Secure Remote Access/SSL Cert Problem

Server Version#: 1.21.3.4014
Player Version#: N/A
Hi all,

I’ve put this same question to r/plex on Reddit in case it seems familiar to someone

I’m at a loss here. I really don’t know what else to do, and my google skills seemed to have tapped out.

Currently running Plex 1.21.3.4014 on Ubuntu 20.04 LTS (I know, not the latest version of Plex, but the headache I’ve gone through to get HDR tone mapping to work on this version makes me reluctant to upgrade at this point)

My file store is a QNAP NAS that I recently had to rebuild. I lost a drive, had to get it replaced, and rebuild the array. This morning, it (finally) finished, and all my files are back where they should be. I’ve verified the mounted cifs shares are there, Plex is up, and everything plays fine. Locally.

Remote access wasn’t working, though. After lots of trial and error, I found that after disabling secure connections (which has always been set to “Preferred”), the remote access came right back. So the problem seems to be isolated to some point in the certificate chain…? Right now, with secure connections set to “Disabled,” remote access is working fine, verified with a remote user, as well as my own cell phone off the wifi.

I know precisely jack squat about SSL, so this is where I’m lost. The logs on the server show a few instances of the below error today during the time I was troubleshooting, which I can see might be a symptom, but I have no idea where else to go from here, or even if I’m just chasing my tail at this point.

May 23, 2021 12:51:01.249 [0x7f61f77fe700] WARN - HTTP error requesting GET https://<local_ip_of_server>.d6c52eb88cc340629be6fa70e3579303.plex.direct:32400 (60, SSL peer certificate or SSH remote key was not OK) (SSL certificate problem: unable to get local issuer certificate)

I have made zero changes to my Plex/Ubuntu config since the NAS went. There are pending updates (including the aforementioned Plex), but I have not applied them. The only thing I did between when the NAS went offline and now was stop the Plex service (in case the library decided to randomly do anything ■■■■■■ while the file store was unavailable). The only other difference between then and now is that music files didn’t make it to the new NAS, so there was a library that had no files anymore. Multiple restarts of both the Plex service and the entire host have yielded no changes. I’ve verified that all the required ports and protocols are properly open with UFW on the system, including 80/443.

I have a pihole in my network that does dns, but not dhcp. The Plex server is configured manually and bypasses it and goes to 1.1.1.1 and 8.8.8.8 directly. I’ve verified that there are no entries for requests for the Plex host in pihole. The one thing I haven’t done is put the server into pihole, but it’s configured to use Cloudflare, which is the first name server in the Plex host network config anyway. Reading the support article about using secure connections makes me think a dns rebinding issue is probably not my problem, but I’m not sure how to confirm that.

I have had remote users playing with no complaints before this entire episode, so although I can’t verify absolutely that this wasn’t happening before, I’m taking the “no news was good news” approach to assuming that this is a new problem.

Any assistance/suggestions/admonishments you could throw my way would be greatly appreciated

May I see more of the logs please? That singular snippet isn’t enough.
I would prefer the entire log file which contains that startup sequence.

I checked the server’s certificate and it is valid (Generated) as of 20-May-2021

Sure thing. They’re attached. Thanks 🙂

I should add, the system time was verified as correct and configured to auto update. There is no security software installed - it’s a barebones LTS server with no additional security software installed, no vpn functionality installed or configured, and no network proxy info configured. Nothing beyond the basic packages required for remote file sharing (with the library files being on a separate NAS), and Plex functionality.

Plex Media Server Logs_2021-05-23_20-02-47.zip (4.3 MB)

Shoot that’s not quite true. Speedtest and Tautulli are installed, with all the required packages to go with them

Thank you for that.

In examining the file, I see PMS is fully up and running HTTPS to Plex.tv

Here, you see:

  1. Installing the certificate it has
  2. Found it to be insufficient (which is normal for startup)
  3. Went out and got a new key from plex.tv (which I see your account has ready)
  4. Pinning the cert and setting letsencrypt as the CA.
  5. Installing and running normally from here on.

