Merge 8b9ebe55b596dccc2d89633129567895aa9587a9 into 3d8b682380773f01df0e5abc2ef582c30c663010

2025-06-14 06:22:43 +00:00 · 2025-06-11 03:41:29 +00:00 · 2025-06-11 03:41:29 +00:00 · e6ff596d73
commit e6ff596d73
parent 3d8b682380 8b9ebe55b5
2 changed files with 224 additions and 0 deletions
--- a/deploy/plex.sh
+++ b/deploy/plex.sh
@ -0,0 +1,116 @@
+#!/usr/bin/env sh
+
+# Here is a script to deploy cert to local Plex Media Server on Debian.
+
+# The following environment variables must be set:
+#
+# PLEX_PKCS12_Password - Password used for the PKCS12 certificate
+
+#returns 0 means success, otherwise error.
+
+# Settings for Plex Media Server:
+#
+# PLEX_PKCS12_password -- Password for the PKCS file. Required by plex
+# PLEX_PKCS12_file -- Full PKCS file location, otherwise defaults to placing with the other certs in that domain with a pfx extension
+# PLEX_sudo_required -- 1 = True, 0 = False. You may need to add "plex ALL=(ALL) NOPASSWD:/bin/systemctl restart plexmediaserver.service" to your sudo'ers file
+# PLEX_RELOAD -- Optional custom command to restart Plex. If not set, the script will try
+#                to restart the service via systemctl when Plex is detected as active.
+
+########  Public functions #####################
+
+#domain keyfile certfile cafile fullchain
+plex_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+  _cfullchain="$5"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+  _debug _cfullchain "$_cfullchain"
+
+  _getdeployconf PLEX_PKCS12_password
+  _getdeployconf PLEX_PKCS12_file
+  _getdeployconf PLEX_sudo_required
+  _getdeployconf PLEX_RELOAD
+
+  #_DEPLOY_PLEX_WIKI="https://github.com/acmesh-official/acme.sh/wiki/deploy-to-plex"
+
+  _plex_to_pkcs() {
+    # The existing _toPkcs command doesn't have an option to specify cipher, so copied here
+    # to force using a modern cipher, as required by PMS:
+    # https://forums.plex.tv/t/ssl-became-broken-after-latest-pms-update/837416/4
+    _cpfx="$1"
+    _ckey="$2"
+    _ccert="$3"
+    _cca="$4"
+    pfxPassword="$5"
+
+    ${ACME_OPENSSL_BIN:-openssl} pkcs12 -export -out "$_cpfx" -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 -inkey "$_ckey" -in "$_ccert" -certfile "$_cca" -password "pass:$pfxPassword"
+  }
+
+  if [ -z "$PLEX_PKCS12_password" ]; then
+    _err "The PLEX_PKCS12_password variable is not defined. Plex requires a password for the certificate."
+    #_err "See: $_DEPLOY_PLEX_WIKI"
+    return 1
+  fi
+  _debug2 PLEX_PKCS12_password "$PLEX_PKCS12_password"
+
+  if [ -z "$PLEX_PKCS12_file" ]; then
+    PLEX_PKCS12_file="$DOMAIN_PATH/$_cdomain.pfx"
+    _debug2 "Setting PLEX_PKCS12_file to default"
+  fi
+  _debug2 PLEX_PKCS12_file "$PLEX_PKCS12_file"
+
+  if [ -z "$PLEX_sudo_required" ]; then
+    PLEX_sudo_required=0
+    _debug2 "Setting PLEX_PKCS12_file to default (0/False)"
+  fi
+
+  _debug2 PLEX_sudo_required "$PLEX_sudo_required"
+  _debug2 PLEX_RELOAD "$PLEX_RELOAD"
+
+  _reload_cmd="$PLEX_RELOAD"
+
+  _debug "Generate import pkcs12"
+
+  if ! _plex_to_pkcs "$PLEX_PKCS12_file" "$_ckey" "$_ccert" "$_cca" "$PLEX_PKCS12_password"; then
+    _err "Error generating pkcs12. Please re-run with --debug and report a bug."
+    return 1
+  fi
+
+  if [ -z "$_reload_cmd" ]; then
+    if systemctl -q is-active plexmediaserver; then
+      _debug2 "Plex is active. Restarting..."
+      if [ "$PLEX_sudo_required" = "1" ]; then
+        _reload_cmd="sudo systemctl restart plexmediaserver.service"
+      else
+        _reload_cmd="systemctl restart plexmediaserver.service"
+      fi
+    fi
+  fi
+  if [ -z "$_reload_cmd" ]; then
+    _info "Plex server is not active. Certificates installed, but skipping restart."
+  else
+    if eval "$_reload_cmd"; then
+      _info "Reload success!"
+    else
+      _err "Reload error"
+      return 1
+    fi
+  fi
+
+  _services_updated="${_services_updated} plexmediaserver"
+  _info "Install Plex Media Server certificate success!"
