Error 60 SSL for plex.tv | No local or remote access | Previously working, no changes made

Server Version#: v1.42.1.10060-4e8b05daf
Player Version#: N/A

I went to add an additional user to my long running, remotely accessible server and they identified issues getting my server to show up.

It was fine for me, so I logged out and in as a sanity check, and now I too can’t access my own server, either locally (http://192.168.50.200:32400/) or remotely (https://app.plex.tv/desktop/#!/).

Inspecting my Plex Media Server.log I see a lot of, if not all, API requests to plex.tv failing with the error: (60, SSL peer certificate or SSH remote key was not OK) (SSL: no alternative certificate subject name matches target host name 'plex.tv')

Related forum posts or support articles:

More context:

  • Running on Unraid 7.1.2 using the official plexinc app (plexinc/pms-docker - Docker Image | Docker Hub). Set to host network type.
  • No proxy, No CGNat, No custom domain name (All users use https://app.plex.tv/), No custom SSL
  • On a dynamic IP with my ISP
  • Port 32400 forwarded in router (working fine for many users for more than a year)
  • I’ve updated Plex recently, but my logs don’t go back far enough to confirm when the API requests started failing, and if they were associated with a specific update. I suspect this isn’t associated with an update.
  • Log file: Plex Media Server.log (387.4 KB)
    • Note that I’ve redacted emails, media names and my public ip. Happy to share unedited logs via DM.

Troubleshooting I’ve tried:

  • Deleting (renaming) the .p12 certificate file that was under Cache/. I seem to have lost it during my troubleshooting so I no longer have it.

  • Deleting specific values from Preferences.xml per Why am I locked out of Server Settings and how do I get in? | Plex Support

    • This allowed me to access the server locally. It was unclaimed, but clicking the claim button tried to make an API request to plex.tv that failed with the same error.
    • I’ve undone this change for now.
  • Changing my Unraid server’s DNS from my router to 1.1.1.1, restarting entire docker service.

  • Comparing a DNS lookup from a third-party ( SSL Checker ) with a DNS lookup from within the docker container

    • Website said 52.213.108.76. Container (only getent seems to come installed) said 52.49.141.28 & 52.213.108.76. Seems fine.
      • getent
        # getent hosts plex.tv
        52.49.141.28    plex.tv
        52.213.108.76   plex.tv
        
  • Checking subject & issuer from this command within the container: openssl s_client -connect plex.tv:443 -servername plex.tv. This connected and listed DigiCert, looks legit.

  • I will try restarting the Unraid server within the next 12 hours or so when I can get physical access to it.

Appreciate any help figuring out what’s going on with this. Cheers.

Try ChuckPA’s User Credential Reset Utility:

https://github.com/ChuckPa/UserCredentialReset

Error 60 means there’s another cert / domain name / request being rewritten involved.

It’s essentially a Man-in-the-middle error.

The name expected and what was received don’t match
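What that mismatch check amounts to, as an added example (not part of any post in this thread, and not Plex's or curl's own code): the presented certificate's subjectAltName entries are compared with the requested host. Both certificate dicts are constructed samples, and `probe` is a hypothetical helper for repeating the check live from the affected machine.

```python
import socket
import ssl

# Constructed samples, shaped like ssl.SSLSocket.getpeercert() output.
EXPECTED_STYLE_CERT = {"subjectAltName": (("DNS", "plex.tv"), ("DNS", "*.plex.tv"))}
OTHER_DEVICE_CERT = {"subjectAltName": (("DNS", "router.example"), ("DNS", "*.router.example"))}

def san_dns_names(cert):
    """Return the dNSName entries of a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, host):
    """RFC 6125 style match: '*' only as the whole leftmost label, one label deep."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2 and h[0]:
        p, h = p[1:], h[1:]
    return p == h

def check_host(cert, host):
    """Return (ok, names). ok is False in the situation the log reports as
    'no alternative certificate subject name matches target host name'."""
    names = san_dns_names(cert)
    return any(name_matches(n, host) for n in names), names

def probe(host, port=443, timeout=5):
    """Live handshake with full verification; network errors propagate."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", san_dns_names(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # verify_message separates a hostname mismatch from an untrusted or expired chain
        return "verify-failed", exc.verify_message

if __name__ == "__main__":
    for label, cert in (("expected-style", EXPECTED_STYLE_CERT), ("other-device", OTHER_DEVICE_CERT)):
        print(label, check_host(cert, "plex.tv"))
```

Running `probe("plex.tv")` from the same host and network namespace as the server shows whether the failure is a name mismatch or a different verification problem.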

I gave this a shot. I’m still getting the same error unfortunately.

I’ve contacted my ISP with a generic question about Plex, to see if they mention any recent changes.

I’ve also spotted this other forum post with a similar issue, although their symptoms started at least a few days earlier than mine: Can not claim server suddenly after having no problem for over a year - Plex Media Server - Plex Forum

I’ve also tried downgrading to 1.41.6.9685-d301f511a, but that didn’t help.

I’m also in the process of exploring setting up a fresh new Plex container adjacent to the existing one, but I’m having trouble claiming that one too, getting the same or similar SSL errors.

Interesting. I can’t imagine anything on my end that would interfere like this. My router is basically default except for the ports I’ve forwarded. And the container is just running on the host network type on the machine that it’s forwarded to.

It smells like an ISP issue to me, as much as I don’t want it to be. I can’t imagine what reason they’d have to meddle.

Is there a way I can trigger some sort of certificate refresh on my Plex instance or something? Or is this definitely an issue outside the container itself?

If you want to conduct a test outside of PMS, you can verify whether the ISP or some entity between you and Plex is interfering.

  1. Download my Claim script
  2. Stop Plex
  3. Run the script
  4. Give it a Plex Claim Token as it asks.

If it can talk to Plex.tv without issue, it’ll claim the server and report your username & email address.

If it gets any other error, it will report it -OR- print blank username & email.

I have the same error on my Truenas Scale using the official plex image ver 1.42.1.10060-4e8b05daf.

I have also tried all the aforementioned troubleshooting + checked if system time was correct.

I’m curious, if you go to CanYouSeeMe.org, does it show that port 32400 is open?

Also, under Settings → Remote Access, Do you have the “Manually specify public port” box checked or do you let Plex negotiate the Public port with your router?

CanYouSeeMe sees the port open, be it the upnp port or a manually specified one (tried both). Server is still unreachable in both cases.

Do an nslookup your.wan.ip.addr
and then a whois your.wan.ip.addr

Does it come back with a human-style FQDN name
or
does it come back with an automation name
( e.g. c-102-66-202-222.name.name.ISP.tld ) ?

It comes back as

Name: static-my-wan-ip-adress.ftth.abo.isp.tld

This has now been resolved for me.

The fix was simply updating my router.

For reference, my router is an ASUS ZenWiFi XD5.

I updated it from 3.0.0.4.388_24011 to 3.0.0.4.388_24022.

And that simply resolved it. Not the most satisfying solution but I hope it helps others.

The issue disappeared for 1 day and then came back. This is nonsense.