Plexamp raspberry pi certificate expired

Hello!

since the letsencrypt root ca has expired now (see DST Root CA X3 Expiration (September 2021) - Let's Encrypt) and we’re using a so-very-old-and-unsupported version 9 of nodejs with plexamp for rpi my instance refuses to work.

Oct 01 08:43:59 hifiberry1 node[18647]: warn: DEVICE: Server connection https://192.168.11.8:32400 didn't work for xxxxx: certificate has expired
...

the server is fine, plexamp for android works, app.plex.tv works, plexamp on rpi does not.

is there any known way to fix this?

2 Likes

How do I look for this error?
I’m looking in the console on the server? Cannot see it there

or do i have to ssh into the pi?

Let’s hope @elan is still using plexamp on pi and is therefore more likely :crossed_fingers: to remedy this? :grinning:

You need to ssh to the rpi and then run

journalctl -xfu plexamp

Or filter for ‘certificate’

journalctl -xfu plexamp | grep certificate 

Thanks.

Please post if you find a path to fixing this

Can you confirm the certificate error?

Ugly workaround for me is setting the date back to September.

sudo timedatectl set-ntp false
sudo date -s "2021-09-01 08:38"
1 Like

I’m in the same boat. Noticed I was able to connect to my pi, but not play music from it on Friday (the 1st) and get the expired certificate error in my logs.

Here also same problem. I am using Plexamp on top of Hifiberry OS on a RPI3. My Plex is installed on a Synology NAS.

Does Node v9 use system certificates? For example in my case the system certs are stored in /etc/ssl/certs.

I’m not an expert on SSL. This is the information I gathered.

The certificate chain according to openssl when connecting to my local plex address:

# openssl s_client -connect 10.0.0.22:32400
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.[some-long-id].plex.direct
verify return:1
---
Certificate chain
 0 s:CN = *.[some-long-id].plex.direct
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

According to openssl the issuer of “ISRG Root X1” is “DST Root CA X3”. Where the latter is expired.
When I visit same URL in the browser the issuer of “ISRG Root X1” is ISRG Root X1.

The browser behaves differently compared to openssl.
Info regarding intermediate and root ca certs should be stored in the server certificate (CN = *.[some-long-id].plex.direct). But why does this differ between the browser and openssl command? Is this because of the openssl implementation? My openssl version is:

# openssl version
OpenSSL 1.1.1h  22 Sep 2020

Any thoughts?

yes
the above command returned
Oct 04 17:19:47 root node[561]: warn: DEVICE: Server connection https://192.168.xx.xx:32400 didn’t work for MEDIA: certificate has expired

This worked for me… Thanks

I’m now REALLY dead in the water since support for remote use (casting?) was removed for Plexamp V3, and the certificates for older Plexamp versions expired. Given other services running on rasp-pi, I’m not comfortable setting the clock back permanently. So I was wondering if there might be a way to update the associated SSL certificates within the package? I’m on V1.? of Plexamp. ANY ideas appreciated…

I tried this and I get the following error:

Sep 01 08:39:24 pi node[473]: error: Unhandled Rejection! certificate is not yet valid
Sep 01 08:39:24 pi node[473]: error: Error: certificate is not yet valid

Any suggestions?

obviously you do render certain certificates invalid because they appear newer than the current date. plexamp tries several endpoints for your server and for me these errors do appear but ultimately it still works.

regardless, messing with the date is not actually a solution and will certainly lead to other problems. it’s merely an ugly workaround while we hope for an actual fix.

@elan has a soft spot for Pi and i think when time allows, there may be a new version of Plexamp For Pi

yes, probably the known IDs are gone, the new ones are invalid.

you can try with api calls, described here:

Get your token here Finding an authentication token / X-Plex-Token | Plex Support

Then edit your config.

But rather make a separate post and try to focus on fixing the certificate issue in this one.

But rather make a separate post and try to focus on fixing the certificate issue in this one

Of course. Sorry. Didn’t mean to hijack.

Dev guys already working on that, as mentioned by Elan in this post. But if you read between the lines… I don’t think a new version is just around the corner :frowning:

1 Like

I have the same issue with my RPi3 and Plexamp 2.00 beta2.
I can connect to the player but the player can not connect to the server (…certificate has expired).
Changing system time doesn’t work for me (…certificate is not yet valid) and would lead to other issues as mentioned above.

I’d tried to put PlexOnlineToken, grabbed from PMS Preferences.xml, to Plexamp server.json - without any success :frowning:

@elan I know you’re using RPi as well… any suggestion for us?

1 Like

looks like i found a solution.

according to this:

[1] Client on Debian 9 erroneously reports expired certificate for letsencrypt-issued domain - Server Fault

we can remove the invalid X3 certificate.
then make nodejs use the system-wide installed openssl-ca certificates.

detailed steps, some instructions from [1]

1. check for certificates

a) check if you have the invalid X3

on rpi

$ grep X3 /etc/ca-certificates.conf 
mozilla/DST_Root_CA_X3.crt 

if your output matches this, you have the invalid X3 certificate

b) check if you have the valid X1 certificate

on rpi

$ grep X1 /etc/ca-certificates.conf 
mozilla/ISRG_Root_X1.crt

if your output matches this, you have the valid X1 certificate and can skip to 3.

2. if you lack the X1 certificate

install ca-certificates (20210119) from Debian – Details of package ca-certificates in bullseye

on rpi

$ wget http://ftp.de.debian.org/debian/pool/main/c/ca-certificates/ca-certificates_20210119_all.deb
$ sudo dpkg -i ca-certificates_20210119_all.deb

3. disable invalid X3

on rpi

$ sudo sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf && sudo update-ca-certificates -f

4. edit plexamp.service and add --use-openssl-ca

on rpi

$ sudo systemctl edit --full plexamp

and add --use-openssl-ca so it looks similar to

ExecStart=/usr/bin/node --use-openssl-ca /home/pi/plexamp/server/server.prod.js

5. set clock to ntp again and check if the date is correct

on rpi

$ sudo timedatectl set-ntp true
$ date
Fri 08 Oct 2021 09:45:11 AM CEST

6. restart plexamp

on rpi

$ sudo systemctl restart plexamp

7. profit

5 Likes
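
An audit of the end state that steps 1 to 4 above aim for, as an added example that is not part of the original post or of Plexamp. The function names and the sample files are assumptions constructed for the demonstration; the sed expression is the one from step 3, run here against a copy rather than in place.

```shell
#!/bin/sh
# Added example: checks the trust-store and unit-file state the steps above aim for.
# Prints enabled | disabled | absent for one entry of a ca-certificates.conf file.
# A leading "!" marks an entry as deselected, which is what the sed in step 3 writes.
ca_state() {
    conf=$1; entry=$2
    if grep -qFx "!$entry" "$conf"; then echo disabled
    elif grep -qFx "$entry" "$conf"; then echo enabled
    else echo absent
    fi
}

# Succeeds when an ExecStart line of the unit file contains the --use-openssl-ca flag.
unit_uses_openssl_ca() {
    grep -Eq '^ExecStart=.*[[:space:]]--use-openssl-ca([[:space:]]|$)' "$1"
}

# Returns 0 only when X3 is not selected, X1 is selected and the unit has the flag.
audit() {
    conf=$1; unit=$2; rc=0
    x3=$(ca_state "$conf" mozilla/DST_Root_CA_X3.crt)
    x1=$(ca_state "$conf" mozilla/ISRG_Root_X1.crt)
    echo "DST Root CA X3: $x3"
    echo "ISRG Root X1:   $x1"
    [ "$x3" != enabled ] || { echo "FAIL: expired X3 still selected (step 3)"; rc=1; }
    [ "$x1" = enabled ] || { echo "FAIL: X1 missing or deselected (step 2)"; rc=1; }
    unit_uses_openssl_ca "$unit" || { echo "FAIL: --use-openssl-ca not in ExecStart (step 4)"; rc=1; }
    return $rc
}

# Constructed sample files (not taken from a real system).
demo_dir=$(mktemp -d)
printf '%s\n' 'mozilla/DST_Root_CA_X3.crt' 'mozilla/ISRG_Root_X1.crt' > "$demo_dir/ca.conf"
printf '%s\n' '[Service]' \
  'ExecStart=/usr/bin/node /home/pi/plexamp/server/server.prod.js' > "$demo_dir/before.service"
printf '%s\n' '[Service]' \
  'ExecStart=/usr/bin/node --use-openssl-ca /home/pi/plexamp/server/server.prod.js' > "$demo_dir/after.service"

echo "== before =="; audit "$demo_dir/ca.conf" "$demo_dir/before.service" || true
# Step 3's sed expression from the post, written to a new copy of the sample.
sed '/^mozilla\/DST_Root_CA_X3/s/^/!/' "$demo_dir/ca.conf" > "$demo_dir/ca.new"
echo "== after ==";  audit "$demo_dir/ca.new" "$demo_dir/after.service"
```

On the Pi, call `audit` with the real /etc/ca-certificates.conf and the path of the plexamp unit file. Step 2 installs trust anchors with `dpkg -i` from a file fetched over plain HTTP, which skips the signature checks apt performs, so compare the file's SHA256 with the checksum on the package's download page at packages.debian.org before installing it.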

works for me - RPi is back again!

Great Job!

Kudos to xkonni.

Wow, that worked… 3 Cheers for @xkonni !! Thank you.