PMS suddenly shows issues with remote access 9/30/2021 10AM EST

LG WEBOS versions above 5.0 are incompatible with cert-v2.p12.
When I put back the old certificate.p12 on my first remote server, I could access the server and content from LG WEBOS versions above 5.xx. I have several LG devices from 2019-2020.
When I allow Plex to change the cert file, it's game over.

As I see it, Plex would not help us, as always.
We need to find the best way to use custom cert files which are compatible. Or we all switch to Emby.

Hi all,

I resolved this issue for myself.

On the Plex server, on the Network configuration page, instead of simply putting a .pfx file with only the server certificate, I put a .pfx file with the fullchain certificate. So, in this file, there are 3 certificates:

  • The root CA certificate (ISRG Root X1)
  • The intermediate CA certificate (R3, issued by ISRG Root X1)
  • The server certificate (mine, issued by R3)

I restarted Plex, and I can play my files again from Plex Android.

My Plex server is behind a reverse proxy (PFsense+HAproxy) which manages the certificate with ACME. I forced a renewal in ACME. Also, here is the command I automatically launch after a renewal:

openssl pkcs12 -export -out /conf/acme/plex.my-domain.com_fullchain.pfx -inkey /conf/acme/plex.my-domain.com.key -in /tmp/acme/plex.my-domain.com/plex.my-domain.com/fullchain.cer -certfile /conf/acme/plex.my-domain.com.ca -password pass:mypass && scp -i ~/.ssh/id_rsa /conf/acme/plex.my-domain.com_fullchain.pfx plex@myserver:/var/lib/plexmediaserver/ && ssh root@myserver "systemctl restart plexmediaserver.service"

This command converts the .cer certificate into a .pfx certificate, then pushes the certificate to my Plex server and finally restarts my Plex service.

Regarding your command, password of what? Plex account, or local machine account used to start the Plex service? Also, regarding “plex@myserver”, what did you write as myserver? External IP, or did you register the server IP with some domain name?
Could you explain, regarding the first two certificates, how you obtained them? Could you elaborate on the process?

Hi @mikiwolf,

Regarding your questions, it seems my command is too technical for you. I’m sorry, I will try to explain some points, but the others will need more knowledge to be understood.

First, my Plex Server is on a virtual machine (CentOS 7), behind another virtual machine (pFsense) which acts like a UTM firewall.
I own my own domain (example: mydomain.com), so I use my Plex Server on a dedicated URL (example: plex.mydomain.com). So, I can use my Plex Server with a browser directly with my own URL (example: https://plex.mydomain.com).
I do want to use SSL (https) in order to secure the connection. So, I have to use a true SSL certificate. Let’s Encrypt provides free SSL certificates limited to 3 months (you can renew them all the time). As I don’t want to renew my certificates manually every 3 months, I use the ACME package provided by pFsense. The command I gave is executed at every renewal so that Plex Server takes the new certificate into account.

1 - Convert the certificate in the pfx format

openssl pkcs12 -export -out /conf/acme/plex.my-domain.com_fullchain.pfx -inkey /conf/acme/plex.my-domain.com.key -in /tmp/acme/plex.my-domain.com/plex.my-domain.com/fullchain.cer -certfile /conf/acme/plex.my-domain.com.ca -password pass:mypass

openssl pkcs12 -export ==> I use the openssl program to export my new certificate from the .cer format to the .pfx format.
-out /conf/acme/plex.my-domain.com_fullchain.pfx ==> the file where I want to export the fullchain.
-inkey /conf/acme/plex.my-domain.com.key ==> the original private key. It never changes.
-in /tmp/acme/plex.my-domain.com/plex.my-domain.com/fullchain.cer ==> The certificates created by ACME (pFsense). It contains the server certificate, the intermediate CA certificate and the root CA certificate. They will be converted and exported in the /conf/acme/plex.my-domain.com_fullchain.pfx file.
-certfile /conf/acme/plex.my-domain.com.ca ==> The intermediate CA certificate which has signed my server certificate.
-password pass:mypass ==> I want to “secure” the certificate content. I define here a passkey (“mypass”). It will be necessary in order to read my .pfx certificate. I have to provide it to Plex next.

2 - Copy the .pfx certificate to the Plex Server

scp -i ~/.ssh/id_rsa /conf/acme/plex.my-domain.com_fullchain.pfx plex@myserver:/var/lib/plexmediaserver/

scp ==> I want to copy some files from a server to another
-i ~/.ssh/id_rsa ==> I use a SSH key in order to not provide a password for the connection.
/conf/acme/plex.my-domain.com_fullchain.pfx ==> the file I want to copy (source).
plex@myserver ==> The server user (plex) and the server name (myserver) I want to use to copy my file to.
/var/lib/plexmediaserver/ ==> the location where I want to put the file I’ve copied.

3 - Restart Plex service

ssh root@myserver "systemctl restart plexmediaserver.service"

ssh ==> The program I use to connect to a server to send some commands
root@myserver ==> The server user (root) and the server name (myserver) I want to connect to.
systemctl restart plexmediaserver.service ==> This is systemd from Linux. I can manage the services on my server with this. Here, I restart the Plex service so that Plex takes the new certificate into account.

Is it clearer?

No, sorry, it's not too technical, but I didn’t know that you could have a password for the SSL certificate. That's why I asked which password. Now it's clear.
The second question was regarding joining 3 certificates. The third one is the one you paid for, that's clear, but the first two are not so clear. Could you elaborate on the first two?

This is the certificate chain. When all the (perfect) world around knows every CA certificate (root and intermediates), and these certificates don’t move, you don’t really need to provide the certificate chain.
But some CAs expire sometimes, and some new CAs are created also, so if some devices are not up-to-date, they will refuse the use of new certificates signed by an “unknown” CA.
But our recent browsers are cool: if you’re missing some CA certificates, they will search for and download them for you. But you lose some load time.
That’s why, in web hosting, you have to provide the certificate chain, in order to gain time, first, and in order to prove your certificate is true.
Some information about this: What is SSL Certificate Chain – Explained by Certificate Authority.

If so, the certificates on the Plex server should be almost irrelevant.

Some portion of this is more complicated than necessary.

Are clients still connecting directly to the Plex server?

If so, the certificates on the Plex server should be almost irrelevant.

Absolutely not. If you just want to use Plex from a web browser from outside behind a reverse proxy, indeed configuring a certificate in Plex is useless.
However, as it’s written on the Plex configuration page, if you want your Plex Server to be reachable from Plex Apps from outside, you have to open a port (default is 32400). When you open such a port in your router, this port is not used by the reverse proxy. So, you have to provide the certificate you use in the reverse proxy.

Some portion of this is more complicated than necessary.

Which one?

So far I was able to manage my Plex server with the help of the documentation and other community posts, but the above issue with remote access gave me a bit of a headache.

Setup:

  1. PMS running in docker. Available for LAN on let’s say 192.168.0.100:32400
  2. Router has dynamic IP, forwarding incoming port 50000 to PMS.
  3. Custom URLs maintained: https://192.168.0.100:32400,https://plex.mydomain.com:50000
  4. Certificate properly set up in plex (Let’s Encrypt), full chain in pfx
  5. Wide variety of clients used: iOS, Mac, Web, Windows, LG TV
  6. Relay disabled, Remote access turned off, since I manage my own router to forward the requests and manage my own domain.

And it has been working fine for the last year, no hiccup at all. All clients were working correctly, without any problem.

On 1st October I noticed that the LG TV (43UM7100PLB, fw 05.10.25) client cannot connect. That is a remote client (parent’s TV :wink: ), not on the local network.
Found this forum and a lot of others mentioned that it might be connected to Let’s Encrypt’s change of cert.

I tried the following:

  1. Signed out / signed in from client, reinstall the app
  2. Restarted the server
  3. Regenerated my certificate (for the domain)
  4. Removed cert-v2.p12 to make plex regenerate their own cert
  5. Enabled remote access
  6. Enabled and made insecure connections preferred (both client and server)
  7. Turned off auth

From this: Important information about Plex for smart TVs after September 30, 2021

I think the TV should be supported.

Turned on verbose on the server log, once I click on Try again on the TV, I only see the following:

Oct 03, 2021 12:18:14.500 [0xb1d0bd48] VERBOSE - WebSocket: processed 1 frame(s)
Oct 03, 2021 12:18:24.503 [0xb1d2ed48] VERBOSE - WebSocket: processed 1 frame(s)
Oct 03, 2021 12:18:30.799 [0xb1d2ed48] VERBOSE - Didn't receive a request from CLIENT_PUBLIC_IP:48198: stream truncated
Oct 03, 2021 12:18:34.506 [0xb1d0bd48] VERBOSE - WebSocket: processed 1 frame(s)
Oct 03, 2021 12:18:44.504 [0xb1d2ed48] VERBOSE - WebSocket: processed 1 frame(s)

What am I doing wrong?

Are you very sure the full chain is correct?

Please check it with an openssl pkcs12 -info -in mycert.pfx command.

Can you share the result (except your own certificate)?

Also, you have a dynamic IP. Have you enabled dynDNS (or similar)?

Hi Jlenuff,

Thanks for your ideas.

I am very sure that the full chain is correct:

Bag Attributes
    localKeyID: XX XX XX
    friendlyName: plex.mydomain.com
subject=/CN=plex.mydomain.com
issuer=/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
-- my key
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/C=US/O=Let's Encrypt/CN=R3
issuer=/C=US/O=Internet Security Research Group/CN=ISRG Root X1
Bag Attributes: <No Attributes>
subject=/C=US/O=Internet Security Research Group/CN=ISRG Root X1
issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3

Cross-checked them with the ones on Chain of Trust - Let's Encrypt

Yes, I have dyndns enabled, that is what I meant by I manage my domain. :slight_smile:

I start to think that my problem might be unrelated to this issue, but the weird part is the timing and that Plex works normally on different clients on the same remote network (Mac, iOS, Windows), just this LG TV does not seem to cooperate. :frowning:
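
The chain check requested above can be read off mechanically. The following is an added example, not code from any poster or from Plex: a POSIX shell function (the names `chain_report` and `sample_chain` are made up here) that reads the `subject=`/`issuer=` lines of `openssl pkcs12 -info -nokeys` output and reports whether each certificate is issued by the next one and where the chain ends. The sample input is constructed from the subject and issuer lines posted above.

```shell
#!/bin/sh
# Added example: summarise a chain from `openssl pkcs12 -info -nokeys` output.
# Real use: openssl pkcs12 -info -nokeys -in mycert.pfx | chain_report

# Reads subject=/issuer= lines on stdin, in file order (leaf first).
# Exit status: 0 = every issuer matches the next subject, 1 = broken link,
# 2 = no certificates seen.
chain_report() {
    awk '
        /^subject=/ { sub(/^subject= */, ""); subj[++n] = $0 }
        /^issuer=/  { sub(/^issuer= */, "");  iss[n] = $0 }
        END {
            if (n == 0) { print "no certificates found"; exit 2 }
            bad = 0
            for (i = 1; i <= n; i++) {
                printf "cert %d: %s\n    issued by: %s\n", i, subj[i], iss[i]
                if (i < n && iss[i] != subj[i + 1]) {
                    print "    BROKEN LINK: next certificate is not this issuer"
                    bad = 1
                }
            }
            if (iss[n] == subj[n]) {
                print "top of chain is self-signed: " subj[n]
            } else {
                print "chain ends at an issuer not in the file: " iss[n]
            }
            exit bad
        }'
}

# Constructed sample: the subject/issuer lines as posted above, blobs omitted.
sample_chain() {
    cat <<'EOF'
Bag Attributes
    friendlyName: plex.mydomain.com
subject=/CN=plex.mydomain.com
issuer=/C=US/O=Let's Encrypt/CN=R3
Bag Attributes: <No Attributes>
subject=/C=US/O=Let's Encrypt/CN=R3
issuer=/C=US/O=Internet Security Research Group/CN=ISRG Root X1
Bag Attributes: <No Attributes>
subject=/C=US/O=Internet Security Research Group/CN=ISRG Root X1
issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3
EOF
}

sample_chain | chain_report
```

For the posted chain the links are intact and the file ends at DST Root CA X3, which expired on 30 September 2021. Clients that enforce root expiry therefore need ISRG Root X1 itself in their trust store to accept this chain.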

Are the other devices on the same remote network as the LG TV?

Yes.

In the meantime I found something else:

Based on this I checked and indeed I have webOS 4.9.
And also I am able to browse websites with the new cert in the built in browser of the TV. So it indeed seems like a limitation from Plex rather than LG. :frowning:

And also I am able to browse websites with the new cert in the built in browser of the TV. So it indeed seems like a limitation from Plex rather than LG.

That doesn’t prove anything, sadly. However, what is true is that the manufacturer no longer supports its devices, and so Plex will not / can not publish updates. So, just try the solution from the link you’ve provided. :face_with_monocle:

NB : I’ve replaced my Samsung TV 4 years ago because of this kind of situation. :sweat_smile:

This TV is not even 2 yrs old. :frowning:
If you refer to insecure connection by “just try the solution”, I already did and it did not work. Furthermore I would like to refrain from it. Maybe if there was a way to tell Plex from where to accept insecure connection.

@captainfodder was able to solve it on a webos 4.9. Not sure how though.

The YT app on the TV was updated 5 days ago, so I would say Plex can, but seems like won’t provide an update.

Also it is not clear to me, that certain users who were using an unsupported app received a warning e-mail. I did not receive such e-mail, so I believe I am using only supported apps, which contradicts 4.9 being not supported.

Those points don’t follow from each other. I believe there may be several misconceptions here. These may be a distraction from the root of the issue.

The Plex client apps can also use a reverse proxy. It is uncommon to expose both a reverse proxy and Plex directly.

And when using a reverse proxy, the Plex server doesn’t need the same certificate as the reverse proxy.


If the old devices only support certain root CAs (or key lengths or algorithms) then the suggestion to allow Insecure or HTTP connections should make it function again.

@dtekan, are you using a reverse proxy?

Did you see the suggestion that on the TV app, Allow Insecure Connections should be set to Always, but on the Plex Server, Secure connections should be set to Preferred? The language is inverted between the server and client.

Thank you for posting this! My Pi running RasPlex is no longer a lightweight paperweight!

Thanks for your suggestions @Volts. I am not using a reverse proxy, only a port forward on the router, but I use a Let’s Encrypt cert on Plex for the secure connections.
Yes, I have seen the differences with the insecure connection.

Ok…I am currently using my cloud home as my server. I am able to access everything in my wifi environment. Everything outside of network was working good Sept. 28, 2021, then everything outside wifi environment stopped working. Just spins. No changes were made up to that point. Remote access is good with port forwarding on plex settings. I am able to play music with mycloud app outside environment. Any help would be appreciated. It is very frustrating.

12:00 noon EST (16:00 GMT) Wednesday 6 October 2021 - My Plex Server had returned, but overnight last night it is not even reachable from the machine it is running on. I had tried stopping and restarting the service (in Ubuntu) but that makes no difference. Anyone know if Plex knows about this issue? It certainly is not resolved. Hoping for a comprehensive fix soon…