QNAP PMS 1.24.5.5173 installed and now PLEX SSL certificate seems to be broken?

Server Version#: PlexMediaServer-1.24.5.5173-8dcc73a59-x86_64.qpkg
Player Version#: All

HELP! On 10/27/21 I updated my PLEX Media Server on my QNAP NAS [PlexMediaServer-1.24.5.5173-8dcc73a59-x86_64.qpkg]. This PLEX installation has been rock solid and available for several years. After installing the update, I am no longer able to access my PLEX using HTTPS via myQNAPCloud service [“https://redacted.myqnapcloud.com:32400/web”]. I can login to the PLEX site and launch “https://app.plex.tv/desktop/#!/” so I know my PLEX account login is good, but I cannot see my PLEX server that is hosted on my QNAP NAS, I can only see my subscribed podcasts. If I try to use the HTTP ONLY for “http://redacted.myqnapcloud.com:32400/web” I can login to my PLEX account, but still only see my subscribed podcasts but no PMS.

My browsers all tell me that “This site does not have a certificate.” and I get a " Hmmm… can’t reach this page. It looks like redacted.myqnapcloud.com closed the connection. “ERR_CONNECTION_CLOSED” message. I have reinstalled the previous PMS .qpkg [PlexMediaServer-1.24.4.5081-e362dc1ee-x86_64.qpkg] with no change in behavior.

I have opened two tickets with QNAP and one with my network hardware provider (Fortinet) and have not been able to find a problem. It feels like there is a certificate problem on the PLEX side of things and my PMS cannot be accessed because of it. Our PLEX server has been down for over 3 weeks now and I really don’t want to mess something up that would require me to rebuild. Any guidance from the PLEX Support team and Forum would be so appreciated!

DEBUG log files which capture this are needed.

Good evening ChuckPa, I think I enabled debug for PMS. I edited the last entry on the “/share/CACHEDEV1_DATA/.qpkg/PlexMediaServer/Library/Plex Media Server/Preferences.xml” file, where it was “…logDebug=“0”/>” and I changed it to “…logDebug=“1”/>.” I stopped and restarted PMS. If there is something else I need to do, please just let me know. I’ve attached the log bundle from the debug session and also a bundle from a few days ago without debug, just in case that is helpful.
curl output for HTTPS and HTTP.txt (10.9 KB)
PMS_LOGS_ALL_11-21-21[DEBUG_ENABLED].zip (205.7 KB)
Q148I19052_NAS_LOGS_111921[DEBUG_NOT_ENABLED].zip (1.1 MB)

Thank you for your help!

@mtwfamily

1. Looking at the logs, I see no certificate activity – that’s a sign.

2. Looking at your account, (based on the email here), I see only Linux servers –

3. Of which, one server (10.250.0.7) had a questionable certificate – so I reset it for you. Please restart that sercer.

Is there another account to which it’s attached?

ChuckPa, I have restarted the NAS and PLEX Media Server, but am still getting the error “This site does not have a certificate.” when trying to hit PLEX from my QNAP App Center at “https://mtw.myqnapcloud.com:32400/web/index.html#!/”. However, when trying to launch from “https://app.plex.tv/desktop/#!/” I get a valid SSL cert. It seems like the PLEX Media Server on my QNAP NAS is not able to see the cert or has a bad cert of its own? I have a valid SSL cert that is good until Mar 2022 (see screenshots), and it is valid when launching other QNAP apps like Surveillance Station and getting direct access to my NAS via myqnapcloud.com over port 443.

myQNAPcloud QTS Certificate OK1045×479 53.9 KB

PLEX TLS-SSL Handshake Error from work network1304×384 119 KB

Is there a way to troubleshoot this from the command line on the QNAP? I have access, but can’t sudo to root and don’t have a deep enough understanding of the PLEX code to know how to troubleshoot the cert issue from inside of QTS.
The address on my NAS that PLEX is accessed from is 192.168.0.68, standard port 32400. I am not familiar with the IP address you mentioned; 10.250.0.7. I have three friends who share libraries from their PMS. Could it be one of those?

PLEX Media Servers777×643 80.9 KB

Take the certificate,

Export the CRT, KEY, and CA.

From there, recombine them back into a P12 file you can add to Plex as an ancillary cert.

You cannot supersede Plex’s cert with your own. You add your cert to Plex (settings - Server - Network) so it knows about the transition.

