Lost access to my own server?

Hi, yesterday when I wanted to watch a movie on my plex server It looked like the server was offline. So I did some server reboots and try to get it online. But it already were online since other users in my home group could still access my server. So me, the server admin, don’t have access to my own server yet people I’ve shared my server with still have access to it?

I decided to watch a movie on a different account and see if it sorts itself out eventually but the issue still persist. And I don’t know where to start the troubleshooting since it seems to be an issue with my account and not my server.

Grateful for any advice!

Logs:
text.txt (228.9 KB)

There is a problem with the server’s SSL certificate.

Jul 10, 2022 10:00:41.560 [0x7f8a69fb6b38] WARN - [HttpClient/HCl#15] HTTP error requesting GET https://plex.tv/media/providers?X-Plex-Token=xxxxxxxxxxxxxxxxxxxx (60, SSL peer certificate or SSH remote key was not OK) (SSL: no alternative certificate subject name matches target host name 'plex.tv')
Jul 10, 2022 10:00:41.560 [0x7f8a69d5fb38] ERROR - [MediaProviderManager] Error parsing content.
Jul 10, 2022 10:00:41.560 [0x7f8a69d5fb38] ERROR - [MediaProviderManager] Error parsing XML: Error parsing file.
Jul 10, 2022 10:00:41.560 [0x7f8a69d5fb38] DEBUG - [MediaProviderManager/HCl#1a] HTTP requesting GET https://plex.tv/media/providers?X-Plex-Token=xxxxxxxxxxxxxxxxxxxx
Jul 10, 2022 10:00:41.561 [0x7f8a698f8b38] DEBUG - [DatabaseFixups] Collections: Refreshed attributes for 0 collections in section 2 in 1ms.
Jul 10, 2022 10:00:41.562 [0x7f8a698f8b38] DEBUG - [DatabaseFixups] Collection: Refreshed visibility in section 2 in 0ms.
Jul 10, 2022 10:00:41.565 [0x7f8a698f8b38] DEBUG - [DatabaseFixups] Collections: Refreshed attributes for 0 collections in section 2 in 2ms.
Jul 10, 2022 10:00:41.565 [0x7f8a698f8b38] DEBUG - [DatabaseFixups] Collections: Found 0 collections tags in section 5.
Jul 10, 2022 10:00:41.565 [0x7f8a698f8b38] DEBUG - [DatabaseFixups] Collections: We had 0 collections in the library already.
Jul 10, 2022 10:00:41.565 [0x7f8a698f8b38] DEBUG - [DatabaseFixups] Collections: Synced tags in section 5 in 0ms.
Jul 10, 2022 10:00:41.566 [0x7f8a698f8b38] DEBUG - [DatabaseFixups] Collections: Refreshed attributes for 0 collections in section 5 in 0ms.
Jul 10, 2022 10:00:41.566 [0x7f8a698f8b38] DEBUG - [DatabaseFixups] Collection: Refreshed visibility in section 5 in 0ms.
Jul 10, 2022 10:00:41.567 [0x7f8a698f8b38] DEBUG - [DatabaseFixups] Collections: Refreshed attributes for 0 collections in section 5 in 1ms.
Jul 10, 2022 10:00:41.588 [0x7f8a69fb6b38] DEBUG - [HttpClient/HCl#19] HTTP/1.1 (0.1s) 200 response from GET http://127.0.0.1:40255/:/plugins/com.plexapp.system/messaging/function/X0J1bmRsZVNlcnZpY2U6QWxsU2VydmljZXM_/Y2VyZWFsMQoxCmxpc3QKMApyMAo_/Y2VyZWFsMQoxCmRpY3QKMApyMAo_
Jul 10, 2022 10:00:41.588 [0x7f8a6982cb38] DEBUG - [Req#1] [com.plexapp.system] HTTP reply status 200, with 61078 bytes of content.
Jul 10, 2022 10:00:41.591 [0x7f8a69ffcb38] DEBUG - Completed: [127.0.0.1:52100] 200 GET /:/plugins/com.plexapp.system/messaging/function/X0J1bmRsZVNlcnZpY2U6QWxsU2VydmljZXM_/Y2VyZWFsMQoxCmxpc3QKMApyMAo_/Y2VyZWFsMQoxCmRpY3QKMApyMAo_ (2 live) GZIP 119ms 19766 bytes
Jul 10, 2022 10:00:41.607 [0x7f8a69fb6b38] WARN - [HttpClient/HCl#17] HTTP error requesting GET https://plex.tv/api/v2/user?includeSubscriptions=1&includeProviders=1 (60, SSL peer certificate or SSH remote key was not OK) (SSL: no alternative certificate subject name matches target host name 'plex.tv')

