Plex Employee to Reset Server Certificate? "API rate limit exceeded" error

QNAP NAS running Plex compiled QPKG, all perms are QNAP admin.

OOPS! :man_facepalming:

You’re right. My bad. I saw Linux. I didn’t read further in the Host ID info.
I should know better! :see_no_evil: :gun:

@ChuckPa
I am having issues with my remote access all of a sudden and I believe I need your help with resetting my certificate. I tried several suggestions on my end, including removing the cache dir to no avail. Plex says my port mapping is good, but players cannot connect securely.

Sep 26, 2022 20:50:22.203 [0x147f7e9e7b00] ERROR - CERT: Error acquiring new certificate: Failed to upload CSR: 429, <?xml version="1.0" encoding="UTF-8"?> error code="1003" message="API rate limit exceeded" status="429"

@mtrivs

Certificate reset.
Please restart PMS.

Next time… :gun: :rofl:

Thanks, that fixed it!

Server Version#: 1.29.0.6244
Player Version#: NA
I am seeing the following error in my PMS Console output AFTER I cleared the Config/Cache directory and restarted Plex Media Server (I did this because I saw the same error and attempted to resolve by clearing cache and restarting PMS):

CERT: Error acquiring new certificate: Failed to upload CSR: 429, <?xml version="1.0" encoding="UTF-8"?> <errors> <error code="1003" message="API rate limit exceeded" status="429"/> </errors>

Reading other forum posts, do I just need a new cert. issued by Plex?

NOTE: This request/post was from a different thread here:

Sorry if this should have been opened here @ChuckPa but can you reset my certificate?

Thank you.

Ok, looks like it finally was able to download the app.plex.tv cert (took 12 tries):

/certificate/download (reused)
Oct 18, 2022 10:45:08.341 [0xafd2cc50] DEBUG - [Req#c3] CERT: Downloaded new cert from plex.tv; took 12 tries.

This time, before I restarted PMS, I removed Preferences.xml and went through the PMS setup steps again. Maybe this was key but I suspect this problem will come up again and can confirm that the cert UUID is different in Preferences.xml (once it was able to be downloaded). Is there any setting in Preferences that would interfere with the download of the https app.plex.tv certificate (customConnections, allowedNetworks)?

If this API rate limit is only reset once every 24 hours and PMS will continuously check/get the cert. and it doesn’t get the request on the first try as it appears to be the case…this could be why the “API Rate limit” issue is occurring thus preventing secure connection to app.plex.tv (and our PMS)?

Please let me know if I should include anything else (logs, etc.).

Thanks - hopefully this is fixed/working!

JB

Your server had gotten itself confused about certificate usage.
(You had used 8 certificates before it stopped you from getting more).

Deleting the old server instance and Preferences.xml allowed you to create a new one which wasn’t locked.

Since the cause of it locking isn’t known, watch out for it happening again.
If it does, please grab the logs and attach the zip file so we can hopefully see why.
Also, one of us will reset the certificate so it can be resolved.

@ChuckPa - thank you for that information, I couldn’t go far back enough in my Plex Media Server logs to see what may have caused it to request so many certificates. I did restart my home network and got a new IP around that time (Oct 15) but that should not have interfered with it?

I went ahead and configured PMS to use my own LetsEncrypt domain certificate for now (all working as far as I can tell). I still see cert-v2.p12 in my Cache directory so looks like it still downloaded but when I go to my https://domain:32400 - it shows my certificate as being used instead of the *.plex.tv issued cert.

Any option to stop or increase rollover of Plex Media Server 1-5.log? Verbose logging is turned off.
Tks.
JB

Not quite.

  1. Your given Plex certificate is used for all communication with plex.tv
  2. Your Let’s Encrypt certificate is supplemental.
  3. By adding your certificate to PMS, you are telling it to also accept it as a secondary identification / encryption key set.

@ChuckPa - thank you for that clarification…would make sense that my cert. is supplemental. In any case, I see a good number of these errors too now that I have my cert. installed:

http://r3.o.lencr.org/XXXXXXXXXXXXXXXXXUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUebRZ5nu25eQBc4AIiMgaWPbpm24CEgSl5bB%2BZ7MtwEOuBb4mHMfhcg%3D%3D
Oct 18, 2022 13:40:54.812 [0xb22bfc50] ERROR - [CERT/OCSP] response error: unauthorized.
Oct 18, 2022 13:40:54.812 [0xb22bfc50] INFO - [CERT/OCSP] couldn't fetch a valid response; retrying in 10800 second

Opening that URL works so it is accessible from PMS but for whatever reason, the response is not what PMS expects?

I checked that OCSP works as well and got the following with my cert./intermediate chain:

openssl ocsp -issuer chain.pem -cert cert.pem -text -url http://r3.o.lencr.org
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: XXXXXXXXXXXXX4FF0DE68D2F567B735F9B3C4
          Issuer Key Hash: XXXXXXXX40E61FAF9D8B14C2C6
          Serial Number:XXXXXXXX043AE05BE261CC7E172
    Request Extensions:
        OCSP Nonce:
            04108E0475110C85B2C5E1C22397966BCC42
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = R3
    Produced At: Oct 18 21:31:00 2022 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: XXXXXXXXXXXXXXFF0DE68D2F567B735F9B3C4
      Issuer Key Hash: 1XXXXXXXXXXXCBAE500940E61FAF9D8B14C2C6
      Serial Number: XXXXXXXB32DC043AE05BE261CC7E172
    Cert Status: good
    This Update: Oct 18 21:00:00 2022 GMT
    Next Update: Oct 25 20:59:58 2022 GMT

    Signature Algorithm: sha256WithRSAEncryption
WARNING: no nonce in response
**Response verify OK**
**cert.pem: good**

Followed these steps to check OCSP response using LE PMS certificate:

Guess it will check this again in 3 hours…

Define above please

And if meaning AppData\Plex Media Server\Cache then do note, that below also contained the following:

  • cert-v2.p12
  • OCSP\main.der

So if above is missing, I recommend you try a reinstall on top of the old one

I have PMS installed on a Pi server - the /var/lib/plexmediaserver/Library/Application Support is actually served out of a different directory:
/storage/.config/Plex Media Server -->Cache
Preferences.xml is also updated here -->/storage/.config/Plex Media Server

So that is what I meant when I renamed Preferences.xml and cleared the Cache directory.

Checking the ./Cache directory now (after several restarts/tests) has the following:

 5753 Oct 18 12:36 cert-v2.p12
-->OCSP\Oct 18 12:36 main.der

Thanks.

J

DEBUG logs please … captured 3 minutes after startup

It’s not possible to diagnose anything from a partial line snippet.

@ChuckPa - appreciate your help on this, attached are my PMS logs (just restarted) and waited 5 minutes before generating the attached .zip.

J
Plex Media Server Logs_2022-10-18_16-54-10.zip (636.3 KB)

@jber790

Check your system date & time.

Is it still in Daylight Savings Time?
Is the clock off?

Your logs should be 3 hours different than my time zone but show 4 hours.

Also, is the password valid? “Unauthorized” is what’s being returned.

Oct 18, 2022 16:49:06.794 [0xb2857c50] DEBUG - [CERT/OCSP] Stapling requests will be made to 'http://r3.o.lencr.org/'.
Oct 18, 2022 16:49:06.794 [0xad364c50] DEBUG - [CERT/OCSP/HCl#20] HTTP requesting GET http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUebRZ5nu25eQBc4AIiMgaWPbpm24CEgSl5bB%2BZ7MtwEOuBb4mHMfhcg%3D%3D
Oct 18, 2022 16:49:06.804 [0xb19b2c50] DEBUG - [HttpClient/HCl#20] HTTP/1.1 (0.0s) 200 response from GET http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUebRZ5nu25eQBc4AIiMgaWPbpm24CEgSl5bB%2BZ7MtwEOuBb4mHMfhcg%3D%3D
Oct 18, 2022 16:49:06.804 [0xad364c50] ERROR - [CERT/OCSP] response error: unauthorized.
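
The GET URL in the log lines above is the base64 DER OCSP request itself, and an OCSP reply carries its own status field that is separate from the HTTP 200. As an added example (not part of the thread and not Plex code), this Python decodes the CertID from that URL and names the status in a response body; the function names and the five-byte sample response are assumptions constructed for illustration.

```python
import base64
from urllib.parse import unquote, urlsplit

# RFC 6960 OCSPResponseStatus values (4 is not used).
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
# GET URL copied from the PMS debug log quoted on this page.
PMS_URL = ("http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3Nfmz"
           "xAQUebRZ5nu25eQBc4AIiMgaWPbpm24CEgSl5bB%2BZ7MtwEOuBb4mHMfhcg%3D%3D")
# Constructed sample: an OCSPResponse holding only responseStatus = 6.
UNAUTHORIZED_DER = bytes.fromhex("30030a0106")

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def certid_from_get_url(url):
    """Decode the CertID from an OCSP GET URL (RFC 6960, Appendix A.1)."""
    # Split the path off before percent-decoding: the base64 may contain '/'.
    value = base64.b64decode(unquote(urlsplit(url).path.lstrip("/")))
    # Descend OCSPRequest > TBSRequest > requestList > Request > CertID (assumes no optional fields).
    for _ in range(5):
        tag, value, _end = read_tlv(value)
        if tag != 0x30:
            raise ValueError("unexpected OCSP request layout")
    fields, pos = [], 0
    for _ in range(4):                     # hashAlgorithm, name hash, key hash, serial
        _tag, val, pos = read_tlv(value, pos)
        fields.append(val.hex().upper())
    return dict(zip(("hash_alg", "issuer_name_hash", "issuer_key_hash", "serial"), fields))

def ocsp_response_status(der):
    """Name the responseStatus inside a DER OCSPResponse body."""
    tag, body, _end = read_tlv(der)
    etag, enum, _end = read_tlv(body)
    if tag != 0x30 or etag != 0x0A or len(enum) != 1:
        raise ValueError("not an OCSPResponse")
    return OCSP_STATUS.get(enum[0], "unknown")

if __name__ == "__main__":
    print(certid_from_get_url(PMS_URL))
    print(ocsp_response_status(UNAUTHORIZED_DER))
```

For the URL logged above, the decoded issuer name hash and serial number end with the same digits as the openssl output earlier in the thread, while the decoded issuer key hash does not end in C2C6. RFC 6960 defines unauthorized as a responder status, returned when the responder will not or cannot answer authoritatively for the request it received.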

@ChuckPa - my PMS timezone (‘date’) command matches my timezone - 16:49 PM PST Oct 18 when PMS was restarted.

Current date/time on system:

# date
Tue Oct 18 17:22:10 PDT 2022

As for the ‘unauthorized’ message - I put in the .pfx certificate password - same one used to generate the .pfx with the openssl -out command - in the ‘Custom certificate encryption key’ (Under Settings–>Network).

Are you saying you’ve now resolved this error message?

Oct 18, 2022 16:49:06.804 [0xad364c50] ERROR - [CERT/OCSP] response error: unauthorized.
Oct 18, 2022 16:49:06.804 [0xad364c50] INFO - [CERT/OCSP] couldn't fetch a valid response; retrying in 10800 seconds

Hi @ChuckPa - no, the ‘unauthorized’ error for OCSP validation of my domain cert. still comes up when I restart PMS (double-checked the password for the cert. etc. in Settings–>Network).

This error though does not appear to interfere with connecting to https://<mydomain.net>:32400/web/index.html rather than https://app.plex.tv and when I checked the certificate presented in my browser it was showing as valid and for <mydomain.net> so is this OCSP error really an issue I should try and resolve at this point given this is a “supplemental” cert. for security and the main app.plex.tv cert. is downloaded/installed/working?

Thanks.
J

One thing you must make certain of is that your host configuration with the certificate does not try to insert itself on inbound traffic from plex.tv – which is what I think is happening.

I am still puzzled by something.

Oct 18, 2022 16:49:00.234 [0xb2c83c50] INFO - Plex Media Server v1.29.0.6244-819d3678c - unknown PC unknown - build: linux-armv7neon debian - GMT -07:00

Which Distro?
Is this in a VM?

I don’t remember seeing this anywhere as a standard PMS distribution.

Oct 18, 2022 16:49:00.235 [0xb2c83c50] INFO - /storage/.cache/app.plex/Plex Media Server