ChuckPa, I need to clarify the SSL certificate issue. You mentioned “add your cert to Plex (settings - Server - Network) so it knows about the transition.” There are two thing I need to explain. First, I haven’t tried to install or supercede any cert that PLEX is using. I pay for a QTS SSL certificate through QNAP so that I can access my NAS and remote published applications like Surveillance Station and PLEX using the “MyQNAPcloud Service” over HTTPS. In my case, the common name for my certificate is ‘mtw.myqnapcloud.com’ and it is tied to my QNAP account, not my PLEX account. This certificate is renewed every 3 years and I have never had a problem with any remote access or QNAP hosted applications when renewing the cert. The process for procuring this cert doesn’t require me to generate a .CSR, create a key, etc. so it is a different process than if I had purchased one on my own from a provider like Verisign or DigiCert. (NOTE: I cannot access my PMS at all right now, so I am not able to see any of my PMS settings for network or security via the browser)

Second, no changes have been made to this QTS SSL certificate for more than 2.5 years and I have done nothing on the NAS that should have broken SSL, other than installing the “PlexMediaServer-1.24.5.5173-8dcc73a59-x86_64.qpkg” at about 5:40 PM on 10/27. My PLEX has not worked since that time.

To summarize, ALL of my other QNAP applications, including remote access to the NAS using the mtw.myqnapcloud.com certificate are working fine. I am confident that the QTS SSL certificate itself is fine, but the PLEX application isn’t working with it and I get an error stating that, “mtw.myqnapcloud.com closed the connection - ERR_CONNECTION_CLOSED”. This only started after installing the latest QNAP PLEX.qpkg noted above. When I try to access PMS, the browser tells me it can’t find a certificate for “https://mtw.myqnapcloud.com:32400/web/index.html#!/”, even though the same SSL common name “https://mtw.myqnapcloud.com*” works fine for other apps. I can login to Surveillance Station at “Surveillance Station” just fine (same SSL cert name) and the certificate is OK. I can hit the URL for my QNAP via “http://mtw.myqnapcloud.com/cgi-bin/” and the certificate shows as VALID and HTTPS works (same SSL cert name). All of this is through the QNAP hosted ‘myqnapcloud’ service. The same cert should work for the PLEX service too.

Is there a way for me to “reassociate” my PLEX server to my account so that it re-reads the certificates that are in place? There is no other account associated with my PLEX Media Server. I am trying to get this working again without having to rebuild my entire PMS. The library is extensive and very well organized with a lot of custom meta data, tagging, etc. I have backups (two copies) taken every night, but I would need some hand holding to restore all of that on a clean PMS installation, if it had to come to that. Sorry for the lengthy reply, but the I think the detail is needed to paint a clearer picture of the problem. Thank you.

You can manually sign the server into your account.

Let me know if you’re comfortable with SSH, Nano/Vi, or need the QTS Text Editor app

The screenshots below show a good SSL certificate for mtw.myqnapcloud.com.

mtw.myqnapcloud SSL OK for Surveillance Station875×571 59.9 KB

mtw.myqnapcloud SSL OK for QTS1068×468 90.7 KB

However, when trying to launch PLEX using the same cert, it fails because it can’t complete the TLS handshake due to a missing cert. Are you saying that I need to manually SSH into the QNAP to make some changes with a PLEX certificate file? If so, I am comfortable with SSH and VIM, but not too familiar with the application file system. I will need some hand-holding on what to don once in there.

I am going to write the instructions for you here in this post,

You’ll see it update in a couple minutes.

========================

1. Stop Plex
2. SSH into the NAS as admin (not an administrative user) because you need ‘root’ privilege.
3. cd /share/*/.qpkg/Plex*/Li*/Plex*
4. Using vi, carefully remove the following Name="Value" pairs from “Preferences.xml”

• PlexOnlineUsername
• PlexOnlineMail
• PlexOnlineToken
• PlexOnlineHome (this might not exist – ok if it doesn’t)

5. Save the file
6. Keep the SSH session open, we’ll need it in a moment.
7. Start Plex but do not attempt to access it. It must sit idle
8. In a separate browser tab, open Claim | Plex
9. It will present you with a claim token, COPY that to your browser
10. You now have 5 minutes to complete this next task (token expires)
11. Return to the ssh session
12. curl -X POST 'http://127.0.0.1:32400/myplex/claim?token=PASTE_TOKEN_HERE'
13. It will look like:

curl -X POST  'http://127.0.0.1:32400/myplex/claim?token=claim-xxxxxxxx'

14. Hit enter and let it work. Curl will post that to PMS. PMS will use the token to talk to Plex.tv and get then update the server credentials (Preferences.xml)
15. When it’s complete, you’ll get a whole bunch of “Feature Flags” printed out. This is good news.
16. The server is now again claimed to your account.

ChuckPa, we have made progress! I can see my PLEX server again at https://app.plex.tv/desktop/#!/ and the certificate is good now.

When I try to hit it through the https://mtw.myqnapcloud.com:32400/web/ URL it doesn’t like the new plex.direct cert. It says, " This server couldn’t prove that it’s mtw.myqnapcloud.com ; its security certificate is from *.485633fc16fb45e584803966bae8853b.plex.direct . This may be caused by a misconfiguration or an attacker intercepting your connection." Is there something I can do to get this common name mismatch cleared up? I wasn’t getting this before the issue started on 10/27 and I can’t remember what I may have done to get past this before.
Thank you for your help, I really appreciate it!

