PMS on docker: Certificate not taken

Server Version#: 1.32.5.7516
Player Version#: 1.59.1.3398

Hi,

I’m using the docker version of PMS on a RHEL based Linux (Rocky).
Plex in general is working quite well but I would like to use my own certificate.
What I did:

  • Created a certificate with RSA 4K and put it in a p12
  • Mounted this p12 inside the container
  • At Server > Network I put in the path to the cert inside the container, including the password for the private key (no spaces or anything else, double-checked)
  • Recreated the docker container
  • Strict TLS is not being used

Unfortunately the certificate is not being taken (I’ve also tried incognito mode to rule out caching issues). I always get the self-signed cert.

What needs to be done to be able to use my own LE cert?

Thx

I got pretty much the same, but it works on mine.

  1. Docker container on Ubuntu 22.04
  2. SSL cert from Letsencrypt automatically generated and updated from my reverse proxy
  3. Converted that into PKCS12 format and copied it to the data directory
  4. Add the password for the cert
  5. Add your custom domain name below the password

And it worked after a restart of the container, and I also had to manually change to https at first.

You might want to check the permissions on the file. Can PMS access that?

I’ve looked again at the permissions, and on the file they were 755.
But the owner was not correct (using rootless docker).
After changing the owner and group to the subuid/subgid, the user inside was plex instead of “nouser”.

Unfortunately this didn’t fix the issue.
@MatthKarl You mentioned something about changing to https first.
What exactly do you mean and where?

Also please bear in mind that I’m using a reverse proxy.

Regarding the https. When I first accessed the server in my browser via the IP address, it used the http protocol. Once I added the cert information, silly me, I only changed the IP address to the domain name, but didn’t add the s to http in front to switch to an encrypted protocol. And I kept wondering why I still had an unencrypted connection. Plex does not automatically change to a secure connection; you specifically have to choose it.

Regarding the reverse proxy. I do use an nginx, however not for Plex. But in all cases, I do use a normal http connection to forward, while the SSL cert is served by the proxy. I’m not sure you would actually see the SSL of the server behind the proxy, or you’d have to possibly configure it accordingly. Do you get the proper secure connection when you access it internally and direct to the PMS?

Okay, you just mean the protocol in the browser.
This I have already checked, and I still get the self-signed cert instead of the correct one.

I could only forward http from IIS (reverse proxy) to Plex, but then there wouldn’t be encryption all the way (which is what I want to have). As I’m quite strict, IIS gives an HTTP 500 when not using a globally signed cert.

Are there any logs I could check?
Would that be inside the debug/trace logs?

The first thing you have to check is, whether you get the https working if you connect direct, without the proxy.

Once that is done, you figure out, how to add the proxy.

Yes, that is true and that’s what I’ve tried to accomplish. The proxy is the second step.

But exactly there lies the issue. I do not know why this doesn’t work even though I already got it to work once on a windows system (without docker). But for certain reasons I have to change to linux.

So what happens when you connect direct?

That’s what I explained further up.
Connecting directly only gives me the self-signed (*.[hexnumber].plex.direct) cert instead of the correct one.
I’ve tried it also in incognito mode to be sure no cache is interfering, but still the same.

Well, here is my setup. Feel free to compare it with yours.

This is the docker run command:

docker run -d \
  --name=Plex \
  --restart=unless-stopped \
  -p 32400:32400/tcp \
  -p 8324:8324/tcp \
  -p 32469:32469/tcp \
  -p 1900:1900/udp \
  -p 32410:32410/udp \
  -p 32412:32412/udp \
  -p 32413:32413/udp \
  -p 32414:32414/udp \
  -h VS03 \
  -e TZ="Asia/Hong_Kong" \
  -e ADVERTISE_IP="http://192.168.7.8:32400/" \
  -e PLEX_CLAIM="claim-xyz...." \
  -v /home/matth/docker/plex:/config \
  -v /home/matth/transcode/temp:/transcode \
  -v /mnt/media/:/data \
  -v /mnt/music/:/music \
  -e PUID=1026 \
  -e PGID=100 \
  --device=/dev/dri:/dev/dri \
  plexinc/pms-docker

Now I copied the cert to /mnt/media/certs and called it vs03.pkcs12 (vs03 is the host name). The file has the following permissions:

matth@vs03:~$ ls -lia /mnt/media/certs/
total 20
16581107 drwxrwxrwx  2 1026 users 4096 Sep 16 03:45 .
    1206 drwxrwxrwx 22 root root  4096 Sep 27 08:03 ..
16581108 -rwxrwxrwx  1 1026 users 4480 Sep 27 07:10 vs03.pkcs12
matth@vs03:~$

In Plex, I point the cert as follows:

[screenshot of the Settings > Network page with the certificate path, password and custom domain filled in]

I use internally a domain, and use my router to hand out the IP addresses for the hosts. So I can point to https://vs03.domain.com:32400 and end up at my Plex server. You might use the hosts file on your PC to point your domain name to the Plex IP and check.

I figured out that Plex has some issues reading the cert.
After applying a fix mentioned here, one error message about enveloping was gone.

But now I still have the following error message even in DEBUG and I won’t get any more infos:

Sep 27, 2023 17:32:03.319 [140503353031312] DEBUG - [CERT] Subject name is /CN=*.2fe2a31f04994a16946eb36b9bc676bd.plex.direct
Sep 27, 2023 17:32:03.319 [140503353031312] DEBUG - [CERT] Installed certificate with fingerprint aa:ea:8a:bd:88:55:cb:83:78:fb:3e:17:76:e0:b7:2e:a6:e6:a4:96.
Sep 27, 2023 17:32:03.319 [140503353031312] DEBUG - [CERT/OCSP] Stapling requests will be made to 'http://r3.o.lencr.org/'.
Sep 27, 2023 17:32:03.320 [140503353031312] INFO - [CERT/OCSP] Successfully retrieved response from cache.
Sep 27, 2023 17:32:03.320 [140503353031312] ERROR - [CERT] Found a user-provided certificate, but couldn't install it.

[screenshots of the certificate’s private key algorithm, public key algorithm and signature algorithm]

Any idea what this might be about?

Okay, I’ve found the issue.
It was a P12 problem. Somehow it wasn’t built in a way Plex could understand, as it uses libs from OpenSSL v3.

So I’m using openssl as mentioned on this page. Now it works.


Glad it works now. I just wanted to post how to change the format to PKCS12 that Plex expects:

openssl pkcs12 -export \
  -passout pass:VeryStrongPassword \
  -inkey /etc/letsencrypt/live/vs03.domain.com/privkey.pem \
  -in /etc/letsencrypt/live/vs03.domain.com/fullchain.pem \
  -out /mnt/media/certs/vs03.pkcs12

@MatthKarl What version of Plex are you using?

For me, that alone didn’t work. I think it depends on which OpenSSL version you are using and what the defaults are there.
I had to add the following to be able to use it:

-certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256

I’m on Version 1.32.6.7468
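The two openssl invocations above differ only in whether the PKCS#12 encryption and MAC algorithms are pinned, which is exactly where OpenSSL 1.1 and OpenSSL 3 defaults diverge. The script below is an added example, not code posted in this thread or shipped by Plex: it generates throwaway test material (a one-day self-signed key and certificate standing in for privkey.pem and fullchain.pem), builds the bundle with the explicit `-certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256` options, and then reads the bundle back to confirm which algorithms really ended up inside it before the file is handed to a container. It assumes only that the `openssl` CLI is on PATH; the CN `vs03.example.test`, the file names and the password are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): build a PKCS#12 bundle with explicit
# AES-256-CBC / SHA-256 parameters and check what OpenSSL reads back from it.
# Assumes the openssl CLI is on PATH. File names, CN and password are
# hypothetical; the key/cert pair is generated here as throwaway test material
# standing in for a real privkey.pem / fullchain.pem.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="example-only-password"   # hypothetical; never commit a real one

# Constructed input: a one-day self-signed RSA key + certificate.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=vs03.example.test" \
    -keyout "$WORK/privkey.pem" -out "$WORK/fullchain.pem" >/dev/null 2>&1
}

# Bundle key + chain. Pinning -certpbe/-keypbe/-macalg means the result does
# not depend on which OpenSSL built it: 1.1.x defaults to RC2-40 / 3DES with a
# SHA-1 MAC, which an OpenSSL 3 consumer without the legacy provider rejects,
# while 3.x already defaults to PBES2 with AES-256-CBC and a SHA-256 MAC.
build_p12() {
  openssl pkcs12 -export \
    -inkey "$WORK/privkey.pem" -in "$WORK/fullchain.pem" \
    -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 \
    -passout pass:"$PASS" -out "$WORK/vs03.pkcs12"
}

# Parse the bundle the way a modern consumer would and list the algorithms.
# Returns 0 only if it parses, uses AES-256-CBC, and has no RC2/3DES bags.
# (-info writes its structure dump to stderr, hence 2>&1.)
check_p12_algorithms() {
  info=$(openssl pkcs12 -info -noout -in "$WORK/vs03.pkcs12" \
           -passin pass:"$PASS" 2>&1) || return 1
  printf '%s\n' "$info" | grep -E 'MAC|Encrypted data|Keybag' || true
  printf '%s\n' "$info" | grep -q 'AES-256-CBC' || return 1
  ! printf '%s\n' "$info" | grep -Eq 'RC2|3DES|DES-EDE3'
}

# Round-trip the leaf certificate and print its subject; this is the value a
# consumer sees after a successful parse (Plex logs it as "[CERT] Subject name").
p12_leaf_subject() {
  openssl pkcs12 -in "$WORK/vs03.pkcs12" -passin pass:"$PASS" \
      -clcerts -nokeys 2>/dev/null \
    | openssl x509 -noout -subject
}

make_test_material
build_p12
check_p12_algorithms
p12_leaf_subject
```

If `check_p12_algorithms` prints lines mentioning RC2 or 3DES, the bundle was produced with legacy defaults and an OpenSSL 3 based consumer will fail on it even though an older `openssl` on the same host reads it fine; rebuild it with the pinned options rather than enabling the legacy provider on the consumer side. Once the file is mounted, the same kind of read-back check (`openssl pkcs12 -info -noout` run inside the container as the container's user) also catches the ownership problem mentioned earlier in the thread, since a file the process cannot open fails at the same step.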
