Server Version#: 1.22.2.4282
Player Version#: Android 8.15.2.24006 (same issue with 8.16 beta)
After setting a custom SSL certificate, playback is broken on all Android apps. Web app works fine everywhere. Android app logs in, displays library, but fails when attempting to play a video:
[FFmpeg] [ERROR] [tls @ 0x7079f16190] The certificate's owner does not match hostname <redacted>.plex.direct
I will note that when I first installed the Android app on a new device, it worked for a while (was using my custom domain name for playback), but then after the app restarted, it was back to the same error of using the *.plex.direct domain.
Client logs:
04-17 11:13:38.806 i: Fetching [method:GET] https://podcasts.provider.plex.tv/?includePreferences=1&X-Plex-Token=...EWtD
04-17 11:13:38.855 i: Fetching [method:GET] https://[my-internal-ip]:32400/media/providers?includePreferences=1&X-Plex-Token=...EWtD
04-17 11:13:38.905 i: Fetching [method:GET] https://[redacted].plex.direct:50000/media/providers?includePreferences=1&X-Plex-Token=...EWtD
04-17 11:13:38.906 i: Fetching [method:GET] https://[my-custom-domain]:50000/media/providers?includePreferences=1&X-Plex-Token=...EWtD
04-17 11:13:38.937 i: [MergingHubManager] Notifying listeners with status: LOADING
04-17 11:13:39.064 i: [SourceManagerFetcher:7943] Starting to process sources for provider MediaProviderSourceProvider.
04-17 11:13:39.066 i: [SourceManagerFetcher:7943] Processing 1 sections.
04-17 11:13:39.091 i: [SourceManager] Ignoring source (provider://tv.plex.provider.podcasts/home) because it was pinned.
04-17 11:13:39.092 i: [HomeHubsManager] Discovering. Force: false. Partial: true. Reason: onSourcesChanged
04-17 11:13:39.101 i: [ServerTests] Scheduling job to test Web Shows. Reason: queue (tests manager is idle).
04-17 11:13:39.104 i: Fetching [method:GET] https://webshows.provider.plex.tv/?includePreferences=1&X-Plex-Token=...EWtD
04-17 11:13:39.164 i: [ApplicationInitialisationTask] Finished refreshing resources
04-17 11:13:39.172 i: [ApplicationInitialisationTask] Took 797ms to complete initialisation
04-17 11:13:39.217 i: [SourceManagerFetcher:7943] Starting to process sources for provider MediaProviderSourceProvider.
04-17 11:13:39.218 i: [SourceManagerFetcher:7943] Processing 6 sections.
04-17 11:13:39.242 i: Fetching [method:PUT] http://127.0.0.1:43674/media/providers/provider%3A%2F%2Ftv.plex.provider.podcasts/connection?auth_token=...EWtD&connectionType=remote&url=https%3A%2F%2Fpodcasts.provider.plex.tv
04-17 11:13:39.253 i: [SourceManager] Ignoring source (provider://tv.plex.provider.podcasts/home) because it was pinned.
04-17 11:13:39.255 i: [SourceManager] Ignoring source (server://9b1ebb7d938f17e8c161c922825b26c20e344077/com.plexapp.plugins.library/6) because it is pinned.
04-17 11:13:39.256 i: [SourceManager] Ignoring source (server://9b1ebb7d938f17e8c161c922825b26c20e344077/com.plexapp.plugins.library/7) because it is pinned.
04-17 11:13:39.259 i: [SourceManager] Ignoring source (server://9b1ebb7d938f17e8c161c922825b26c20e344077/com.plexapp.plugins.library/5) because it is pinned.
04-17 11:13:39.261 i: [HttpServer] /127.0.0.1:46385 - PUT /media/providers/provider://tv.plex.provider.podcasts/connection
04-17 11:13:39.263 i: [SourceManager] Ignoring source (server://9b1ebb7d938f17e8c161c922825b26c20e344077/com.plexapp.plugins.library/3) because it is pinned.
04-17 11:13:39.264 i: [SourceManager] Ignoring source (server://9b1ebb7d938f17e8c161c922825b26c20e344077/com.plexapp.plugins.library/playlists) because it was pinned.
04-17 11:13:39.265 i: [HomeHubsManager] Discovering. Force: false. Partial: true. Reason: onSourcesChanged
04-17 11:13:39.294 i: [PlexDevice] diskstation Setting https://[redacted].plex.direct:50000 token: true types: [myplex] state: Reachable as the new active connection.
04-17 11:13:39.299 i: [DynamicHome] Not starting new discovery task because there's an equivalent one in progress.
04-17 11:13:39.308 i: [DynamicHome] Not starting new discovery task because there's an equivalent one in progress.
Why is Plex choosing the *.plex.direct host name over my custom domain?
04-17 11:13:39.294 i: [PlexDevice] diskstation Setting https://[redacted].plex.direct:50000 token: true types: [myplex] state: Reachable as the new active connection.
If I test in a browser, accessing via the *.plex.direct host name results in an SSL error (certificate name mismatch) while accessing via my custom host name works as expected.
It has occurred to me that the SSL error with the *.plex.direct host name is due to the fact that my external port 50000 is being proxied to Plex with my custom domain SSL cert on the outside.
I was originally under the impression that using a custom SSL cert in Plex would mean that the *.plex.direct host name would no longer be used, but it seems that is not the case… Is that a correct assumption that there is no way to completely replace the *.plex.direct host name externally? (obviously the web client doesn’t use it, but the Android app does).
After considering how the Plex client is behaving, I found a simple solution.
When the Android app starts, it tests the various connection methods to see which works. Unfortunately it prioritizes *.plex.direct before the custom domain. Then, even though the SSL certificate is invalid on *.plex.direct (because it’s getting the custom cert from my proxy instead of PMS), it accepts that connection as valid. I think maybe this is a bug in the Android app since we know that streaming will fail with an invalid cert.
So the solution is to make sure that the connection to the *.plex.direct domain fails at the http level. My proxy was configured to allow all connections on my external port regardless of host name, which was a mistake. So after limiting the connections to only my custom domain on the proxy, the *.plex.direct connections fail and the Android app now chooses my custom domain as the active connection method.
And incidentally, the whole reason for needing the proxy in the first place is because of the fact that we can’t override the public IP for external access. So on Synology, Plex will use the IP address of a VPN if connected which again results in an invalid *.plex.direct certificate!
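The fix described in the post above, restricting the proxy so that only the custom host name reaches PMS, as an added HAProxy example (this is not the poster's own configuration). The domain plex.example.com, the certificate path, the placeholder PMS address 192.0.2.10 and the assumption that PMS accepts plain HTTP from the proxy are all assumptions; the external port 50000 is the one from the thread.

```haproxy
defaults
    mode http
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Frontend on the externally forwarded port (50000 in the thread).
# plex.example.com and the certificate path are placeholders.
frontend plex_external
    bind :50000 ssl crt /etc/haproxy/certs/plex.example.com.pem

    # WEAK (the original setup): every request is forwarded regardless of the
    # host name the client used. A client arriving via <id>.plex.direct is
    # handed the custom-domain certificate, so its TLS hostname check fails at
    # play time, yet the app still records the connection as reachable.
    #default_backend pms

    # CORRECTED: only requests whose Host header is the custom domain reach
    # PMS. "dom" matching treats ':' as a delimiter, so "plex.example.com" and
    # "plex.example.com:50000" both match while "<id>.plex.direct" does not.
    # Everything else is denied at the HTTP level (403), so the Android app's
    # reachability test for the *.plex.direct connection fails and the custom
    # domain is selected as the active connection instead.
    acl host_is_custom hdr_dom(host) -i plex.example.com
    http-request deny unless host_is_custom
    default_backend pms

backend pms
    # PMS on the LAN, plain HTTP on its default port (assumption; adjust if
    # PMS is configured to require TLS from the proxy).
    server pms 192.0.2.10:32400 check
```

To confirm the change took effect, request the proxy from outside the network once with the custom domain and once with the *.plex.direct name (e.g. with curl, using -k for the second so the name mismatch does not abort the request): the first should return a normal PMS response, the second a 403 from the proxy. The same effect is what a Kubernetes ingress host rule gives when it matches a single host name.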
That’s a good point… I’ve always had Remote Access enabled. I’m not sure what the security implications would be with it disabled since Plex is handling authentication and not the proxy. I’m also not sure if Plex would even register my custom domain for external clients with it disabled?
At this point, now that everything is working, I have no appetite to mess with it any further… but that’s definitely something to keep in mind for next time it breaks.
I’m 99.9% sure that Remote Access doesn’t change anything related to authentication.
I’m 99% sure that Remote Access does these things -
Enable UPnP/NAT-PMP
(Whether using default or custom ports)
Perform Internet address detection
Perform reachability detection
Register the detected Internet address w/ the Plex Cloud
So if you don’t want Plex doing those things (perhaps because you have a reverse proxy) I think you want Remote Access disabled.
I also think that allowing only “expected” requests through your proxy is a good configuration. That should probably always be done! Good advice, and thanks for sharing.
I ALSO understand not breaking something that’s working fine.
I’m having this exact problem. Couldn’t figure it out for the life of me until I narrowed it down to removing the custom SSL certificate and custom domain from my server settings. Then everything in my Android phone started working again from outside the network.
Then I came across your thread and it makes sense.
My router doesn’t have the ability to only allow port forwarding based on the domain used so I just left the custom domain settings blank and access using the app.plex.tv site instead.
BTW, I did test things. With remote access DISABLED and my port forwarded manually, custom SSL certificate enabled and custom domain filled in, things still do NOT work from outside of the network.
I looked at the generated XML and the *.plex.direct utilized ends up being the internal private IP address (192.168.0.3 for me) which is obviously not routable outside.
So it would seem Volts is correct. One of the functions of having remote access enabled is indeed to detect the public Internet IP address.
This begs another question now though of why the Android app is attempting to use the 192.168.0.3 address when it’s not reachable. My custom domain was definitely listed in the XML and I can obviously connect properly to the server.
Seems like some sort of BUG to me.
This appears to be at odds with the findings from your solution though. I’m going to double check my tests again.
I think an easy fix from the server side is to have an option under network settings to just completely disable the *.plex.direct function, for those of us who know what we’re doing with port forwarding and custom domains and certs.
I am confused, could you elaborate on this?
Edit: oh jeez, after rereading, I think I get what you mean:
do you mean for it to work you need a Client Proxy that filters all http connections to only allow your domain? ARGH
I’m seeing this same issue. I’m running plex within Kubernetes, and I have an ingress controller (nginx) providing a custom domain name (pms..com). I have the plex docker container set with “advertise=https://pms..com” and I’m seeing this ssl error in the logs as well (certificate does not match host name).
How did you end up blocking plex.direct in your haproxy configs? The kubernetes ingress controller is set to only match the hostname pms.x.com, so it should work as your haproxy does. Perhaps I need to remove the advertise address from the docker config?