sslcertbotplex

SSL Certs for Plex Media Server using Let's Encrypt


I need a little direction here. I want to get https with my hostname that I generated at No-IP working with my Plex Media Server. I can connect through my hostname to my Plex Media Server just fine; I just want Let's Encrypt to generate secure SSL certs for it.

I run the following command:

sudo su -
./certbot-auto  --webroot "/var/lib/plexmediaserver/Library/Application Support" -d example.com

and it returns the following error:

letsencrypt: error: unrecognized arguments: /var/lib/plexmediaserver/Library/Application Support

If I run the following command:

sudo su -
./certbot-auto certonly --standalone -d example.com

It returns the following error:

Failed authorization procedure. example.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested e1b6ab6aa7251a908a0f2fc1dd6a3597.beae34c6504c7db8412d92c3f1885e08.acme.invalid from 1.2.3.4:443. Received certificate containing '*.0beedbf17c2042c089ef5e20952e62c8.plex.direct'

I really don't even know if that is the right webroot or not. I'm at a complete loss as to where to go from here. This is the last step in my puzzle and any direction would be helpful.

Note: This is running on a Raspberry Pi 3.


Solution

  • I'm assuming you already have Plex set up so I will skip that part; if not, look at this link: wesleysinstructions.weebly.com

    1. Go to No-IP (or any other service you want to use for a hostname) and set up a hostname

      • Log in to the dashboard.
      • On the side bar click "Dynamic DNS"
      • Select "Hostnames"
      • On that page click the button "Add Hostname". Fill that out and you now have a hostname (Note: This takes about 5 minutes to become active)
    2. Install the Dynamic DNS client to link your Plex IP address (that is always changing) to your hostname on No-IP.com

      • Note: They have instructions on their website on how to do this
    3. On your router port forward 443/80 to where you're hosting plex

    4. SSH into your Plex server
    5. Install "certbot" by Let's Encrypt
    mkdir ~/certs
    cd ~/certs
    wget https://dl.eff.org/certbot-auto
    sudo chmod a+x certbot-auto
    sudo ./certbot-auto certonly --standalone -d <hostname>
    
    Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/<hostname>/fullchain.pem. Your cert
    will expire on..
    
    6. Set up an Nginx reverse proxy to serve your cert.
    sudo apt-get update
    sudo apt-get install nginx -y
    sudo unlink /etc/nginx/sites-enabled/default
    sudo nano /etc/nginx/sites-available/reverse
    

    The "reverse" file is set up something like the following:

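    server {
        listen       80;
        server_name  <hostname>;
        # Redirect plain HTTP to HTTPS. The rewrite needs a regex ("^" matches
        # every request) and sits in its own server block so that requests
        # arriving on 443 are not redirected again in a loop.
        rewrite ^ https://$host$request_uri? permanent;
    }
    
    server {
        listen 443 ssl;
        server_name  <hostname>;
    
        # Certificate and key issued by certbot in the previous step
        ssl_certificate /etc/letsencrypt/live/<hostname>/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/<hostname>/privkey.pem;
        #root /usr/share/nginx/html;
        #index index.html index.htm;
        ssl_stapling on;
        ssl_stapling_verify on;
    
        location / {
                # Plex listens on the local port 32400
                proxy_pass http://127.0.0.1:32400;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }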
    

    Finish the setup

    sudo ln -s /etc/nginx/sites-available/reverse /etc/nginx/sites-enabled/reverse
    sudo nginx -t
    sudo service nginx restart
    

    Hopefully I didn't type anything wrong. If I did at least this is the setup process you will need to go through.
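
Reading the error in the question: in a tls-sni-01 check the CA connects to port 443 and expects a certificate carrying the requested .acme.invalid name; here it received a plex.direct certificate, so Plex answered that connection rather than certbot's standalone listener. The following is an added example (not part of the original post) that parses that message and classifies who answered; the result labels and the comma-separated name list are assumptions.

```python
import re

# Shape of the tls-sni-01 failure text quoted in the question.
FAILURE_RE = re.compile(
    r"(?P<domain>\S+) \(tls-sni-01\): (?P<urn>\S+) :: .*?"
    r"Requested (?P<requested>\S+) from (?P<addr>[^\s:]+):(?P<port>\d+)\. "
    r"Received certificate containing '(?P<received>[^']*)'"
)

# The question's error text (the page's placeholder domain and address).
SAMPLE = (
    "Failed authorization procedure. example.com (tls-sni-01): "
    "urn:acme:error:unauthorized :: The client lacks sufficient authorization :: "
    "Incorrect validation certificate for TLS-SNI-01 challenge. Requested "
    "e1b6ab6aa7251a908a0f2fc1dd6a3597.beae34c6504c7db8412d92c3f1885e08.acme.invalid "
    "from 1.2.3.4:443. Received certificate containing "
    "'*.0beedbf17c2042c089ef5e20952e62c8.plex.direct'"
)

def parse_failure(text):
    """Return the fields of the failure message, or None if it does not match."""
    m = FAILURE_RE.search(text)
    if m is None:
        return None
    info = m.groupdict()
    info["port"] = int(info["port"])
    # Assumption: several certificate names would arrive comma separated.
    info["received"] = [n.strip() for n in info["received"].split(",") if n.strip()]
    return info

def name_matches(pattern, host):
    """Certificate name match; '*' stands for exactly one left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def diagnose(text):
    """Say which kind of listener answered the CA's validation connection."""
    info = parse_failure(text)
    if info is None:
        return "unparsed"
    if any(name_matches(n, info["requested"]) for n in info["received"]):
        return "challenge-cert-served"
    if any(n.lower().endswith(".plex.direct") for n in info["received"]):
        return "plex-answered-port-%d" % info["port"]
    return "other-service-answered-port-%d" % info["port"]

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```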