CERT: incomplete TLS handshake from 192.168.xx.xx:25738: sslv3 alert certificate expired

Server Version#: 1.25.8.5663
Player Version#: chrome latest

Hello, for several days I have had this error message:

Apr 14, 2022 16:56:59.919 [0x7f7d897e0b38] DEBUG - CERT: incomplete TLS handshake from 192.168.10.254:37467: sslv3 alert certificate expired
Apr 14, 2022 16:56:59.937 [0x7f7d897bdb38] DEBUG - CERT: incomplete TLS handshake from 192.168.10.254:15172: sslv3 alert certificate expired
Apr 14, 2022 16:56:59.976 [0x7f7d897e0b38] DEBUG - CERT: incomplete TLS handshake from 192.168.10.254:24441: sslv3 alert certificate expired
Apr 14, 2022 16:57:00.001 [0x7f7d897bdb38] DEBUG - CERT: incomplete TLS handshake from 192.168.10.254:9094: sslv3 alert certificate expired

My clients can no longer connect. Recently we did a migration and changed servers. The new server IP is: 91.134.17.212
Can you possibly reset the certificates as done previously in my other tickets?
Thank you

@pakito69

I have reset your certificate even though it looked OK.
Please restart the server.

If 192.168.10.254 is a TV / player device then resetting the server certificate will not fix it.

I’m running behind a pfSense firewall.
My pfSense DNS resolver already has this parameter: server: private-domain: “plex.direct”.

Now I have this WARN:

[CERT] TLS connection from 176.140.185.197:35164 came in with unrecognized plex.direct SNI name ‘91-134-17-212.fc8c80255f2e42988fc6864d5d07618b.plex.direct’; using installed plex.direct cert

@pakito69

I also have pfsense. This isn’t pfsense related.

Did you restart the server after I reset your certificate ?

Are you using your own certificate somewhere?

Would it be possible to see the logs ZIP file which captures the startup of PMS (first few minutes) ?

Did you restart the server after I reset your certificate ?

→ Yes

Are you using your own certificate somewhere?

→ No

but I’m using HAProxy on pfSense with a Let’s Encrypt ACME cert.
On my old server, before the migration, I had exactly the same configuration and had no problem.

Here is an archive of the logs:

Plex Media Server Logs_2022-04-14_18-35-46.zip (3.7 MB)

thanks for your time

Thanks for that.

Do you realize you don’t need a proxy with pfSense?

  1. Auto update an external DDNS (like CloudFlare)
  2. Allow you to create an alias of allowed users (by IP or FQDN)
  3. Use that alias in a firewall rule to restrict access to only those found in the Alias list?
  4. Will do the ACME Cert updating for you. You only need that last bit of automation to export the Cert, Key, and CA to put in the P12 to give to PMS.

I suggest this because this is how I setup my server.
[screenshot: 2022-04-14 12-58-26]

HAProxy is a reverse proxy.
I use it in front of web services hosted in VMs on a hypervisor (where the Plex server is located).

I tried to stop HAProxy and the result is the same.

My configuration was working fine before. It should work. Did you find a solution to my problem?
For now, I want to stay in my current configuration.

Thank you for your suggestion, it’s very interesting. I will study it in a test lab very soon.

I agree: Your configuration should work.

The only unknown element to me is the proxy.

Please correct me if I’m wrong, but HAProxy is a load balancer / high-performance proxy and best used with multiple targets. If correct, are you using multiple servers?

I ask this because:

  1. Each server has its own ‘plex.direct’ certificate.
  2. If server “A” is interacting with a player app and then the HAProxy forwards the next client reply to server “B” (which will include the SNI from server “A”), the error being seen makes sense.

No, there is simple port forwarding from pfSense to Plex on the backend on the hypervisor.

Here is a template configuration of my infrastructure.

Concerning HAProxy, I have just deactivated it to rule it out.
The problem doesn’t come from there.
HAProxy is installed on pfSense. It’s simply a load balancer for web servers.
This allows front-end access via a domain name to a backend service such as an Apache server installed on a hypervisor VM (example: https://toto.com → backend VM1 https://192.168.10.57).

[image: example]

A few days ago, we migrated from one server to another datacenter which was totally identical. We followed the migration instructions here:
https://support.plex.tv/articles/201370363-move-an-install-to-another-system/

My VM is running on CentOS 7.
It works, I assure you. It just seems to be a certificate issue.

The logs from a few minutes ago:

Apr 14, 2022 21:11:09.481 [0x7f4c148d4b38] DEBUG - CERT: incomplete TLS handshake from 192.168.10.254:13695: sslv3 alert certificate expired
Apr 14, 2022 21:11:09.497 [0x7f4c148d4b38] WARN - [CERT] TLS connection from 192.168.10.254:42554 came in with unrecognized plex.direct SNI name ‘91-134-17-212.fc8c80255f2e42988fc6864d5d07618b.plex.direct’; using installed plex.direct cert

This might be the root of what’s happening.

What is this device please?

I can see your server’s LAN and WAN IP in plex.tv . This confirms it’s working (as of 3 hours ago)

What is this device please?

It’s my computer.

I can see your server’s LAN and WAN IP in plex.tv . This confirms it’s working (as of 3 hours ago)

it is 9:37 p.m. in France now

192.168.10.20 private
91.134.17.212 public

I keep looking at your drawing.

With Proxmox as the hypervisor, there is very little which we can do.

This is a tough problem which isn’t seen often.
I run 4 PMS servers in ESXi and don’t have this problem.

Given it did work, and knowing what PMS is looking for; which is the networking,
I need to ask if anything in the network settings changed?

Are the hosts setup in Bridge mode, meaning they each have their own LAN IP, or are they NAT addressed and exist as part of the Proxmox host IP address ?

Proxmox is installed on a physical server.
pfSense is the gateway for all VMs on the hypervisor. The pfSense WAN card is connected to a public failover IP.

The LAN card is used by the VMs. I specify once again that this configuration works perfectly.
We have been experimenting with it for 2 years now or more.
This problem occurred after the migration of our hypervisor.

What information do you have on my plexserver please?
Network etc

Yes, since we changed servers and migrated the data, the MAC address of the plexserver VM has changed.
The local ip address 192.168.10.20 has remained the same.
On the other hand, the WAN address and the gateway have changed.

Plex VM:
Before migration:
LAN ip : 192.168.10.20
WAN ip : 62.210.147.77

After migration:
LAN ip : 192.168.10.20
WAN ip : 91.134.17.212


We can clearly see that the default plex certificate and what is sent does not match
So the error message makes sense.

I also still have this one:
Apr 15, 2022 13:42:08.067 [0x7f4c148f7b38] DEBUG - CERT: incomplete TLS handshake from 192.168.10.254:28776: sslv3 alert certificate expired

I have reset your certificate.
I don’t know what else could be happening.

Please restart your server.

Seems to not be working, same error as:
Jun 02, 2022 21:48:01.901 [0x1493a4e47b38] WARN - [CERT] TLS connection from [::ffff:192.168.1.124]:51922 came in with unrecognized plex.direct SNI name ‘192-168-1-195.38922eeefe3a4c8689b67652ca246218.plex.direct’; using installed plex.direct cert

Jun 02, 2022 21:48:01.923 [0x1493a4e6ab38] DEBUG - CERT: incomplete TLS handshake from [::ffff:192.168.1.124]:51919: stream truncated
Thank you

When you see a mismatched SNI

[::ffff:192.168.1.124]:51922 came in with unrecognized plex.direct SNI name ‘192-168-1-195.38922eeefe3a4c8689b67652ca246218.plex.direct’; using installed plex.direct cert

Something wasn’t rebooted.

This is because the SNI (Server Name Identifier) is included in the certificate

If need be, we can force PMS to retrieve the certificate again (manually remove the local copy), but app devices need to be restarted after the server is.
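The replies above (each server has its own plex.direct certificate; a mismatched SNI, which stands for Server Name Indication, means a client is still addressing a server by a name that belongs to another certificate) can be turned into a log check. The script below is an added example and is not from this thread or from Plex's own tooling. It assumes that a plex.direct name has the form `<ip-with-dashes>.<server-hash>.plex.direct`, that the installed certificate covers only its own `<server-hash>` (assumed to be a `*.<server-hash>.plex.direct` wildcard), that the names are IPv4 only, and that real PMS log lines quote the SNI with straight single quotes (the forum rendering above shows curly ones). The sample log lines and the `OWN_HASH` value are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the forum thread or from Plex's own tooling.
# Triage "unrecognized plex.direct SNI name" warnings from Plex Media Server logs.
# A plex.direct hostname has the form <ip-with-dashes>.<server-hash>.plex.direct,
# and each server's installed plex.direct certificate covers only its own
# <server-hash> (assumed here to be a *.<server-hash>.plex.direct wildcard).
# A player that still holds the hostname of the old server, or of another server,
# sends an SNI with a foreign hash; PMS cannot match it and logs the WARN.
# Assumptions: IPv4 plex.direct names only; real PMS logs quote the SNI with
# straight single quotes (the forum rendering shows curly ones).

# parse_plex_direct_sni HOSTNAME -> prints "IP HASH"; returns 1 for other names
parse_plex_direct_sni() {
  sni=$1
  case "$sni" in
    *.*.plex.direct) ;;
    *) return 1 ;;
  esac
  host=${sni%.plex.direct}          # 91-134-17-212.fc8c...
  hash=${host#*.}                   # fc8c...
  dashed_ip=${host%%.*}             # 91-134-17-212
  ip=$(printf '%s' "$dashed_ip" | tr '-' '.')
  printf '%s %s\n' "$ip" "$hash"
}

# stale_sni_hosts LOGFILE OWN_HASH -> one line "<client> <sni-ip> <sni-hash>" per
# WARN whose SNI carries a hash other than OWN_HASH (the installed cert's hash)
stale_sni_hosts() {
  logfile=$1
  own_hash=$2
  grep 'unrecognized plex.direct SNI name' "$logfile" | while IFS= read -r line; do
    client=${line#*"TLS connection from "}
    client=${client%%" came in"*}
    sni=${line#*"SNI name '"}
    sni=${sni%%"'"*}
    parsed=$(parse_plex_direct_sni "$sni") || continue
    sni_ip=${parsed% *}
    sni_hash=${parsed#* }
    if [ "$sni_hash" != "$own_hash" ]; then
      printf '%s %s %s\n' "$client" "$sni_ip" "$sni_hash"
    fi
  done
}

# show_served_cert HOST PORT SNI -> subject, validity dates and SANs of the
# certificate PMS really serves for that SNI (needs network and OpenSSL 1.1.1+;
# not invoked below). Compare the SAN hash with the hashes reported above and
# check the notAfter date against the "certificate expired" alerts.
show_served_cert() {
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -dates -ext subjectAltName
}

# Constructed sample log, modelled on the lines quoted in this thread.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Apr 14, 2022 21:11:09.481 [0x7f4c148d4b38] DEBUG - CERT: incomplete TLS handshake from 192.168.10.254:13695: sslv3 alert certificate expired
Apr 14, 2022 21:11:09.497 [0x7f4c148d4b38] WARN - [CERT] TLS connection from 192.168.10.254:42554 came in with unrecognized plex.direct SNI name '91-134-17-212.fc8c80255f2e42988fc6864d5d07618b.plex.direct'; using installed plex.direct cert
Jun 02, 2022 21:48:01.901 [0x1493a4e47b38] WARN - [CERT] TLS connection from [::ffff:192.168.1.124]:51922 came in with unrecognized plex.direct SNI name '192-168-1-195.38922eeefe3a4c8689b67652ca246218.plex.direct'; using installed plex.direct cert
EOF

# Constructed placeholder for the hash in the installed certificate; take the
# real one from the SAN printed by show_served_cert.
OWN_HASH=0123456789abcdef0123456789abcdef

echo "clients presenting an SNI for a different server (client sni-ip sni-hash):"
stale_sni_hosts "$SAMPLE_LOG" "$OWN_HASH"
```

Run it against the real `Plex Media Server.log` and the hash from the served certificate; every client it lists still needs to be restarted (or re-sign in) after the server has fetched its new certificate, which is the "app devices need to be restarted" point above.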

Hello, how should I proceed to force PMS to retrieve the certificate again?
thank you.

In Linux,

  1. Stop PMS
  2. Open a terminal session
  3. sudo rm "/var/lib/plexmediaserver/Library/Application Support/Plex Media Server/Cache/cert-v2.p12"
  4. Start PMS
  5. Give it a minute to download the server again.

As FYI… RFC 1918 (LAN) addresses are safe to publish openly.
The RFC stipulates, and everyone obeys this, that these addresses are not publicly routable. This means I can safely tell you my server is at 192.168.0.20 and it means nothing without knowing my public IP.
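The five-step procedure in the reply above, as one script. This is an added example, not from this thread or from Plex's own tooling. Compared with the bare `rm` it keeps the old bundle as a timestamped backup and waits for the fresh bundle before telling you to restart the player apps. It assumes the cache path quoted in the thread, a systemd unit named `plexmediaserver` (the name the Linux packages use), and root privileges when invoked with `--run`; the helper functions can be exercised on any directory without touching a live install.

```shell
#!/bin/sh
# Added example, not from the forum thread or from Plex's own tooling: the
# "force PMS to fetch its plex.direct certificate again" procedure as one
# script. Differences from the bare rm: the old bundle is kept as a
# timestamped backup, and the script waits for the fresh bundle before telling
# you to restart the player apps.
# Assumptions: the cache path quoted in the thread, a systemd unit named
# "plexmediaserver" (the name used by the Linux packages), and root privileges
# when run with --run, e.g.   sudo sh reset-plex-cert.sh --run

PLEX_CACHE="/var/lib/plexmediaserver/Library/Application Support/Plex Media Server/Cache"
PLEX_UNIT=plexmediaserver

# reset_plex_cert CACHE_DIR -> moves cert-v2.p12 aside to cert-v2.p12.bak-<stamp>
# and prints the backup path; returns 1 if there is no bundle to reset.
reset_plex_cert() {
  dir=$1
  p12="$dir/cert-v2.p12"
  [ -f "$p12" ] || return 1
  backup="$p12.bak-$(date +%Y%m%d-%H%M%S)"
  mv "$p12" "$backup" || return 1
  printf '%s\n' "$backup"
}

# wait_for_cert CACHE_DIR TIMEOUT_SECONDS -> 0 as soon as a non-empty
# cert-v2.p12 exists again, 1 if it does not appear within the timeout.
wait_for_cert() {
  dir=$1
  limit=$2
  waited=0
  while [ "$waited" -lt "$limit" ]; do
    [ -s "$dir/cert-v2.p12" ] && return 0
    sleep 1
    waited=$((waited + 1))
  done
  return 1
}

# run_reset: steps 1-5 of the procedure against the real install (run as root).
run_reset() {
  systemctl stop "$PLEX_UNIT"
  if backup=$(reset_plex_cert "$PLEX_CACHE"); then
    echo "old bundle kept at: $backup"
  else
    echo "no cert-v2.p12 found in $PLEX_CACHE (nothing to remove)"
  fi
  systemctl start "$PLEX_UNIT"
  if wait_for_cert "$PLEX_CACHE" 120; then
    echo "fresh cert-v2.p12 downloaded; now restart the player apps so they pick up the new name"
  else
    echo "no new cert-v2.p12 after 120 s; check that the server can reach plex.tv" >&2
    return 1
  fi
}

# Touch the live install only when asked explicitly.
if [ "${1:-}" = "--run" ]; then
  run_reset
fi
```

If the new bundle never appears, the server could not reach plex.tv to fetch it; the backup can be moved back to `cert-v2.p12` and PMS restarted to return to the previous state.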