
Comments (6)

rmbolger commented on May 23, 2024

Hey @mkanet. You're in luck, Posh-ACME already generates PKCS12 files for you by default. They have the .pfx extension. You can get the path from the PfxFile and PfxFullChain properties on the output of Get-PACertificate. PfxFile has just the leaf cert and private key. PfxFullChain has leaf cert, private key, and chain certs. Have a look at the output of Get-PACertificate | Format-List.

The password associated with the PFX files (which I think is what Plex is referring to as the encryption key) is whatever is configured for PfxPass on the associated order object. By default, it's just poshacme.

from posh-acme.
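An added example (not part of the original comment and not Posh-ACME's own code) that reads the two PFX paths described above and lists what each file contains. It assumes Posh-ACME is installed and the current order has an issued certificate; `Get-PfxSummary` is a hypothetical helper name.

```powershell
# Added example. Assumes Posh-ACME is installed and the current order has an issued cert.
Import-Module Posh-ACME

$cert  = Get-PACertificate   # exposes the PfxFile and PfxFullChain paths
$order = Get-PAOrder         # order object that carries PfxPass

# Hypothetical helper: open a PFX and report each certificate it holds.
function Get-PfxSummary {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][AllowEmptyString()][string]$Password
    )
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $col   = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
    $col.Import($Path, $Password, $flags)   # throws if the password is wrong
    foreach ($c in $col) {
        [pscustomobject]@{
            Subject       = $c.Subject
            Issuer        = $c.Issuer
            HasPrivateKey = $c.HasPrivateKey   # expected to be true only for the leaf
            NotAfter      = $c.NotAfter
        }
        $c.Reset()   # release the key material loaded for inspection
    }
}

foreach ($name in 'PfxFile', 'PfxFullChain') {
    '{0}: {1}' -f $name, $cert.$name
    Get-PfxSummary -Path $cert.$name -Password $order.PfxPass | Format-Table -AutoSize
}

# The default PFX password is publicly documented, so it adds no secrecy;
# the private key is then protected only by the file's permissions.
if ($order.PfxPass -eq 'poshacme') {
    Write-Warning 'PfxPass is still the default value; restrict access to the .pfx files.'
}
```

PfxFile should list a single entry and PfxFullChain the leaf plus the chain certificates.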

rmbolger commented on May 23, 2024

Also out of curiosity, why do you need a custom cert for Plex? It generates publicly valid certs all on its own if I recall correctly.


mkanet commented on May 23, 2024

@rmbolger thank you so much. Just a note; I am able to access https://plex.mydomain.com from my web browser internally on my network as well as externally. However, I keep getting the below warning message in Plex's console immediately after accessing https://plex.mydomain.com or https://plex.mydomain.com with my web browser; as well as when using my Plex Android apps.

Request came in with unrecognized domain / IP 'plex.mydomain.com' in header Referer; treating as non-local

I thought if I were to explicitly set the cert in the fields above, it would recognize my domain as local. I'm not sure if explicitly pointing to my certs in Plex would even be applicable to my configuration.

If you have any tips or suggestions, I would really appreciate it.

Below, is my NGINX.conf for Plex:

server {
        listen 443 ssl http2; 
        listen [::]:443 ssl http2;
        ssl_certificate     ./ssl/fullchain.cer;
        ssl_certificate_key ./ssl/cert.key;
        ssl_prefer_server_ciphers on;
        server_name  plex.mydomain.com;
        client_max_body_size 0;
        set $plex http://127.0.0.1:32400;
        gzip on;
        gzip_vary on;
        gzip_min_length 1000;
        gzip_proxied any;
        gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
        gzip_disable "MSIE [1-6]\.";
        # Forward real ip and host to Plex
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        #When using ngx_http_realip_module change $proxy_add_x_forwarded_for to '$http_x_forwarded_for,$realip_remote_addr'
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions;
        proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key;
        proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version;
        # Websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        # Buffering off send to the client as soon as the data is received from Plex.
        proxy_redirect off;
        proxy_buffering off;
        location / {
            proxy_pass $plex;
        }
}


mkanet commented on May 23, 2024

@rmbolger actually explicitly adding the pfx and key files in Plex's configuration didn't make any difference. I'm not even sure if it's a good idea to add the pfx and key files in Plex's configuration. Maybe I should remove those certs from Plex's config?

Maybe the "Request came in with unrecognized domain / IP 'plex.mydomain.com' in header Referer; treating as non-local" message could be mitigated by revising my NGINX config above? If so, any ideas what I could change in my nginx.conf above?


rmbolger commented on May 23, 2024

I'm not super familiar with nginx configs, but that error doesn't look like it's cert related.

In any case, I think you only need a custom cert if you want to connect directly to the server via a custom name without cert errors. I don't ever connect to mine directly though. I use the web launcher here: https://app.plex.tv/desktop


mkanet commented on May 23, 2024

@rmbolger no worries. I already can access https://plex.mydomain.com instead of https://app.plex.tv/desktop from outside and inside my network without any errors in the web browser. I only get prompted once to authenticate. After that, it can just get to my Plex interface every time.

The only issue I have is the message I get in Plex's console when I log in via my custom domain name that Plex doesn't recognize my custom domain in the header. Anyway, I'll keep looking for a solution.

As always, thank you for your time.

