[0xb3dcb780] ERROR - CERT: Found a user-provided certificate, but couldn't install it.

Plex Media Server seems to ignore my certs and defaults to using self-signed certs that don’t work on my domain. Advanced network settings:

Custom certificate location: /srv/http/private/TLS/plex.pfx
Custom certificate encryption key:
Custom certificate domain: mydomain.ca
Custom server access URLs: https://mydomain.ca:32400

The certificate is in a directory with read-only access for the plex user. The certificate is owned by plex:plex and has permissions 700. The encryption key is left empty when converting my certificate to PKCS#12. Any ideas as to what’s going on here?

I believe that needs to be explicitly in *.pkcs12 format for input to PMS. It does what it needs internally after that.

Unfortunately, this does not fix it. Plex still serves its self-signed certs.

It will continue to do so until you activate a Plex Pass.

Reference page https://support.plex.tv/hc/en-us/articles/200430283-Network

In that case, I’d like to make a feature request: add a warning on the settings page. It would save users who try to set it up without reading that article a lot of time.

Hi ChuckPA, sorry for digging out this old thread, but: is this still the case? In the article you linked I see no mention of requiring a Plex Pass to use own certificate to work on own domain, just to use a couple of the features on that page (LAN Networks and Webhooks). It’s just that I’m having the same error and I was wondering if this is the reason or not. Thanks!

@iacchi said:
Hi ChuckPA, sorry for digging out this old thread, but: is this still the case? In the article you linked I see no mention of requiring a Plex Pass to use own certificate to work on own domain, just to use a couple of the features on that page (LAN Networks and Webhooks). It’s just that I’m having the same error and I was wondering if this is the reason or not. Thanks!

What specific errors are you seeing? Can you attach the log files (or whole ZIP) which shows the entire sequence from start → Cert error? Next, are you using a private DDNS or something else?

Hi, ok, I’ll be more specific, if there is a way to actually fix this without the pass. So, to start with, this is my configuration:

Debian 9 server
Plex 1.12.1.4885
Own domain name on the server (my.own.domain, it’s not exactly a ddns, but more or less, let me know if you need more info on this)
Let’s encrypt certificate on the server (I use it for other websites inside the server as well and it works nicely)

Certificate for plex is generated from the let’s encrypt one with the following:
openssl pkcs12 -export -out /path/to/cert.pfx -inkey /etc/letsencrypt/live/me/privkey.pem -in /etc/letsencrypt/live/me/cert.pem -certfile /etc/letsencrypt/live/me/chain.pem -name "my.own.domain" -passout pass:certpassword

Plex configuration:
Remote access enabled
Public port forced to 32400
on the network settings:
certificate location is /path/to/cert.pfx (cert.pfx is readable/writable by plex user, /path/to is not)
key for the cert is certpassword
domain of custom cert is my.own.domain
custom url is https://my.own.domain:32400

port 32400 (TCP) is open on the router of course.

With these settings, if I open https://my.own.domain:32400 in a browser it loads the plex certificate and then of course it gives a security error and doesn’t load the page.

Following a suggestion on the forum I’ve also tried to disable the remote access feature in the general setting tab because it was claimed that it would prevent the plex certificate from loading, to no avail. I’m of course restarting the plex service on the system all the time to test this.

I’ve also tried to setup a reverse proxy entry in nginx to make https://my.own.domain:32400 point to https://my.own.domain/plex but I get an error 401 unauthorised access (let’s not worry about this for the moment, I don’t think it’s relevant)

And this is the relevant log (it seems that it loads plex certificate first, then it fails to load mine):

Apr 01, 2018 22:19:46.944 [0x7ff8f2bfe700] INFO - Plex Media Server v1.12.1.4885-1046ba85f - ubuntu PC x86_64 - build: linux-ubuntu-x86_64 ubuntu - GMT 02:00
Apr 01, 2018 22:19:46.944 [0x7ff8f2bfe700] INFO - Linux version: 4.14.0-0.bpo.3-amd64 (#1 SMP Debian 4.14.13-1~bpo9+1 (2018-01-14)), language: it-IT
Apr 01, 2018 22:19:46.944 [0x7ff8f2bfe700] INFO - Processor Intel® Pentium® CPU J4205 @ 1.50GHz
Apr 01, 2018 22:19:46.944 [0x7ff8f2bfe700] INFO - /usr/lib/plexmediaserver/Plex Media Server
Apr 01, 2018 22:19:46.944 [0x7ff8fec87800] DEBUG - BPQ: [Idle] -> [Starting]
Apr 01, 2018 22:19:46.944 [0x7ff8fec87800] VERBOSE - BPQ: delaying processing 120 second(s)
Apr 01, 2018 22:19:46.946 [0x7ff8fec87800] DEBUG - Opening 20 database sessions to library (com.plexapp.plugins.library), SQLite 3.13.0, threadsafe=1
Apr 01, 2018 22:19:47.066 [0x7ff8fec87800] DEBUG - Running migrations.
Apr 01, 2018 22:19:47.152 [0x7ff8fec87800] DEBUG - ChangestampAllocator: initialized to 96180
Apr 01, 2018 22:19:47.152 [0x7ff8fec87800] DEBUG - Opening 2 database sessions to library (com.plexapp.plugins.library.blobs), SQLite 3.13.0, threadsafe=1
Apr 01, 2018 22:19:47.164 [0x7ff8fec87800] DEBUG - Running migrations.
Apr 01, 2018 22:19:47.167 [0x7ff8fec87800] DEBUG - Relay: read 3 cached entries from hosts file
Apr 01, 2018 22:19:47.186 [0x7ff8fec87800] DEBUG - CERT: Installed certificate with fingerprint 68:ff:1f:8f:21:0f:7b:eb:42:f2:c2:2e:63:cf:bb:21:6e:df:84:0a.
Apr 01, 2018 22:19:47.186 [0x7ff8fec87800] DEBUG - CERT: Installed new private key.
Apr 01, 2018 22:19:47.186 [0x7ff8fec87800] DEBUG - CERT: Subject name is /C=US/ST=California/L=Los Gatos/O=Plex, Inc./CN=*.b311d3daa5074cd583ecf425f78406c1.plex.direct
Apr 01, 2018 22:19:47.186 [0x7ff8fec87800] DEBUG - CERT: Requesting OCSP response from ‘http://ocspx.digicert.com/’ for stapling.
Apr 01, 2018 22:19:47.187 [0x7ff8fec87800] VERBOSE - CERT: Successfully generated OCSP stapling request
Apr 01, 2018 22:19:47.187 [0x7ff8fec87800] DEBUG - CERT: Installed intermediate certificate.
Apr 01, 2018 22:19:47.187 [0x7ff8fec87800] ERROR - CERT: Found a user-provided certificate, but couldn’t install it.
Apr 01, 2018 22:19:47.188 [0x7ff8ef3fd700] DEBUG - HTTP requesting GET http://ocspx.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnVdbEyh8T3xvVlkPGHNCJxnqCPgQUlIuJ90hyifJRStmIe%2BVhtaqc1QECEAOrKiSdbu%2F%2BjAOvpoKJEnE%3D

I do not understand how certs actually work in PMS. That part of networking is my weakest skill.

When I’ve seen that in the past, it was because the certificate format didn’t match up between PMS and the OS (which is what holds the root authority certificates).

Your log fragment looks like it

  1. Put the Plex certificate for your server in.
  2. Found the certificate you provided.
  3. Attempted to add it.
  4. Failed.

PKCS 12 comes to mind but again, I don’t know the significance. Hope this makes sense to you?

Yes it does, although it doesn’t bring me closer to a solution :stuck_out_tongue: Anyway, thank you very much for the effort. I will try to open a new thread with the information I’ve provided you in my previous post to try and make it a bit more visible and see if someone has the answer, if that’s ok with the forum’s rules?

I don’t know how opening a new thread will be of any help. Duplicate threads are frowned on and closed when discovered.
If you’d like me to move this thread, I will be more than happy to.

I think you might need assistance from a proper Linux forum on the internet because this is really outside the scope of Plex.

Ok, I’ll try somewhere else. However, I still think it’s a Plex problem, since it’s Plex that has trouble loading the cert, not other Linux components.

Other folks use their own certs without issue.

What you’re asking of me is how to fix it and since I can’t help, all I can do is direct you elsewhere. It stinks, I know, and I’m sorry but I don’t have anyone I can turn to internally for help.

I truly am sorry.

No need to be sorry, you’ve done the best you could, and I thank you for this :smile:

I had the same error when the certificate was in the home directory, even with proper permissions. It started working when I used the recommended path of /var/lib/plexmediaserver/certificate.pfx.
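
A pre-flight check for the PKCS#12 bundle this thread keeps coming back to, added here as an example; it is not from any poster and not Plex's own code. It tests the points raised above (file and directory permissions, the bundle password, and the certificate's domain). The function name `check_pfx` and its return codes are assumptions of this example.

```bash
#!/bin/sh
# check_pfx FILE PASSWORD DOMAIN  (hypothetical helper, not part of Plex)
# Run it as the service account (for example via sudo -u plex) so the
# permission test reflects what the server process can see.
# Return codes (chosen for this example):
#   0 ok, 1 path or permissions, 2 not PKCS#12 or wrong password,
#   3 no private key in the bundle, 4 certificate does not cover DOMAIN
check_pfx() {
    local pfx="$1" pass="$2" domain="$3" dir cert

    # 1. Readable file; on failure, name each parent directory that
    #    lacks the search (x) bit for the current user.
    if [ ! -f "$pfx" ] || [ ! -r "$pfx" ]; then
        dir=$(dirname "$pfx")
        while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
            [ -x "$dir" ] || echo "no search permission on $dir" >&2
            dir=$(dirname "$dir")
        done
        echo "cannot read $pfx as $(id -un)" >&2
        return 1
    fi

    # 2. Parses as PKCS#12 and the MAC verifies with this password.
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -noout 2>/dev/null \
        || { echo "not PKCS#12, or wrong password" >&2; return 2; }

    # 3. The bundle carries a private key, not only certificates.
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY' \
        || { echo "no private key in bundle" >&2; return 3; }

    # 4. The leaf certificate (the one paired with the key) covers DOMAIN.
    cert=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null)
    printf '%s\n' "$cert" | openssl x509 -noout -checkhost "$domain" 2>/dev/null \
        | grep -q 'does match' \
        || { echo "certificate does not cover $domain" >&2; return 4; }

    echo "ok: $pfx is usable for $domain"
}
```

Running the check as root hides permission problems, because root can read the file regardless of its mode bits.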
