├── README.md
└── plexrenew.sh


/README.md:
--------------------------------------------------------------------------------
# PlexSSLAutorenew
A bash script to auto-renew the HTTPS certificate on a Plex instance with Let's Encrypt and dns-challenge

As I share Plex with friends and family, I thought it would be interesting to have an active SSL certificate.
As cheap as they are elsewhere (a few euros/year) I wondered if it might be feasible with Let's Encrypt. The answer is obviously yes.

One of the advantages that I think might be interesting is that it does not require port forwarding or the installation of an Apache server, as the challenge for the certificate is done via dns-challenge on Cloudflare. I use Cloudflare but you can use whatever you want, as the script itself should work with any DNS provider that accepts queries from certbot.

***This repository will not cover certificate activation on the Plex interface or how to activate a dns-challenge for certbot.***

I based it on the excellent work of Churro-s which you can find [here](https://gist.github.com/churro-s/fa3fdeb5cf10ebb251aa88338b8b37db).

**My setup**

- Debian 10
- Domain nameservers on Cloudflare
- [Expect](https://wiki.debian.org/Expect)

**How to**

1. Download the script and place it wherever you want
2. Modify it by entering the working path; personally, I kept the folder that is automatically generated by certbot for the first certificate creation.
3. Give execution permissions with `chmod +x plexrenew.sh`
4. Create a new crontab entry with `crontab -e`
5. Profit

## FAQ

**What does the script do?**

1. It sets the working directory in which the rest of the script will be executed.
2. It runs certbot renew to regenerate certificates.
3. The expect command launches the openssl conversion command to generate the certificate file in pfx format (required by Plex).
4. The certificate in pfx format is moved and permissions are assigned.
5. The Plex service is restarted.

**Why did you use expect?**

Because I'm not exactly an ace in development, I came across this program that allows you to automatically insert characters if a certain object is passed on the screen.
Since a password is requested for the key when converting the certificate, I needed to replace human input with automatic input.
Personally, I have put in an enter, but you can put in whatever you like.

**What can be improved?**

Practically everything. For example, to make it more accessible to the public, the working directory could be variable.
Or maybe someone knows a way not to use expect.

Feel free to fork the project and improve it.

**Notes**

Personally, I renew my certificate every 85 days at 4 am.
The certificate is valid for 90 days from when you generate it and Let's Encrypt will still send you an email to remind you of the expiry.
If you need help generating a cron expression you can use the following online tool: https://crontab.tech/

--------------------------------------------------------------------------------
/plexrenew.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#https://github.com/Stinocon/PlexSSLAutorenew/
# Change your.public.domain to the folder that certbot generated automatically when the first certificate was created manually
cd /etc/letsencrypt/live/your.public.domain/ || exit 1
# Renew any certificate that is due
certbot renew
# Convert the PEM files to PFX (required by Plex); expect answers both password prompts with Enter (empty password)
/usr/bin/expect <(cat << EOF
spawn openssl pkcs12 -export -out /etc/letsencrypt/live/your.public.domain/certificate.pfx -inkey /etc/letsencrypt/live/your.public.domain/privkey.pem -in /etc/letsencrypt/live/your.public.domain/cert.pem -certfile /etc/letsencrypt/live/your.public.domain/chain.pem
expect "Enter Export Password:"
send "\r"
expect "Verifying - Enter Export Password:"
send "\r"
# Wait for openssl to exit; unlike interact, this does not need a terminal, so it also works under cron
expect eof
EOF
)
# Move the PFX into the Plex data directory and hand ownership to the plex user
mv /etc/letsencrypt/live/your.public.domain/certificate.pfx /var/lib/plexmediaserver
chown plex:plex /var/lib/plexmediaserver/certificate.pfx
# Restart Plex so that it loads the new certificate
service plexmediaserver restart
--------------------------------------------------------------------------------
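
The FAQ asks whether there is a way not to use expect. One way, shown here as an added example that is not part of the repository: `openssl pkcs12 -export` accepts the export password through `-passout`, so `-passout pass:` supplies the same empty password without a prompt. The variables `LIVE_DIR` and `PFX_DEST` and the function names are assumptions made for illustration; the paths are the ones used in `plexrenew.sh`.

```shell
#!/bin/bash
# Added example, not the repository's script: PKCS#12 export without expect.
# LIVE_DIR, PFX_DEST and the function names are assumptions for illustration.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/your.public.domain}"
PFX_DEST="${PFX_DEST:-/var/lib/plexmediaserver/certificate.pfx}"

# Succeeds when the PFX is missing or older than the (renewed) certificate.
needs_rebuild() {   # usage: needs_rebuild <cert.pem> <certificate.pfx>
    [ ! -f "$2" ] || [ "$1" -nt "$2" ]
}

# Convert the PEM files in <live_dir> to <out.pfx> with an empty export
# password (what the expect script sends), with no prompt involved.
build_pfx() {       # usage: build_pfx <live_dir> <out.pfx>
    local live="$1" out="$2" tmp
    # mktemp creates the file with mode 0600, so the private key material
    # is never readable by other users, even while it is being written.
    tmp="$(mktemp "${out}.XXXXXX")" || return 1
    if openssl pkcs12 -export -passout pass: \
           -inkey "$live/privkey.pem" -in "$live/cert.pem" \
           -certfile "$live/chain.pem" -out "$tmp"; then
        mv -f "$tmp" "$out"     # rename in the same directory: atomic replace
    else
        rm -f "$tmp"
        return 1
    fi
}

main() {
    certbot renew || return 1
    # Skip the conversion and the restart when nothing was renewed.
    needs_rebuild "$LIVE_DIR/cert.pem" "$PFX_DEST" || return 0
    build_pfx "$LIVE_DIR" "$PFX_DEST" || return 1
    chown plex:plex "$PFX_DEST" && chmod 600 "$PFX_DEST"
    service plexmediaserver restart
}

# Run only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then main; fi
```

Because the PFX is written directly into the Plex data directory, no copy of it is left under `/etc/letsencrypt/live/`, and Plex is restarted only when the certificate actually changed.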