Greetings,
This HOWTO is a guide on how I enabled SSL in Plex on my QNAP TS-453 Pro. This was done in the SSH console of the NAS device and may need to be massaged as there are differences in the file structure of the NAS models.
- Download and install the Let's Encrypt qpkg from https://forum.qnap.com/viewtopic.php?f=320&t=122747. This had to be done in the SSH terminal on my NAS because it would not install via the App Center for some reason.
sh LetsEncrypt_0.5_x86.qpkg
- Generate the certificate
SERVER=server.example.com
export PATH=/opt/LetsEncrypt/bin:$PATH
letsencrypt certonly --rsa-key-size 4096 --renew-by-default --webroot --webroot-path "/share/Web" -d ${SERVER} -t --agree-tos --config-dir "/share/CACHEDEV1_DATA/.qpkg/LetsEncrypt"
- Convert the cert to PKCS#12 format
CERTPATH="/share/CACHEDEV1_DATA/.qpkg/LetsEncrypt/live/${SERVER}/"
HOSTONLY=server
PASSWORD=SuperSecretStuff
openssl pkcs12 -export -in "${CERTPATH}cert.pem" -inkey "${CERTPATH}privkey.pem" -out "${CERTPATH}${SERVER}.p12" -name ${HOSTONLY} -CAfile "${CERTPATH}chain.pem" -caname root -password pass:${PASSWORD}
- Install the cert in the web portal by navigating to http://server.example.com:32400 and then going to Settings -> Server -> Network -> Show Advanced.
  - Custom certificate location - /share/CACHEDEV1_DATA/.qpkg/LetsEncrypt/live/server.example.com/server.example.com.p12
  - Custom certificate encryption key - SuperSecretStuff
  - Custom certificate domain - server.example.com
- Change URL to https://server.example.com:32400 and you should be all set!
If that works for you, then you can bring it all together in a script and schedule it as a cron task to keep the certificate up to date. This also updates the SSL certificate for the NAS itself:
#!/bin/sh
SERVER=server.example.com
CERTPATH="/share/CACHEDEV1_DATA/.qpkg/LetsEncrypt/live/${SERVER}/"
HOSTONLY=server
PASSWORD=SuperSecretStuff
export PATH=/opt/LetsEncrypt/bin:$PATH
# Request (or renew) the certificate using the webroot challenge
letsencrypt certonly --rsa-key-size 4096 --renew-by-default --webroot --webroot-path "/share/Web" -d "${SERVER}" -t --agree-tos --config-dir "/share/CACHEDEV1_DATA/.qpkg/LetsEncrypt"
# Stop the services while the certificate files are replaced
/etc/init.d/stunnel.sh stop
/etc/init.d/plex.sh stop
# NAS (stunnel): private key and certificate in one PEM file, chain as uca.pem
cat "${CERTPATH}privkey.pem" "${CERTPATH}cert.pem" > /etc/stunnel/stunnel.pem
cp "${CERTPATH}chain.pem" /etc/stunnel/uca.pem
# Plex: bundle the certificate and key as PKCS#12
openssl pkcs12 -export -in "${CERTPATH}cert.pem" -inkey "${CERTPATH}privkey.pem" -out "${CERTPATH}${SERVER}.p12" -name "${HOSTONLY}" -CAfile "${CERTPATH}chain.pem" -caname root -password pass:"${PASSWORD}"
/etc/init.d/stunnel.sh start
/etc/init.d/plex.sh start
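
A hardened form of the PKCS#12 conversion step, as an added example that is not part of the original post: "-password pass:..." puts the password in the openssl argument list, where other local users can read it with ps, and the .p12 file contains the private key. The function names and the separate password file are assumptions; -certfile is used here in place of the post's -CAfile so that the chain certificates are written into the bundle.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the
# password-file argument are assumptions made for illustration.

# private_file FILE: succeed only if FILE has no group/other permission bits.
private_file() {
    case $(ls -ld "$1" 2>/dev/null) in
        -r[w-]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# build_p12 CERTDIR NAME PASSFILE OUTFILE
# Returns 0 on success, 1 if the bundle could not be built or verified,
# 2 if the password file is missing or accessible to group/others.
build_p12() {
    certdir=$1; name=$2; passfile=$3; out=$4
    private_file "$passfile" || { echo "password file must be mode 0600" >&2; return 2; }
    (
        umask 077    # the bundle holds the private key: create it as 0600
        # -passout file: keeps the password out of argv (visible in ps);
        # -certfile adds the chain certificates to the bundle.
        openssl pkcs12 -export \
            -in "$certdir/cert.pem" -inkey "$certdir/privkey.pem" \
            -certfile "$certdir/chain.pem" -name "$name" \
            -passout "file:$passfile" -out "$out.tmp"
    ) || { rm -f "$out.tmp"; return 1; }
    # Confirm the new bundle opens with the password before replacing the
    # one Plex is currently using; on failure the old file is left untouched.
    openssl pkcs12 -in "$out.tmp" -passin "file:$passfile" -noout 2>/dev/null \
        || { rm -f "$out.tmp"; return 1; }
    mv -f "$out.tmp" "$out"
}

# Usage with the post's paths (the password file location is hypothetical):
#   D=/share/CACHEDEV1_DATA/.qpkg/LetsEncrypt/live/server.example.com
#   build_p12 "$D" server /path/to/p12.pass "$D/server.example.com.p12"
```

openssl refuses to export when privkey.pem does not match cert.pem, so a failed or partial renewal returns 1 and leaves the previous bundle in place.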