I’m hosting my plex server behind traefik utilizing a Let’s Encrypt wild card certificate, when switching. In traefik it’s possible to use the preferredChain* setting to get a certificate from a specific chain, ISRG Root X1/ISRG Root X2 (the new one) - when using a certificate from the X2 the Android app is unable to connect remotely. Connecting with browser on the same Android device works with issues.
I’ve verified that switching traefik back to using X1 chain restores remote connectivity.
Relevant settings for reproduction of the issue:
Remote access disabled in plex
In plex network settings:
Traefik certificate resolvers:
certificatesResolvers:
  letsencrypt:
    acme:
      email: email@example.com
      preferredChain: 'ISRG Root X2'
      storage: /etc/traefik/acme.json
      keyType: 'EC256'
      dnsChallenge:
        provider: cloudflare
        # Used to make sure the DNS challenge is propagated to the right DNS servers
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
I don’t think Plex will work with a wildcard certificate. Plex needs the certificate to be associated to a specific domain (IIRC matching that of the custom server access url).
The domain name being used for the custom certificate. It will be published to plex.tv using the port you currently have mapped under Settings > Server > Remote Access. The domain name must match a name in the custom certificate file.
Using a wildcard certificate works without issue. It is running with plex.domain.com and a wildcard cert for *.domain.com right now. It’s only when specifying the preferred chain to use the new let’s encrypt root ca (x2) there is an issue.
Plex’s own solution used wild card certificates for the plex.direct domain, and I’ve also successfully tested it with my own custom domain wildcard certificate.