Custom certificate not loaded

Plex Media Server NAS & Devices
1

Server Version#:1.41.8
Player Version#:
<If providing server logs please do NOT turn on verbose logging, only debug logging should be enabled>

QNAP QTS 5.2.5.3162

Jul 08, 2025 03:00:53.082 [139859573508752] DEBUG - MyPlex: using cached data for request for https://plex.tv/api/v2/server/users/features
Jul 08, 2025 03:00:53.121 [139859573508752] DEBUG - [CERT] Subject name is /CN=.9ce48d2d227dac.plex.direct
Jul 08, 2025 03:00:53.121 [139859573508752] DEBUG - [CERT] Installed certificate with fingerprint 0b:aa:60:e9:55.
Jul 08, 2025 03:00:53.121 [139859573508752] DEBUG - [CERT/OCSP] no URL available
Jul 08, 2025 03:00:53.121 [139859573508752] WARN - [CERT/OCSP] getCertInfo failed; skipping stapling
Jul 08, 2025 03:00:53.126 [139859573508752] DEBUG - [CERT] Loaded a user-provided certificate for /CN=.man.de.
Jul 08, 2025 03:00:53.126 [139859573508752] WARN - [CERT/OCSP] Missing cert or issuer; skipping stapling
Jul 08, 2025 03:00:53.126 [139859573508752] DEBUG - HttpServer: Listening on IPv6 as well as IPv4.

I am trying to install my custom certificate.
I have tried various ways and lost a night, but no resolution. Anyone knows what is the issue?

Screenshot 2025-07-08 031048
Screenshot 2025-07-08 031048717×595 34.7 KB

2

PMS must also have the CA’s cert included in the P12 in order to accept it.

Self-signed certificates are not accepted.

3

Thank you for your reply.
How would I do that in PMS? Or do I have it done in QTS Ubuntu?

4

You create the P12 externally to PMS first.

My cert is from Let’s Encrypt, managed by Pfsense and the ACME management software in PfSense

openssl pkcs12 -export -out my-domain.p12 -inkey my-domain-production.key -in my-domain-production.crt \
        -certfile Acme-LE.crt \
        -password pass:password

I put the p12 where PMS can read it

Let's Encrypt-provided ECC certificate rejected/ignored
5

Thank you. It worked by adding CA certificate into the mix.

6

@ChuckPa I use the acme.sh script with letsencrypt. I get an “intermediate CA cert” and a “full chain cert” file. Which one should I use with the certfile option in openssl?

This is the error I am getting:

Aug 06, 2025 21:05:01.114 [140572162636432] DEBUG - [CERT] Subject name is /CN=*.stuff.plex.direct
Aug 06, 2025 21:05:01.114 [140572162636432] DEBUG - [CERT] Installed certificate with fingerprint ##:##
Aug 06, 2025 21:05:01.114 [140572162636432] DEBUG - [CERT/OCSP] no URL available
Aug 06, 2025 21:05:01.114 [140572162636432] WARN - [CERT/OCSP] getCertInfo failed; skipping stapling
Aug 06, 2025 21:05:01.114 [140572162636432] ERROR - [CERT] Found a user-provided certificate, but couldn't install it.

When I create the certificate using the acme.sh script, when I specify the domain, I use -d *.mydomain.com because I want not only plex.mydomain.com but anything.mydomain.com. So in the Settings->Network, what should I use for the “Custom certificate domain”?

7

@folofjc

When you get an ACME cert, it’s based on the CA from the provider.

That CA is all you need with your CRT and KEY.

“Full Chain” stuff ie messy.

Also … DO NOT supersede plex.direct. You will break it.
plex.direct is an INTERNAL domain, tied to your Plex-issued cert, which expires every 30 days, and is used by PMS and players for DDNS resolution

8

Okay, I tried that and it didn’t work. Should I upload my logs?

About the plex direct stuff, I edited the log. I wasn’t sure if that and the fingerprint are supposed to be private, so I just obscured the log when I posted it here. I did not mess with the plex.direct stuff in reality.

9

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.