May 23, 2021 14:17:06.379 [0x7fd33965f100] DEBUG - Running migrations. (EPG 0)
May 23, 2021 14:17:06.387 [0x7fd33965f100] DEBUG - ChangestampAllocator: initialized to 3299864
May 23, 2021 14:17:06.387 [0x7fd33965f100] DEBUG - Opening 2 database sessions to library (com.plexapp.plugins.library.blobs), SQLite 3.26.0, threadsafe=1
May 23, 2021 14:17:06.389 [0x7fd33965f100] DEBUG - Running migrations. (EPG 0)
May 23, 2021 14:17:06.410 [0x7fd33965f100] DEBUG - [CERT] Installed certificate with fingerprint 95:e5:e5:26:89:94:dd:e5:29:cd:fb:ab:d5:9f:66:6f:f0:ab:46:5c.
May 23, 2021 14:17:06.410 [0x7fd33965f100] DEBUG - [CERT] Installed new private key.
May 23, 2021 14:17:06.410 [0x7fd33965f100] DEBUG - [CERT] Subject name is /CN=*.1ec67d56168648c8b3dc8edf94585d6c.plex.direct
May 23, 2021 14:17:06.410 [0x7fd33965f100] DEBUG - [CERT/OCSP] Stapling requests will be made to 'http://r3.o.lencr.org/'.
May 23, 2021 14:17:06.410 [0x7fd33965f100] INFO - [CERT/OCSP] No relevant response in cache.
May 23, 2021 14:17:06.410 [0x7fd33965f100] INFO - [CERT/OCSP] Couldn't install the cached response; fetching from network.
May 23, 2021 14:17:06.410 [0x7fd33965f100] DEBUG - [CERT] Installed intermediate certificate.
May 23, 2021 14:17:06.410 [0x7fd33965f100] DEBUG - HttpServer: Listening on port 32400.
May 23, 2021 14:17:06.410 [0x7fd330b6e700] DEBUG - MyPlex: mapping state set to 'Unknown'.
May 23, 2021 14:17:06.410 [0x7fd33965f100] DEBUG - HttpServer: Listening on port 32401.
May 23, 2021 14:17:06.411 [0x7fd330b6e700] DEBUG - Relay: read 53 cached entries from hosts file
May 23, 2021 14:17:06.411 [0x7fd330b6e700] DEBUG - [CERT/OCSP] HTTP requesting GET http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUebRZ5nu25eQBc4AIiMgaWPbpm24CEgPweh3af4wnoe4N4NKB4h6Wog%3D%3D
May 23, 2021 14:17:06.414 [0x7fd32a7fc700] DEBUG - Grabber: Cleaning up orphaned grabs.
May 23, 2021 14:17:06.415 [0x7fd33965f100] DEBUG - Media Provider: Registering provider com.plexapp.plugins.library
May 23, 2021 14:17:06.415 [0x7fd33965f100] DEBUG - Auth: Refreshing tokens inside the token-based authentication filter.
May 23, 2021 14:17:06.415 [0x7fd33965f100] DEBUG - MyPlex: using cached data for request for https://plex.tv/api/v2/server/access_tokens?auth_token=xxxxxxxxxxxxxxxxxxxx
May 23, 2021 14:17:06.415 [0x7fd329ffb700] DEBUG - HTTP requesting GET https://plex.tv/media/providers?X-Plex-Token=xxxxxxxxxxxxxxxxxxxx
May 23, 2021 14:17:06.415 [0x7fd33965f100] DEBUG - MyPlex: updating with 14 access tokens
May 23, 2021 14:17:06.415 [0x7fd32a7fc700] DEBUG - Grabber: Cleaned up 0 decrepit directories in 0.0 sec.
May 23, 2021 14:17:06.415 [0x7fd33965f100] DEBUG - MyPlex: using cached data for request for https://plex.tv/api/v2/server/users?auth_token=xxxxxxxxxxxxxxxxxxxx
May 23, 2021 14:17:06.416 [0x7fd33965f100] DEBUG - MyPlex: using cached data for request for https://plex.tv/api/v2/server/users/subscriptions?auth_token=xxxxxxxxxxxxxxxxxxxx
May 23, 2021 14:17:06.416 [0x7fd319ffb700] DEBUG - Auth: Refreshing tokens inside the token-based authentication filter.
May 23, 2021 14:17:06.416 [0x7fd319ffb700] DEBUG - HTTP requesting GET https://plex.tv/api/v2/server/access_tokens?auth_token=xxxxxxxxxxxxxxxxxxxx
May 23, 2021 14:17:06.416 [0x7fd33965f100] DEBUG - Opening 1 database sessions to library (), SQLite 3.26.0, threadsafe=1
May 23, 2021 14:17:06.417 [0x7fd2f3fff700] DEBUG - File "/usr/lib/plexmediaserver/Resources/Plug-ins-58bd20c02" changed: -1 => 2021-02-08 11:26:44 (1612808804).
May 23, 2021 14:17:06.417 [0x7fd2f3fff700] DEBUG - File "/var/lib/plexmediaserver/Library/Application Support/Plex Media Server/Plug-ins" changed: -1 => 2020-03-21 22:59:23 (1584853163).
May 23, 2021 14:17:06.417 [0x7fd2f3fff700] DEBUG - Scanning for plug-ins in "/usr/lib/plexmediaserver/Resources/Plug-ins-58bd20c02"
