It is a breaking change if the certificate was created on macOS. Doesn’t matter the version. See the certificates I sent you.
I am not talking about the file extension. That’s irrelevant.
A computer running the most recent version of a supported OS, building a certificate that’s good for less than a year, would need to rebuild their certificate if they generated it more than two days ago, or they didn’t find this thread.
How is that not a breaking change?
Confirmed working on my Synology DS420+. I have a task there converting the auto created Let’s Encrypt cert from PEM to P12 format for Plex and throw it into a path it can use. Sadly Synology DSM 7.1 uses “OpenSSL 1.1.1o 3 May 2022” and the defaults I used here are quite outdated because of that. Your “-certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256” saved the day though! THANKS!
Looks that way now btw:
openssl pkcs12 -export -out /volume1/music/cert.pfx -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 -inkey /usr/syno/etc/certificate/system/default/RSA-privkey.pem -in /usr/syno/etc/certificate/system/default/RSA-fullchain.pem -passout pass:
Regarding breaking change or not… Tell your engineering buddies that they should add a line in the stable changelog unless they love to make the admins' life here hell on earth. NAS Systems use OpenSSL v1, Ubuntu LTS does so too as you said. Even way more do so either. If they want to cause a mess in here with the next stable… of course just keep things silent as they always do. ^^ That’s the reason why engineering should do what they are here for and PR ppl should do the rest. Every and any havoc in the community in the past was the fault of bad or ZERO information to the users. I thought that they learned out of their mistakes, but it seems like some ppl need to burn their fingers 289426 times before they start to learn.
Generated a new certificate and converted to .p12 using the instructions above, everything is working again.
Thanks.
Good
There’s a case where, even with a modern and current distribution, you don’t get good encryption unless you call for it.
I’m experiencing this issue with PFX created and exported by LetsEncrypt certificate manager on Windows Server 2022. So generated on a modern, supported and updated OS, trying to be imported on an older OS, yes, but openssl on that OS handled it just fine until the breaking change implemented by Plex.
Did you try adding the extra arguments to the command line you are running?
-certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256
I also have a Synology DSM7.1 with an auto Let’s Encrypt script, and I can confirm as well that adding the noted details above fixed the issue for me as well. Thank you @ChuckPa for the quick resolution and others for confirming.
This, please! I ran into this problem as well and went directly to the changelogs.
Significant changes should be… logged in the changelog.
It works! Thanks.
But pleaaaaaseeee TEST releases BEFORE deploying LIVE
Test and learn is good but it has its limits…
We are customers, not testers
Thanks anyway for the support and the quick answer!
It came around from the Beta channel release, so yes we are testers
Just unfortunate it went into production (from what I can see) without anything in the release notes.
Not being in the release notes was the clerical error.
Sorry about that
I can confirm that adding the “-certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256” options to my PFX generation command worked. I now have my custom *.mydomain.com certificate working with Plex.
Thanx
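
An added example, not part of any post in this thread and not Plex's or Synology's code: a shell check that reads the text printed by `openssl pkcs12 -info -noout` and reports which of the three flags quoted above (`-certpbe`, `-keypbe`, `-macalg`) a PKCS#12 file was exported without. The function names and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Reads the text of `openssl pkcs12 -info -noout` on stdin and prints
# "modern" or "legacy: <flags missing at export time>".

# Succeeds only if stdin has at least one line and every line names $1.
all_use() {
    awk -v want="$1" '{ n++; if (index(toupper($0), toupper(want)) == 0) bad = 1 }
                      END { if (n == 0 || bad) exit 1; exit 0 }'
}

classify_p12_info() {
    info=$(cat)
    reasons=""
    # Certificates sit in "PKCS7 Encrypted data" bags, private keys in "Shrouded Keybag".
    printf '%s\n' "$info" | grep 'PKCS7 Encrypted data' | all_use AES-256-CBC || reasons="$reasons -certpbe"
    printf '%s\n' "$info" | grep 'Shrouded Keybag' | all_use AES-256-CBC || reasons="$reasons -keypbe"
    # A missing "MAC:" line (very old openssl output) is reported as well.
    printf '%s\n' "$info" | grep '^MAC:' | all_use sha256 || reasons="$reasons -macalg"
    if [ -z "$reasons" ]; then echo "modern"; else echo "legacy:$reasons"; fi
}

# Hypothetical wrapper: $1 = .p12/.pfx path, $2 = export password (may be empty).
# openssl writes the -info text to stderr, hence 2>&1.
check_p12() {
    openssl pkcs12 -info -noout -in "$1" -passin "pass:$2" 2>&1 | classify_p12_info
}

# Constructed sample: a file exported with the three flags from the thread.
sample_modern() { cat <<'EOF'
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
EOF
}

# Constructed sample: a file exported with OpenSSL 1.1.1 defaults.
sample_legacy() { cat <<'EOF'
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
EOF
}

if [ $# -ge 1 ]; then check_p12 "$1" "${2:-}"; fi
```

Run it with the file path and export password as arguments; a result other than `modern` names the flags to add to the `openssl pkcs12 -export` command before re-exporting.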