Hello. I have changed my SSL provider; I am now using Sectigo SSL from Infomaniak.
I have built the PFX file using -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256, as I do for each renewal.
But with the Sectigo SSL certificate, PMS uses the Let's Encrypt *.plex.direct certificate instead of the new one.
I have tested with the native PFX cert provided at the same time (with the native passphrase), and the result is the same.
No issue with other tools (Emby) or Apache servers, only with PMS.
If you connect to PMS using anything other than the domain name specified in the Custom certificate domain setting (such as the server's IP address), then it will default back to the plex.direct certificate for the connection.
Your PKCS12 file must also contain the full certificate chain (CA, sub-CA, and site cert) as well as the private key. The top level CA must also be one that’s recognised by PMS and Plex clients.
You do not need to specify anything under Custom server access URLs as the Custom certificate domain is automatically published up to plex.tv.
Unless you have a specific use case that requires it, you’re generally better off just letting Plex manage everything and go via https://app.plex.tv.
Hello. PMS offers the possibility to use a personal domain and certificate, which I have been using for years. I don't want to use certificates I don't control.
As I explained in the previous message, I follow the right, complete procedure to provide the PFX file, with chain, key and cert. Infomaniak offers a P12 file too, with its own passphrase, but in the end it's the same issue.
A workaround solution is now to use a reverse proxy with much the same cert/key; it works, but it's not clean.
I don’t understand.
Here are the specs of these SSL certs; they seem compliant with PMS needs.
I put this output P12 into PMS, where PMS will see it at the next restart.
I use CloudFlare for DNS. CloudFlare provides a simple DNS alias record to my WAN IP. Connecting inbound via my domain is seen by PMS, which then switches to its own domain between the client and my server. My domain is only used for the initial "Hello" part of the connection.
Hello. Your proposal is close to the procedure I have used since OpenSSL v3.0, as explained here.
But it doesn't explain why PMS refuses to consider it now, even though it's compliant with the minimum requirements.
Gandi had the SSL certificate signed by DigiCert; Infomaniak uses Sectigo (Comodo) to sign it. I don't know if there is a link, but with Gandi it worked perfectly.
But Gandi decided to at least double their prices (for the domain, SSL, mailboxes...), so I decided to change at the global renewal.
Are you testing this from inside or outside of your network?
Try generating a Let’s Encrypt signed certificate and see if that works. If that works then it could be an issue specific to certificates issued by Sectigo SSL. If using acme.sh then ensure you request an RSA rather than ECC certificate (the default for acme.sh is ECC).
Also, if you want Plex clients to only connect via the custom certificate domain then disable remote access in the PMS settings. As long as an appropriate port forward and the corresponding firewall rules are configured on your router it will still be accessible. If you have remote access enabled then PMS will publish your WAN IP address back up to plex.tv and clients will use that before the custom certificate domains.
Local clients will always default to the local plex.direct domain and not the custom certificate domain.
As explained previously, with another provider it worked, also with a reverse proxy (with this CRT, key and CA) or Let's Encrypt (subdomain).
So unless I find a solution (or the reason for the incompatibility) I will stay like this. But it's not clean. The cert works for all other uses. Only PMS doesn't.
In my case, chain.pem was 0 KB (empty), indicating that the chain was missing.
2. Create a new valid PFX file:
a. Import the existing PFX into the Windows Certificate Store.
b. Using certmgr.msc (C:\Windows\System32\certmgr.msc), import the existing PFX file.
c. During the import, ensure the following options are selected:
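Added example, not from this thread or from Plex: a script that builds a PKCS#12 the way the earlier reply describes (site cert, sub-CA, root CA and private key in one file, with the -certpbe/-keypbe/-macalg settings the poster used) and then inspects it before handing it to PMS, including the "chain.pem was empty" failure mode mentioned just above. It needs only the openssl CLI. The throwaway CA, the host name plex.example.test and the passphrase are made-up test values; a real deployment would use the CA-issued site cert and the bundle file the CA supplies instead of the generated ones.

```shell
#!/bin/sh
# Added example (not from the forum thread): build a PKCS#12 carrying the site
# cert, the sub-CA, the root and the private key, with the PBE/MAC settings
# from the original post, then inspect it before restarting PMS.
# Requires only the openssl CLI. All names and the passphrase are test values.
set -eu

PFX_PASS="demo-passphrase"   # assumption: throwaway passphrase for the demo

# Minimal openssl config per certificate so the demo does not depend on the
# installed openssl.cnf. $1 = file, $2 = CN, $3 = x509v3 extension lines.
write_cfg() {
  cat > "$1" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $2
[ext]
$3
EOF
}

# Throwaway PKI: self-signed root -> sub-CA -> RSA site certificate.
make_test_pki() {
  d=$1
  write_cfg "$d/root.cnf" "Demo Root CA" "basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$d/root.cnf" \
    -keyout "$d/root.key" -out "$d/root.crt" >/dev/null 2>&1
  write_cfg "$d/inter.cnf" "Demo Sub-CA" "basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash"
  openssl req -new -newkey rsa:2048 -nodes -config "$d/inter.cnf" \
    -keyout "$d/inter.key" -out "$d/inter.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 1825 -extfile "$d/inter.cnf" -extensions ext \
    -out "$d/inter.crt" >/dev/null 2>&1
  write_cfg "$d/site.cnf" "plex.example.test" "basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:plex.example.test"
  openssl req -new -newkey rsa:2048 -nodes -config "$d/site.cnf" \
    -keyout "$d/site.key" -out "$d/site.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/site.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -CAcreateserial -days 397 -extfile "$d/site.cnf" -extensions ext \
    -out "$d/site.crt" >/dev/null 2>&1
  # what a CA normally hands you as the "chain"/"bundle" file
  cat "$d/inter.crt" "$d/root.crt" > "$d/chain.pem"
}

# $1 = dir, $2 = output name, $3 = chain file ("" = omit the chain, which is
# what an empty or missing chain.pem silently produces).
build_pfx() {
  if [ -n "$3" ]; then certfile="-certfile $3"; else certfile=""; fi
  # shellcheck disable=SC2086
  openssl pkcs12 -export -inkey "$1/site.key" -in "$1/site.crt" $certfile \
    -name plex.example.test -out "$1/$2" -passout "pass:$PFX_PASS" \
    -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256
}

# Inspection helpers: number of certs, number of keys, and whether the CA
# certs bundled inside the file are enough on their own to verify the site
# cert (no external trust store involved).
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}
pfx_key_count() {
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nocerts -nodes 2>/dev/null \
    | grep -c 'BEGIN .*PRIVATE KEY' || true
}
pfx_chain_verifies() {
  t=$(mktemp -d)
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nokeys -clcerts -out "$t/leaf.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nokeys -cacerts -out "$t/cas.pem" 2>/dev/null
  openssl verify -CAfile "$t/cas.pem" "$t/leaf.pem" >/dev/null 2>&1
}

W=$(mktemp -d)
make_test_pki "$W"
build_pfx "$W" good.pfx "$W/chain.pem"
build_pfx "$W" nochain.pfx ""
for f in good.pfx nochain.pfx; do
  if pfx_chain_verifies "$W/$f"; then v=yes; else v=no; fi
  echo "$f: certs=$(pfx_cert_count "$W/$f") keys=$(pfx_key_count "$W/$f") chain_complete=$v"
done
```

Run it against a real file by calling the three pfx_* helpers on the PKCS#12 you intend to give PMS: a complete file shows three certificates, one key and chain_complete=yes; a file built from an empty chain.pem shows one certificate and chain_complete=no, which is the state PMS falls back to plex.direct from. The check deliberately verifies with only the CA certificates inside the file, because that is all PMS has to work with.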
Hello.
As I explained in a previous message, and as you can see, the PFX file contains the chain cert. It's specific to Sectigo SSL files. I have found a contingency procedure: I use a reverse proxy with the SSL file, and linked the reverse proxy to the local PMS server through an HTTP link. Like this, the connection is secured with the reverse proxy and the right SSL file. Of course I would have preferred a direct SSL connection without a reverse proxy, but that's how it is.