PMS SSL Uses *.plex.direct Let's Encrypt SSL certificate instead of custom configured certificate

Server Version#: 1.32.0.6918
Player Version#: N/A (web 4.100.1)

I have PMS configured with a SSL custom certificate. Having just upgraded to 1.32.0.6918, instead of the custom certificate, PMS serves a Let’s Encrypt certificate on CN: *..plex.direct. I can reproduce on two different servers.

The custom SSL certificate is configured in Settings → Network. The PMS configuration is unchanged before and after the upgrade.

% echo | openssl s_client -showcerts -servername <server name> -connect <server name>:32400

CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.<removed>.plex.direct
verify return:1
write W BLOCK
---
Certificate chain
0 s:/CN=*.<removed>.plex.direct
i:/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
MIIFYTCCBEmgAwIBAgISBMxMaXqo7EGOIuD/IZ9ZbtlhMA0GCSqGSIb3DQEBCwUA
...
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
...
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=*.<removed>.plex.direct
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 4617 bytes and written 374 bytes
---
New, TLSv1/SSLv3, Cipher is AEAD-CHACHA20-POLY1305-SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.3
Cipher : AEAD-CHACHA20-POLY1305-SHA256
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1681395799
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
DONE

Likely caused by PMS’s switch to OpenSSL v3, which dropped support for some less secure encryption methods: OpenSSL v3.0.0 and PMS

Confirmed to be working, generating the pkcs12 file with -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 resolved the issue.

1 Like

I am using win-acme to generate my own custom Let’s Encrypt certificate and I am seeing this same problem after upgrading my server. Are there any settings changes in win-acme for us Windows users that will produce a compatible certificate?

@aroberts02

Do you see where you posted and what’s above you?

I do see that there is a nice solution for those using openssl, but I am using win-acme and was hoping that the team had anticipated issues like this coming up after the upgrade.

Custom certs are not required for normal PMS use.
Therefore, if users want to add them then they must understand how to create and manage them.

1 Like

For anyone out there using win-acme to generate custom certs, win-acme does not provide built-in options to customize the encryption and MAC algorithms used within a PFX archive file. Instead, you will have to request a Let’s Encrypt certificate with options that result in the creation of PEM-formatted certificates, which will give you full chain {hostname}-chain.pem and private key {hostname}-key.pem files. In a post-processing script, convert the PEM-formatted certificate and private key to a PFX file using the specified encryption and MAC algorithms:

    openssl pkcs12 -export -in {hostname}-chain.pem -inkey {hostname}-key.pem -out cert_and_key.pfx -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 -password pass:your_password
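As an added example (not code from the thread or from Plex), the script below carries out the repackaging step described above and in the earlier fix: it exports a PKCS#12 bundle with AES-256-CBC for both bags, a SHA256 MAC and the CA chain included, then checks the result the way you would check your own .pfx/.p12 before pointing PMS at it. The throwaway CA, the leaf name plex.example.test and the passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a PKCS#12 bundle with the
# algorithms the thread found PMS 1.32 accepts and checks the result.
# The CA and leaf below are throwaway material constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='demo-password'            # constructed; use your own passphrase

# Throwaway CA plus a CA-signed leaf, so the bundle carries a real chain
# (the thread notes PMS rejects self-signed certs and wants the CA in the P12).
setup_demo_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo CA' \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=plex.example.test' \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 -out "$WORK/leaf.crt" 2>/dev/null
}

# Export leaf + key + CA with the PBES2/AES-256-CBC and SHA256 MAC options
# from the thread (legacy RC2-40/3DES bundles are what OpenSSL 3 no longer opens).
make_pfx() {
  openssl pkcs12 -export -in "$WORK/leaf.crt" -inkey "$WORK/leaf.key" \
    -certfile "$WORK/ca.crt" -out "$1" \
    -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 -password "pass:$PASS"
}

# Succeeds only if the file opens with the default provider, both bags use
# AES-256-CBC, the MAC digest is SHA256, and at least two certs are present.
check_pfx() {
  info=$(openssl pkcs12 -in "$1" -info -noout -password "pass:$PASS" 2>&1) || return 1
  [ "$(printf '%s\n' "$info" | grep -c 'AES-256-CBC')" -ge 2 ] || return 1
  openssl asn1parse -inform DER -in "$1" | grep -qi 'OBJECT.*sha256' || return 1
  ncerts=$(openssl pkcs12 -in "$1" -nokeys -password "pass:$PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE') || true
  [ "${ncerts:-0}" -ge 2 ]
}

setup_demo_chain
make_pfx "$WORK/plex.pfx"
if check_pfx "$WORK/plex.pfx"; then
  echo "plex.pfx: AES-256-CBC bags, SHA256 MAC, chain present"
else
  echo "plex.pfx: does not meet the PMS 1.32 requirements" >&2; exit 1
fi
```

Run check_pfx against an existing bundle (with its own passphrase in PASS) to see whether it was produced with the older RC2/3DES defaults before re-exporting it.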

Well, I used the above fix to repackage my cert and everything was fine, until I installed Version 1.32.5.7210 on my Synology and now it’s back to using a Let’s Encrypt cert. So what changed now? Did they decide all those keytool commands weren’t enough and I need more now?
And don’t give me the “it’s not required for normal use” bull feces. So if you patched and it went back to using Let’s Encrypt instead of your named certificate, then upvote this so maybe Plex will look at it. Otherwise I will just have to click past half a dozen errors and warnings to get to Plex.

I’m trying to do this with a newly spun up Plex instance in a Docker container. I mounted a volume called config in which I put my p12 certs. I did generate my cert using the improved encryption schemes. I ran chmod 755 on the p12 file. I told Plex where to find my file and entered its passphrase. Still, Plex refuses to use my cert.

Is there anything special about running Plex in a Docker container that would prevent it from using my cert?

Thanks,

A few key points about PMS and custom certs:

  1. Self-signed certs cannot be used
  2. Cert files (P12) must include the CA with the Key and Cert
  3. P12 files must now use the stronger encryption

Reference:

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.