Error 60 certificate, cant reclaim server

Plex Media Server
1

Server Version#: 1.41.2.9200

My server just randomly said i need to claim it, but when i press the button nothing happens.
In the logs i see these errors:
[HttpClient/HCl#41] HTTP error requesting GET https://plex.tv/api/v2/user/privacy?X-Plex-Token=xxxxxxxxxxxxxxxxxxxxficate or SSH remote key was not OK) (SSL: no alternative certificate subject name matches target host name ‘plex.tv’)

[Req#84b] HTTP -60 downloading url https://plex.tv/updater/products/5/check.xml?build=linux-x86_64&channel=16&distribution=debian&version=1.41.2.9200-c6bbc1b53

[HttpClient/HCl#44] HTTP error requesting GET https://plex.tv/api/v2/features?X-Plex-Token=xxxxxxxxxxxxxxxxxxxxficate or SSH remote key was not OK) (SSL: no alternative certificate subject name matches target host name ‘plex.tv’)

I tried restarting the server, but that didnt help, When testing a curl request to plex.tv from the docker i also het ssl errors.

i then get these results:

  • Trying 54.73.74.122:443…
  • Connected to plex.tv (54.73.74.122) port 443
  • ALPN: curl offers h2,http/1.1
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • CAfile: none
  • CApath: /etc/ssl/certs
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
  • ALPN: server accepted h2
  • Server certificate:
  • subject: CN=*.valumre.com
  • start date: Jul 3 00:00:00 2024 GMT
  • expire date: Aug 2 23:59:59 2025 GMT
  • subjectAltName does not match plex.tv
  • SSL: no alternative certificate subject name matches target host name ‘plex.tv’
  • Closing connection
  • TLSv1.2 (OUT), TLS alert, close notify (256):
    curl: (60) SSL: no alternative certificate subject name matches target host name ‘plex.tv’
    More details here: curl - SSL CA Certificates

i tried using the UserCredentialsReset.sh tool but that also got this error:
ERROR: Could not get credentials from plex.tv (Error: 60)

How can i fix these errors?

2

Do you see the same if you run the following curl command:
curl --connect-to plex.tv:34.243.110.103:443 -vI https://plex.tv

And maybe a couple of digs as well (see if the IP addresses returned differ):
dig plex.tv
dig @1.1.1.1 plex.tv

It based on your output it doesn’t appear that 54.73.74.122 is a valid IP address for plex.tv any longer. Do you have a self-hosted DNS server on your network performing a domain rewrite for plex.tv? Or maybe an entry in your /etc/hosts file for plex.tv?

3

These are the commands i ran from inside the plex container:
this is a linuxserver docker container running on an unraid machine.

curl --connect-to plex.tv:34.243.110.103:443 -vI https://plex.tv

  • Host plex.tv:443 was resolved.
  • IPv6: (none)
  • IPv4: 54.73.74.122, 63.35.89.50
  • Trying 54.73.74.122:443…
  • Connected to plex.tv (54.73.74.122) port 443
  • ALPN: curl offers h2,http/1.1
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • CAfile: /etc/ssl/certs/ca-certificates.crt
  • CApath: /etc/ssl/certs
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 / prime256v1 / rsaEncryption
  • ALPN: server accepted h2
  • Server certificate:
  • subject: CN=*.valumre.com
  • start date: Jul 3 00:00:00 2024 GMT
  • expire date: Aug 2 23:59:59 2025 GMT
  • subjectAltName does not match plex.tv
  • SSL: no alternative certificate subject name matches target host name ‘plex.tv
  • Closing connection
  • TLSv1.2 (OUT), TLS alert, close notify (256):
    curl: (60) SSL: no alternative certificate subject name matches target host name ‘plex.tv
    More details here: curl - SSL CA Certificates

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

dig plex.tv

; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> plex.tv
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50521
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;plex.tv. IN A

;; ANSWER SECTION:
plex.tv. 41809062 IN A 63.35.89.50
plex.tv. 41809062 IN A 54.73.74.122

;; Query time: 1 msec
;; SERVER: 10.0.0.1#53(10.0.0.1) (UDP)
;; WHEN: Thu Nov 28 22:24:21 CET 2024
;; MSG SIZE rcvd: 68

dig @1.1.1.1 plex.tv

; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> @1.1.1.1 plex.tv
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53336
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;plex.tv. IN A

