Server Plex Mac 1.20.1.3252
Player: multiple (Plex Web, FireTV, Samsung)
Hi,
As of earlier this evening (9/28), I noticed that I was no longer able to establish secure connections to my PMS using its local IP from any device on my network, using Plex Web at app.plex.tv, the Android TV (Fire TV) app, or the Samsung Smart TV app. The issue masked itself because I have an additional URL published for my server that goes through a reverse-proxy (using my own Let’s Encrypt certificate for my own domain name) on port 443 (allows me to get to Plex from behind restrictive firewalls). That URL was working from my desktop, and thus my connections were showing up as remote. However, the https://ip-address.server-ID.plex.direct:32400/ URLs were all failing. I only noticed the issue tonight when trying to play a movie from my Fire TV, which sits on an isolated IoT VLAN where I have a firewall rule allowing local access to the PMS on 32400 but otherwise blocks access to other hosts on the LAN. Since the (fallback) reverse proxy URL wasn’t available, I was not able to access my server at all.
Further investigation revealed that my connections were failing due to a certificate hostname mismatch. Clients were attempting to connect using https://internal-ip.server-id-a.plex.direct, but the server was using a certificate for *.server-id-B.plex.direct. Somehow my server ID had changed on its own, but the new URLs were not published to plex.tv. The new wildcard certificate was issued with a start date of 8:00pm EST yesterday 9/27 (although I will note Plex was working fine from the Fire TV last night, so I can only surmise the new cert did not become active until sometime today).
Restarting PMS fixed the problem immediately. This appears to have published the new URL to plex.tv, so now the certificate hostname and URL are in agreement. The odd thing is this PMS is less than 1 month old, and I would expect it is not near its original certificate expiration. Further, it was my belief that certificate renewal would not change the server ID.
Is my understanding correct? Under what circumstances will PMS change its server ID and issue a new certificate?
I had the issue of receiving “connection not secure” from remote connections and even through the web app within my network. Before I restarted my PMS, I checked the certificate and it said it expired 9/27/2020. Once I restarted my PMS, it updated the certificate and I no longer received the issue with secure connections.
Thank you for taking the time to post this, as it helped me figure out my issue. I unfortunately do not know the reasoning behind this, other than that the certificate had just expired, forcing my connections to no longer be secure.
Is there a way to force Plex to get a new certificate? I tried restarting, but that did not work. When I connect to https://[my-ip]:32400/web in Chrome, I get the “ERR_CERT_REVOKED” error message.
For what it is worth, the server-id in the certificate is not what I expected. Maybe it is an old server id?
Thanks for sharing your observations. Your post prompted me to check my two Plex media servers:
Plex server ID
Check custom server access URLs
Check that custom server access URLs resolve to correct IP address
The Plex ID for my two Plex servers also seems to have changed recently. I’m not sure when.
I’ve updated custom server access URLs on my two Plex media servers. One Plex server has just an IPv4 address (one custom server access URL). The other Plex server has an IPv4 address and an IPv6 address (a custom server access URL for the IPv4 address and one for the IPv6 address). All three URLs resolve to the correct IP address.
I will routinely monitor this, checking for unexpected changes.
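
The two failures reported in this thread (a published plex.direct URL whose server ID no longer matches the wildcard certificate, and a certificate past its expiry date) can be checked mechanically. The following is an added example, not part of the original posts and not Plex's own code. It assumes a certificate dictionary in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the server IDs, IP address and all dates other than the 9/27/2020 expiry are constructed placeholders.

```python
import ssl
from urllib.parse import urlsplit

def san_matches(pattern, host):
    """True if a certificate DNS name covers host; '*' may only be the
    whole left-most label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def audit(cert, published_urls, now):
    """Return (url, problem) for each published URL a TLS client would reject."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    problems = []
    for url in published_urls:
        host = urlsplit(url).hostname or ""
        if not any(san_matches(s, host) for s in sans):
            problems.append((url, "hostname mismatch"))
        elif now < start:
            problems.append((url, "not yet valid"))
        elif now > end:
            problems.append((url, "expired"))
    return problems

# Constructed sample data (IDs, IP and most dates are placeholders, not from the thread).
NOW = ssl.cert_time_to_seconds("Sep 28 23:00:00 2020 GMT")
OLD_URL = "https://10-0-0-5.aaaa1111.plex.direct:32400"   # still published
NEW_URL = "https://10-0-0-5.bbbb2222.plex.direct:32400"   # published after restart
NEW_CERT = {"subjectAltName": (("DNS", "*.bbbb2222.plex.direct"),),
            "notBefore": "Sep 27 00:00:00 2020 GMT",
            "notAfter": "Dec 26 00:00:00 2020 GMT"}
EXPIRED_CERT = {"subjectAltName": (("DNS", "*.aaaa1111.plex.direct"),),
                "notBefore": "Jun 29 00:00:00 2020 GMT",
                "notAfter": "Sep 27 00:00:00 2020 GMT"}

if __name__ == "__main__":
    for label, cert, urls in [("new cert, stale URL", NEW_CERT, [OLD_URL]),
                              ("new cert, new URL", NEW_CERT, [NEW_URL]),
                              ("expired cert", EXPIRED_CERT, [OLD_URL])]:
        print(label, "->", audit(cert, urls, NOW) or "ok")
```

Running the audit against every custom and plex.direct URL a server publishes gives the routine check for unexpected server ID or certificate changes that the last post describes.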