synopkg stop PlexMediaServer
    echo "Starting PlexMediaServer..."
    /usr/syno/bin/synopkg start PlexMediaServer
    echo "Certificate deployment completed."
else
    echo "Program completed with errors."
    # Return a failure status so the scheduled task shows the error.
    exit 1
fi
exit 0

The last thing we have to do is schedule a task in DSM Task Scheduler to run both scripts every month or two to renew the certificate and publish it to both DSM and Plex. I am attaching a complete script that performs both functions.

Code:
#!/bin/bash
# bash is required: the script uses ${!varname} and local.

export ACME_CERT_HOME="/usr/local/share/config/cert"
export ACME_HOME="/usr/local/share/acme.sh"
export CERT_DNS="dns_duckdns"

usage()
{
  echo "Usage: $0 [ -u SYNO_USER ] [ -p SYNO_PASSWORD ] [ -k CERT_PASSWORD ] [ -d CERT_DOMAIN ]"
  exit 2
}

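set_variable()
{
  # Assign an option value to the named variable; a repeated option is an error.
  local varname=$1
  shift
  if [ -z "${!varname}" ]; then
    # printf -v assigns the value literally, so quotes, $ or backticks
    # in a password are stored as-is and never evaluated.
    printf -v "$varname" '%s' "$*"
  else
    Log "Error: $varname already set"
    usage
  fi
}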

Log()
{
    echo "$(basename "$0")" "$1"
    # If you have Log Center configured all messages will be logged there with this command.
    # If not this can be disabled.
    logger -d -p info -n localhost -t "$(basename "$0")" "$1"
}

GenerateCert() {

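    Log "Issue or renew certificate."
    # --insecure makes acme.sh skip TLS certificate verification on its HTTPS requests.
    "$ACME_HOME/acme.sh" --insecure --issue --home "$ACME_CERT_HOME" --dns "$CERT_DNS" -d "$CERT_DOMAIN"

    # Publish the certificate to Synology DSM
    # The deploy hook runs in a child process and reads the DSM credentials from the environment.
    export SYNO_Username SYNO_Password
    export SYNO_Certificate="acme.sh certificate" # Description text in Control Panel -> Security -> Certificates
    export SYNO_Create=0 # defaults to off, this setting is not saved.  By setting to 1 we create the certificate if it's not in DSM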

    Log "Publish certificate to Synology DSM."
    $ACME_HOME/acme.sh --deploy --home "$ACME_CERT_HOME" -d "$CERT_DOMAIN" --deploy-hook synology_dsm

}

###################################################################################
#              Plex Server settings - Network Section.                  #
#                                          #
#      Custom certificate location      -> /usr/local/share/Plex/plex_cert.pfx   #
#      Custom certificate encryption key -> -k argument               #
#      Custom certificate domain     -> -d argument                  #
#                                          #
###################################################################################

DeployToPlex() {
 
    local CERT_PLEX="/usr/local/share/Plex" # Plex -> Custom certificate location

    # Convert new certificate to Plex format and copy to destination
    Log "Exporting certificate to PKCS12."

    # Convert generated certificate to pkcs format accepted by Plex server.
    $ACME_HOME/acme.sh --toPkcs --home "$ACME_CERT_HOME" --domain "$CERT_DOMAIN" --password "$CERT_PLEX_KEY"

    if [ "$?" -eq "0" ]; then
     
        Log "Copy certificate and key to target location ${CERT_PLEX}"
        cp "${ACME_CERT_HOME}/${CERT_DOMAIN}/${CERT_DOMAIN}.pfx" "${CERT_PLEX}/plex_cert.pfx"
        cp "${ACME_CERT_HOME}/${CERT_DOMAIN}/${CERT_DOMAIN}.key" "${CERT_PLEX}/plex_cert.key"
        chown PlexMediaServer:users "${CERT_PLEX}/plex_cert.pfx"
        chown PlexMediaServer:users "${CERT_PLEX}/plex_cert.key"
     
       
        Log "Stopping PlexMediaServer..."
        /usr/syno/bin/synopkg stop PlexMediaServer
        Log "Starting PlexMediaServer..."
        /usr/syno/bin/synopkg start PlexMediaServer
        Log "Certificate deployment completed."
    else
        Log "Program completed with errors."
    fi

}

#############################
# Main script starts here   #
#############################

unset SYNO_Username SYNO_Password CERT_PLEX_KEY CERT_DOMAIN

while getopts 'u:p:k:d:?h' option
do
  case $option in
    u) set_variable SYNO_Username "$OPTARG" ;;
    p) set_variable SYNO_Password "$OPTARG" ;;
    k) set_variable CERT_PLEX_KEY "$OPTARG" ;;
    d) set_variable CERT_DOMAIN "$OPTARG" ;;
    h|?) usage ;;
  esac
done

# All four options are required; show usage if any of them is missing.
if [ -z "$SYNO_Username" ] || [ -z "$SYNO_Password" ] || [ -z "$CERT_PLEX_KEY" ] || [ -z "$CERT_DOMAIN" ]; then
  usage
fi

GenerateCert
DeployToPlex

exit 0
 
Last edited by a moderator:
This is a quick guide on how to use acme.sh to issue a Let’s Encrypt certificate for your custom domain, deploy it to Synology, and then
convert it to PKCS format and use it with your Plex server. Two scripts are provided to make setup easy, and they can be combined to automate the process.

I prefer to install acme.sh in the /usr/local/share location. If you don’t specify the location it will be installed in /root. I am using duckdns as a provider
for my custom public domain, but acme.sh supports many, so you can change CERT_DNS as required. Detailed information and the acme.sh wiki are here: acme.sh

Installation Steps

$ sudo su
$ cd /volume1/homes/[username]    # or: cd ~
$ wget https://github.com/acmesh-official/acme.sh/archive/master.tar.gz

$ tar xvf master.tar.gz
$ cd acme.sh-master/
$ ./acme.sh --install --nocron --home /usr/local/share/acme.sh --accountemail "your-email@gmail.com"

At this point the installation is finished and we can remove master.tar.gz. You can use acme.sh and issue certificates as a non-root user if you wish.
Just change the ownership of the /usr/local/share/acme.sh directory to the user you want. Because Plex requires me to run as root when deploying the certificate,
I am running both scripts below after executing "sudo su".

Creating Certificate and Deploy to Synology
(set your own values for the variables below; USERNAME must belong to the Synology admin group)

#!/bin/sh
export CERT_DOMAIN="YOUR CUSTOM DOMAIN"
export CERT_DNS="dns_duckdns"
export ACME_CERT_HOME="/usr/local/share/config/cert"

echo "Issue duckdns certificate."
# --insecure makes acme.sh skip TLS certificate verification on its HTTPS requests.
/usr/local/share/acme.sh/acme.sh --insecure --issue --home "$ACME_CERT_HOME" --dns "$CERT_DNS" -d "$CERT_DOMAIN"
# Publish the certificate to Synology DSM
export SYNO_Username="USERNAME"
export SYNO_Password="PASSWORD"
export SYNO_Certificate="acme.sh certificate"
export SYNO_Create=0 # defaults to off, this setting is not saved. By setting to 1 we create the certificate if it's not in DSM
echo "Publish certificate to Synology DSM."
/usr/local/share/acme.sh/acme.sh --deploy --home "$ACME_CERT_HOME" -d "$CERT_DOMAIN" --deploy-hook synology_dsm

Create PKCS certificate and deploy to Plex server.
Make sure the directory /usr/local/share/Plex has been created before running the script and that your own values are set for the variables defined.
We are reusing the existing certificate generated in the previous step, converting it to PKCS with acme.sh and deploying it to the Plex server.
Set the variables in the script to your values; these will need to be stored in Plex as below.

Before running the script you may access the Plex server settings, navigate to the Network tab and set the following:
Custom certificate location -> /usr/local/share/Plex/plex_cert.pfx
Custom certificate encryption key -> PLEX ENCRYPTION KEY value
Custom certificate domain -> YOUR CUSTOM DOMAIN value

#!/bin/sh
export CERT_DOMAIN="YOUR CUSTOM DOMAIN"
export ACME_CERT_HOME="/usr/local/share/config/cert"
CERT_PLEX_KEY="PLEX ENCRYPTION KEY"
CERT_PLEX="/usr/local/share/Plex"
/usr/local/share/acme.sh/acme.sh --toPkcs --home "$ACME_CERT_HOME" -d "$CERT_DOMAIN" --password "$CERT_PLEX_KEY"
if [ "$?" -eq 0 ]; then
    echo "Copy certificate and key to target location."
    cp "${ACME_CERT_HOME}/${CERT_DOMAIN}/${CERT_DOMAIN}.pfx" "${CERT_PLEX}/plex_cert.pfx"
    cp "${ACME_CERT_HOME}/${CERT_DOMAIN}/${CERT_DOMAIN}.key" "${CERT_PLEX}/plex_cert.key"
    chown plex:users "${CERT_PLEX}/plex_cert.pfx"
    chown plex:users "${CERT_PLEX}/plex_cert.key"
    # Restart Plex so it loads the new certificate.
    echo "Restarting Plex Media Server..."
    sh /var/packages/Plex\ Media\ Server/scripts/start-stop-status stop
    sleep 5
    sh /var/packages/Plex\ Media\ Server/scripts/start-stop-status start
else
    echo "Program completed with errors."
    # Return a failure status so the scheduled task shows the error.
    exit 1
fi
exit 0

The last thing we have to do is schedule a task in DSM Task Scheduler to run both scripts every month or two to renew the certificate and publish it to both DSM and Plex. I am attaching a complete script that performs both functions.

Code:
#!/bin/bash
# bash is required: the script uses ${!varname} and local.

export ACME_CERT_HOME="/usr/local/share/config/cert"
export ACME_HOME="/usr/local/share/acme.sh"
export CERT_DNS="dns_duckdns"

usage()
{
  echo "Usage: $0 [ -u SYNO_USER ] [ -p SYNO_PASSWORD ] [ -k CERT_PASSWORD ] [ -d CERT_DOMAIN ]"
  exit 2
}

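set_variable()
{
  # Assign an option value to the named variable; a repeated option is an error.
  local varname=$1
  shift
  if [ -z "${!varname}" ]; then
    # printf -v assigns the value literally, so quotes, $ or backticks
    # in a password are stored as-is and never evaluated.
    printf -v "$varname" '%s' "$*"
  else
    Log "Error: $varname already set"
    usage
  fi
}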

Log()
{
    echo "$(basename "$0")" "$1"
    # If you have Log Center configured all messages will be logged there with this command.
    # If not this can be disabled.
    logger -d -p info -n localhost -t "$(basename "$0")" "$1"
}

GenerateCert() {

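    Log "Issue or renew certificate."
    # --insecure makes acme.sh skip TLS certificate verification on its HTTPS requests.
    "$ACME_HOME/acme.sh" --insecure --issue --home "$ACME_CERT_HOME" --dns "$CERT_DNS" -d "$CERT_DOMAIN"

    # Publish the certificate to Synology DSM
    # The deploy hook runs in a child process and reads the DSM credentials from the environment.
    export SYNO_Username SYNO_Password
    export SYNO_Certificate="acme.sh certificate" # Description text in Control Panel -> Security -> Certificates
    export SYNO_Create=0 # defaults to off, this setting is not saved.  By setting to 1 we create the certificate if it's not in DSM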

    Log "Publish certificate to Synology DSM."
    $ACME_HOME/acme.sh --deploy --home "$ACME_CERT_HOME" -d "$CERT_DOMAIN" --deploy-hook synology_dsm

}

###################################################################################
#              Plex Server settings - Network Section.                  #
#                                          # 
#      Custom certificate location      -> /usr/local/share/Plex/plex_cert.pfx   #
#      Custom certificate encryption key -> -k argument               #
#      Custom certificate domain     -> -d argument                  #
#                                          #
###################################################################################

DeployToPlex() {
  
    local CERT_PLEX="/usr/local/share/Plex" # Plex -> Custom certificate location

    # Convert new certificate to Plex format and copy to destination
    Log "Exporting certificate to PKCS12."

    # Convert generated certificate to pkcs format accepted by Plex server.
    $ACME_HOME/acme.sh --toPkcs --home "$ACME_CERT_HOME" --domain "$CERT_DOMAIN" --password "$CERT_PLEX_KEY"

    if [ "$?" -eq "0" ]; then
      
        Log "Copy certificate and key to target location ${CERT_PLEX}"
        cp "${ACME_CERT_HOME}/${CERT_DOMAIN}/${CERT_DOMAIN}.pfx" "${CERT_PLEX}/plex_cert.pfx"
        cp "${ACME_CERT_HOME}/${CERT_DOMAIN}/${CERT_DOMAIN}.key" "${CERT_PLEX}/plex_cert.key"
        chown plex:users "${CERT_PLEX}/plex_cert.pfx"
        chown plex:users "${CERT_PLEX}/plex_cert.key"
      
        Log "Restarting Plex Media Server..."
        sh /var/packages/Plex\ Media\ Server/scripts/start-stop-status stop
        sleep 3
        sh /var/packages/Plex\ Media\ Server/scripts/start-stop-status start
        Log "Certificate deployment completed."
    else
        Log "Program completed with errors."
    fi

}

#############################
# Main script starts here   #
#############################

unset SYNO_Username SYNO_Password CERT_PLEX_KEY CERT_DOMAIN

while getopts 'u:p:k:d:?h' option
do
  case $option in
    u) set_variable SYNO_Username "$OPTARG" ;;
    p) set_variable SYNO_Password "$OPTARG" ;;
    k) set_variable CERT_PLEX_KEY "$OPTARG" ;;
    d) set_variable CERT_DOMAIN "$OPTARG" ;;
    h|?) usage ;;
  esac
done

# All four options are required; show usage if any of them is missing.
if [ -z "$SYNO_Username" ] || [ -z "$SYNO_Password" ] || [ -z "$CERT_PLEX_KEY" ] || [ -z "$CERT_DOMAIN" ]; then
  usage
fi

GenerateCert
DeployToPlex

exit 0
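
An added example, not part of the original post: the complete script takes the DSM password and the PFX key as -p and -k arguments, which places them in the scheduled task's command line and in the process list while it runs. The function below reads the same four values from a private file instead and assigns them without eval; the name load_secrets and the KEY=VALUE file layout are assumptions.

```shell
#!/bin/sh
# Added example: load the four values the script needs from a private file.
# load_secrets and the file layout (KEY=VALUE lines) are assumptions.

load_secrets() {
    secrets_file=$1
    unset SYNO_Username SYNO_Password CERT_PLEX_KEY CERT_DOMAIN
    [ -f "$secrets_file" ] || { echo "missing $secrets_file" >&2; return 1; }

    # Refuse a file that other accounts could read or that we do not own.
    # GNU stat syntax: %a is the octal mode, %u the owner's numeric uid.
    mode=$(stat -c '%a' "$secrets_file") || return 1
    owner=$(stat -c '%u' "$secrets_file") || return 1
    case $mode in
        600|400) ;;
        *) echo "refusing $secrets_file: mode $mode, expected 600" >&2; return 1 ;;
    esac
    [ "$owner" = "$(id -u)" ] || { echo "refusing $secrets_file: wrong owner" >&2; return 1; }

    # Parse instead of sourcing: values are assigned literally, so quotes, $( )
    # or backticks inside a password are never evaluated by the shell.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        key=${line%%=*}
        value=${line#*=}
        case $key in
            SYNO_Username) SYNO_Username=$value ;;
            SYNO_Password) SYNO_Password=$value ;;
            CERT_PLEX_KEY) CERT_PLEX_KEY=$value ;;
            CERT_DOMAIN)   CERT_DOMAIN=$value ;;
            *) echo "unknown key in $secrets_file: $key" >&2; return 1 ;;
        esac
    done < "$secrets_file"

    if [ -z "$SYNO_Username" ] || [ -z "$SYNO_Password" ] ||
       [ -z "$CERT_PLEX_KEY" ] || [ -z "$CERT_DOMAIN" ]; then
        echo "incomplete $secrets_file" >&2
        return 1
    fi
    # Only the DSM credentials go into the environment, for the acme.sh deploy hook.
    export SYNO_Username SYNO_Password
}
```

In the complete script, a call such as `load_secrets /path/to/secrets || exit 1` (path is a placeholder) would take the place of the getopts loop.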
I just wonder why you would need an FQDN and certs with Plex as it allows you to connect remotely through the Plex Web App. In fact, I read somewhere they don't recommend it.
 
How are you accessing Plex remotely?
There are settings in Plex server to accommodate your own certificate. If it was not recommended these settings would not be there. I have had this setup for years on a bridged router. I like the fact that I am in full control of my Plex and security on my Synology NAS with a custom domain and my own certificate.
 
Last edited by a moderator:
[Attached image: 1620373479025.png]

Just like that with a port forwarding in my router for the specific IP and port.
 