;; ANSWER SECTION:
plex.tv. 25 IN A 52.51.38.160
plex.tv. 25 IN A 34.243.110.103

;; Query time: 8 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Thu Nov 28 22:24:47 CET 2024
;; MSG SIZE rcvd: 68

cat /etc/hosts

Generated

127.0.0.1 Unraid localhost

And these are the command when i ran them straight on my unraid machine terminal:

root@Unraid:/# curl --connect-to plex.tv:34.243.110.103:443 -vI https://plex.tv

  • Host plex.tv:443 was resolved.
  • IPv6: (none)
  • IPv4: 63.35.89.50, 54.73.74.122
  • Trying 63.35.89.50:443…
  • Connected to plex.tv (63.35.89.50) port 443
  • ALPN: curl offers h2,http/1.1
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • CAfile: /etc/ssl/certs/ca-certificates.crt
  • CApath: /etc/ssl/certs
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 / prime256v1 / rsaEncryption
  • ALPN: server accepted h2
  • Server certificate:
  • subject: CN=*.rwy.aviva.fabricfintech.com
  • start date: Mar 7 00:00:00 2024 GMT
  • expire date: Apr 5 23:59:59 2025 GMT
  • subjectAltName does not match plex.tv
  • SSL: no alternative certificate subject name matches target host name ‘plex.tv
  • Closing connection
  • TLSv1.2 (OUT), TLS alert, close notify (256):
    curl: (60) SSL: no alternative certificate subject name matches target host name ‘plex.tv
    More details here: curl - SSL CA Certificates

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

root@Unraid:/# dig plex.tv

; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> plex.tv
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15824
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;plex.tv. IN A

;; ANSWER SECTION:
plex.tv. 41808876 IN A 54.73.74.122
plex.tv. 41808876 IN A 63.35.89.50

;; Query time: 1 msec
;; SERVER: 10.0.0.1#53(10.0.0.1) (UDP)
;; WHEN: Thu Nov 28 22:27:27 CET 2024
;; MSG SIZE rcvd: 68

root@Unraid:/# dig @1.1.1.1 plex.tv

; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> @1.1.1.1 plex.tv
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47545
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;plex.tv. IN A

;; ANSWER SECTION:
plex.tv. 22 IN A 52.51.38.160
plex.tv. 22 IN A 34.243.110.103

;; Query time: 8 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Thu Nov 28 22:27:46 CET 2024
;; MSG SIZE rcvd: 68

root@Unraid:/# cat /etc/hosts

Generated

127.0.0.1 Unraid localhost

It is interesting that there seems to be different ip addresses for plex depending on the docker or the unraid it self.

my dns for the server is trough my router that is set up with 1.1.1.1 and 8.8.8.8

4

Whatever is at 10.0.0.1 is resolving the wrong IPs I think.

That doesn’t appear to be the case. From within the container:

;; ANSWER SECTION:
plex.tv. 41809062 IN A 63.35.89.50
plex.tv. 41809062 IN A 54.73.74.122

;; Query time: 1 msec
;; SERVER: 10.0.0.1#53(10.0.0.1) (UDP)
;; WHEN: Thu Nov 28 22:24:21 CET 2024
;; MSG SIZE rcvd: 68

On the Unraid host:

;; ANSWER SECTION:
plex.tv. 41808876 IN A 54.73.74.122
plex.tv. 41808876 IN A 63.35.89.50

;; Query time: 1 msec
;; SERVER: 10.0.0.1#53(10.0.0.1) (UDP)
;; WHEN: Thu Nov 28 22:27:27 CET 2024
;; MSG SIZE rcvd: 68

They differ depending on the DNS server queried, 10.0.0.1 vs. 1.1.1.1.

Also, that curl command I gave had a typo; I left out the port number for plex.tv. It should have been:
curl --connect-to plex.tv:443:34.243.110.103:443 -vI https://plex.tv

Sorry about that.

