hydra3333
Posts: 127
Joined: Thu Jan 10, 2013 11:48 pm

Notes while installing Plex Media Server on a Pi4-4Gb/Buster

Mon Dec 02, 2019 1:23 am

Notes while installing Plex Media Server on a Pi4-4Gb/Buster

It worked. It appears to be cool. But it is certainly not for everyone.

Main Issues arising:

1. When a video is initially cast to a Chromecast device, the Plex client on
   the Chromecast device yields "something went wrong" and it stays that way.
   When a Netflix video is cast to that device, then the very same Plex video
   is re-cast again using the same Plex mechanism, it works. Go figure.

2. The web client interface "pause" button doesn't seem to work when casting.
   It flickers and does nothing.

3. HTTPS into the plex device always yields the error for the web page "not secure".
   Clicking on it to see the error, the message is that the device cannot be verified
   as the certificate is invalid for that device.
   It falls back to non-secure which is very much not ideal.

4. Attempting to use my own self-signed certificate was 100% ignored by PMS.
   It's like the settings weren't entered.
   There's no other way I can see to get PMS to use a self-signed certificate for ssl.

5. And now for the biggie.
   Even though I turned off remote access, the external plex.tv can see ALL of my media/metadata.
   The Pi4 PMS app connects to their server and allows it to communicate back and forth.
   I've never seen a bigger security hole in my life, direct access onto my "secure" LAN.
   It allows Plex to do ANYTHING on my lan including introducing worms, etc.
   The plex company and their staff over time may well be ethical and trustworthy,
   however who knows whether they get hacked from time to time ;)
   It may need the link for me to log in to the Pi4 PMS.
   I can't see a way to turn that external access off.

I ended up TURNING OFF Plex Media Server on the Pi4, permanently.

Code:

# Notes while installing Plex Media Server on Raspbian Buster in a Pi4 4Gb.

# This worked as at 2019.12.01
# Thanks to a few sources including 
# https://support.plex.tv/articles/235974187-enable-repository-updating-for-supported-linux-server-distributions/?_ga=2.38778155.907433054.1573883378-1579941822.1573883378


# Download and format the SD card with Raspbian (Buster?) middle of the road download, not light, not full
# Start the Pi and follow the prompts during the initial Raspbian install :-
# Ensure your settings for locale, language, keyboard are perfect.
# Change server name to something easily recognised eg Pi4PMS01
# Enable SSH 
# Enable VNC
# Set the video RAM to 384Mb
# Remember to ALWAYS set the Pi to boot to GUI, EVEN IF later running it headless (see later).
# Yes against most security recommendations, also check and set the Pi to auto-login.

# Assuming we're starting with the Pi using WiFi rather than Wired :-
# Give the Pi a home LAN-wide fixed IP address on the WiFi, so that no conflicting funny business occurs later.
# Start a terminal, use IFCONFIG to find the current IP address.
ifconfig
# Reserve an IP in the home Router, corresponding to the Pi's WiFi mac address, then reboot the Pi.
# Use IFCONFIG again to check the router recognised the Pi's WiFi mac address and
# that the router gave the Pi a DHCP lease corresponding to the address reservation you made.

# Then, later, remember
# Although we were probably using WiFi to begin with, we SHOULD swap to using Wired LAN connectivity
# so that we get LAN bandwidth/speeds when streaming.
# Hence, disable the Pi's WiFi and connect to the wired LAN 
# ... then we must reserve the new IP at that time, the same as before
# Disable WiFi on the Pi
# Plug in the ethernet cable
# Start a terminal, use IFCONFIG to find the current IP address for the new Wired connection.
# Reserve an IP in the home Router, corresponding to the Pi's ethernet mac address, then reboot the Pi.
# Use IFCONFIG again to check the router recognised the Pi's ethernet mac address and
# that the router gave the Pi a DHCP lease corresponding to the address reservation you made.
ifconfig

# Always double-check some Pi configuration settings, doing "OK" on each config tab.
# enable SSH on the Pi via the gui config on the Pi
# enable VNC on the Pi via the gui config on the Pi
# Set the video RAM to 384Mb

# Now ensure the Pi software and system is up to date
# Start a terminal, do
sudo apt-get update -y
sudo apt-get upgrade -y
# install a remote-printing feature so we can print from the Pi via the Windows 10 PC (see below)
sudo apt-get install cups -y

# Setup a Windows 10 PC so that it can remotely control the Pi if we want to.
# Need this if we choose for the Pi to go headless (no monitor/keyboard/mouse) later.
# On a Windows 10 PC, 
# Grab RealVNC Viewer X64 Portable .EXE from https://www.realvnc.com/en/connect/download/viewer/
# using the drop-down to choose download the correct .EXE
# Choosing the Portable version of RealVNC means we don't need to install anything (hooray!).
# Then we can use the .EXE to remote-connect to the Pi, given we know the Pi's IP address.
# Remember : ALWAYS set the Pi to boot to GUI, EVEN IF later running it headless,
# since RealVNC needs to "attach" the Pi's gui.
# Once the Win10 PC RealVNC is connected to the Pi, we can use the RealVNC menu 
# which nearly invisibly hovers at the top of the RealVNC window to send/receive files !

# Let's install Plex Media Server
# -------------------------------

# 1. Preparation

# We MUST install this transport thing so that PMS installs/works correctly
sudo apt-get install apt-transport-https -y

# We have an external USB3 5Tb hard drive, pre-formatted as NTFS on a Windows 10 PC
# with SECURITY set on the root of that drive so that EVERYONE has FULL control.
# Then with a set of folders created (so they inherit the EVERYONE permissions) and 
# filled with pre-encoded .mp4 media files to be stored and then "cast" to
# Chromecast-Ultra devices attached to TVs.
# Usually .MP4 files containing h.264(avc)/aac or h.265(hevc)/aac works just fine 
#(4K yet to be tested).
# This as a standard should work just fine with other devices. 
# Files of .mp4 containing h.264(avc)/mp3 also works.

# Create a mount point for the USB3 drive, which we'll use in a minute.
# In this case I want to call it mp4library.
sudo mkdir /mnt/mp4library
# Set protections so we can do ANYTHING with it
sudo chmod +777 /mnt/mp4library

# Plug the 5Tb external USB3 drive into the bottom USB3 socket in the Pi4.
# Always use the same USB socket on the Pi.
# Always use a USB3 drive, so that you have sufficient data transfer bandwidth.
# The USB3 drive will auto mount with NTFS, under Raspbian Buster.

# Now we need to find stuff about the disk, so in a Terminal do
df
# then this one
sudo blkid 
# the "blkid" shows stuff a bit like this but not quite :-
#/dev/mmcblk0p1: LABEL_FATBOOT="boot" LABEL="boot" UUID="69D5-9B27" TYPE="vfat" PARTUUID="d9b3f436-01"
#/dev/mmcblk0p2: LABEL="rootfs" UUID="24eaa08b-10f2-49e0-8283-359f7eb1a0b6" TYPE="ext4" PARTUUID="d9b3f436-02"
#/dev/sda2: LABEL="5TB-mp4library" UUID="F8ACDEBBACDE741A" TYPE="ntfs" PTTYPE="atari" PARTLABEL="Basic data partition" PARTUUID="6cc8d3fb-6942-4b4b-a7b1-c31d864accef"
#/dev/mmcblk0: PTUUID="d9b3f436" PTTYPE="dos"
#/dev/sda1: PARTLABEL="Microsoft reserved partition" PARTUUID="62ac9e1a-a82b-4df7-92b9-19ffc689d80b"
# We're interested in the line showing the disk with the label we're interested in,
# in this case /dev/sda2 ... take a note of the UUID.

# Now use nano to edit the file /etc/fstab so that the external USB3 drive is installed the same every time
# (remember, always be consistent and plugin the USB3 drive into the bottom USB3 socket)
sudo nano /etc/fstab
# and add this line at the end of the file, using the right UUID
UUID=F8ACDEBBACDE741A /mnt/mp4library ntfs defaults,auto,users,rw,nofail,umask=000,device-timeout=120 0 0
# then save the file (control O) and then exit nano (control X)

# We must REBOOT the Pi now.

# Check the external USB3 drive mounted where we told it to by doing a df
df
#Filesystem      1K-blocks       Used Available Use% Mounted on
#/dev/root        15058584    4764240   9631364  34% /
#devtmpfs          1711484          0   1711484   0% /dev
#tmpfs             1843580          8   1843572   1% /dev/shm
#tmpfs             1843580       8772   1834808   1% /run
#tmpfs                5120          4      5116   1% /run/lock
#tmpfs             1843580          0   1843580   0% /sys/fs/cgroup
#/dev/mmcblk0p1     258095      53033    205063  21% /boot
#/dev/sda2      4883638268 4868701876  14936392 100% /mnt/mp4library
#tmpfs              368716          4    368712   1% /run/user/1000
# In this case /dev/sda2 mounted to /mnt/mp4library which is what we wanted.

# 2. Install the Plex Media Server software
# Note: Do NOT consider changing the user for the Plex Media Server to pi or root. (Never!)

# Use the proper Plex Media Server repository instead of a third-party method ...

# For kicks, do this to find out the architecture of our Pi4. 
# We don't really need to do this any more though.
dpkg --print-architecture

# Add the proper Plex Media Server key to apt.  Type it EXACTLY or the install will fail.
wget -q https://downloads.plex.tv/plex-keys/PlexSign.key -O - | sudo apt-key add -

# Add the proper Plex Media Server source repository. Type it EXACTLY or the install will fail.
echo "deb https://downloads.plex.tv/repo/deb/ public main" | sudo tee /etc/apt/sources.list.d/plexmediaserver.list

# Do an update to ensure the repository is good.
sudo apt-get update -y
sudo apt-get upgrade  -y

# Now we can install Plex Media Server software 
sudo apt-get install plexmediaserver -y

# Start PMS and enable it to start on boot (ignore any errors on the initial "start")
sudo systemctl start plexmediaserver
sudo systemctl enable plexmediaserver

# Fix groups and permissions to allow the Plex Media Server so that it has no trouble
# with accessing stuff including external drives.
sudo usermod -a -G pi plex
sudo usermod -a -G plugdev plex
sudo chmod 777 /mnt/mp4library

# Don't be tempted to tinker with the Plex Media Server just yet.
# REBOOT the Pi first and let it auto-login and the GUI start.

# Configure the Plex Media Server
# -------------------------------

# No further, until a few notes are jotted.
# 1. In order to log in to my new PMS, I first need to create a Plex Account over at their website plex.tv.
#    A Premium Plex Pass account looks really cool, however I'm currently only testing and a free account works.
#    See https://www.plex.tv/en-au/plex-pass/?langr=1# for comparison of accounts
#         scroll down to "Plex Pass Features" 
#         and click on the "All Plex Features" for the comparison to pop-out.
# 2. A Pi4 has VERY TINY compute resources compared to modern PCs.
#    Hence transcoding on-the-fly to a limited client, although possible, MAY work for one stream.
#    PMS can call it "optimizing" which means pre-creating a transcoded copy if you choose to do that.
#    I did "optimizing" for some .avi files, fast settings and moderate quality, and got circa real-time-fps 
#    encoding (eg 1hr video = 1hr transcoding).
#    So ... Do NOT expect transcoding to work fantastic on a Pi4, particularly for 
#                   multiple concurrent streams or with high quality.
#           Providing PMS with "well pre-encoded" .mp4 files, together with "good" PMS config settings
#                  seems to be the key for it to work with multiple streams.
#           More on pre-encoding later.
# 3. Did I already say a Pi4 has VERY TINY compute resources compared to modern PCs ?
#    It is going to take HOURS for PMS to index and catalogue the several hundred media files we will provide.
#    Think overnight is good.
#    And that's with undoing the config setting to generate thumbnails (it would parse and decode every file).
#    So ... We are going to check PMS config settings and set them so the Pi needs to do the least work.
#           Which means trying to set it to stream an original .mp4 file rather than a transcoded one.
# 4. I don't like security holes.  Especially holes in my firewalls and software in 
#    my supposedly secure zone which is NOT open to the internet.
#    It's bad enough that Plex Media Server phones home for stuff ... 
#       But there's no possible reason on earth for which I would let PMS be open to the Internet.
#       I won't go into stories from security guys about the pounding "open" stuff gets. 
#       It's REALLY BAD even with million dollar security devices in chain at front of the servers.
#       There's no way on this good blue earth that I want to have my software open to the internet. 
#       There's also no possible way that Plex can have their software truly hardened. Banks get done.
#       Fear open-to-the-internet very greatly indeed.  Enough said.
#       So, I will turn off the PMS config setting for open-to-the-internet and 
#       later find a way to limit outgoing router traffic from the PMS/Pi4.
# 5. Casting videos to chromecasts failed for me unless I "required" https connections into the PMS.
#     I also got the error message 
#     "This server could not prove that it is xx.xx.xx.xx; its security certificate is 
#      from *.08894acdee0948428d18e46cf3171a43.plex.direct. This may be caused by a
#      misconfiguration or an attacker intercepting your connection."


#    I could turn on the PMS settings and do it without generating any certificates on the Pi4.
#    However Chrome browser on a Windows PC yielded the "not secure" message :( 
#    which seemed to be the Pi4-PMS using a certificate from Plex which was invalid for the Pi4 :(
#    https://support.plex.tv/articles/200430283-network/
#    


# Create Plex Account over at their website plex.tv
# Use an email address rather than another method (one less attack vector into your personal stuff).
# Perhaps use a "free" account until you have tested it all works.


# The Plex Media Server will be accessible on the Pi4's Chrome browser at https://localhost:32400/web
# Or from a LAN Windows PC at https://xxx.xxx.xxx.xxx:32400/web where xxx.xxx.xxx.xxx is the IP address
# we reserved for the Pi4 earlier (eg https://192.169.0.253:32400/web).
# If we connect to the Pi4 from a Windows 10 PC (eg using Chrome browser), the Pi4 may use
# less resources by not running the Chrome browser itself - it may be a tad quicker.
# So browse to eg https://192.169.0.253:32400/web using the correct IP Address.

# The Plex Media Server will present a web page prompting to login. 
# Give it the new Plex Account's username (email address) and password and login.

# The following are my settings and suffice for my purposes. Not for everyone.

# Near the top right of the web page there is the crossed-spanner/screwdriver for Settings.
# Click on Settings to open the Plex Media Server settings page.
# For me it yielded "Web Client—General" web page.
# Notice the menu on the left of the web page.
# Near the top there is "WEB CLIENT" and General under that. We're there.
# Choose
#    English
#   "Remember selected Tab" (it's handy later)
#   "Allow Fallback to Insecure Connections" as "never"
#   "12 Hour"
#   Untick everything else
# Click "SAVE CHANGES"

# Click on the left menu item "Quality" under "WEB CLIENT" 
# Here we want to configure settings to minimise risk of transcoding-on-the-fly.
# Untick "Automatically adjust quality"
# Choose "Video quality" to be "Maximum" (yes that one)
# Tick "Play smaller videos at original quality"
# Tick "Use recommended settings"
# Tick "Play smaller videos at original quality"
# Click "SAVE CHANGES"

# Click on the left menu item "Debug" under "WEB CLIENT" 
# Choose "Debug level" to be "Disabled" 
# Tick "Direct Play"
# Tick "Direct Stream"
# Click "SAVE CHANGES"

# Click on the left menu item "Player" under "WEB CLIENT" 
# Choose "Multi-Channel Audio Boost" to be "None"
# Choose "Burn Subtitles" to be "Automatic"
# Choose "Cinema Trailers to Play Before Movies" to be "None"
# Untick "Force multi-channel audio support"
# Click "SAVE CHANGES"

# On the left menu, down a bit from "WEB CLIENT", spot "SETTINGS" with stuff under it.
# Click on the left menu item "General" under "SETTINGS" 
# Type in a friendly name for PMS, eg Pi4PMSlan
# Untick "Send crash reports to Plex" unless you want to do that
# Untick "Enable Plex Media Server debug logging" unless you want to do that
# Untick "Enable Plex Media Server verbose logging" unless you want to do that
# Click "SAVE CHANGES"

# Click on the left menu item "General" under "SETTINGS" 
# Give the PMS server a name, perhaps same as the Pi4 hostname.
# Untick "Send crash reports to Plex"
# Click "SAVE CHANGES" 

# Click on the left menu item "Remote Access" under "SETTINGS" 
# Disable "Remote Access", unless you want your home LAN equipment compromised and your banking exposed.
# Click "SAVE CHANGES" 

# Click on the left menu item "Agents" under "SETTINGS" 
# Notice buttons like "Movies" "Shows" etc.  We'll Untick under each one.
# Since I only have home movies, I disable the overhead of PMS 
# accessing to the internet all the time to download metadata and stuff.
# For each "Personal Media" under the top buttons Untick everything which is not greyed-out.
# I also happen to Untick everything else for good measure. Personal preference.
# Click "SAVE CHANGES" 

# Click on the left menu item "Library" under "SETTINGS" 
# Tick "Scan my library automatically"
# Tick "Run a partial scan when changes are detected"
# Untick "Include music libraries in automatic updates"
# Tick "Scan my library periodically" and choose interval "daily"
# Tick "Empty trash automatically after every scan"
# Tick "Allow media deletion"
# Choose "Weeks to consider for On Deck and Continue Watching" to be 12
# Choose "Maximum number of On Deck items which will appear" to be 40
# Tick "Include season premieres in On Deck"
# Tick "Run scanner tasks at a lower priority"
# Choose "Generate video preview thumbnails"  as "never" ... (performance issue for many files?)
# Choose "Generate chapter thumbnails"  as "never" ... (performance issue for many files?)
# Choose "Analyze audio tracks for loudness"  as "never" ... (performance issue for many files?)
# Click "SAVE CHANGES" 

# Click on the left menu item "Plugins" under "SETTINGS" 
# Choose Region as my country
# Untick "Enable iTunes plugin" unless you want to do that
# Untick "Disable capability checking"
# Click "SAVE CHANGES" 

# Click on the left menu item "Network" under "SETTINGS" 
# I Untick "Enable server support for IPv6" unless you want to do that
# Choose "Secure connections" to be "Required"
# Choose "Preferred network interface" to be "Any" so PMS can use WiFi or LAN at my whim
# Tick "Enable local network discovery (GDM)"
# Under "List of IP addresses and networks that are allowed without auth"
# enter comma-separated LAN IP addresses of Windows PCs and tablets etc which you consider secure
# Untick "Webhooks"
# Click "SAVE CHANGES" 

# Click on the left menu item "Transcoder" under "SETTINGS" 
# Choose "Transcoder quality" to be "Prefer higher quality encoding" for when you manually optimize
# Under "Transcoder temporary directory"
#    first, if you need then create a folder on the USB3 drive and set permissions on it to +777
#    then enter its path here, eg for me it's the top level /mnt/mp4library/
# Choose "Transcoder default throttle buffer" to be 120
# Choose "Background transcoding x264 preset" to be "Fast"
# Choose "Maximum simultaneous video transcode" to be 1
# Click "SAVE CHANGES" 

# Click on the left menu item "Languages" under "SETTINGS"
# Choose "Subtitle mode" to be "Manually selected"
# Click "SAVE CHANGES" 

# Click on the left menu item "DLNA" under "SETTINGS"
# Tick "Enable the DLNA server"
# Click "SAVE CHANGES" 

# Click on the left menu item "Scheduled Tasks" under "SETTINGS"
# Choose "Time at which tasks start to run" to be 2am
# Choose "Time at which tasks stop running" to be 8am
# Tick "Backup database every three days"
# Under "Backup directory"
#    first, if you need then create a folder on the USB3 drive and set permissions on it to +777
#    then enter its path here, eg for me it's /mnt/mp4library/plexmediaserver/Databases
# Tick everything else, EXCEPT for
# Untick "Perform extensive media analysis during maintenance"
# Untick "Perform refresh of program guide data" since I have no attached OTA TV capture stick
# Click "SAVE CHANGES" 

# Click on the left menu item "Extras" under "SETTINGS"
# Choose "Choose Cinema Trailers from" to be "All movies"
# Untick everything else
# Click "SAVE CHANGES" 

# Now we are ready to add library folders.
# Near the top left of the web page there is the Home Button.
# Click Home.
# Notice the left menu has "pinned" items and libraries.
# Notice the "MORE>" near the bottom left of the left menu.
# Click on "MORE>"
# Notice the name of the PMS server at the top eg Pi4PMSlan ... 
#    hover over it with the mouse and notice the "+" sign appear.
# Click on that "+" sign (not the 3 vertical dots) to start to add a library.
# To add a Home Videos library
#   click on "Other Videos"
#   enter the name of the library (make it short) and click Next
#   click on "browse for media folder"
#   navigate to the folder on the USB3 hard drive containing the .mp4 files
#      eg /mnt/mp4library/mp4library/BigIdeas
#   then click "Add"
#   note the "Advanced" button and click on that
#   tick "Include in dashboard"
#   untick "Enable Cinema Trailers"
#   untick "Enable video preview thumbnails"
#   scroll down, and set "Collections" to be "Show collections and their items"
#   set "Scanner" to be "Plex Video Files Scanner" to avoid lots of metadata searching
#   set "Agent" to be "Personal Media" to avoid lots of metadata
#   only then, click "Add Library"
# Repeat, to add other libraries (folders including their subfolders)

# Now we are still at "MORE>" web page and have a list of folders in the menu on the left.
# Hover over a library with the mouse and see three vertical dots and "Actions" pop up.
# Click on the three vertical dots and click "Pin" to pin the library to appear on the main page
# Click on the three vertical dots and click "Scan Library Files" 
# Click on the three vertical dots and hover over "Manage Library" click "Analyze" 

# Now wait for a long time, probably overnight, for it to update.
# Watch progress, Click on the "Settings" icon at top right, then "Alerts" on the menu on the left.
# Lots of things will scroll by.

# Later, since I have only home videos, I want to see their properties when selecting them.
# Click on the Home button at top.
# Click on one of the newly pinned libraries.
# Notice buttons at the top, "RECOMMENDED" and "LIBRARY"
# Click on the "LIBRARY" button.  
# On the right of the "LIBRARY" button click on the drop-down hamburger and choose "List View".
# Notice the headings for the list, and the 3 vertical dots as the rightmost heading.
# Click on those 3 vertical dots and ensure only ticked are
#   Title
#   Duration
#   Resolution
#   Bitrate
# If PMS is still cataloging, the values in the list will gradually fill in
# Do this to the other libraries.  
# When you return some other time, it should remember you chose the "LIBRARY" tab and settings.

# End of settings.

# Using the web interface

# To "cast" a video to a Chromecast-Ultra connected to a TV
# Navigate to the library and its list of videos
# Notice at the top right the usual "cast" button (rectangle with radio waves in bottom left)
# Click on the "cast" button and choose the dropdown "cast..."
# If you get an error, try to instead connect to the PMS using HTTPS
# Choose from the list of chromecast devices on the LAN to cast videos onto, 
# and at the bottom of the dropdown choose source "cast tab"
# then click elsewhere on the page to close the cast menu
# so that played videos will get "cast" to the chromecast


# Final NOTES
# -----------

# It works. Sort of.

# Issues:

# 1. When a video is initially cast to a Chromecast device, the Plex client on 
#    the Chromecast device yields "something went wrong" and it stays that way.
#    When a Netflix video is cast to that device, then the very same Plex video 
#    is re-cast again using the same Plex mechanism, it works. Go figure.
# 2. The web client interface "pause" button doesn't seem to work when casting. 
#    It flickers and does nothing.
# 3. HTTPS into the plex device always yields the error for the web page "not secure".
#    Clicking on it to see the error, the message is that the device cannot be verified
#    as the certificate is invalid for that device.  
#    It falls back to non-secure which is very much not ideal. 
# 4. Attempting to use my own self-signed certificate was 100% ignored by PMS (see below)
#    It's like the settings weren't entered.
#    There's no other way I can see to get PMS to use a self-signed certificate.
# 5. And now for the biggie.
#    Even though I turned off remote access, the external plex.tv can see ALL of my media/metadata.
#    The Pi4 PMS app connects to their server and allows it to communicate back and forth.
#    I've never seen a bigger security hole in my life, direct access onto my "secure" LAN.
#    The plex company and their staff over time may well be ethical and trustworthy, 
#    however who knows whether they get hacked from time to time ;)

#    It may need the link for me to login into the Pi4 PMS.
#    I can't see a way to turn that external access off.
#
#    *** I've TURNED OFF Plex Media Server on the Pi4 permanently ***
#

# Attempt to generate and install a self-signed certificate
# ---------------------------------------------------------

#https://hobo.house/2016/11/11/how-to-use-self-signed-ssl-certificates-for-plex-media-server/

cd /home/pi/Desktop
mkdir Plex-Certificates
cd Plex-Certificates
# 2048-bit RSA key (1024-bit RSA is no longer considered adequate)
openssl genrsa -des3 -out plex.key 2048
#enter passphrase=Plex-Certificates
# Create the CSR:
# The only important thing that must match is the Common Name 
# which should be valid FQDN / hostname of your home machine 
# where any external clients will connect.
hostname
hostname --fqdn
hostname --all-ip-addresses

openssl req -new -key plex.key -out plex.csr
#Enter pass phrase for plex.key: Plex-Certificates
#You are about to be asked to enter information that will be incorporated
#into your certificate request.
#What you are about to enter is what is called a Distinguished Name or a DN.
#There are quite a few fields but you can leave some blank
#For some fields there will be a default value,
#If you enter '.', the field will be left blank.
#-----
#Country Name (2 letter code) [AU]:AU
#State or Province Name (full name) [Some-State]:anon
#Locality Name (eg, city) []:Adelaide
#Organization Name (eg, company) [Internet Widgits Pty Ltd]:noname
#Organizational Unit Name (eg, section) []:noname
#Common Name (e.g. server FQDN or YOUR name) []:PiPMS
#Email Address []:[email protected]
#
#Please enter the following 'extra' attributes
#to be sent with your certificate request
#A challenge password []:
#An optional company name []:
#
# Strip Out Passphrase
cp plex.key plex.key.org
openssl rsa -in plex.key.org -out plex.key

# Create the Certificate
openssl x509 -req -days 5475 -in plex.csr -signkey plex.key -out plex.crt

# Create the PKCS12 Certificate
# Plex requires a pkcs12 certificate to be generated, 
# but we’re going to use a python script for that.  
# You first need your ProcessedMachineIdentifier number from your Plex installation, 
# thanks to the Reddit post that cleared this up.
# Obtain your PMI Number
# Obtain the long 30-35 character alphanumeric string after ProcessedMachineIdentifier= in the following file:
sudo cat /var/lib/plexmediaserver/Library/Application\ Support/Plex\ Media\ Server/Preferences.xml
#<?xml version="1.0" encoding="utf-8"?>
#...stuff...
# Thus see the id

# Now you’ll snag the following Python tool, it will create your pkcs12 certificate 
# as well as generate a long hash that you’ll need for Plex as the “private key” 
# (this is confusing as you’d normally think it refers to your actual private key – not so).
wget https://raw.githubusercontent.com/sadsfae/misc-scripts/master/python/pem2plex.py
# which is pem2plex.py :-
#!/usr/bin/python
# original credit to @lokulin
import sys
import hashlib
from OpenSSL.crypto import *
def main():
  if(len(sys.argv) != 4):
    print sys.argv[0] + " /path/to/ssl.crt /path/to/ssl.key ProcessedMachineIdentifier"
    sys.exit(0)
  hash = hashlib.sha512()
  hash.update('plex')
  hash.update(sys.argv[3])
  passphrase = hash.hexdigest()
  with open(sys.argv[1], 'rb') as f:
    c = f.read()
  with open(sys.argv[2], 'rb') as f:
    k = f.read()
  key = load_privatekey(FILETYPE_PEM,k)
  cert = load_certificate(FILETYPE_PEM,c)
  p12 = PKCS12()
  p12.set_certificate(cert)
  p12.set_privatekey(key)
  open("certificate.p12", 'w' ).write( p12.export(passphrase) )
  print passphrase
if __name__ == '__main__':
  main()
  
# The syntax is plex.cert plex.key ProcessedMachineIdentifier
python pem2plex.py plex.crt plex.key that_id

# If all is well you’ll see a long hash as the return, save this as you’ll need this later.  
# It will also generate a certificate.p12 file.  
# The hash is a decryption passphrase for the PKCS #12 file :
# a big long id is shown, copy it

# At this point you should have the following items ready – 
#   certificate.p12 
#   and the long hash (passphrase) above.

# Installing Certificate in Plex, in the Network (Advanced) section of Config settings in the process below.
# and place the above info into the fields 
#   – the full path to the file /home/pi/Desktop/Plex-Certificates/certificate.p12
#   - the really long hash (passphrase) that was generated earlier 
#   - You will also want to put the Common Name you entered during SSL certificate creation here in the custom certificate domain area PiPMSwifi50
#   - and the custom server access URL https://xxx.xxx.xxx.xxx:32400/web
# NOTE: Be sure that the permissions are correct on the certificates, they should be owned by the plex user.  
sudo chmod +777 -R *

# Lastly make sure you enter the full URL for your home server under Custom Server Access URLs. 
# https://xxx.xxx.xxx.xxx:32400/web

# Save your settings and then restart Plex Media Server.  
sudo systemctl restart plexmediaserver

# You can also take a look at the logs to make sure everything is humming along, usually  located in 
# /var/lib/plexmediaserver/Library/Application Support/Plex Media Server/Logs/Plex Media Server.log
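
The certificate error quoted in the notes (server opened by IP address, certificate issued for *.08894acdee0948428d18e46cf3171a43.plex.direct) and the CN-only self-signed certificate both come down to how a TLS client compares the name in the URL with the certificate. The following is an added example, not part of the original post and not Plex code, that reproduces that comparison. Assumptions: Plex's dashed-IP host names under plex.direct (not shown in the post), a constructed LAN address 192.168.0.253, and illustrative function names.

```python
import ipaddress


def is_ip_literal(host):
    """True when the URL host is an IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, host):
    """RFC 6125 style comparison: '*' is honoured only as the complete
    left-most label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def check_server_name(url_host, dns_sans=(), ip_sans=()):
    """Return (accepted, reason) for the host in the URL against the
    certificate's subjectAltName entries, as a current browser does."""
    if not dns_sans and not ip_sans:
        return False, "no subjectAltName; the Common Name is not consulted"
    if is_ip_literal(url_host):
        wanted = ipaddress.ip_address(url_host)
        if any(wanted == ipaddress.ip_address(i) for i in ip_sans):
            return True, "IP address listed in an iPAddress SAN"
        return False, "IP literal in URL; DNS names and wildcards never match an IP"
    for pattern in dns_sans:
        if dns_name_matches(pattern, url_host):
            return True, "matched dNSName " + pattern
    return False, "no dNSName entry matches " + url_host


def plex_direct_host(lan_ip, wildcard):
    """Host name of the form <dashed-ip>.<id>.plex.direct that the wildcard
    certificate covers (IPv4 only in this example)."""
    addr = ipaddress.IPv4Address(lan_ip)
    if not wildcard.startswith("*."):
        raise ValueError("expected a wildcard such as *.<id>.plex.direct")
    return str(addr).replace(".", "-") + wildcard[1:]


# Wildcard name taken from the error message quoted in the post.
PLEX_SAN = "*.08894acdee0948428d18e46cf3171a43.plex.direct"
# Constructed LAN address for the Pi (the post masks its own address).
PI_IP = "192.168.0.253"

if __name__ == "__main__":
    cases = [
        ("by IP, Plex-issued cert", PI_IP, [PLEX_SAN], []),
        ("by plex.direct name", plex_direct_host(PI_IP, PLEX_SAN), [PLEX_SAN], []),
        ("self-signed, CN=PiPMS only", "PiPMS", [], []),
        ("self-signed with IP SAN", PI_IP, ["PiPMS"], [PI_IP]),
    ]
    for label, host, dns, ips in cases:
        ok, why = check_server_name(host, dns, ips)
        print(f"{label}: {host} -> {'OK' if ok else 'REJECT'} ({why})")
```

A matching name is only half of the check: a self-signed certificate must also be trusted by the client before the warning goes away.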

Mrmark52
Posts: 4
Joined: Fri Dec 05, 2014 1:37 pm

Re: Notes while installing Plex Media Server on a Pi4-4Gb/Buster

Thu Dec 05, 2019 11:22 pm

I would really like to see a knowledgeable reply to hydra3333's noted security hole issues. I'm for the most part a newbie who wants to load Plex to my newly purchased Pi4 - but hydra3333's comments scare me, and not only for a Pi but doing so for any SBC box.

Thanks!

hydra3333
Posts: 127
Joined: Thu Jan 10, 2013 11:48 pm

Re: Notes while installing Plex Media Server on a Pi4-4Gb/Buster

Mon Dec 09, 2019 4:25 am

I, too, would value informed comment.
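
One way to check the concern raised in this thread, that PMS holds connections to hosts outside the LAN even with Remote Access disabled: the following added example (not written by any of the posters) lists the peers of the PMS process from `ss -tnp` output and separates LAN peers from everything else. The sample output, the 192.168.0.0/24 LAN range and the function names are constructed for illustration.

```python
import ipaddress
import sys
from typing import NamedTuple

# Constructed `ss -tnp` output; addresses, ports and pids are made up.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.0.253:32400 192.168.0.20:51514 users:(("Plex Media Serv",pid=612,fd=45))
ESTAB 0 0 192.168.0.253:48212 203.0.113.10:443 users:(("Plex Media Serv",pid=612,fd=51))
ESTAB 0 0 192.168.0.253:22 192.168.0.20:50022 users:(("sshd",pid=877,fd=3))
ESTAB 0 0 [::ffff:192.168.0.253]:32400 [::ffff:198.51.100.7]:40110 users:(("Plex Media Serv",pid=612,fd=60))
ESTAB 0 0 127.0.0.1:32400 127.0.0.1:39872 users:(("Plex Media Serv",pid=612,fd=47))
"""


class Peer(NamedTuple):
    direction: str   # "inbound" = a client connected to PMS, "outbound" = PMS dialled out
    peer: object     # ipaddress.IPv4Address or IPv6Address
    peer_port: int
    on_lan: bool


def split_endpoint(text):
    """'addr:port' or '[addr]:port' -> (address, port); IPv4-mapped IPv6 is unwrapped."""
    host, _, port = text.rpartition(":")
    addr = ipaddress.ip_address(host.strip("[]"))
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return addr, int(port)


def plex_peers(ss_output, lan, server_port=32400, process_hint="Plex"):
    """Established TCP connections owned by a process whose name contains
    process_hint, each tagged with direction and whether the peer is local."""
    lan_net = ipaddress.ip_network(lan)
    found = []
    for line in ss_output.splitlines():
        # The process column contains spaces, so split off only five columns.
        fields = line.split(None, 5)
        if len(fields) < 6 or fields[0] != "ESTAB" or process_hint not in fields[5]:
            continue
        try:
            _, local_port = split_endpoint(fields[3])
            peer, peer_port = split_endpoint(fields[4])
        except ValueError:
            continue  # header or a line this example does not understand
        direction = "inbound" if local_port == server_port else "outbound"
        on_lan = peer.is_loopback or peer in lan_net
        found.append(Peer(direction, peer, peer_port, on_lan))
    return found


def off_lan(peers):
    """Only the connections whose other end is outside the LAN."""
    return [p for p in peers if not p.on_lan]


if __name__ == "__main__":
    # Live use: sudo ss -tnp | python3 this_file.py   (falls back to the sample)
    text = SAMPLE_SS if sys.stdin.isatty() else sys.stdin.read()
    for p in off_lan(plex_peers(text, "192.168.0.0/24")):
        print(f"{p.direction:8} {p.peer}:{p.peer_port}")
```

Off-LAN inbound entries mean something outside reached port 32400 directly; off-LAN outbound entries are connections PMS opened itself and are the ones an egress rule on the router would have to cover.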