To start sorting this out, I’ve reset your server’s certificate at plex.tv

Please restart PMS and allow it to download & install the new one.

If this fails, we’ll get into the server (where it stores the certificate) itself.

Sorry, still not working and now it’s inaccessible to my home members as well

How did this happen? Is this a missconfig on my end somewhere? I’m running a reverse proxy on my server with certbot. Recently I moved my main domain from godaddy to Google domains. Could any of these things effect plex? Most of my traffic is run through my reverse proxy except for plex which have a dedicated port 32400 for app connections.

I’m fairly proficient with Linux and been running plex for 5ish Years and never run into something like this.

Thank you for the speedy reply

@Karl_Blixt

Running a proxy will screw things up really quickly if not configured.

Suggestion:

1. Turn off the proxy – for now.
2. Communicate directly with the server in your home and get it back online.
3. Confirm everyone in your home is working.
4. Now look at what changed in the Proxy
   – Certificate ?
   – FQDN ?
   – ports ?

I don’t use a proxy. I control access in my firewall. I have the granularity to restrict access to specific IP addresses or FQDNs (DDNS FQDNs work perfectly)

I’m not currently in the same location as the server, but I’ll give it shot remotly.

I just fail to see how the remote proxy screws up the plex installation? They are on completely different VM’s. Proxy is running i a proxmox container and plex is running in its own VM.

The issue is that there’s a layer between the player and PMS.

How can there be a layer between player and PMS if I’m using the app that presumably connect directly through port 32400?

Im sorry if I’m a bit inquisitive, I’m just trying to understand the root issue here? What exactly is the issue? Is it an issue with the ssl cert that plex provide between the player and PMS?

Thank you so much for the assistance in this issue!

So.

I followed your guiding. Sorry if it its been a while. Vacation and all that.

I shut down my reverse proxy so all of my services are down. And I’m physically by my machine. So there is litterly nothing between me and localhost:32400

How do I “get it back online”? The plexmediaserver service is running. But when I go to localhost:32400 all I get is a plex.tv login request. And after logging in there and gets in on the web app on my localhost:32400 there is nothing there. All it says is “add your media to plex” with a button that links to where to download plexmediaserver… Which is already running on the system.

I’ve also tried it through app.plex.tv. Same story.

Here is a fresh set of logs:
logs.txt (538.4 KB)

@Karl_Blixt

I don’t know what you posted but it’s jumbled.

i can make out the SSL errors.

Looking at your account, I do see a *.FAMILY domain.
Where is that coming from?

We’re going to go in and make PMS forget it has a default certificate.

1. Stop PMS
2. Go to /var/lib/plexmediaserver/Library/Application Support/Plex Media Server/Cache
3. Remove the Certificate.p12 or cert-v2.p12 (whichever you have)
4. Start PMS
5. Let it sit idle.
6. Notify me when it’s running and I’ll check Plex.tv

Ok, cert is removed and server is idle.

*.Family is my own domain. I think I tried to close the 32400 towards the web and try to route the app traffic through my remote proxy but I just left the port up anyway. You can remove it if it’s disrupting things.

And this is some quick responses man… I’m very grateful for the support

Sorry about the logs. Something must have gone wrong in the copy paste.

@ChuckPa

OK, I think I might found the culprit here.

My ddns provider that I use is apparently as stable as a leaf and have been offline for the past 10 days. Could this be an explanation for my issues?

