Same novice ... different issue

I was able to do the initial setup of Plex on one of our Synology NAS and we have been testing the playback of videos, photos, etc. We installed the pfx version of the cert using the instructions here → Plex/Synology - Custom domain with HTTPS - Imgur and all was fine.

During my first post for another issue, I was told I was running a quite old version of Plex as I installed from Synology Package Center. As a novice to Plex and not wanting to damage what we have accomplished, I contacted Synology support to find out the correct way to update Plex and, in short, they told me to use Plex for that.

We were running 1.29.2.6364-700, have installed the pfx version of our SSLS.com certificate and everything was working nicely … until the update to 1.41.0.8994-70008994.

Now all browsers are throwing privacy errors:
Edge → net::ERR_CERT_COMMON_NAME_INVALID
Chrome → similar but re-directs to app.plex.tv, then back to our URL stating “not secure”

A weird thing we noticed is that when checking the certificate in Edge, we get no reference to our common name or to Sectigo as the issuer but …
image

We have re-produced the pfx, stopped, started, and retyped the “Custom certificate location”, “Custom certificate encryption key” and “Custom certificate domain” with no luck.

Any ideas are appreciated

I looked at your plex.tv account.

It does have the certificate attached to the server.

The plex.direct domain is for PMS ↔ client app communications only.
If you’re getting errors in your logs from specific clients – have the clients force-terminate and restart so they can download the new plex.direct cert.

It’s not something you should be using to access PMS securely.

When you add your own domain’s certificate, did you:

  1. Include the CA, Cert, and Key in the P12 file?
  2. Give that info to PMS (in Network settings)
  3. Give PMS the alternate URL to access your server which references your FQDN?

Chuck: Thanks.

As said, before the update all was good. And yes, CA, Cert and Key were included. Actually, the command used was → pkcs12 -export -out innovateit.pfx -in cert.pem -inkey privkey.pem -certfile chain.pem -name "innovate-it.us"

Network settings look like:

I am not sure as to # 3 though.

Have never looked at the logs … will try to do that.

What do you mean by “It’s not something you should be using to access PMS securely.”? What is it I shouldn’t do?

I downloaded the logs … 103 files … not easy to understand what I should look for.

Again, none of this was happening before updating

And … if you could …
It does have the certificate attached to the server. → How can I see that?
have the clients force-terminate and restart so they can download the new plex.direct cert → How?

Ok … I am ready to give up. I have installed OpenSSL as per Installing OpenSSL for Windows - A Handy Guide (monovm.com)

I have generated the PFX and I always get the error with the certificate showing this:
Installing OpenSSL for Windows - A Handy Guide (monovm.com)
When my NAS certificate shows this:
image

Why is the PFX not showing Sectigo? Now, just for the sake of doing it, I set this ALL FALSE info
image

and the error is exactly the same. So, again, NOVICE here, but it seems to me the server is not able to read the PFX at all.
So where does the PFX need to be placed? Because I am placing it in the same PlexMediaServer folder, as it is the only folder that the Plex system user has R/W over.

For some reason the R10 certificate shown with the error was not loaded into the post
image

Apologies for delay, I’ve been very busy all day and it’s past end of my day.

Could you please restart Plex, give it a few minutes, then download the logs (Plex/web browser → Settings - [server] - Troubleshooting (lower left) - Download Logs).
(PMS will make a ZIP file for you)

Take that file and attach it here.
I’ll go through it.

Chuck: Thanks, and no need to apologize. I appreciate you taking the time to help me.
Logs are attached.
Plex Media Server Logs_2024-10-05_08-14-25.zip (4.1 MB)

Please use these logs
Plex Media Server Logs_2024-10-05_08-29-20.zip (4.1 MB)
instead … I did not restart Plex nor wait a few minutes before.

Chuck: For you to have the scope of our problem. We have 14 customers using Synology Video Station which Synology just removed from DSM 7.2.2. Those 14 NAS must be updated to 7.2.2 for security reasons next week.
We are also using Video Station and we decided to go through the process ourselves, get the minimum familiarization to guide our customers through.
We are against the wall here and we are stuck with the error after the update to a package supplied by Plex for Synology.
I want to roll everything back and I am very familiar with the Synology side, but I do not know what needs to be done to close/erase/remove whatever is needed on Plex’s side so that we can repeat the same steps we did until before the update and move on. I do not want anything left on Plex’s side before restarting, not even usernames, accounts or whatever else is on Plex’s side.
We were forced out of Synology Video Station and the support we had for it into a free Plex with support limited to forums. Again, as novices, we do not know if getting “a pass” also gets us some different level of support.
Please, do not get me wrong. I just do not know better and need to come to a conclusion real fast.

Been literally ALL DAY working on a system.

Rereading your post, it sounds like a much different conversation is needed.
This open forum is not the proper venue.

I will open a PM to you

Thanks, Chuck. Will be attentive.

@phe85

Upper right corner of the forum – Green dot – That’s me :slight_smile:

ALL,

I had a telephone conversation with phe85.

This sounded a lot worse than it was.

The solution was simple:

  1. Create a correct Plex “P12” certificate file with Key, Cert. and CA
  2. Place that P12 where PMS could see it (/PlexMediaServer/Cert/cert.p12)
    – I don’t mind if putting a user cert up here above AppData.
  3. Use openssl to create the P12
  4. Give PMS the path
  5. Tell PMS the domain
  6. Specify the full FQDN URL to access PMS with
  7. Restart PMS.

Chuck,

As novices, we tend to panic a bit. Your knowledge and help were instrumental and appreciated.

Dear Chuck,

First of all, please have a very happy Holidays.

I am trying to help a friend set up his own PMS on his Synology NAS. I have followed all the notes I took from our interaction but I am getting an error:

Dec 09, 2024 20:23:57.282 [139780349119120] DEBUG - [CERT] Subject name is /CN=*.af27584c8b6047149ce24c7442e52f4f.plex.direct
Dec 09, 2024 20:23:57.282 [139780349119120] DEBUG - [CERT] Installed certificate with fingerprint 85:c3:ae:a5:29:00:02:69:67:d2:bb:93:8a:50:79:59:01:5c:c7:a1.
Dec 09, 2024 20:23:57.282 [139780349119120] DEBUG - [CERT/OCSP] Stapling requests will be made to ‘http://r10.o.lencr.org/’.
Dec 09, 2024 20:23:57.282 [139780349119120] INFO - [CERT/OCSP] Successfully retrieved response from cache.
Dec 09, 2024 20:23:57.282 [139780349119120] ERROR - [CERT] PKCS12_parse failed: error:11800071:PKCS12 routines::mac verify failure
Dec 09, 2024 20:23:57.282 [139780349119120] ERROR - [CERT] Found a user-provided certificate, but couldn’t install it.

I exported his *.pem and used the installation of openssl on my desktop PC to generate the P12 and uploaded it to the Cert folder.

What am I doing wrong or missing?

Plex Media Server.log (358.1 KB)

Full Plex Media Server log

This error ?

  1. Make certain to include the CA with the P12 file (not PEM)
  2. Don’t forget the password :wink: or this way :slight_smile:
openssl pkcs12 -export -out mydomain.p12 -inkey mydomain.key -in mydomain.crt -certfile "Acmecert_+O=Let's+Encrypt,+CN=R3,+C=US.crt"
[chuck@lizum cert.2003]$

Notice I include the CA from LE which was used to sign my certificate.
This provides the traceability PMS requires to confirm it’s an authentic certificate.
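
Added example, not part of the posts above and not Plex's own tooling: a shell pre-flight for the P12 described in the solution list (key, cert and CA in one file) and for the PKCS12_parse "mac verify failure" in the log. The function names, file names, domain and password are assumptions made for illustration; the demo material is a constructed throwaway self-signed certificate.

```shell
# Added example: pre-flight checks before pointing PMS at a P12.
# Function names, file names, domain and password are assumptions.

# Same public key in the private key and in the certificate?
key_matches_cert() {  # KEY CERT
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Does the certificate chain to the CA file that goes into the P12?
chain_verifies() {  # CA_FILE CERT
    openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# Is the domain given to PMS named in the certificate?
cert_covers_domain() {  # CERT DOMAIN
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Bundle key, cert and CA as in the thread's command, with an explicit password.
build_p12() {  # KEY CERT CA_FILE OUT PASSWORD
    openssl pkcs12 -export -out "$4" -inkey "$1" -in "$2" \
        -certfile "$3" -passout "pass:$5"
}

# Does the P12 open with this password? OpenSSL reports a mismatch as
# a MAC verification error, the failure PMS logged above.
p12_opens() {  # P12 PASSWORD
    openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1
}

# Run every check in order; print the first failure and return non-zero.
preflight() {  # KEY CERT CA_FILE DOMAIN OUT PASSWORD
    key_matches_cert "$1" "$2"   || { echo "key/cert mismatch"; return 1; }
    chain_verifies "$3" "$2"     || { echo "CA file does not sign cert"; return 2; }
    cert_covers_domain "$2" "$4" || { echo "domain not in cert"; return 3; }
    build_p12 "$1" "$2" "$3" "$5" "$6" || { echo "export failed"; return 4; }
    p12_opens "$5" "$6"          || { echo "P12 does not open"; return 5; }
    echo "ok"
}

# Constructed demo: throwaway self-signed cert acting as its own CA.
demo() {
    d=$(mktemp -d) && openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=media.example.test" -keyout "$d/k.pem" -out "$d/c.pem" 2>/dev/null
    preflight "$d/k.pem" "$d/c.pem" "$d/c.pem" media.example.test "$d/o.p12" 'example-pass'
}
```

Call demo to run it on the throwaway material, or preflight with the real privkey.pem, cert.pem and chain.pem. The pass: form puts the password on the command line; openssl also accepts env: and file: sources, which keep it out of the process list.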

Thanks Chuck.
This is what I did based on our conversation for my NAS:
openssl pkcs12 -export -out innovateit.p12 -in cert.pem -inkey privkey.pem -certfile chain.pem

The only thing different in what I did for him was that every PEM is coming from his certificate and, of course, the out name. My cert and his are issued by ssls.com/SECTIGO

I can send you the file if need be.