Custom domain ssl does not work after update to server version 1.42.1.10060-4e8b05daf

Server Version#: 1.42.1.10054-f333bdaa8

Upgrading to this docker image BROKE my custom SSL certificate. I had to roll back to 1.41.9.9961-46083195d to restore functionality. Currently stuck and unable to upgrade. Was unable to determine the error in the logs. SSL certs unchanged, implying this version is broken.

Updates:

Still broken in 1.42.1.10060-4e8b05daf

FIX: Had to increase file permissions to at least 444 until resolved.


EXPECTED

Aug 09, 2025 01:12:42.603 [130005153712784] DEBUG - [CERT] Subject name is /CN=*.59e6e34884854da2b5e2c7d40175cf72.plex.direct
Aug 09, 2025 01:12:42.603 [130005153712784] DEBUG - [CERT] Installed certificate with fingerprint cb:32:9d:98:8a:50:9c:89:71:06:aa:24:4c:26:ed:75:4a:93:12:69.
Aug 09, 2025 01:12:42.603 [130005153712784] DEBUG - [CERT/OCSP] no URL available
Aug 09, 2025 01:12:42.603 [130005153712784] WARN - [CERT/OCSP] getCertInfo failed; skipping stapling
Aug 09, 2025 01:12:42.606 [130005153712784] DEBUG - [CERT] Loaded a user-provided certificate for /CN=plex.urda.tv.
Aug 09, 2025 01:12:42.606 [130005153712784] DEBUG - [CERT/OCSP] no URL available
Aug 09, 2025 01:12:42.606 [130005153712784] WARN - [CERT/OCSP] getCertInfo failed; skipping stapling

ACTUAL

Aug 09, 2025 01:08:58.889 [124738984417936] DEBUG - [CERT] Subject name is /CN=*.59e6e34884854da2b5e2c7d40175cf72.plex.direct
Aug 09, 2025 01:08:58.889 [124738984417936] DEBUG - [CERT] Installed certificate with fingerprint cb:32:9d:98:8a:50:9c:89:71:06:aa:24:4c:26:ed:75:4a:93:12:69.
Aug 09, 2025 01:08:58.889 [124738984417936] DEBUG - [CERT/OCSP] no URL available
Aug 09, 2025 01:08:58.889 [124738984417936] WARN - [CERT/OCSP] getCertInfo failed; skipping stapling
Aug 09, 2025 01:08:58.889 [124738984417936] ERROR - [CERT] Found a user-provided certificate, but couldn't install it.
$ openssl pkcs12 -in ./plex.pfx -clcerts -nokeys
Enter Import Password:
Bag Attributes
    localKeyID: HE EX VA LU ES
    friendlyName: plex.urda.tv
subject=CN = plex.urda.tv
issuer=C = US, O = Let's Encrypt, CN = E5
-----BEGIN CERTIFICATE-----
cert
-----END CERTIFICATE-----

I generate the cert via

openssl pkcs12 \
  -export \
  -certfile /etc/letsencrypt/live/plex.urda.tv/chain.pem \
  -in /etc/letsencrypt/live/plex.urda.tv/cert.pem \
  -inkey /etc/letsencrypt/live/plex.urda.tv/privkey.pem \
  -out /urda/plex/ssl/plex.pfx \
  -name plex.urda.tv \
  -passout pass:REMOVEDREMOVEDREMOVED \
  -certpbe AES-256-CBC \
  -keypbe AES-256-CBC \
  -macalg SHA256

Given the update related to a potential security vulnerability, the updated PMS version may have changed the types of custom certificates that it accepts. Your existing certificate may have been generated with settings that are no longer compatible with PMS.

Has the certificate been generated using the settings here?

Sure looks like I already am; I shared all the generation arguments in this thread already.

I’m wondering if the underlying OpenSSL in the PMS plex image changed?

PMS is weird (it behaves like a banking app).
You will have far greater success with:

  1. Generate a P12 file versus PEM
     # Generate new p12 (Acme LE is valid until 2025)
     openssl pkcs12 -export -out my-fqdn-tld.p12 \
       -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 \
       -inkey my-fqdn-tld.key -in my-fqdn-tld.crt \
       -certfile CertAuth.crt \
       -password pass:PASSWORD_HERE
  2. Put the resultant P12 in the Plex Media Server/Cache directory
  3. Make certain it’s readable (0644)
  4. Give PMS the full path and password in Settings
  5. Add the FQDN access URL which the cert & FQDN are valid for.
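Putting the OP's "at least 444" permissions fix and the P12 recipe above together, here is an added script (not from the thread, from Plex or from any poster) that builds the bundle with the same openssl options, sets the mode to 0644, and then checks the two things the "Found a user-provided certificate, but couldn't install it" line does not distinguish: whether the file opens with the configured password at all, and whether the mode actually lets a non-owner read it. The paths, password and FQDN are placeholders chosen for the example; it assumes openssl is on PATH and that the server process in the container does not run as the file's owner (in plexinc/pms-docker it runs as the PLEX_UID user, not root).

```bash
#!/usr/bin/env bash
# Added example, not code from the thread or from Plex.
# Build a PKCS#12 bundle for PMS, then verify it the way you would before
# blaming the server version: does it parse with the password, is the
# friendlyName the FQDN you expect, and can a non-owner read the file?
set -eu

# build_p12 KEY CERT CHAIN OUT PASSWORD NAME
# Same options as the thread's recipe: AES-256-CBC for key and cert bags,
# SHA-256 MAC, friendlyName set via -name. CHAIN may be "" for no -certfile.
build_p12() {
  local key="$1" cert="$2" chain="$3" out="$4" pass="$5" name="$6"
  local extra=()
  [ -n "$chain" ] && extra=(-certfile "$chain")
  openssl pkcs12 -export \
    -inkey "$key" -in "$cert" "${extra[@]}" \
    -name "$name" \
    -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 \
    -passout "pass:$pass" \
    -out "$out"
  # The container's server process is not the host user that wrote the file,
  # so a 0600 bundle is unreadable to it. 0644 (the thread reports 444 also
  # works) is what the server needs; the private key is still protected by
  # the PKCS#12 password.
  chmod 0644 "$out"
}

# p12_parses OUT PASSWORD -> exit 0 only if the MAC verifies with PASSWORD
p12_parses() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# p12_friendly_name OUT PASSWORD -> prints the friendlyName of the leaf cert bag
p12_friendly_name() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
    | sed -n '/^ *friendlyName: /{s///p;q;}'
}

# p12_world_readable OUT -> exit 0 if the "other" read bit is set on the file
p12_world_readable() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  # last octal digit is the "other" class; read bit is 4
  [ $(( 8#${mode: -1} & 4 )) -ne 0 ]
}

# check_p12 OUT PASSWORD NAME -> prints one PASS/FAIL line per check, exit 1 on any FAIL
check_p12() {
  local out="$1" pass="$2" name="$3" rc=0
  if p12_parses "$out" "$pass"; then echo "PASS parses with password"; else echo "FAIL parses with password"; rc=1; fi
  if [ "$(p12_friendly_name "$out" "$pass")" = "$name" ]; then echo "PASS friendlyName=$name"; else echo "FAIL friendlyName"; rc=1; fi
  if p12_world_readable "$out"; then echo "PASS world-readable"; else echo "FAIL not world-readable (chmod 0644)"; rc=1; fi
  return $rc
}

# Example usage with placeholder paths (a certbot lineage and the OP's mount dir):
# build_p12 /etc/letsencrypt/live/plex.example.test/privkey.pem \
#           /etc/letsencrypt/live/plex.example.test/cert.pem \
#           /etc/letsencrypt/live/plex.example.test/chain.pem \
#           /srv/plex/ssl/plex.pfx 'CHANGE_ME' plex.example.test
# check_p12 /srv/plex/ssl/plex.pfx 'CHANGE_ME' plex.example.test
```

Run check_p12 against the bundle from the host before starting the container; a FAIL on the third line is exactly the symptom the thread ended up fixing with chmod, while a FAIL on the first line means the password in Settings and the one used with -passout disagree.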

I will give this a try Sunday is the plan and report back

This looks really close to my existing values, is there any other notes about how the certs are used? This won’t gen a file much different than the command I listed (file extensions don’t match but yours and my command both use pkcs12)

I still think this is a regression in Plex

No, this results in a similar file and agrees with my current script. As a reminder I run:

openssl pkcs12 \
  -export \
  -certfile /etc/letsencrypt/live/plex.urda.tv/chain.pem \
  -in /etc/letsencrypt/live/plex.urda.tv/cert.pem \
  -inkey /etc/letsencrypt/live/plex.urda.tv/privkey.pem \
  -out /urda/plex/ssl/plex.pfx \
  -name plex.urda.tv \
  -passout pass:REMOVEDREMOVEDREMOVED \
  -certpbe AES-256-CBC \
  -keypbe AES-256-CBC \
  -macalg SHA256

Adding -noiter -nomaciter did not help. Cert still worked fine with 1.41.9.9961-46083195d and that arg but not 1.42.1.10054-f333bdaa8

And for reference this is the compose file that deploys the container:

# plex-private-stack

services:
  plex-private:
    container_name: plex-private
    image: plexinc/pms-docker:1.41.9.9961-46083195d     # Works great, as expected with the SSL cert
    # image: plexinc/pms-docker:1.42.1.10054-f333bdaa8  # Broken
    restart: unless-stopped
    network_mode: 'bridge'
    environment:
      - HOSTNAME=REMOVED
      - PLEX_CLAIM=claim-REMOVED
      - ADVERTISE_IP=http://REMOVED
      - TZ=UTC
    volumes:
      - /path/to/config:/config
      - /path/to/transcode:/transcode
      - /path/to/data:/data
      - /urda/plex/ssl:/certs/ssl:ro
    devices:
      - /dev/dri:/dev/dri

I flipped verbose logging on, and captured a good startup and bad startup

Good startup

Aug 10, 2025 20:12:55.988 [136143887518520] INFO - Plex Media Server v1.41.9.9961-46083195d - Docker Docker Container x86_64 - build: linux-x86_64 debian - GMT 00:00
Aug 10, 2025 20:12:55.988 [136143887518520] INFO - Linux version: 6.8.0-64-generic, language: en-US
Aug 10, 2025 20:12:55.988 [136143887518520] INFO - Processor: 8-core Intel(R) Core(TM) i7-8559U CPU @ 2.70GHz
Aug 10, 2025 20:12:55.988 [136143887518520] INFO - Compiler is - Clang 11.0.1 (https://plex.tv 9b997da8e5b47bdb4a9425b3a3b290be393b4b1f)
Aug 10, 2025 20:12:55.988 [136143887518520] INFO - /usr/lib/plexmediaserver/Plex Media Server
Aug 10, 2025 20:12:55.988 [136143890057872] DEBUG - BPQ: [Idle] -> [Starting]
Aug 10, 2025 20:12:55.988 [136143890057872] VERBOSE - BPQ: delaying processing 120 second(s)
Aug 10, 2025 20:12:55.993 [136143890057872] DEBUG - FeatureManager: Using cached data for features list
Aug 10, 2025 20:12:55.996 [136143890057872] DEBUG - MyPlex: mapping state set to 'Unknown'.
Aug 10, 2025 20:12:55.997 [136143890057872] DEBUG - Relay: read 24 cached entries from hosts file
Aug 10, 2025 20:12:55.997 [136143890057872] DEBUG - Opening 20 database sessions to library (com.plexapp.plugins.library), SQLite 3.39.4, threadsafe=1
Aug 10, 2025 20:12:56.023 [136143890057872] DEBUG - MyPlex: using cached data for request for https://plex.tv/api/v2/server/users/features
Aug 10, 2025 20:12:56.041 [136143890057872] DEBUG - [CERT] Subject name is /CN=*.ffc037d5bcbe4a5c99b81b286b0d7ba2.plex.direct
Aug 10, 2025 20:12:56.041 [136143890057872] DEBUG - [CERT] Installed certificate with fingerprint 04:a9:49:e0:4b:a2:ef:86:5f:b6:ed:55:b4:a7:33:6f:e6:b5:6e:81.
Aug 10, 2025 20:12:56.041 [136143890057872] DEBUG - [CERT/OCSP] no URL available
Aug 10, 2025 20:12:56.041 [136143890057872] WARN - [CERT/OCSP] getCertInfo failed; skipping stapling
Aug 10, 2025 20:12:56.041 [136143890057872] DEBUG - [CERT] Loaded a user-provided certificate for /CN=private.plex.urda.tv.
Aug 10, 2025 20:12:56.041 [136143890057872] DEBUG - [CERT/OCSP] no URL available
Aug 10, 2025 20:12:56.041 [136143890057872] WARN - [CERT/OCSP] getCertInfo failed; skipping stapling
Aug 10, 2025 20:12:56.043 [136143890057872] DEBUG - HttpServer: Listening on port 32400.
Aug 10, 2025 20:12:56.043 [136143890057872] DEBUG - HttpServer: Listening on port 32401.
Aug 10, 2025 20:12:56.043 [136143890057872] DEBUG - Running server...

BAD

Aug 10, 2025 20:12:32.453 [137527579970360] INFO - Plex Media Server v1.42.1.10054-f333bdaa8 - Docker Docker Container x86_64 - build: linux-x86_64 debian - GMT 00:00
Aug 10, 2025 20:12:32.453 [137527579970360] INFO - Linux version: 6.8.0-64-generic, language: en-US
Aug 10, 2025 20:12:32.454 [137527579970360] INFO - Processor: 8-core Intel(R) Core(TM) i7-8559U CPU @ 2.70GHz
Aug 10, 2025 20:12:32.454 [137527579970360] INFO - Compiler is - Clang 11.0.1 (https://plex.tv 9b997da8e5b47bdb4a9425b3a3b290be393b4b1f)
Aug 10, 2025 20:12:32.454 [137527579970360] INFO - /usr/lib/plexmediaserver/Plex Media Server
Aug 10, 2025 20:12:32.454 [137527582542480] DEBUG - BPQ: [Idle] -> [Starting]
Aug 10, 2025 20:12:32.454 [137527582542480] VERBOSE - BPQ: delaying processing 120 second(s)
Aug 10, 2025 20:12:32.457 [137527582542480] DEBUG - FeatureManager: Using cached data for features list
Aug 10, 2025 20:12:32.461 [137527582542480] DEBUG - MyPlex: mapping state set to 'Unknown'.
Aug 10, 2025 20:12:32.461 [137527582542480] DEBUG - Relay: read 24 cached entries from hosts file
Aug 10, 2025 20:12:32.461 [137527582542480] DEBUG - Opening 20 database sessions to library (com.plexapp.plugins.library), SQLite 3.39.4, threadsafe=1
Aug 10, 2025 20:12:32.490 [137527582542480] DEBUG - MyPlex: using cached data for request for https://plex.tv/api/v2/server/users/features
Aug 10, 2025 20:12:32.511 [137527582542480] DEBUG - [CERT] Subject name is /CN=*.ffc037d5bcbe4a5c99b81b286b0d7ba2.plex.direct
Aug 10, 2025 20:12:32.511 [137527582542480] DEBUG - [CERT] Installed certificate with fingerprint 04:a9:49:e0:4b:a2:ef:86:5f:b6:ed:55:b4:a7:33:6f:e6:b5:6e:81.
Aug 10, 2025 20:12:32.511 [137527582542480] DEBUG - [CERT/OCSP] no URL available
Aug 10, 2025 20:12:32.511 [137527582542480] WARN - [CERT/OCSP] getCertInfo failed; skipping stapling
Aug 10, 2025 20:12:32.511 [137527582542480] ERROR - [CERT] Found a user-provided certificate, but couldn't install it.
Aug 10, 2025 20:12:32.513 [137527582542480] DEBUG - HttpServer: Listening on port 32400.
Aug 10, 2025 20:12:32.513 [137527582542480] DEBUG - HttpServer: Listening on port 32401.
Aug 10, 2025 20:12:32.513 [137527582542480] DEBUG - Running server...

Have your tried using an alternative Plex Docker image such as linuxserver/plex to check whether it’s a specific issue with the latest Plex version or just the plexinc/pms-docker image?

How are you testing that the certificate is working? If you access PMS by anything other than your custom URL or domain then Plex will return the plex.direct certificate.

The certificate 100% works with the last prod version of plex, and presents as a correct Let’s Encrypt certificate with chain

I have on my list to try Linux server image, but again, this is the official image from Plex as well, so adding that layer of indirection was not desired here yet. But it’s in my list for next maintenance window.

It is ONLY ever accessed with my custom domain. I never ever use plex direct or IPs as I have proper external and internal DNS configured.

The only smoking gun I’ve got so far is the plex version.

Here’s an example of the valid cert

Try 2048 bit RSA rather than Elliptic Curve for your certificate algorithm. It works for me with the current version of Plex (although I am using the LinuxServer.io image).

I have found there are some things that don’t work under the official Plex Docker image but work with the LinuxServer.io image.

can you share your command for pkcs12 you run to generate the cert for plex please?

What do you use to generate the key and certificate with Let’s Encrypt? It will need to be done at the key generation and certificate signing stages, rather than with the openssl command that compiles the PKCS12 file.

I use acme.sh to generate the key and manage signing via Let’s Encrypt and just added --keylength 2048 to the --issue command when I originally generated the key.

If you use certbot then I think you need to add --key-type rsa when you generate the key.

If you use openssl to manually generate the key and signing request for Let’s Encrypt, then you would need to use openssl genrsa -out private-key.key 2048 when generating the key and certificate pair.
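To act on the RSA-versus-EC suggestion above without guessing what you currently have, here is an added shell example (not from the thread, and not part of acme.sh, certbot or Plex) that reports the public-key algorithm and size of a certificate, or of the leaf certificate inside a .pfx like the OP's, and produces an RSA-2048 key plus CSR for the FQDN, which is the manual openssl equivalent of acme.sh --keylength 2048 or certbot --key-type rsa. File names, the password and the FQDN are example values; it assumes openssl 1.1.1 or newer on PATH (for -addext).

```bash
#!/usr/bin/env bash
# Added example, not code from the thread or from any of the tools it names.
# Inspect the key algorithm behind a certificate, and generate an RSA-2048
# key/CSR if the current one turns out to be EC.
set -eu

# cert_key_algo CERT.pem -> prints "RSA", "EC" or "OTHER"
cert_key_algo() {
  local algo
  algo=$(openssl x509 -in "$1" -noout -text \
         | sed -n '/^ *Public Key Algorithm: /{s///p;q;}')
  case "$algo" in
    rsaEncryption)  echo RSA ;;
    id-ecPublicKey) echo EC ;;
    *)              echo OTHER ;;
  esac
}

# cert_key_bits CERT.pem -> prints the key size in bits (2048 for RSA-2048,
# 256 for P-256). Handles both "RSA Public-Key:" (OpenSSL 1.1.1) and
# "Public-Key:" (OpenSSL 3) line formats.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/^ *\(RSA \)\{0,1\}Public-Key: (/{s/^ *\(RSA \)\{0,1\}Public-Key: (\([0-9]*\) bit).*/\2/p;q;}'
}

# pfx_cert_key_algo FILE.pfx PASSWORD -> same as cert_key_algo, but for the
# leaf certificate inside a PKCS#12 bundle (the thread's plex.pfx).
pfx_cert_key_algo() {
  local tmp
  tmp=$(mktemp)
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$tmp" 2>/dev/null
  cert_key_algo "$tmp"
  rm -f "$tmp"
}

# rsa_csr KEY_OUT CSR_OUT FQDN -> new RSA-2048 private key and a CSR with
# CN and SAN set to FQDN, ready to hand to an ACME client in CSR mode.
rsa_csr() {
  local key="$1" csr="$2" fqdn="$3"
  openssl genrsa -out "$key" 2048 2>/dev/null
  chmod 0600 "$key"   # the raw key, unlike the .pfx, has no password
  openssl req -new -key "$key" -out "$csr" \
    -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn"
}

# Example usage with placeholder paths:
# cert_key_algo /etc/letsencrypt/live/plex.example.test/cert.pem   # e.g. EC
# cert_key_bits /etc/letsencrypt/live/plex.example.test/cert.pem   # e.g. 256
# pfx_cert_key_algo /srv/plex/ssl/plex.pfx 'CHANGE_ME'
# rsa_csr /srv/plex/ssl/plex-rsa.key /srv/plex/ssl/plex-rsa.csr plex.example.test
```

If cert_key_algo reports EC for the certificate that fails to install, regenerate with an RSA key as the poster describes and rebuild the .pfx from the new key and certificate; the CSR from rsa_csr is only needed if your ACME client is driven from an existing request rather than generating the key itself.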