OCSP Bug

Server Version#: 1.18.1.1973 (Docker)

I’ve been having trouble getting Plex to accept my TLS cert. I’ve been a Plex and custom cert user for years, but I cannot get it to work in this Docker container.

After much testing, I think it comes down to an OCSP problem with Plex. When checking OCSP status with openssl like so:

openssl ocsp -issuer alpha-issuing.pem -cert leaf[2021].pem -CAfile alpha-chain.pem -url http://ocsp2.globalsign.com/gsalphasha2g2/

I get a perfect response:

Response verify OK
leaf[2021].pem: good

However, when I create a pfx from these files I get the following error from Plex, and it refuses to use my certificate, falling back to the plex.direct cert:

[0x7f9b2414fb80] DEBUG - CERT: Certificate will not expire soon.
[0x7f9b2414fb80] DEBUG - CERT: Installed certificate with fingerprint 3f:8a...7c:48.
[0x7f9b2414fb80] DEBUG - CERT: Installed new private key.
[0x7f9b2414fb80] DEBUG - CERT: Subject name is /C=US/ST=California/L=Los Gatos/O=Plex, Inc./CN=*.d9...f61.plex.direct
[0x7f9b2414fb80] DEBUG - CERT: OCSP requests for stapling will be made to 'http://ocspx.digicert.com/'.
[0x7f9b2414fb80] VERBOSE - CERT: Successfully generated OCSP stapling request
[0x7f9b2414fb80] INFO - OCSP: Successfully retrieved response from cache.
[0x7f9b2414fb80] DEBUG - CERT: Installed intermediate certificate.
[0x7f9b2414fb80] DEBUG - CERT: Loaded a user-provided certificate.
[0x7f9b2414fb80] DEBUG - CERT: OCSP requests for stapling will be made to 'http://ocsp2.globalsign.com/gsalphasha2g2/'.
[0x7f9b2414fb80] VERBOSE - CERT: Successfully generated OCSP stapling request
[0x7f9b0bfff700] DEBUG - HTTP 200 response from GET http://ocsp2.globalsign.com/gsalphasha2g2/...
[0x7f9b0bfff700] ERROR - OCSP: Response did not contain a status for our cert.
[0x7f9b0bfff700] INFO - OCSP: couldn't fetch a valid response; retrying in 10800 seconds

For reference, this is an AlphaSSL wildcard cert.
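
How an OCSP client decides whether a response covers its certificate, as an added example that is not part of the original post and is not Plex's code. It models the CertID match from RFC 6960 using constructed byte strings in place of real DER; all names and values are assumptions, and it does not establish the cause of the error in the log above.

```python
import hashlib
from typing import NamedTuple

class CertID(NamedTuple):
    """The four fields an OCSP SingleResponse is keyed on (RFC 6960, CertID)."""
    hash_alg: str
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int

def make_cert_id(issuer_name_der: bytes, issuer_key_bits: bytes,
                 serial: int, hash_alg: str = "sha1") -> CertID:
    # issuer_name_der: DER encoding of the issuer certificate's subject Name.
    # issuer_key_bits: value of the issuer's subjectPublicKey field
    # (excluding tag and length).
    digest = lambda data: hashlib.new(hash_alg, data).digest()
    return CertID(hash_alg, digest(issuer_name_der), digest(issuer_key_bits), serial)

def explain_lookup(responses: dict, wanted: CertID) -> str:
    """Return the status for `wanted`, or say which CertID field failed to match."""
    if wanted in responses:
        return responses[wanted]
    for cid in responses:
        if cid.serial != wanted.serial:
            continue
        if cid.hash_alg != wanted.hash_alg:
            return "no status: serial present, but CertID hash algorithm differs"
        return "no status: serial present, but issuer name/key hash differs"
    return "no status: serial not in response"

# Constructed stand-ins for DER bytes; real values come from the certificates.
ISSUING_NAME, ISSUING_KEY = b"DER(Name of issuing CA)", b"issuing CA key bits"
ROOT_NAME, ROOT_KEY = b"DER(Name of root CA)", b"root CA key bits"
LEAF_SERIAL = 0x1234ABCD  # constructed serial number

# Constructed responder answer: one SingleResponse keyed on the issuing CA.
RESPONSE = {make_cert_id(ISSUING_NAME, ISSUING_KEY, LEAF_SERIAL): "good"}

def demo() -> list:
    return [
        # Request built from the issuing CA: CertID matches.
        explain_lookup(RESPONSE, make_cert_id(ISSUING_NAME, ISSUING_KEY, LEAF_SERIAL)),
        # Request built from a different certificate in the chain.
        explain_lookup(RESPONSE, make_cert_id(ROOT_NAME, ROOT_KEY, LEAF_SERIAL)),
        # Same issuer, but the request hashed with a different algorithm.
        explain_lookup(RESPONSE, make_cert_id(ISSUING_NAME, ISSUING_KEY, LEAF_SERIAL, "sha256")),
        # Response is about some other serial number entirely.
        explain_lookup(RESPONSE, make_cert_id(ISSUING_NAME, ISSUING_KEY, 0x99)),
    ]
```
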