5

The device at 10.0.0.1 is my router.

this is the new curl data from within the plex container:

curl --connect-to plex.tv:443:34.243.110.103:443 -vI https://plex.tv

  • Connecting to hostname: 34.243.110.103
  • Connecting to port: 443
  • Trying 34.243.110.103:443…
  • Connected to 34.243.110.103 (34.243.110.103) port 443
  • ALPN: curl offers h2,http/1.1
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • CAfile: /etc/ssl/certs/ca-certificates.crt
  • CApath: /etc/ssl/certs
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
  • TLSv1.3 (IN), TLS handshake, Certificate (11):
  • TLSv1.3 (IN), TLS handshake, CERT verify (15):
  • TLSv1.3 (IN), TLS handshake, Finished (20):
  • TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.3 (OUT), TLS handshake, Finished (20):
  • SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / RSASSA-PSS
  • ALPN: server accepted http/1.1
  • Server certificate:
  • subject: C=CH; ST=Nidwalden; L=Stans; O=Plex GmbH; CN=*.plex.tv
  • start date: Aug 21 00:00:00 2024 GMT
  • expire date: Sep 21 23:59:59 2025 GMT
  • subjectAltName: host “plex.tv” matched cert’s “plex.tv
  • issuer: C=US; O=DigiCert Inc; CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
  • SSL certificate verify ok.
  • Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
  • Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
  • Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
  • using HTTP/1.x

HEAD / HTTP/1.1
Host: plex.tv
User-Agent: curl/8.5.0
Accept: /

  • TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
  • TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
  • old SSL session ID is stale, removing
    < HTTP/1.1 302 Found
    HTTP/1.1 302 Found
    < Date: Thu, 28 Nov 2024 21:40:11 GMT
    Date: Thu, 28 Nov 2024 21:40:11 GMT
    < Content-Type: text/html; charset=utf-8
    Content-Type: text/html; charset=utf-8
    < Connection: keep-alive
    Connection: keep-alive
    < Location: https://www.plex.tv/
    Location: https://www.plex.tv/
    < Cache-Control: no-cache
    Cache-Control: no-cache
    < Set-Cookie: _my-plex_session_32=VGF6UnhQWTRCWXY2V01jNENXUXVhSEJnNXZ5c3VIM3FVTzdJYjlVaUZLK0hyeng4VUxveUtNSlV0SnlwdjdRTE5UcU01S1VINm8vSHEyMEJjeXZzNHNjUkNxVnhtZS8wMlBzQ2RyVmNUeC84YzFqcVlUcGdSUkpqbUZYTlZ5SWdyZU5OWmxodDR3UmQrR1ZkTWxRRFRCR2VBOG9rYWRLZVZIRUhvU0QxUmNjPS0teE1LSEUwc1hTcDdOZUpCY05GWnpwdz09–0b169a1fabe7dd50935750dd5ba1bb37beb6b5d9; path=/; HttpOnly; secure
    Set-Cookie: _my-plex_session_32=VGF6UnhQWTRCWXY2V01jNENXUXVhSEJnNXZ5c3VIM3FVTzdJYjlVaUZLK0hyeng4VUxveUtNSlV0SnlwdjdRTE5UcU01S1VINm8vSHEyMEJjeXZzNHNjUkNxVnhtZS8wMlBzQ2RyVmNUeC84YzFqcVlUcGdSUkpqbUZYTlZ5SWdyZU5OWmxodDR3UmQrR1ZkTWxRRFRCR2VBOG9rYWRLZVZIRUhvU0QxUmNjPS0teE1LSEUwc1hTcDdOZUpCY05GWnpwdz09–0b169a1fabe7dd50935750dd5ba1bb37beb6b5d9; path=/; HttpOnly; secure
    < X-Request-Id: 17f162ef4ec379763a93fda51a432056
    X-Request-Id: 17f162ef4ec379763a93fda51a432056
    < X-Runtime: 0.003825
    X-Runtime: 0.003825
    < Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    < Referrer-Policy: origin-when-cross-origin
    Referrer-Policy: origin-when-cross-origin
    < X-Content-Type-Options: nosniff
    X-Content-Type-Options: nosniff
    < X-Frame-Options: SAMEORIGIN
    X-Frame-Options: SAMEORIGIN
    < X-XSS-Protection: 1; mode=block
    X-XSS-Protection: 1; mode=block
    < vary: Origin
    vary: Origin

<

  • Connection #0 to host 34.243.110.103 left intact
6

This is the CN in the certificate which 54.73.74.122 is providing:

This is the one from 34.243.110.103:

For whatever reason 10.0.0.1 is resolving plex.tv to incorrect IP addresses. It could be that the IPs were valid until recently, changed, and the changes haven’t propagated to everywhere yet.

1 Like
7

so i feel stupid now…

after this information i rebooted my router and now it works.

Thanks for the incredible help.

8

You’re welcome, glad you got it working!

9

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.