Customer Certificate Woes: "Found a user-provided certificate, but couldn't install it"

Running Plex on a FreeBSD host (currently running version 1.18.1.1973), like others who have attempted to use a custom SSL/TLS certificate, I cannot get PLEX to use my certificate.

First, let’s validate that the certificate is a PKCS12 DER-encoded certificate and private key in a PFX file:

$ openssl pkcs12 -info -nodes -in mycert.pfx
Enter Import Password:
MAC: sha1, Iteration 1
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: AB CD EF 00 11 22 33 44 55 66 77 88 99 DE AD BE EF 60 0D 18
subject=CN = my.plexserver.domain
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    localKeyID: AB CD EF 00 11 22 33 44 55 66 77 88 99 DE AD BE EF 60 0D 18
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

Okay, that looks normal and good. I launch PLEX, notice it is NOT using this certificate, so I look at the logs and discover:

$ grep CERT Plex\ Media\ Server.log
Oct 31, 2019 13:49:30.977 [0x8027bd000] DEBUG - CERT: Installed certificate with fingerprint de:ad:be:ef:15:60:0d:de:a1:70:5e:e2:00:11:22:33:44:55:66:77.
Oct 31, 2019 13:49:30.977 [0x8027bd000] DEBUG - CERT: Installed new private key.
Oct 31, 2019 13:49:30.977 [0x8027bd000] DEBUG - CERT: Subject name is /C=US/ST=California/L=Los Gatos/O=Plex, Inc./CN=*.718825f9b570481f9e42a6a95f718f01.plex.direct
Oct 31, 2019 13:49:30.977 [0x8027bd000] DEBUG - CERT: OCSP requests for stapling will be made to 'http://ocspx.digicert.com/'.
Oct 31, 2019 13:49:30.977 [0x8027bd000] VERBOSE - CERT: Successfully generated OCSP stapling request
Oct 31, 2019 13:49:30.977 [0x8027bd000] DEBUG - CERT: Installed intermediate certificate.
Oct 31, 2019 13:49:30.977 [0x8027bd000] ERROR - CERT: Found a user-provided certificate, but couldn't install it.
Oct 31, 2019 13:49:37.990 [0x80f78a100] DEBUG - CERT: Certificate will not expire soon.
Oct 31, 2019 13:49:37.991 [0x80b3e3c00] DEBUG - CERT: Installed certificate with fingerprint 09:bf:f5:6e:a0:0a:c7:36:0e:19:80:70:6f:b7:b9:15:d4:21:86:9f.
Oct 31, 2019 13:49:37.991 [0x80b3e3c00] DEBUG - CERT: Installed new private key.
Oct 31, 2019 13:49:37.991 [0x80b3e3c00] DEBUG - CERT: Subject name is /C=US/ST=California/L=Los Gatos/O=Plex, Inc./CN=*.718825f9b570481f9e42a6a95f718f01.plex.direct
Oct 31, 2019 13:49:37.991 [0x80b3e3c00] DEBUG - CERT: OCSP requests for stapling will be made to 'http://ocspx.digicert.com/'.
Oct 31, 2019 13:49:37.991 [0x80b3e3c00] VERBOSE - CERT: Successfully generated OCSP stapling request
Oct 31, 2019 13:49:37.991 [0x80b3e3c00] DEBUG - CERT: Installed intermediate certificate.
Oct 31, 2019 13:49:37.991 [0x80b3e3c00] ERROR - CERT: Found a user-provided certificate, but couldn't install it.

Nope, the installed certificate is the PLEX auto-magic *.plex.direct certificate. As for the certificate I wanted installed, I see:

ERROR - CERT: Found a user-provided certificate, but couldn’t install it

Okay, not very helpful. Why not a nice DEBUG-level message saying WHY it couldn’t be installed? It obviously found the file just fine. There is no password encrypting the private key, and the PLEX configuration screen shows an empty field:

Custom certificate location: /path/to/mycert.pfx
Custom certificate encryption key: [empty field]
Custom certificate domain: my.plexserver.domain

Any way to convince PLEX to log MORE verbosely the certificate rejection reason?

Puzzled and frustrated,
–Astounding

I don’t know anything about how these work, but here is a post from our expert previously. Plex Media Server v0.9.14.0 custom SSL certificate.

Apparently you need a .p12 file.

Yes, as posts in that thread mention, the certificate needs to be in PKCS#12 format. My certificate meets that criterion. Whether the actual filename ends in a .pfx or .p12 suffix does not make a difference. Renaming my file from mycert.pfx to mycert.p12 and changing my settings accordingly did not do anything:

Custom certificate location: /path/to/mycert.p12
Custom certificate encryption key: [empty field]
Custom certificate domain: my.plexserver.domain

The suggested forum thread mentions the certificate needs to include the intermediate certificates–that is, it must be a “full chain” certificate. Specifically, PLEX employee rcombs said in that other thread:

The certificate path needs to point at a .p12 containing the leaf certificate, the intermediate cert that issued it, and the private key. The encryption key field is for the password the .p12 is encrypted with.

I’ve tried just using the end or “leaf” certificate and private key in addition to what rcombs suggested–which is what I tried first–that is, I included the full certificate chain by including the intermediate certificate in addition to the “leaf” certificate and key.

No matter what variation, the SAME ERROR persists:
Nov 04, 2019 22:39:44.723 [0x80b3e3c00] ERROR - CERT: Found a user-provided certificate, but couldn’t install it.

So sadly, that other post does not help resolve this particular problem wherein I am using a valid PKCS#12 certificate that includes the private key, certificate, and intermediate certificate. Note my original post uses the openssl CLI utility to examine my PKCS#12 certificate.

Thanks, MovieFan.Plex, for your pointer. I appreciate it, even if it didn’t solve my problem. Any and all ideas are very welcome!

I hope a PLEX employee developer sees this thread and adds more useful logging output to PLEX’s certificate loading and parsing code so that PLEX will log the reason why a user-provided certificate that is found cannot be used. A more specific error in the logs would likely have led me to a solution by now.

Still puzzled and frustrated,
–Astounding
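
A pre-flight check for the bundle layout rcombs describes (leaf certificate, the intermediate that issued it, and the private key), added here as an example that is not part of the thread and not Plex's own code. The function names `make_sample` and `check_p12`, the throwaway CA and the password `test` are constructed for illustration; the script inspects the file's contents only and does not explain why Plex rejected the poster's certificate.

```shell
#!/bin/sh
# Added example; every name, subject and password here is constructed.
# make_sample DIR: throwaway issuing CA + leaf, bundled two ways (password "test"):
# full.p12 = key + leaf + issuer, leaf-only.p12 = key + leaf.
make_sample() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Issuing CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=my.plexserver.domain" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" \
        -certfile "$d/ca.pem" -passout pass:test -out "$d/full.p12" &&
    openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" \
        -passout pass:test -out "$d/leaf-only.p12"
}

# check_p12 FILE PASSWORD: 0 = key, matching leaf and a CA cert named as its
# issuer are present; 1 = something is missing; 2 = bundle cannot be opened.
check_p12() {
    p12=$1; pw=$2; rc=0; t=$(mktemp -d) || return 2
    x() { openssl pkcs12 -in "$p12" -passin "pass:$pw" "$@" 2>/dev/null; }
    if ! x -nocerts -nodes -out "$t/key.pem"; then
        echo "FAIL: cannot open bundle (password or format)"; rm -rf "$t"; return 2
    fi
    x -clcerts -nokeys -out "$t/leaf.pem"   # certificates that have a key
    x -cacerts -nokeys -out "$t/ca.pem"     # all other certificates
    grep -q "PRIVATE KEY" "$t/key.pem" || { echo "FAIL: no private key"; rc=1; }
    grep -q "BEGIN CERT" "$t/leaf.pem" || { echo "FAIL: no leaf certificate"; rc=1; }
    if [ "$rc" -eq 0 ]; then
        # Leaf and key belong together when both yield the same public key.
        [ "$(openssl x509 -in "$t/leaf.pem" -noout -pubkey)" = \
          "$(openssl pkey -in "$t/key.pem" -pubout)" ] ||
            { echo "FAIL: private key does not match leaf"; rc=1; }
        # Name comparison only, not a signature check.
        iss=$(openssl x509 -in "$t/leaf.pem" -noout -issuer | sed 's/^issuer= *//')
        if ! grep -q "BEGIN CERT" "$t/ca.pem"; then
            echo "FAIL: no issuer certificate in bundle"; rc=1
        elif ! openssl crl2pkcs7 -nocrl -certfile "$t/ca.pem" |
               openssl pkcs7 -print_certs -noout |
               sed -n 's/^subject= *//p' | grep -Fxq -- "$iss"; then
            echo "FAIL: no bundled CA certificate names the leaf's issuer"; rc=1
        fi
    fi
    [ "$rc" -eq 0 ] && echo "OK: key, matching leaf and issuer present"
    rm -rf "$t"; return "$rc"
}
```

To try it, source the file, run `make_sample` on an empty directory, then call `check_p12` on `full.p12` and `leaf-only.p12` with the password `test`.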

Why is this empty? That other thread mentioned that this is the password for one of the certificate files, so this would be needed.

The encryption key field is empty because the key is not encrypted. Thus there is no password.

Like I said, I’m no expert, but I believe the certificate needs to be encrypted.

No, the certificate is NEVER encrypted. But the private key within the PKCS#12 file may or may not be encrypted. If PLEX only accepts files with private keys that ARE encrypted, this is a BUG in PLEX.

And just to see if perchance PLEX was rejecting my certificate because my private key therein was NOT encrypted, I encrypted my private key within the PKCS#12 file and added the password to the PLEX configuration.

No luck:
Nov 05, 2019 13:41:24.521 [0x80b3e3700] ERROR - CERT: Found a user-provided certificate, but couldn't install it.

sigh

Hoping for a miracle,
-Astounding

So… PLEX… HELP!

Have you got the file permissions set correctly on the certificate?

Permissions on the certificate are just fine, readable by the PLEX server processes. I truly wish it were something that simple. sigh
