Plex Media Server 1.32.0.6918 custom certificate must be regenerated with new OpenSSL arguments

Day before yesterday, Plex Media Server version 1.32.0.6918 was released. When I upgraded my Plex Media Server running on Ubuntu 20.04 from the previous version, 1.31.3.6868, to the new version, Plex Media Server stopped using my custom certificate and only uses a certificate issued by Plex that is valid for the *.c152cbf1d72c4055a2e73c8d3ef786cb.plex.direct domain.

This results in my Plex Media Server showing certificate errors in the browser.

The release notes are slim but they mention "FIXED: (Windows) Installing a TLS certificate could fail at random", which might relate to this.

I reverted the upgrade and downgraded back to 1.31.3.6868 by fetching https://downloads.plex.tv/plex-media-server-new/1.31.3.6868-28fc46b27/debian/plexmediaserver_1.31.3.6868-28fc46b27_amd64.deb
and installing it.

This resolved the issue.

What changed in 1.32.0.6918 related to TLS certificates? How can I still load a custom certificate for the domain name of my Plex server so that I can access it directly (e.g. https://plex.example.com:32400/web/index.html#!/ )

This forum post ( Plex certificate error ) appears to report the same issue but was (I believe) incorrectly closed as relating to a change in 1.32.0.6865 which changes the OpenSSL encryption methods. The OP in that forum post, who is reporting the same thing I am, is talking about certificate issues not related to cipher suites but instead related to the fact that Plex is not actually using the custom certificate and instead using one with a domain name like what I described above.

SameFollowing

@FordGuy61 Right, I think that is the unrelated issue that I mentioned above in the other post. Were you posting that to say that you think the problem is related to OpenSSL version change? If so, I don’t think that is what’s going on here as the problem relates to the certificate Common Name, not to cipher suites.

There are many posts on the forum. Below is one that mentions PMS not using a custom certificate and defaulting to plex.direct.

The fix for all these recent SSL / cert problems seems to be creating a new certificate as mentioned in the Linux Tips.

I don’t use a custom certificate on my server, so have not had to go through the certificate update process. Apologies if I’m leading you down the wrong path to fix things.

To add for FordGuy,

“mac verify” errors are password errors.

Either a password was not added to the certificate (not required previously)

Test the certificate using this method:

  1. With valid password added
[chuck@glockner cert.2013]$ openssl pkcs12 -in mydomain-tld-v3.p12 -info
Enter Import Password:
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
Bag Attributes
    localKeyID: 35 49 6B 4F 89 61 AD 0A 8A D2 8C 0A C3 0C 88 69 6A 60 4E BA 
subject=CN = mydomain.tld

issuer=C = US, O = Let's Encrypt, CN = R3

-----BEGIN CERTIFICATE-----
MIIFKTCCBBGgAwIBAgISAxmi4VQC9DLTZW3Cde0RGaStMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMzAyMTkwNzE2MzVaFw0yMzA1MjAwNzE2MzRaMBUxEzARBgNVBAMT
--- redacted ---
  2. Repeat verification without supplying password.
[chuck@glockner cert.2013]$ openssl pkcs12 -in mydomain-tld-v3.p12 -info
Enter Import Password:
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
Mac verify error: invalid password?
[chuck@glockner cert.2013]$ 

@FordGuy61 Perfect, thank you for the additional detail that clarified exactly what’s going on.

For anyone else : The confusing (to me) thing here is that Plex isn't serving up a certificate that has cipher suite issues, instead Plex is looking at the custom certificate that is installed, seeing that it uses ciphers that Plex no longer supports, and then silently ignoring the custom certificate and using its own certificate.

As @FordGuy61 points out above, the fix is to change the command you’re using to generate the certificate for Plex.

In my openssl command that I run to take the Let’s Encrypt certificate and render it into a pkcs12 certificate, I added the arguments -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 to the command, ran it to generate a new certificate file, upgraded Plex to the new version and restarted and it works.

Here is my full openssl command with the added arguments for reference :

openssl pkcs12 -export -out $plex_cert_file \
  -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 \
  -inkey ${letsencrypt_cert_path}/privkey.pem \
  -in ${letsencrypt_cert_path}/cert.pem \
  -certfile ${letsencrypt_cert_path}/chain.pem \
  -password pass:

@ChuckPa In my case the issue wasn’t certificate password related, it was the missing cipher arguments that @FordGuy61 pointed out. Adding -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 to my certificate generation command solved the problem.

If that was you under the other username, then yep you forgot to add the new cipher qualifier.

I thought I’d made the required change clear enough in the Linux Tips post

# Generate new p12 (Acme LE is valid until 2025)
openssl pkcs12 -export -out my-fqdn-tld.p12 \
	-certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 \
	-inkey my-fqdn-tld.key -in my-fqdn-tld.crt \
	-certfile CertAuth.crt \
	-password pass:PASSWORD_HERE

It was like 4-almost 5am here. (sorry if I was fuzzy/terse)

After that — PMS restart is required to load the new cert.

This worked perfectly for re-exporting my namecheap cert, thank you for posting.

Solved
Thanks

But for me it does not resolve the problem - any ideas?

Apr 19, 2023 20:24:21.753 [0x7efd291f1b38] INFO - [CERT/OCSP] Successfully retrieved response from cache.
Apr 19, 2023 20:24:21.754 [0x7efd291f1b38] ERROR - [CERT] Found a user-provided certificate, but couldn’t install it.
Apr 19, 2023 20:24:28.059 [0x7efd2541fb38] WARN - [Req#30] MyPlex: attempted a reachability check but we’re not yet mapped.
Apr 19, 2023 20:24:33.639 [0x7efd272f1b38] WARN - NAT: PMP, got an error: Not Supported by gateway.
Apr 19, 2023 20:24:41.573 [0x7efd270c3b38] WARN - [HttpClient/HCl#2e] HTTP error requesting GET /media/providers (3, URL using bad/illegal format or missing URL) ()

@timeki

I can’t see what’s happening with DEBUG turned OFF.

Please turn it on and try again.

Worst case – go back to 1.31, get control, come forward again.

Sorry for the long answer, here are the logs with debug on:

Apr 23, 2023 12:51:44.366 [0x7f3e7fe16b38] INFO - Compiler is - Clang 11.0.1 (https://plex.tv 9b997da8e5b47bdb4a9425b3a3b290be393b4b1f)
Apr 23, 2023 12:51:44.366 [0x7f3e7fe16b38] INFO - /usr/lib/plexmediaserver/Plex Media Server
Apr 23, 2023 12:51:44.358 [0x7f3e80084a90] DEBUG - BPQ: [Idle] → [Starting]
Apr 23, 2023 12:51:44.358 [0x7f3e80084a90] VERBOSE - BPQ: delaying processing 120 second(s)
Apr 23, 2023 12:51:44.358 [0x7f3e80084a90] DEBUG - FeatureManager: Using cached data for features list
Apr 23, 2023 12:51:44.422 [0x7f3e80084a90] DEBUG - [CERT] Subject name is /CN=*.37692d6dd313419e9d8653de95e9ba5d.plex.direct
Apr 23, 2023 12:51:44.422 [0x7f3e80084a90] DEBUG - [CERT] Installed certificate with fingerprint ec:01:72:61:f9:65:fb:08:df:0c:c3:61:b4:f8:91:4f:59:5b:4e:27.
Apr 23, 2023 12:51:44.422 [0x7f3e80084a90] DEBUG - [CERT/OCSP] Stapling requests will be made to ‘http://r3.o.lencr.org/’.
Apr 23, 2023 12:51:44.422 [0x7f3e80084a90] VERBOSE - [CERT/OCSP] Successfully generated stapling request
Apr 23, 2023 12:51:44.422 [0x7f3e80084a90] INFO - [CERT/OCSP] Successfully retrieved response from cache.
Apr 23, 2023 12:51:44.422 [0x7f3e80084a90] ERROR - [CERT] Found a user-provided certificate, but couldn’t install it.
Apr 23, 2023 12:51:44.422 [0x7f3e80084a90] DEBUG - HttpServer: Listening on IPv6 as well as IPv4.
Apr 23, 2023 12:51:44.422 [0x7f3e80084a90] DEBUG - HttpServer: Listening on port 32400.
Apr 23, 2023 12:51:44.422 [0x7f3e80084a90] DEBUG - HttpServer: Listening on port 32401.
Apr 23, 2023 12:51:44.422 [0x7f3e80084a90] DEBUG - Running server


I can't diagnose from this.

All I can tell you is your user-supplied certificate was rejected by PMS.

The rules (as of 1.32.0) are now:

  1. CA included with your CERT & KEY (this hasn’t changed)
  2. AES-256 or better (whatever v3.0.0 supports)
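Added example, not code from this thread or from Plex: a POSIX shell function that checks a .p12 against the two rules just listed before you copy it into place, so it also serves as a self-test for the generation command in the Linux Tips post quoted above. It assumes the openssl CLI is on PATH and that you know the export password (empty if you used `-password pass:`); the function name check_plex_p12 and its messages are my own, as is the rule-of-thumb that an encrypted bag must read AES-256-CBC and the MAC digest must read sha256, which is what the thread's working command produces. The function reads the file with `openssl pkcs12 -info -noout`, fails if the Shrouded Keybag (private key) or the PKCS7 Encrypted data (certificates) is not AES-256-CBC, fails if a MAC line is present but not SHA-256, and reports separately a file that cannot be opened at all, which is the "Mac verify error" case FordGuy61 showed.

```shell
#!/bin/sh
# Added example (not Plex's code): sanity-check a PKCS#12 file against the
# PBE/MAC algorithms the thread identifies as acceptable to PMS 1.32
# (AES-256-CBC for both bags, SHA-256 MAC).  Assumes `openssl` is on PATH.
#
# Return codes: 0 = acceptable, 1 = readable but uses a legacy algorithm,
#               2 = cannot be opened (wrong password / legacy-only cipher).
check_plex_p12() {
  p12=$1
  pass=${2:-}

  # `-info` prints the algorithm summary to stderr; -noout suppresses the
  # key and certificate PEM so only the summary is captured.
  if ! info=$(openssl pkcs12 -in "$p12" -info -noout -passin "pass:$pass" 2>&1); then
    echo "FAIL: $p12: cannot be opened (wrong password, or an algorithm that"
    echo "      OpenSSL 3 only loads with -legacy):"
    echo "$info"
    return 2
  fi

  # The private key lives in a "Shrouded Keybag", the certificates in a
  # "PKCS7 Encrypted data" block; each line names its own PBE scheme.
  weak=$(printf '%s\n' "$info" \
         | grep -E 'Shrouded Keybag|PKCS7 Encrypted data' \
         | grep -v 'AES-256-CBC' || true)
  if [ -n "$weak" ]; then
    echo "FAIL: $p12: a bag still uses a pre-AES PBE scheme:"
    echo "$weak"
    echo "      re-export with: -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256"
    return 1
  fi

  # OpenSSL 3 prints "MAC: <digest>, Iteration N"; older releases print no
  # digest, so the MAC check is skipped when the line is absent.
  mac=$(printf '%s\n' "$info" | grep '^MAC:' || true)
  case $mac in
    ''|*sha256*) ;;
    *) echo "FAIL: $p12: MAC digest is not SHA-256: $mac"; return 1 ;;
  esac

  echo "OK: $p12 uses AES-256-CBC bags and a SHA-256 MAC"
  return 0
}

# Usage: sh check_plex_p12.sh /path/to/cert.p12 [export-password]
if [ $# -ge 1 ]; then
  check_plex_p12 "$1" "${2:-}"
fi
```

Run it as `sh check_plex_p12.sh /path/to/new_cert.p12 ''` (the second argument is the export password, empty when the file was made with `-password pass:`). Only a file that prints OK is worth installing, and it still has to be readable by the plex user before PMS is restarted; because the .p12 contains the private key, `chown plex:plex` with mode 0640 is enough for PMS and is tighter than a world-readable mode such as 775.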

Thanks for your help, I resolved the problem. I forgot to do this:

chown plex:plex new_cert.p12
chmod 775 new_cert.p12

Perfect, thank you, solved

