Cannot connect securely outside my local network

Server Version#: 1.40.3.8555
Player Version#: 4.132.3
Hello,

So I’ve been having this issue for a couple of weeks now.
I can’t seem to be able to connect to PMS from outside my local network.
I can connect to it only from the Android App if the secure connection is set to Never.
Any attempt to connect to it using secure connection is not working.
Accessing the server using plex.tv has the same result. Nothing works outside the local network.
The remote access is set up and green. The port forwarding is set up. Everything is set up as it was before. Nothing has changed except that I’ve updated PMS to the latest version available for Synology.
I’ve looked around the Internet, and this appears to be a hot topic in the last years (the latest I could find is from 2015). All of them seem to have had some sort of resolution: certificate renewal (not sure how to do that to be honest), remote access not being set up, port forwarding not being set up and the latest that I found from 2 years ago, it simply just fixed itself.
I am having this issue for some time now and it does not appear to fix itself. Any idea on what I can do to make it work again?
Thank you

What is the output if you access https://plex.tv/api/resources?X-Plex-Token=<x-plex-token> where <x-plex-token> is found following the steps in https://support.plex.tv/articles/204059436-finding-an-authentication-token-x-plex-token/?

Note, if posting results here, make sure to obscure the accessToken field otherwise anyone can use it to access your Plex server.

It should list both your local and public addresses for your PMS. Note the connection protocol will say http rather than https even if it is set to required. Does the public address correspond to what you see if you go to https://www.whatismyip.com/ from within your local network?

Also, do you have Strict TLS configuration set in your PMS network settings (see https://support.plex.tv/articles/200430283-network/)? This is normally left unselected.

When you connect securely over your local network, what are the certificate subject alternative names that your PMS shows in your browser when you check the SSL certificate? They should be plex.tv and *.plex.tv

Thank you for your reply!
Both local and public IPs are listed in the XML. They are both correct.

Strict TLS makes no difference. I had it turned on, but the same behavior is present when I turn it off.

The certificate does contain both plex.tv and *.plex.tv.

I also have pi-hole on the network, but changing the DNS to Google or any other public DNS server makes no difference.

Sorry, I misled in relation to the certificate subject names. plex.tv and *.plex.tv is what you get when you access via https://app.plex.tv.

If you access your Plex server directly through its IP address, the certificate should be *.xxxx.plex.direct where xxxx is a 32 character hexadecimal string. The certificate should be issued by Let’s Encrypt.

Make sure that you’re actually logged into the Plex server as it will redirect you to app.plex.tv initially to sign in (i.e. go to https://192.168.x.x:32400, log in, and check the certificate name).

If things are working correctly, you should be able to browse to the following without any certificate errors appearing:

  • https://192-168-x-x.xxxx.plex.direct:32400 from your local network to access PMS.
  • https://79-11-x-x.xxxx.plex.direct:32400 from an external network to access PMS.

Replace 192-168-x-x and 79-11-x-x in the above with your local and public IP addresses respectively.

Given you set https to not required, you should also be able to browse to http://79-11-x-x.xxxx.plex.direct:32400 from an external network to access PMS.
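The checks described in the post above can be scripted. This is an added example, not part of the original thread and not Plex's own code: it parses a plex.direct name, compares the address embedded in it with what DNS returned, and tests whether any certificate SAN covers the name. The function names, the IPv4-only pattern and the sample host are assumptions made for illustration.

```python
import ipaddress
import re
import socket
import ssl

# Dashed IPv4 label, then the 32-character hex label described in the post.
PLEX_DIRECT = re.compile(
    r"^(\d{1,3}(?:-\d{1,3}){3})\.([0-9a-f]{32})\.plex\.direct$", re.IGNORECASE)

def parse_plex_direct(hostname):
    """Return (embedded_ip, hex_label); raise ValueError if malformed."""
    m = PLEX_DIRECT.match(hostname.rstrip("."))
    if not m:
        raise ValueError(f"not a plex.direct hostname: {hostname!r}")
    ip = ipaddress.ip_address(m.group(1).replace("-", "."))  # rejects 999 etc.
    return ip, m.group(2).lower()

def san_matches(san, hostname):
    """Compare one SAN with a hostname; a leading '*' covers exactly one label."""
    s = san.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(s) != len(h):
        return False
    return s[1:] == h[1:] and s[0] in ("*", h[0])

def diagnose(hostname, resolved_ips, cert_sans):
    """Return a list of inconsistencies; an empty list means all checks pass."""
    ip, _ = parse_plex_direct(hostname)
    problems = []
    if str(ip) not in resolved_ips:
        problems.append(f"DNS gave {sorted(resolved_ips)}, name embeds {ip}")
    if not any(san_matches(s, hostname) for s in cert_sans):
        problems.append(f"no SAN in {list(cert_sans)} covers {hostname}")
    return problems

def collect_live(hostname, port=32400, timeout=5):
    """Resolve the name and read DNS SANs from the certificate on the port."""
    ips = {ai[4][0] for ai in socket.getaddrinfo(hostname, port, socket.AF_INET)}
    ctx = ssl.create_default_context()  # verification stays on
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            sans = [v for k, v in tls.getpeercert()["subjectAltName"] if k == "DNS"]
    return ips, sans

# Constructed sample values (documentation address, made-up hex label).
HOST = "203-0-113-10.0123456789abcdef0123456789abcdef.plex.direct"
```

Against a real server, `diagnose(name, *collect_live(name))` runs the same comparison on live DNS and certificate data; a connection failure or certificate error raised by `collect_live` is itself a finding.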

Hello,

The certificate is just like you said.

I can access the server from the internal network using https://192-168-x-x.xxxx.plex.direct:32400 just fine. No certificate errors.

From an external network, https://79-11-x-x.xxxx.plex.direct:32400 tells me that the site cannot be reached.
If I go directly to https://79.11x.x.x:32400, unsecure, it goes right through and I can access PMS.

What happens if you use a DNS lookup to resolve 79-11x-x-x.xxxx.plex.direct? It should give your corresponding external IP.

It does.

Do you mean if you go directly to http://79.11x.x.x:32400, which is unsecured, it works, but if you go to https://79.11x.x.x:32400, which is secured, then it doesn’t?

No, I mean that it works regardless if I go to http or https, just that the https one gives me certificate errors telling me that the connection is not secure. You know, the whole Advanced -> proceed to site anyway (accept the risk and continue).
Funny thing is that the https one tells me that *.xxxxx.plex.direct certificate is there, but going to the whole https://79-11x.xx.xx.xxxxxx.plex.direct just doesn’t work.

That’s really strange that it doesn’t work seeing as you can get https://79-11x.xx.xx.xxxxxx.plex.direct to resolve to the correct IP when doing a DNS check remotely. It should at the minimum connect to your Plex server and then throw up a certificate error when connecting via https://79-11x.xx.xx.xxxxxx.plex.direct.

Does just unsecured http://79-11x.xx.xx.xxxxxx.plex.direct work?

What is in your server logs? Are you seeing any connection attempts at all?

You could try requesting a certificate reset.

The server logs do not say anything.
It makes sense since the server is not even reachable using 79-11x.xx.xx.xxxxxx.plex.direct, http or https.

Not sure exactly how to request the certificate reset. Do I just @ one of the Plex team members? :slight_smile:

@m0nt1

I can do the cert reset for you.

Looking at your account, I see where your machine got a certificate 13-June and again on 14-Jun.

I would like to request:

  1. Stop Plex.
  2. Start Plex
  3. Allow to run for 3 minutes (do nothing. Let it sit idle)
  4. Stop Plex
  5. Open FileStation
  6. Navigate to PlexMediaServer/AppData/Plex Media Server
  7. Right-click “Logs” → Compress to Logs.zip
  8. Download the ZIP file
  9. Upload / attach it here with your next reply.

I will look at it and see what’s happening.

Hello @ChuckPa ,

I’ve attached the logs.

Logs.zip (1.6 MB)

You turned off debug. I can’t see what I need to see (the communications).

Please turn DEBUG logging back on… SAVE the change.

Then repeat the process above.

Thanks.

Sorry about that. I thought it’s still enabled.
Logs.zip (698.7 KB)

Thank you

Anything?

Hello @ChuckPa ,
Are there any updates on this? Did you find anything in the logs?

Soooo…nothing and no updates on this?

I’m sorry. I’ve been swamped and health has not been kind.

I’ll walk through your logs and report as I go.

  1. Don’t put two adapters on the same subnet unless you create a bonded adapter (which gives 2x the performance but has 1 IP).
    – two IPs confuses everything. Traffic for one ends up at the other and goes nowhere good.
Jun 28, 2024 10:06:31.799 [139643865004688] DEBUG - Detected primary interface: 192.168.1.117
Jun 28, 2024 10:06:31.799 [139643865004688] DEBUG - Network interfaces:
Jun 28, 2024 10:06:31.799 [139643865004688] DEBUG -  * 1 lo (127.0.0.1) (00-00-00-00-00-00) (loopback: 1)
Jun 28, 2024 10:06:31.799 [139643865004688] DEBUG -  * 3 eth0 (192.168.1.117) (90-09-D0-2F-5B-F7) (loopback: 0)
Jun 28, 2024 10:06:31.799 [139643865004688] DEBUG -  * 4 eth1 (192.168.1.227) (90-09-D0-2F-5B-F8) (loopback: 0)

In the Syno Control panel, you can make a Bonded adapter, and select both.

It will let you select a balanced mode. This is what you want because no special switch or router required.

  2. Other things look OK except remote clients (folks who shared with you) aren’t responding. (192.168.10.9 on their network)
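The interface check from the post above can be run over the "Network interfaces" DEBUG lines of a PMS log. This is an added example, not part of the original thread and not Plex's own code. The log does not show a netmask, so the /24 prefix is an assumption, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Matches lines such as: "* 3 eth0 (192.168.1.117) (90-09-...) (loopback: 0)"
IFACE = re.compile(
    r"\*\s+\d+\s+(?P<name>\S+)\s+\((?P<ip>[\d.]+)\)\s+\([0-9A-Fa-f-]+\)"
    r"\s+\(loopback:\s*(?P<lo>[01])\)"
)

# The log lines quoted in the post above.
SAMPLE_LOG = """\
Jun 28, 2024 10:06:31.799 [139643865004688] DEBUG - Detected primary interface: 192.168.1.117
Jun 28, 2024 10:06:31.799 [139643865004688] DEBUG - Network interfaces:
Jun 28, 2024 10:06:31.799 [139643865004688] DEBUG -  * 1 lo (127.0.0.1) (00-00-00-00-00-00) (loopback: 1)
Jun 28, 2024 10:06:31.799 [139643865004688] DEBUG -  * 3 eth0 (192.168.1.117) (90-09-D0-2F-5B-F7) (loopback: 0)
Jun 28, 2024 10:06:31.799 [139643865004688] DEBUG -  * 4 eth1 (192.168.1.227) (90-09-D0-2F-5B-F8) (loopback: 0)
"""

def interfaces(log_text):
    """Return (name, address) for every non-loopback interface in the log."""
    found = []
    for line in log_text.splitlines():
        m = IFACE.search(line)
        if m and m["lo"] == "0":
            found.append((m["name"], ipaddress.ip_address(m["ip"])))
    return found

def shared_subnets(log_text, prefix_len=24):
    """Map each subnet to its interfaces, keeping subnets with more than one.

    prefix_len is an assumption: the log lines carry no netmask.
    """
    by_net = defaultdict(list)
    for name, ip in interfaces(log_text):
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        by_net[str(net)].append(name)
    return {net: names for net, names in by_net.items() if len(names) > 1}
```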