I don’t understand why it would effect my plex setup other than being unable to get through to my server externally through my reverse proxy.

But it seems like an unlikely coincidence to not be related.

The external DDNS – which points TO your server shouldn’t have any impact here.
I would remove it from the Settings - Network until everything is working again.

The problem being seen is PMS reaching OUT to Plex.tv and Plex.tv complaining the certificate is borked .

Now, with the certificate.p12 / cert-v2.p2 removed from within PMS,

Start it.

Let’s see if it’s able to contact plex.tv and pull a new PMS internal cert.
IF NOT, then all your outbound traffic is getting wrapped in another certificate.

while inside PMS,

Look at “Preferences.xml”

Make certain you don’t see PlexOnlineToken="" (empty)

Jul 16, 2022 02:02:29.053 [0x7f912832fb38] WARN - [HttpClient/HCl#48] HTTP error requesting GET https://plex.tv/media/providers?X-Plex-Token=xxxxxxxxxxxxxxxxxxxx (60, SSL peer certificate or SSH remote key was not OK) (SSL: no alternative certificate subject name matches target host name 'plex.tv')

More of the same I’m afraid, and now I removed the added domains that I had previously.

Did you restart the host and plex after removing?

No, but I just did. Nothing changed.

That’s progress, you’re not getting forbidden. You’re getting a complaint that the CA that signed Plex’s cert does not exist in your bundle of CA Certs. That’s just a guess from reading the docs from the curl folks and searching DDG for that 60 error message.

Let’s get some verbose output to be sure. Start by finding your Plex Token.
https://support.plex.tv/articles/204059436-finding-an-authentication-token-x-plex-token/

Once you’ve copied your token, open a terminal.
Type the command you listed above that failed,
but use curl and verbose and paste your real token
in the command

curl -v https://plex.tv/media/providers?X-Plex-Token=PASTEYOURTOKENHERE

REDACT YOUR TOKEN, and paste the output into your reply please.
Pasted output works best in a code block.
(paste it, highlight the pasted mess, and click the </> button to wrap it in preformatted block)

[~] # curl -v https://plex.tv/media/providers?X-Plex-Token=REDACTED
*   Trying 52.213.118.233...
* Connected to plex.tv (52.213.118.233) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* 	 subject: C=CH; ST=Nidwalden; L=Stans; O=Plex GmbH; CN=*.plex.tv
* 	 start date: 2021-09-22 00:00:00 GMT
* 	 expire date: 2022-09-22 23:59:59 GMT
* 	 subjectAltName: plex.tv matched
* 	 issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
* 	 SSL certificate verify ok.

karl@plex:~$ curl -v https://plex.tv/media/providers?X-Plex-Token=(redacted) 
*   Trying 52.209.234.37...
* TCP_NODELAY set
* connect to 52.209.234.37 port 443 failed: Connection timed out
*   Trying 54.73.99.112...
* TCP_NODELAY set
* Connected to plex.tv (54.73.99.112) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=fatllama.com
*  start date: Feb  4 00:00:00 2022 GMT
*  expire date: Mar  5 23:59:59 2023 GMT
*  subjectAltName does not match plex.tv
* SSL: no alternative certificate subject name matches target host name 'plex.tv'
* stopped the pause stream!
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (51) SSL: no alternative certificate subject name matches target host name 'plex.tv'

Hope this is correct. I was unable to find the plex token through the normal method since I don’t have any media…

But I had a token in a script that I used.

fatllama I hope Chuck knows what that means.

@ChuckPa

So from the result that @nibbles suggested I figured that the nameserver my router use returned the wrong address for plex.tv for some reason. So I changed my routers nameserver to 1.1.1.1

And now it works. So I guess it was an issue with my routers manufacturers default nameserver.

Thank you ChuckPa and Nibbles for the assistance

@Karl_Blixt

Future reference.

If you ever need a claim token – Claim | Plex

It’ll give you the token for the token-exchange curl operation which will then deposit the PlexOnlineToken in your Preferences.xml