Plexamp - Self-Signed Certificate Error for trusted certificate


#1

First off, I am VERY excited about Plexamp :) Kudos for putting it together. My PMS is primarily used for music, so I love the idea of a smaller, music-focused player.

That said, I can't get it to work :( I am receiving a self-signed certificate error and it is unable to connect to my PMS. I actually run my own Certificate Authority for all of my home network devices. I suppose one might consider this a self-signed certificate, but it is not. Semantics aside, the certificate installed on my PMS follows the standard three-tier chain (cert -> intermediate -> root). I have a Root CA installed and trusted on my local computer to establish the chain of trust.

Using Windows' certlm, my Root Certificate is installed at Certificates - Local Computer/Trusted Root Certificate Authorities/Certificates. The certificate is valid, not expired and trusted for all usages.

Here are the relevant bits from my Application.log (domain changed to protect the innocent):

Dec 22, 2017 18:55:19.969 INFO - DEVICE: Player connection worked for despina ~ http://10.0.1.5:20000
Dec 22, 2017 18:55:19.984 WARN - DEVICE: Server connection https://plex.<my domain>.com didn't work for sycorax: self signed certificate in certificate chain
Dec 22, 2017 18:55:19.987 WARN - DEVICE: Server connection https://10.0.0.51:32400 didn't work for sycorax: self signed certificate in certificate chain
Dec 22, 2017 18:55:19.988 WARN - DEVICE: Server connection https://plex.<my domain>.com:32400 didn't work for sycorax: self signed certificate in certificate chain

For clarity, sycorax, 10.0.0.51 and plex.<my domain>.com all point to the same PMS server.

All three addresses & ports go to the same place (443 routes through an NGINX reverse-proxy, 32400 requests are direct, both have the same certificate installed). I tested and confirmed that all three address and port combinations are online and functional both inside and outside my network. I also confirmed that Google Chrome and Microsoft Edge both agree that the cert has a valid chain of trust. Plex Media Player and Plex Web also connect without issue, over a secure connection (confirmed with the "green lock" from the same computer). My PMS is configured to prefer, but not require secure connections.

I'm not really sure how to debug further, any advice would be welcome.
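
The wording in the log above is OpenSSL's verification error 19 (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN): the chain ends at a self-signed root that the verifying client's own trust store does not contain. The following is an added example, not from any poster or from Plex, that reproduces the condition with a constructed three-tier lab PKI; every name, hostname and file path in it is hypothetical.

```shell
#!/bin/sh
# Constructed lab PKI: root -> intermediate -> leaf. All names are hypothetical.
build_chain() {
  d=$1
  cat > "$d/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[lab_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[lab_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:plex.example.test
EOF
  # Self-signed root: the trust anchor a private CA installs on its clients.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/lab.cnf" \
    -extensions lab_ca -subj "/CN=Lab Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  issue int "Lab Intermediate CA" root lab_ca || return 1
  issue leaf "plex.example.test" int lab_leaf || return 1
  # What the server presents alongside the leaf: intermediate plus root.
  cat "$d/int.pem" "$d/root.pem" > "$d/chain.pem"
}

# issue <name> <CN> <issuer name> <extension section>: new key and CSR, signed by issuer.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$d/lab.cnf" -subj "/CN=$2" \
    -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/$1.csr" -CA "$d/$3.pem" -CAkey "$d/$3.key" \
    -CAcreateserial -extfile "$d/lab.cnf" -extensions "$4" -days 2 \
    -out "$d/$1.pem" 2>/dev/null
}

# Client whose trust store does not contain the private root.
verify_without_root() { openssl verify -untrusted "$1/chain.pem" "$1/leaf.pem" 2>&1; }

# Same chain, with the private root supplied as the trust anchor.
verify_with_root() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" "$1/leaf.pem" 2>&1
}

lab=$(mktemp -d) && build_chain "$lab"
verify_without_root "$lab" || echo "rejected: root is not a trust anchor for this client"
verify_with_root "$lab"      # prints "<dir>/leaf.pem: OK"
```

The same certificate files pass or fail depending only on which trust store the verifier consults, which matches a browser accepting the chain while another client on the same machine rejects it.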


#2

I’ve got the same issue here. The cert is issued from my in-house CA and trusted by all the machines on the domain. Is there a way to have Plexamp use the system trust?


#3

So just to clarify, you guys both have a custom cert installed on your media server? I’m wondering if we can simply ignore it in our connection testing and use the plex.direct one.

And PMS is terminating the SSL connection, not some proxy, right?


#4

@elan yep, in order:

  1. I have a custom cert installed on my PMS with a valid trust chain
  2. My PMS is terminating the SSL.

I’m not sure how you’d ignore it. Maybe set up a special route that always serves the plex.direct cert, even when a custom cert is installed? Seems like it’d be easier to just use the OS trust chain, but you guys are the experts :)


#5

For the benefit of @SirMengler and others, elan contacted me to test on my PMS and believes he has a fix. A new build is forthcoming, but no date offered.


#6

Thanks to @kevin.burdett and @stedaniels for their help in tracking down the issue, we’ve fixed it for the next release.


#7

Thanks for the update all. Got the new build today and it is working beautifully.

Love being able to have a small app in the corner of my display for my music instead of the full web view.

How is it that Plex continues to impress constantly? :)


#8

Cross-posting from here: https://forums.plex.tv/discussion/317409/plexamp-1-0-5-cannot-connect-to-server

Did anyone with self signed certs experience downtime over the weekend using Plexamp?