+
+  # Successful, so save all (non-default) config:
+  _savedeployconf PLEX_PKCS12_password "$PLEX_PKCS12_password"
+  _savedeployconf PLEX_PKCS12_file "$PLEX_PKCS12_file"
+  _savedeployconf PLEX_sudo_required "$PLEX_sudo_required"
+  _savedeployconf PLEX_RELOAD "$PLEX_RELOAD"
+
+  return 0
+}
--- a/deploy/plex_synology.sh
+++ b/deploy/plex_synology.sh
@ -0,0 +1,108 @@
+#!/usr/bin/bash
+
+# Here is a script to deploy cert to local Plex Media Server on Synology.
+# Based on https://www.snbforums.com/threads/issue-lets-encrypt-certificate-with-acme-sh-use-it-with-synology-dsm-and-plex.70395/
+
+# The following environment variables must be set:
+#
+# PLEX_PKCS12_Password - Password used for the PKCS12 certificate
+
+#returns 0 means success, otherwise error.
+
+# Settings for Plex Media Server:
+#
+# PLEX_PKCS12_password -- Password for the PKCS file. Required by plex
+# PLEX_PKCS12_file -- Full PKCS file location, otherwise defaults to placing with the other certs in that domain with a pfx extension
+# PLEX_sudo_required -- 1 = True, 0 = False. You may need to add "plex ALL=(ALL) NOPASSWD:/bin/systemctl restart plexmediaserver.service" to your sudo'ers file
+
+# Set Plex certificate location to /usr/local/share/Plex/plex_cert.pfx
+
+########  Public functions #####################
+
+#domain keyfile certfile cafile fullchain
+plex_synology_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+  _cfullchain="$5"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+  _debug _cfullchain "$_cfullchain"
+
+  _getdeployconf PLEX_PKCS12_password
+  _getdeployconf PLEX_PKCS12_file
+  _getdeployconf PLEX_sudo_required
+
+  #_DEPLOY_PLEX_WIKI="https://github.com/acmesh-official/acme.sh/wiki/deploy-to-plex"
+
+  _plex_to_pkcs() {
+    # The existing _toPkcs command doesn't have an option to specify cipher, so copied here
+    # to force using a modern cipher, as required by PMS:
+    # https://forums.plex.tv/t/ssl-became-broken-after-latest-pms-update/837416/4
+    _cpfx="$1"
+    _ckey="$2"
+    _ccert="$3"
+    _cca="$4"
+    pfxPassword="$5"
+
+    ${ACME_OPENSSL_BIN:-openssl} pkcs12 -export -out "$_cpfx" -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 -inkey "$_ckey" -in "$_ccert" -certfile "$_cca" -password "pass:$pfxPassword"
+  }
+
+  if [ -z "$PLEX_PKCS12_password" ]; then
+    _err "The PLEX_PKCS12_password variable is not defined. Plex requires a password for the certificate."
+    #_err "See: $_DEPLOY_PLEX_WIKI"
+    return 1
+  fi
+  _debug2 PLEX_PKCS12_password "$PLEX_PKCS12_password"
+
+  if [ -z "$PLEX_PKCS12_file" ]; then
+    PLEX_PKCS12_file="/usr/local/share/Plex/plex_cert.pfx"
+    _debug2 "Setting PLEX_PKCS12_file to default"
+  fi
+  _debug2 PLEX_PKCS12_file "$PLEX_PKCS12_file"
+
+  if [ -z "$PLEX_sudo_required" ]; then
+    PLEX_sudo_required=0
+    _debug2 "Setting PLEX_PKCS12_file to default (0/False)"
+  fi
+
+  _debug2 PLEX_sudo_required "$PLEX_sudo_required"
+
+  _reload_cmd=""
+
+  _debug "Generate import pkcs12"
+
+  if ! _plex_to_pkcs "$PLEX_PKCS12_file" "$_ckey" "$_ccert" "$_cca" "$PLEX_PKCS12_password"; then
+    _err "Error generating pkcs12. Please re-run with --debug and report a bug."
+    return 1
+  fi
+
+  if systemctl -q is-active pkgctl-PlexMediaServer.service; then
+    _debug2 "Plex is active. Restarting..."
+    _reload_cmd="/usr/syno/bin/synopkg restart PlexMediaServer"
+  fi
+  if [ -z "$_reload_cmd" ]; then
+    _info "Plex server is not active. Certificates installed, but skipping restart."
+  else
+    if eval "$_reload_cmd"; then
+      _info "Reload success!"
+    else
+      _err "Reload error"
+      return 1
+    fi
+  fi
+
+  _services_updated="${_services_updated} plexmediaserver"
+  _info "Install Plex Media Server certificate success!"
+
+  # Successful, so save all (non-default) config:
+  _savedeployconf PLEX_PKCS12_password "$PLEX_PKCS12_password"
+  _savedeployconf PLEX_PKCS12_file "$PLEX_PKCS12_file"
+  _savedeployconf PLEX_sudo_required "$PLEX_sudo_required"
+
+  return 0
+}