Custom domain ssl does not work after update to server version 1.42.1.10060-4e8b05daf

Right now the LE certbot conf is

╔═[root@codex : /etc/letsencrypt/renewal]
╚═ # cat private.plex.urda.tv.conf
version = 4.1.1
archive_dir = /etc/letsencrypt/archive/private.plex.urda.tv
cert = /etc/letsencrypt/live/private.plex.urda.tv/cert.pem
privkey = /etc/letsencrypt/live/private.plex.urda.tv/privkey.pem
chain = /etc/letsencrypt/live/private.plex.urda.tv/chain.pem
fullchain = /etc/letsencrypt/live/private.plex.urda.tv/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = REMOVED-REMOVED
authenticator = dns-route53
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
post_hook = /urda/plex/scripts/post-le-renew-private-plex.sh

and, as posted before, to prepare the cert, the script that has been running for a LONG time is:

openssl pkcs12 \
  -export \
  -certfile /etc/letsencrypt/live/private.plex.urda.tv/chain.pem \
  -in /etc/letsencrypt/live/private.plex.urda.tv/cert.pem \
  -inkey /etc/letsencrypt/live/private.plex.urda.tv/privkey.pem \
  -out /urda/plex/ssl/private.plex.pfx \
  -name private.plex.urda.tv \
  -passout pass:"${PW}" \
  -certpbe AES-256-CBC \
  -keypbe AES-256-CBC \
  -macalg SHA256

No setting on the config

# key_type = ecdsa
key_type = rsa

DID generate an RSA key, works with the working version. Breaks with the broken version.

The certificate details look the same as my custom certificate that I’m using.

Maybe try generating a self-signed certificate and testing it to see if it is something related to Let’s Encrypt.

Generate your private key:

openssl genrsa -out private.key 2048

Generate a self signed certificate:

openssl req -new -x509 -key private.key -out certificate.crt -days 365

Bundle into the PKCS#12 file:

openssl pkcs12 -export -out plexcertificate.p12 \
	-certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 \
	-inkey private.key -in certificate.crt \
	-password pass:PASSWORD_HERE

I swapped to one of my private CA certs and have observed the same behavior. I can try generating a third one in a bit, but that did not seem to help. Same args as before for conversion.

Key still looks ok when using the last known version

$ docker exec -it plex-private sh -lc '
  set -e
  F="/certs/ssl/private.plex.pfx"
  test -r "$F" || { echo "not readable: $F"; ls -l "$F" 2>/dev/null || true; exit 1; }
  echo "uid/gid inside container:"; id
  ls -l "$F"
  openssl pkcs12 -info -in "$F" -passin pass:PASSWORD -noout && echo "OK"
'
uid/gid inside container:
uid=0(root) gid=0(root) groups=0(root)
-rw------- 1 plex plex 4486 Aug 11 00:07 /certs/ssl/private.plex.pfx
MAC: sha256, Iteration 1
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 1, PRF hmacWithSHA256
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 1, PRF hmacWithSHA256
OK

It would be great if Plex told me more than just ERROR - [CERT] Found a user-provided certificate, but couldn’t install it. Gives no reason for the error.

I get a slightly different output for my PKCS#12 file with Iteration 2048 rather than Iteration 1.

MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256

As mentioned before I’m also running the linuxserver/plex image so I don’t know if that handles it differently from the plex-inc/pms-docker image. I’m also using macvlan networking rather than bridge networking for the container.

I don’t think we should add another variable that is linuxserver, as that is a third party image not maintained by Plex. The networking also shouldn’t matter here, as it’s to do with how plex ingests the certificate.

Still seeing this issue in 1.42.1.10060-4e8b05daf

Aug 12, 2025 01:39:54.121 [124649701043000] INFO - Plex Media Server v1.42.1.10060-4e8b05daf - Docker Docker Container x86_64 - build: linux-x86_64 debian - GMT 00:00
Aug 12, 2025 01:39:54.121 [124649701043000] INFO - Linux version: 6.8.0-64-generic, language: en-US
Aug 12, 2025 01:39:54.121 [124649701043000] INFO - Processor: 8-core Intel(R) Core(TM) i7-8559U CPU @ 2.70GHz
Aug 12, 2025 01:39:54.121 [124649701043000] INFO - Compiler is - Clang 11.0.1 (https://plex.tv 9b997da8e5b47bdb4a9425b3a3b290be393b4b1f)
Aug 12, 2025 01:39:54.121 [124649701043000] INFO - /usr/lib/plexmediaserver/Plex Media Server
Aug 12, 2025 01:39:54.121 [124649703615120] DEBUG - BPQ: [Idle] -> [Starting]
Aug 12, 2025 01:39:54.125 [124649703615120] DEBUG - FeatureManager: Using cached data for features list
Aug 12, 2025 01:39:54.129 [124649703615120] DEBUG - MyPlex: mapping state set to 'Unknown'.
Aug 12, 2025 01:39:54.129 [124649703615120] DEBUG - Relay: read 24 cached entries from hosts file
Aug 12, 2025 01:39:54.130 [124649703615120] DEBUG - Opening 20 database sessions to library (com.plexapp.plugins.library), SQLite 3.39.4, threadsafe=1
Aug 12, 2025 01:39:54.156 [124649703615120] DEBUG - MyPlex: using cached data for request for https://plex.tv/api/v2/server/users/features
Aug 12, 2025 01:39:54.174 [124649703615120] DEBUG - [CERT] Subject name is /CN=*.ffc037d5bcbe4a5c99b81b286b0d7ba2.plex.direct
Aug 12, 2025 01:39:54.174 [124649703615120] DEBUG - [CERT] Installed certificate with fingerprint 04:a9:49:e0:4b:a2:ef:86:5f:b6:ed:55:b4:a7:33:6f:e6:b5:6e:81.
Aug 12, 2025 01:39:54.174 [124649703615120] DEBUG - [CERT/OCSP] no URL available
Aug 12, 2025 01:39:54.174 [124649703615120] WARN - [CERT/OCSP] getCertInfo failed; skipping stapling
Aug 12, 2025 01:39:54.174 [124649703615120] ERROR - [CERT] Found a user-provided certificate, but couldn't install it.
Aug 12, 2025 01:39:54.175 [124649703615120] DEBUG - HttpServer: Listening on port 32400.
Aug 12, 2025 01:39:54.176 [124649703615120] DEBUG - HttpServer: Listening on port 32401.
Aug 12, 2025 01:39:54.176 [124649703615120] DEBUG - Running server...
Aug 12, 2025 01:39:54.176 [124649683090232] DEBUG - HttpServer: Set up a thread pool with 2 threads.
Aug 12, 2025 01:39:54.176 [124649703615120] INFO - Running migrations. (EPG 0)
Aug 12, 2025 01:39:54.176 [124649703615120] DEBUG - Captured session 0.

@urda we are seeing both this and permissions issues on the latest docker files. any chance you’d be willing to temporarily open permissions on your cert in order to check if the issues are related?

I can try permission opening this up this evening and report back!

Your P12 file may be missing the root certificate within the chain. Make sure the P12 file contains the root certificate, and that you are providing a password as well. You can download the root certificate from the intermediate certificate within the chain file (the easiest way, but not the best security-wise).

And as stated previously make sure the permission for the full path of the p12 is 644.

Try downloading the root certificate and then use a command like
openssl pkcs12 -export -out "/full/path/to/export/fullPath.p12" \
  -certpbe "AES-256-CBC" -keypbe "AES-256-CBC" -macalg "sha256" \
  -inkey "/full/path/to/privKey.key" -in "/full/path/to/fullchain.pem" \
  -certfile "/full/path/to/root.pem" -name "My Certificate Name" \
  -password "pass:PKCS12_PASSWORD"

Where, in your case, the above would be replaced with the following:

/full/path/to/export/fullPath.p12 = /urda/plex/ssl/plex.pfx

/full/path/to/privKey.key = /etc/letsencrypt/live/plex.urda.tv/privkey.pem

/full/path/to/fullchain.pem = /etc/letsencrypt/live/plex.urda.tv/chain.pem

/full/path/to/root.pem = /etc/letsencrypt/live/plex.urda.tv/root.pem (Still Needs to be created by you)

My Certificate Name = plex.urda.tv

pass:PKCS12_PASSWORD = pass:REMOVEDREMOVEDREMOVED

I have tried both full chain and cert plus chain. The cert is valid because the last production release of Plex served it correctly. I want to try the permission changes when I have free time this weekend, but the cert is valid.

In your previous post I do not see you adding the root certificate in the commands. Try adding it and try again.

Again, the full chain has been posted in this thread, and is served from the previous version of Plex correctly:

I’m wondering if the new docker image has a messed up root CA at this point.

That is exactly what I am pointing out: that is not your root certificate. A root certificate would be self-signed (i.e. Common Name: ISRG Root X1 and Issuer: ISRG Root X1). Just try the command I provided for you after you download the self-signed root certificate. What you displayed in your image is the intermediate certificate. You can open the chain of the intermediate to download the root certificate.

  1. michael_766 providing the root cert means nothing if the root CA is not embedded; it's not trusted. The cert is valid.

  2. I’m posting a workaround now.

I had to crank permissions on the file to 644 regardless of the user running. The cert loaded.

YUP, I had to grant FULL READ even though the pms-plex user had permissions to the file.

Aug 13, 2025 02:15:53.049 [129756275465016] INFO - Plex Media Server v1.42.1.10060-4e8b05daf - Docker Docker Container x86_64 - build: linux-x86_64 debian - GMT 00:00
Aug 13, 2025 02:15:53.049 [129756275465016] INFO - Linux version: 6.8.0-64-generic, language: en-US
Aug 13, 2025 02:15:53.049 [129756275465016] INFO - Processor: 8-core Intel(R) Core(TM) i7-8559U CPU @ 2.70GHz
Aug 13, 2025 02:15:53.049 [129756275465016] INFO - Compiler is - Clang 11.0.1 (https://plex.tv 9b997da8e5b47bdb4a9425b3a3b290be393b4b1f)
Aug 13, 2025 02:15:53.049 [129756275465016] INFO - /usr/lib/plexmediaserver/Plex Media Server
Aug 13, 2025 02:15:53.049 [129756278037136] DEBUG - BPQ: [Idle] -> [Starting]
Aug 13, 2025 02:15:53.053 [129756278037136] DEBUG - FeatureManager: Using cached data for features list
Aug 13, 2025 02:15:53.057 [129756278037136] DEBUG - MyPlex: mapping state set to 'Unknown'.
Aug 13, 2025 02:15:53.057 [129756278037136] DEBUG - Relay: read 24 cached entries from hosts file
Aug 13, 2025 02:15:53.058 [129756278037136] DEBUG - Opening 20 database sessions to library (com.plexapp.plugins.library), SQLite 3.39.4, threadsafe=1
Aug 13, 2025 02:15:53.084 [129756278037136] DEBUG - MyPlex: using cached data for request for https://plex.tv/api/v2/server/users/features
Aug 13, 2025 02:15:53.102 [129756278037136] DEBUG - [CERT] Subject name is /CN=*.ffc037d5bcbe4a5c99b81b286b0d7ba2.plex.direct
Aug 13, 2025 02:15:53.102 [129756278037136] DEBUG - [CERT] Installed certificate with fingerprint 04:a9:49:e0:4b:a2:ef:86:5f:b6:ed:55:b4:a7:33:6f:e6:b5:6e:81.
Aug 13, 2025 02:15:53.102 [129756278037136] DEBUG - [CERT/OCSP] no URL available
Aug 13, 2025 02:15:53.102 [129756278037136] WARN - [CERT/OCSP] getCertInfo failed; skipping stapling
Aug 13, 2025 02:15:53.105 [129756278037136] DEBUG - [CERT] Loaded a user-provided certificate for /CN=private.plex.urda.tv.
Aug 13, 2025 02:15:53.105 [129756278037136] DEBUG - [CERT/OCSP] no URL available
Aug 13, 2025 02:15:53.105 [129756278037136] WARN - [CERT/OCSP] getCertInfo failed; skipping stapling
Aug 13, 2025 02:15:53.107 [129756278037136] DEBUG - HttpServer: Listening on port 32400.
Aug 13, 2025 02:15:53.107 [129756278037136] DEBUG - HttpServer: Listening on port 32401.
Aug 13, 2025 02:15:53.107 [129756278037136] DEBUG - Running server...
Aug 13, 2025 02:15:53.107 [129756257512248] DEBUG - HttpServer: Set up a thread pool with 2 threads.
Aug 13, 2025 02:15:53.107 [129756278037136] INFO - Running migrations. (EPG 0)
Aug 13, 2025 02:15:53.108 [129756278037136] DEBUG - Captured session 0.

I confirmed this on my production server as well

Aug 13, 2025 02:17:51.488 [138329093385016] INFO - Plex Media Server v1.42.1.10060-4e8b05daf - Docker Docker Container x86_64 - build: linux-x86_64 debian - GMT 00:00
Aug 13, 2025 02:17:51.489 [138329093385016] INFO - Linux version: 6.8.0-64-generic, language: en-US
Aug 13, 2025 02:17:51.489 [138329093385016] INFO - Processor: 8-core Intel(R) Core(TM) i7-8559U CPU @ 2.70GHz
Aug 13, 2025 02:17:51.489 [138329093385016] INFO - Compiler is - Clang 11.0.1 (https://plex.tv 9b997da8e5b47bdb4a9425b3a3b290be393b4b1f)
Aug 13, 2025 02:17:51.489 [138329093385016] INFO - /usr/lib/plexmediaserver/Plex Media Server
Aug 13, 2025 02:17:51.468 [138329095957136] DEBUG - BPQ: [Idle] -> [Starting]
Aug 13, 2025 02:17:51.472 [138329095957136] DEBUG - FeatureManager: Using cached data for features list
Aug 13, 2025 02:17:51.476 [138329095957136] DEBUG - MyPlex: mapping state set to 'Unknown'.
Aug 13, 2025 02:17:51.476 [138329095957136] DEBUG - Relay: read 40 cached entries from hosts file
Aug 13, 2025 02:17:51.476 [138329095957136] DEBUG - Opening 20 database sessions to library (com.plexapp.plugins.library), SQLite 3.39.4, threadsafe=1
Aug 13, 2025 02:17:51.504 [138329095957136] DEBUG - MyPlex: using cached data for request for https://plex.tv/api/v2/server/users/features
Aug 13, 2025 02:17:51.522 [138329095957136] DEBUG - [CERT] Subject name is /CN=*.59e6e34884854da2b5e2c7d40175cf72.plex.direct
Aug 13, 2025 02:17:51.522 [138329095957136] DEBUG - [CERT] Installed certificate with fingerprint 82:9f:90:94:6d:21:08:17:9f:1c:69:86:59:f4:20:fc:63:7a:fb:40.
Aug 13, 2025 02:17:51.522 [138329095957136] DEBUG - [CERT/OCSP] no URL available
Aug 13, 2025 02:17:51.522 [138329095957136] WARN - [CERT/OCSP] getCertInfo failed; skipping stapling
Aug 13, 2025 02:17:51.525 [138329095957136] DEBUG - [CERT] Loaded a user-provided certificate for /CN=plex.urda.tv.
Aug 13, 2025 02:17:51.525 [138329095957136] DEBUG - [CERT/OCSP] no URL available
Aug 13, 2025 02:17:51.525 [138329095957136] WARN - [CERT/OCSP] getCertInfo failed; skipping stapling
Aug 13, 2025 02:17:51.527 [138329095957136] DEBUG - HttpServer: Listening on port 32400.
Aug 13, 2025 02:17:51.527 [138329095957136] DEBUG - HttpServer: Listening on port 32401.
Aug 13, 2025 02:17:51.527 [138329095957136] DEBUG - Running server...
Aug 13, 2025 02:17:51.527 [138329075391288] DEBUG - HttpServer: Set up a thread pool with 2 threads.
Aug 13, 2025 02:17:51.527 [138329095957136] INFO - Running migrations. (EPG 0)
Aug 13, 2025 02:17:51.528 [138329095957136] DEBUG - Captured session 0.

READERS:

Increase the read permissions on the certificate file EVEN IF it was set up with the right PID/GID.
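An added example, not from any poster in this thread: a small Python preflight that reads the two things already shown above, the `openssl pkcs12 -info -noout` output and the `ls -l` line for the bundle, and reports what the bare "couldn't install it" error does not: whether the bundle holds a private key and an intermediate, how the PBKDF2 iteration count compares with openssl's default of 2048 (the Iteration 1 vs Iteration 2048 difference noted earlier), and whether a given user and group set can read the file at all. The function names and the user/group values are assumptions; the sample inputs are constructed from the outputs quoted in this thread. It also makes explicit one thing the `docker exec` check above misses: that check runs as root, which bypasses mode bits, so it passes whether or not the server's own user can open the file.

```python
import re
from dataclasses import dataclass, field

# Constructed sample inputs, copied from the outputs quoted earlier in this
# thread (`openssl pkcs12 -info -noout` and the `ls -l` line for the bundle).
SAMPLE_INFO = """\
MAC: sha256, Iteration 1
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 1, PRF hmacWithSHA256
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 1, PRF hmacWithSHA256
"""
SAMPLE_LS = "-rw------- 1 plex plex 4486 Aug 11 00:07 /certs/ssl/private.plex.pfx"

# openssl's own default for `pkcs12 -export` (PKCS12_DEFAULT_ITER); anything
# lower makes the password-based encryption cheaper to brute force.
DEFAULT_ITER = 2048


@dataclass
class P12Summary:
    cert_bags: int = 0
    key_bags: int = 0
    mac_alg: str = ""
    mac_iterations: int = 0
    key_pbe: str = ""
    key_iterations: int = 0
    warnings: list = field(default_factory=list)


def parse_pkcs12_info(text: str) -> P12Summary:
    """Summarise `openssl pkcs12 -info -noout` output and flag weak spots."""
    s = P12Summary()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Certificate bag":
            s.cert_bags += 1
        elif line.startswith("Key bag"):
            # Unencrypted key bag: the private key is protected only by file permissions.
            s.key_bags += 1
            s.key_pbe = "none"
        elif line.startswith("Shrouded Keybag:"):
            s.key_bags += 1
            m = re.match(r"Shrouded Keybag: (.*?), Iteration (\d+)", line)
            if m:
                s.key_pbe, s.key_iterations = m.group(1), int(m.group(2))
        elif line.startswith("MAC:"):
            m = re.match(r"MAC: (\S+), Iteration (\d+)", line)
            if m:
                s.mac_alg, s.mac_iterations = m.group(1), int(m.group(2))
    if s.key_bags == 0:
        s.warnings.append("no private key in the bundle")
    if s.cert_bags < 2:
        s.warnings.append("only one certificate bag: no intermediate chain present")
    if s.key_pbe == "none":
        s.warnings.append("private key is stored unencrypted")
    elif 0 < s.key_iterations < DEFAULT_ITER:
        s.warnings.append(f"key PBKDF2 iteration count {s.key_iterations} is below openssl's default {DEFAULT_ITER}")
    if 0 < s.mac_iterations < DEFAULT_ITER:
        s.warnings.append(f"MAC iteration count {s.mac_iterations} is below openssl's default {DEFAULT_ITER}")
    return s


def can_read(ls_line: str, user: str, groups: tuple) -> bool:
    """Apply Unix mode bits from an `ls -l` line for a given user and its groups.

    root (CAP_DAC_OVERRIDE) bypasses mode bits, which is why a check run as root
    inside the container cannot reveal a permission problem the server process hits.
    """
    mode, _links, owner, group = ls_line.split(None, 8)[:4]
    if user == "root":
        return True
    if user == owner:          # the owner class applies even if the group also matches
        return mode[1] == "r"
    if group in groups:
        return mode[4] == "r"
    return mode[7] == "r"


def preflight(info_text: str, ls_line: str, user: str, groups: tuple) -> list:
    """Return the list of problems hidden behind a bare 'couldn't install it'."""
    findings = list(parse_pkcs12_info(info_text).warnings)
    if not can_read(ls_line, user, groups):
        findings.append(f"file is not readable by {user} (groups: {', '.join(groups) or 'none'})")
    return findings


if __name__ == "__main__":
    # Simulate the server reading the bundle as a user outside the plex group (assumed names).
    for finding in preflight(SAMPLE_INFO, SAMPLE_LS, "abc", ("users",)):
        print("WARN:", finding)
```

The call worth making is `can_read` with the uid the server process actually runs as, not the uid you configured it to run as; that is the question the 644 workaround at the end of the thread sidesteps rather than answers.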