Plex Media Server not downloading artwork (Yes, another one...)

OttoKerner, Rocking 🙂 I will give that a try when I get home… It makes sense that this could be the issue.

Following a recent server upgrade/rebuild, it would appear that this issue is still present in the latest version. On a clean installation of Windows Server 2016 Home Essentials with the latest updates applied, I installed Plex Media Server 1.5.5.3634 and created an empty TV Shows library into which I then dropped a single program (correctly named). PMS detected the change and scanned for metadata. As before, programme info (title, description, etc.) was downloaded, but not the artwork. Checking the com.plexapp.agents.thetvdb log revealed the familiar [SSL: CERTIFICATE_VERIFY_FAILED] error message.

Re-reading through the thread since I last posted, I noticed the comments raised by OttoKerner regarding the manual issuing of a certificate on the server. I gave this a go and got the same result. On double-checking the log again I noticed that the advice referenced in the other thread suggests getting a certificate from https://tvdb2.plex.tv/ however the URL that is being attempted immediately prior to the error in my log begins https://thetvdb.com/. So, I downloaded the certificate from there, issued it on my server through the MMC certificate snap-in and, it works!! Artwork is now downloaded and presented.

Same, I can also say this is working for me by using the manual cert… Bit of a pain to go through but I am glad it’s working

I have manually exported the cert (using Chrome) from https://thetvdb.com and https://tvdb2.plex.tv, imported them into root repository on my Windows Server 2016 Server Core installation and I’m still getting the same certification errors.

@RamGuy said:
I have manually exported the cert (using Chrome) from https://thetvdb.com and https://tvdb2.plex.tv, imported them into root repository on my Windows Server 2016 Server Core installation and I’m still getting the same certification errors.

Are you using any type of 3rd party Anti Virus and/or Firewall?
Some of these do decrypt TLS traffic to inspect it for viruses. Then they re-encrypt it again - but of course since they don’t have the private certificate of the original server, they use their own ‘generic’ certificate.
Which gets rejected by Plex because it doesn’t ‘fit’ the original server’s domain name.

Nope, this is running on Windows Server 2016 Server Core at home, the server itself has no anti-virus of any sort (default for Server Core installations) and there is no HTTPS Inspection on my network so there is no messing with the certificates locally on my network.

I have tried to export the certificates from tvdb.com, tvdb2.plex.tv and plex.tv from both Chrome (.cer) and Firefox (.crt) and it still can’t establish a connection towards https://tvdb2.plex.tv according to the logs.

post the logs, please.
only ‘debug’, not ‘verbose’!

It was something to do with the certificates. I went the “easy route”, I removed all those I exported from tvdb.com, tvdb2.plex.tv etc… But I compared the default certificates in Windows 10 compared to the ones in Windows Server 2016 Server Core using MMC and Certificate snap-in and Server Core comes with only a few certificates. I simply dumped all the default ones from Windows 10 over to the Server and then it started working.

So it might seem like Microsoft doesn’t supply Windows Server 2016 Server Core with all default certificates for communicating over WAN/Internet. This might be normal as it doesn’t have any UI, no web-browser etc… I don’t really know. They do supply all the ones that come default with Windows 10 if you install Windows Server 2016 with Desktop Experience so it seems to be a Server Core only thing.

@RamGuy said:
So it might seem like Microsoft doesn’t supply Windows Server 2016 Server Core with all default certificates for communicating over WAN/Internet. This might be normal as it doesn’t have any UI, no web-browser etc… I don’t really know. They do supply all the ones that come default with Windows 10 if you install Windows Server 2016 with Desktop Experience so it seems to be a Server Core only thing.

I understand the “automatic update of ‘core’ certificates” is disabled in the server editions.
There should be a policy to enable it, which in theory should take care of this problem the “proper” way.

That was only relevant to older versions of Windows Server. That mentioned registry key does not exist on Windows Server 2016 and you get certificate updates through Windows Update as usual.

Yep same issues here. I’ve attached my logs if it helps

Here’s how I fixed TV metadata and artwork not downloading on Server 2016 Core. This fix has the twin advantages of:

  • Installing just the two required root CA certificates
  • Both certificates have long validity times (DigiCert has 14 years validity, AddTrust has 3 years validity) - so won’t need replacing anytime soon

Here’s how:

  1. Download the “DigiCert Global Root CA” certificate from https://www.digicert.com/digicert-root-certificates.htm - you’ll need the cert that is valid until: 10/Nov/2031 and has a thumbprint ending in 5436
  2. Download the “AddTrust External CA Root” certificate from https://support.cloudflare.com/hc/en-us/articles/115001186052-What-intermediates-and-roots-are-Cloudflare-issued-certs-signed-against- you’ll need the cert that has a serial number of 1 and has a SHA-1 Fingerprint ending in 1868
  3. Copy both certificates to your 2016 core install, say “C:\Temp”
  4. Log on to the core server and launch PowerShell
  5. Run: Set-Location Cert:\LocalMachine\CA
  6. Followed by: Import-Certificate C:\Temp\DigiCertGlobalRootCA.crt
  7. And Import-Certificate C:\Temp\1.crt
  8. (optional) Run dir and confirm that you see the following listed:
    A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
    and
    02FAF3E291435468607857694DF5E45B68851868 CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust…

Refresh all metadata on your Plex TV libraries and hey presto.

Works for me!

3 Likes
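
The import steps from the post above, as an added PowerShell example (not part of the original thread): it checks each downloaded file against the full thumbprint listed in step 8 before importing it. File paths, store location and thumbprints are the ones given in the post; the expiry check, the `$Store` parameter and the variable names are additions.

```powershell
# Added example: verify each downloaded certificate file before importing it.
param(
    # Store used in the post. Windows keeps trusted root CAs in
    # Cert:\LocalMachine\Root; pass that here if you want the roots there instead.
    [string]$Store = 'Cert:\LocalMachine\CA'
)

# File names and full thumbprints as listed in the post (steps 6-8).
$expected = @(
    @{ Path = 'C:\Temp\DigiCertGlobalRootCA.crt'; Thumbprint = 'A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436' },
    @{ Path = 'C:\Temp\1.crt';                    Thumbprint = '02FAF3E291435468607857694DF5E45B68851868' }
)

foreach ($item in $expected) {
    if (-not (Test-Path -LiteralPath $item.Path)) {
        Write-Warning "Missing file: $($item.Path)"
        continue
    }
    # Load the file without touching any store so it can be inspected first.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $item.Path

    # A mismatch means the download is not the certificate the post describes.
    if ($cert.Thumbprint -ne $item.Thumbprint) {
        Write-Warning "Thumbprint mismatch for $($item.Path): got $($cert.Thumbprint)"
        continue
    }
    # An expired root cannot anchor a valid chain, so importing it fixes nothing.
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "$($cert.Subject) expired on $($cert.NotAfter); not imported"
        continue
    }
    if (Test-Path -LiteralPath (Join-Path $Store $cert.Thumbprint)) {
        Write-Output "Already present: $($cert.Subject)"
        continue
    }
    Import-Certificate -FilePath $item.Path -CertStoreLocation $Store | Out-Null
    Write-Output "Imported: $($cert.Subject)"
}

# Equivalent of the optional "dir" check in step 8, limited to the two entries.
$wanted = $expected | ForEach-Object { $_.Thumbprint }
Get-ChildItem $Store |
    Where-Object { $wanted -contains $_.Thumbprint } |
    Format-Table Thumbprint, Subject, NotAfter -AutoSize
```

Run it from an elevated PowerShell session, since writing to a `LocalMachine` store requires administrator rights.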

@chall32 said:
Here’s how I fixed TV metadata and artwork not downloading on Server 2016 Core. This fix has the twin advantages of:

Yes, this is probably the best method, since it won’t stop working when the host certificates expire.

Since you appear to know what you are doing: is there no way to teach the Windows server editions to automatically download and update root certificates, just like the desktop editions?

@chall32 said:
Here’s how I fixed TV metadata and artwork not downloading on Server 2016 Core. This fix has the twin advantages of:

Worked for me also on fresh 2016 core install. Two second fix, thanks a bunch man.

Worked for me too!

THANKS

@chall32

Thanks worked for me on Windows Server 2012.

@chall32 said:
Here’s how I fixed TV metadata and artwork not downloading on Server 2016 Core. This fix has the twin advantages of:

Confirmed works in Windows Server 2016 in a VirtualBox environment.

Worked for me. Thank you.

This fix has stopped working with Plex Media Server 1.13.4.5251 and 1.13.4.5271. Is this a bug in the stated releases or are there other certificates needed?

So after a reboot, all is fine. I get so tired of using a big hammer to fix MS.