NET_ERR_CERT_COMMON_NAME_INVALID877×570 62.6 KB

Now you are seeing what happens when you cross certificates …

It’s triggering a MITM (Man In The Middle) alert which is exactly what should happen.
(originate with one certificate but get a reply with a different certificate)

When you add your mtw.myqnapcloud.com certificate to Plex, the alert will go away because PMS will handle switching back and forth as it should be handled,.

I have a certificate as well. I saw what you’re now seeing on my PMS.

1. Certificate for the host is using our certificates
2. Plex’s certificate is for Plex communication - independent of the host
3. Importing our certificate into Plex allows us to open using our FQDN / routed through the host and then transition to Plex’s certificate without the alarm.

ChuckPa, thank you for the additional insight in your last update, but at this point I think I’ll ignore the mtw.myqnapcloud.com MITM issue. I can live without the PLEX being accessible through that route. I am not sure what is happening here, we were up and running and now the server is not accessible again from https://app.plex.tv/desktop/#!/. I have stopped the PMS, re-enabled debug, and have restarted. The PMS.log is attached.

PMS_Debug_Log_112221.log (418.2 KB)

Would it make sense for me to perform the following steps again?

========================

1. Stop Plex
2. SSH into the NAS as admin (not an administrative user) because you need ‘root’ privilege.
3. cd /share/*/.qpkg/Plex*/Li*/Plex*
4. Using vi, carefully remove the following Name="Value" pairs from “Preferences.xml”

• PlexOnlineUsername
• PlexOnlineMail
• PlexOnlineToken
• PlexOnlineHome (this might not exist – ok if it doesn’t)

5. Save the file
6. Keep the SSH session open, we’ll need it in a moment.
7. Start Plex but do not attempt to access it. It must sit idle
8. In a separate browser tab, open Claim | Plex
9. It will present you with a claim token, COPY that to your browser
10. You now have 5 minutes to complete this next task (token expires)
11. Return to the ssh session
12. curl -X POST 'http://127.0.0.1:32400/myplex/claim?token=PASTE_TOKEN_HERE'
13. It will look like:

curl -X POST  'http://127.0.0.1:32400/myplex/claim?token=claim-xxxxxxxx'

14. Hit enter and let it work. Curl will post that to PMS. PMS will use the token to talk to Plex.tv and get then update the server credentials (Preferences.xml)
15. When it’s complete, you’ll get a whole bunch of “Feature Flags” printed out. This is good news.
16. The server is now again claimed to your account.

========================

Your logs are showing the server as unclaimed.

Yes, perform the procedure again to manually claim.

Be Advised –

1. If you are on the same subnet with it
2. And that subnet is RFC-1918 compliant (which it is)
3. You can continue.

HOWEVER, I found part of your problem.

1. You have both ethernet adapters connected to the same subnet. This is a No-No.

Nov 22, 2021 13:54:55.270 [0x7f00273596e8] DEBUG - Detected primary interface: 192.168.0.68
Nov 22, 2021 13:54:55.270 [0x7f00273596e8] DEBUG - Network interfaces:
Nov 22, 2021 13:54:55.270 [0x7f00273596e8] DEBUG -  * 1 lo (127.0.0.1) (loopback: 1)
Nov 22, 2021 13:54:55.270 [0x7f00273596e8] DEBUG -  * 2 eth1 (192.168.0.145) (loopback: 0)
Nov 22, 2021 13:54:55.270 [0x7f00273596e8] DEBUG -  * 3 eth0 (192.168.0.68) (loopback: 0)

1. Pull eth1 (LAN 2) for now. use only 1 adapter (eth0 - which is the default)
2. Edit the Preferences.xml file
3. Remove the identity info again (but it should unclaimed based on PMS log behavior)
4. Start Plex
5. BEFORE you access the server – SIGN OUT of Plex/web (upper right)
6. Open a new Incognito window
7. In that incognito window - open http://192.168.0.68:32400/web
8. Now go through the process of claiming via the web gui (which includes signing in and accepting the “Got It”.
9. Continue through to the dashboard (don’t change anything along the way)
10. When at the dashboard, Keep that window open —
11. Switch to the other window and verify normal (not incognito) behavior.

After you have authentication & ownership settled, I highly recommend bonding those two adapters to be one . It will grossly simplify the networking layer for you in all regards (certificates and normal plex authentication)

Thank you again ChuckPa! I have claimed the server once again and things are working great. I can’t say for sure why I had to do this again, but I hope it will hold now. I have disabled ETH1 and everything is now using ETH0 per your recommendation. You are a life saver!

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.