Custom Domain Certificate Not Used

Server Version#: 1.32.6.7557-7000
Player Version#: N/A
<If providing server logs please do NOT turn on verbose logging, only debug logging should be enabled>

Team, I’m unable to resolve an issue with using my custom domain certificate. Instead, it is using a *.plex.direct certificate.

After reviewing the community forums, I found a suggestion to disable remote access. I did have remote access enabled, and this could explain why my custom domain wasn’t getting used. However, after disabling remote access I’m still seeing the *.plex.direct certificate.

Any suggestions on resolving this will be greatly appreciated. I already verified that the .pkcs12 file, password, custom domain, and custom URL configurations are correct.

Basic questions:

  1. Is this a self-signed certificate? (If so, it will never work.)
  2. In the P12 file, are the key, CRT, and CA's CRT included?
    – The CA's CRT used to create the custom CRT is needed (certification chain).

1: Certificate is a domain cert signed by LetsEncrypt.
2: I received the domain certificate, intermediate signing certificate, private key, and public key, all as .pem files.
- I think the CA cert may be the missing piece (thank you). I'll continue below.

I used the command openssl pkcs12 -export -out plex-cert.p12 -in domain.pem -inkey privatekey.pem -passout pass:UniquePassword to convert the .pem into the .p12 format. I also tried the .pkcs12 extension, as that's specifically called for (neither option worked).

If what you say is correct, I need to include the intermediate signing certificate in the .p12 file. Please confirm my understanding.

I really appreciate the help!

Example:

openssl pkcs12 -export -out mydomain.p12 -inkey mydomain-production.key -in mydomain-production.crt -certfile "Acmecert_+O=Let's+Encrypt,+CN=R3,+C=US.crt"

I have two key sets for my pfSense: production (live PMS) and development.

Thank you. Let me try and I’ll give you the results.

Included the signing CA in the .p12 file, but it did not resolve the issue. I'm still getting the *.plex.direct certificate. Remote streaming is disabled. I am not in a position to restart the server at the moment, but once I do I will restart with the new file to see if the server uses it.

Command: openssl pkcs12 -export -out plex-cert.p12 -in domain.pem -inkey privatekey.pem -certfile intermediate.pem

Show me the debug logs please. I need more than a summary error report.

It sounds like DNS rebinding is kicking in.

Which modem/router model do you have ?
ALSO, are you using a custom server access URL ?
(It looks like you are)

EDIT:
After rebuilding the cert and restarting PMS, did you also Restart the clients?
(Control + F5 for Plex/web, Force-terminate + Reopen for apps)

This is my first time collecting debug logs for Plex. Is there a specific way I should collect these logs for you?

Router: Palo Alto 10.2
Custom Server Access URL: I enabled this earlier for testing, but did not intend on using it (unless doing so is considered best practice).

I haven’t had an opportunity to restart the server just yet, but once I do I will make sure to reset clients. For testing purposes, I open a new incognito window and check the server certificate after connecting.

While viewing debug logs (not sure they’re the ones you’re interested in) I did find a “primary server URL”.

[screenshot attached]

  1. Server logs: Settings → [Server] → Troubleshooting (lower left corner) → Download Logs
    – It will give you a ZIP file.

  2. That excerpt you show above looks like the problem. Where did that come from?

  3. You should never put a plex.direct address in Custom Server Access URL because it changes every time the certificate updates AND it’s not a real FQDN.

Lastly, for the DNS resolver, can you make an entry (pretty sure you can) which allows the private domain overlay on the LAN … aka DNS rebinding.

Looks like this on pfSense

1: I have the .zip debug logs you requested. Do you prefer an upload directly here, or another method for delivering the files?

2: The excerpt came from Settings > Plex Web > Debug > View Debug Logs Here. In these logs you'll see the host URL (which is correct), but the "primaryserverurl" is plex.direct.

3: I did not manually set this configuration item. I wonder if it was put in place after enabling remote streaming. I wasn't aware remote streaming enabled plex.direct. I have discovered a more appropriate means of delivering content and do not require remote streaming.

For DNS rebinding: are you requesting that I set a record on my DNS server for Plex? I do have a record set internally. (Forgive me, as I'm not as proficient in DNS as I should be.)

I should also mention; at this time I’m hoping to establish trusted secure local connections only. I do not have remote streaming enabled and do not plan to in the future. However, it is crucial for me to deliver a proper trusted certificate to clients viewing Plex on the local network.

I am suggesting creating a DNS Resolver entry in your DNS server/resolver module of Palo Alto to allow the FQDN hostnames in the plex.direct domain to resolve to LAN addresses (This is what DNS rebinding protection is designed for). We’ve seen many firewalls / routers which were so super-strict that Plex would not run without allowing ‘plex.direct’ on LAN to resolve.
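The resolver entry Chuck describes, as an added illustration that is not part of the thread: Plex's *.plex.direct hostnames resolve to the server's own LAN address, which is exactly the kind of answer DNS rebinding protection filters out. On pfSense the DNS Resolver is Unbound, and the exception is declared by marking plex.direct a private domain in the resolver's Custom options. The OP's Palo Alto has its own equivalent setting; this fragment assumes the pfSense/Unbound case shown in Chuck's screenshot.

```conf
# Added example (not from the thread): pfSense > Services > DNS Resolver > Custom options.
# Allows names under plex.direct to resolve to RFC 1918 (LAN) addresses
# instead of being stripped by Unbound's rebinding protection.
server:
  private-domain: "plex.direct"
```

Only apply this on a resolver that is doing the rebinding check; if the client resolves the custom domain directly (as the OP does with plex.localdomain), this entry changes nothing about which certificate the server presents.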

I understand. “If you’re looking for plex.direct, go to plex.localdomain”. Let me get this configured and test.

EDIT: Actually, I don’t think DNS is the issue here. I’m not browsing to plex.direct. I get to the server using the correct DNS. Resolving works just fine, but the server certificate presented for secure connections remains plex.direct as opposed to the configured certificate.

[three screenshots attached]

NOTE: Ping timeout due to firewall block policy. The server is reachable.

Do you think the server configurations are somehow stuck using the plex.direct certificate after having remote streaming enabled? I’m not against completely starting over. It doesn’t take too long to rebuild the library.

Based on the OP and initial replies, I presumed it was cert related.

Now, as this discussion progresses, I don't know where it's headed, but it is clear I need to see the server DEBUG logs.

Specifically, please capture the server logs -

  1. Confirm server DEBUG logging is enabled. SAVE if changes made.
  2. Restart PMS on the Syno
  3. WAIT 3 minutes
  4. Access the Syno PMS using the Plex/web app
  5. Download the server logs ZIP file
  6. Attach the ZIP file.

This will allow me to follow the entire sequence from start to plex/web connect

Thank you, Chuck. I did get the debug logs you requested. I reviewed these logs myself, and due to the sensitive information collected I will not share the file on this thread.

I did find this section here:

I’m assuming at this point the failed install is on me. I did not find anything specific in the logs to suggest why it couldn’t properly install, so I will need to do additional research. Could be the way the cert was crafted, or maybe there are limitations to acceptable passwords and that’s preventing the proper use. If you have any further insight, please let me know.

I appreciate your time and help regarding this matter. You’ve been great to work with.

EDIT: I did find documentation suggesting the version of openssl may be the issue. openssl is currently 1.1.1, and the recommendation is upgrading to version 3 (3.1 as recommended stable). I will upgrade openssl, repackage the .p12 file, and try again.

Here’s the answer for your custom cert.
I apologize. I forgot this in my initial cert reply because all my systems are SSLv3.0.0 compliant (I don’t use v1.1.1 anymore)

This will remedy the MAC Verify.

This is because of SSLv3 changes (I detail the info in this tip)

I did this work back in April 2023. (AGES ago LOL)

Excellent work. Looks like we stumbled across the same solution (I edited my previous comment with this info). I will let you know once I figure out upgrading openssl.


Chuck,

I appreciate every minute you spent troubleshooting and researching this issue. Your expertise and patience helped discover the issue, and because of this we were able to find a resolution.

In this case:
CA provided .pem certificate files.
openssl 1.1.1 generated a .p12 certificate file for Plex
openssl 1.1.1 is EOL and doesn’t support modern standards
Upgraded openssl 1.1.1 to openssl 3.1.3
openssl 3.1.3 generated a .p12 certificate file for Plex
Plex server certificate is now using custom domain certificate

