Server Version#: 1.32.8.7639
Player Version#: 10.5.0.4996
Hi, I’m publishing my PMS through HAProxy on my pfSense firewall, and I’m using a certificate generated from its custom CA. When I open the Plex app on my phone, I get the following errors in the HAProxy log:
You can only use certificates which are “trusted” by the various devices and web browsers which are used as Plex clients. It is near impossible to upload a custom certificate to e.g. a TV device and similarly closed app ecosystems.
Which means that you cannot use self-signed certificates. You will have to use a proper certificate, like LetsEncrypt or one of the commercial ones. And it has to be made for your custom domain name.
Pretty sure. Enable the debug logs of the Plex app and inspect them after trying to contact the server. Certificate errors will certainly show up in there.
Make sure you did put your custom FQDN into the settings of your server, as per my above link. As far as I can see, you didn’t do that yet.
Keep in mind that doing so only solves this for this device. As soon as you want to use an additional device, you’ll have to do it again. Some device types don’t allow this at all. And things will quickly become almost unmanageable if you start sharing your media with other people.
Is there anything more I can do to troubleshoot the issue? In any case, Chrome doesn’t show the certificate alert while Plex still gives SSL handshake failure errors… This makes me think that the Plex app has its own certificates db…
As posted already, the Plex app may not use (you have proven here that it does not) the system certificate store. It’s a limitation of a number of frameworks/languages for now (for example, Dart/Flutter uses a static certificate store and DOES NOT use the system store). The only solution is that you get an official certificate for your domain. I do the same, using HAProxy with a wildcard certificate for my domain (in this case Let’s Encrypt with DNS challenge). For that I configured certbot, which will issue the certificate automatically and then restart HAProxy. With that, even apps with a static cert store can verify the certificate.
I am sure, if they don’t add a possibility to add custom certs to your Plex app, this will not work with custom root CAs for now.
Either you get yourself an official certificate for your domain or you have to live with the fact that the Plex app (iOS or Android) will not work and you use the browser. I don’t see any more options here.
Well, wouldn’t it be possible to have an option instead, to accept invalid certificates, as lots of other apps do? It would be so much more convenient!
That’s maybe true, but there is nothing you or I can do; we can just use official certificates for that, and if you already have a domain and an HAProxy running, just issue a free official certificate…
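The automation described in the replies above (certbot renews the certificate, then HAProxy picks it up), sketched as a certbot deploy hook. This is an added example, not code posted by anyone in the thread; the directory `/etc/haproxy/certs`, the `systemctl` reload and the function name `build_haproxy_pem` are assumptions about a Linux host.

```shell
#!/bin/sh
# Added example: certbot deploy hook that hands a renewed certificate to HAProxy.
# certbot exports RENEWED_LINEAGE (the live/<name> directory) to deploy hooks.
# Assumed: HAProxy loads certificates from this directory via its "crt" option.
HAPROXY_CERT_DIR="${HAPROXY_CERT_DIR:-/etc/haproxy/certs}"

# build_haproxy_pem LINEAGE_DIR OUT_FILE
# HAProxy expects the certificate chain and the private key in one PEM file.
build_haproxy_pem() {
    lineage="$1"; out="$2"
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || {
        echo "missing fullchain.pem or privkey.pem in $lineage" >&2
        return 1
    }
    # Refuse inputs that are not PEM, so a bad file never replaces a good one.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$lineage/fullchain.pem" || return 1
    grep -q -e 'PRIVATE KEY-----' "$lineage/privkey.pem" || return 1

    # mktemp creates the file with mode 0600, so the key is never world-readable.
    tmp="$(mktemp "$out.XXXXXX")" || return 1
    cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp" || {
        rm -f "$tmp"
        return 1
    }
    chmod 600 "$tmp"
    # Rename within the same directory: HAProxy never sees a half-written file.
    mv -f "$tmp" "$out"
}

# Runs only when certbot invokes the script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    name="$(basename "$RENEWED_LINEAGE")"
    build_haproxy_pem "$RENEWED_LINEAGE" "$HAPROXY_CERT_DIR/$name.pem" || exit 1
    # Validate the configuration first so a broken cert does not take the proxy down.
    haproxy -c -f /etc/haproxy/haproxy.cfg && systemctl reload haproxy
fi
```

The script can be passed to certbot with `--deploy-hook` or placed in `/etc/letsencrypt/renewal-hooks/deploy/`, so it runs only after a successful renewal.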