May 23, 2021 14:17:06.424 [0x7fd2f3fff700] DEBUG - Scanning for plug-ins in "/var/lib/plexmediaserver/Library/Application Support/Plex Media Server/Plug-ins"
May 23, 2021 14:17:06.424 [0x7fd2f3fff700] DEBUG - PluginRepository::setStartState: 1, startingSystem
May 23, 2021 14:17:06.424 [0x7fd2f3fff700] DEBUG - Starting plug-in /usr/lib/plexmediaserver/Resources/Plug-ins-58bd20c02/System.bundle.
May 23, 2021 14:17:06.424 [0x7fd2f3fff700] DEBUG - [com.plexapp.system] Setting plug-in to always running (daemon mode).
May 23, 2021 14:17:06.425 [0x7fd2f3fff700] DEBUG - Starting file watcher for com.plexapp.system
May 23, 2021 14:17:06.425 [0x7fd2f3fff700] DEBUG - Spawned plug-in com.plexapp.system with PID 921
May 23, 2021 14:17:06.425 [0x7fd2f3fff700] DEBUG - [com.plexapp.system] Sending command: GET /:/prefixes
May 23, 2021 14:17:07.481 [0x7fd2f3fff700] DEBUG - Reading 486 bytes in the body, code is 200
May 23, 2021 14:17:07.481 [0x7fd2f3fff700] DEBUG - [com.plexapp.system] Plug-in running on port 46331.
May 23, 2021 14:17:07.481 [0x7fd2f3fff700] DEBUG -  * Plug-in handles prefix: /system
May 23, 2021 14:17:07.481 [0x7fd2f3fff700] DEBUG -  * Plug-in handles prefix: /player
May 23, 2021 14:17:07.481 [0x7fd2f3fff700] DEBUG - Read configuration for [com.plexapp.system], had 2 prefixes
May 23, 2021 14:17:07.481 [0x7fd2f3fff700] DEBUG - Done with 1 synchronous plug-in starts, starting the rest in parallel.
May 23, 2021 14:17:07.481 [0x7fd2f3fff700] DEBUG - PluginRepository::setStartState: 2, startingPlugins
May 23, 2021 14:17:07.481 [0x7fd2f3fff700] DEBUG - Updating the list of agents known by the system.
May 23, 2021 14:17:07.481 [0x7fd2f3fff700] DEBUG - [com.plexapp.system] Sending command over HTTP (GET): /system/agents
May 23, 2021 14:17:07.481 [0x7fd2f3fff700] DEBUG - HTTP requesting GET http://127.0.0.1:46331/system/agents
May 23, 2021 14:17:07.481 [0x7fd33965f100] DEBUG - Image transcode cache directory: "/var/lib/plexmediaserver/Library/Application Support/Plex Media Server/Cache/PhotoTranscoder"
May 23, 2021 14:17:07.481 [0x7fd33965f100] DEBUG - Transcoder: Cleaning old transcode directories.
May 23, 2021 14:17:07.483 [0x7fd33965f100] DEBUG - MyPlex: using cached data for request for https://plex.tv/api/v2/server/access_tokens?auth_token=xxxxxxxxxxxxxxxxxxxx
May 23, 2021 14:17:07.483 [0x7fd33965f100] DEBUG - MyPlex: updating with 14 access tokens
May 23, 2021 14:17:07.483 [0x7fd33965f100] DEBUG - MyPlex: using cached data for request for https://plex.tv/api/v2/server/users?auth_token=xxxxxxxxxxxxxxxxxxxx
May 23, 2021 14:17:07.483 [0x7fd33965f100] DEBUG - MyPlex: using cached data for request for https://plex.tv/api/v2/server/users/subscriptions?auth_token=xxxxxxxxxxxxxxxxxxxx
May 23, 2021 14:17:07.484 [0x7fd33965f100] DEBUG - MyPlex: using cached data for request for https://plex.tv/api/v2/user?includeSubscriptions=1&includeProviders=1
May 23, 2021 14:17:07.484 [0x7fd33965f100] DEBUG - MyPlex: username is thumper_spot, login is dlake@lake.ca, home is 0, no pin
May 23, 2021 14:17:07.484 [0x7fd33965f100] DEBUG - MyPlex: start public ip check and mapping - current mapped state: 'Unknown'.
May 23, 2021 14:17:07.484 [0x7fd33965f100] DEBUG - MyPlex: mapping state set to 'Not Mapped'.
May 23, 2021 14:17:07.484 [0x7fd33965f100] DEBUG - PublicAddressManager: Starting.
May 23, 2021 14:17:07.484 [0x7fd33965f100] DEBUG - PublicAddressManager: Obtaining public address and mapping port.
May 23, 2021 14:17:07.484 [0x7fd33965f100] DEBUG - NetworkInterface: Starting watch thread.
May 23, 2021 14:17:07.484 [0x7fd33965f100] DEBUG - Network change.
May 23, 2021 14:17:07.484 [0x7fd33965f100] DEBUG - NetworkInterface: Notified of network changed (force=0)
May 23, 2021 14:17:07.484 [0x7fd2f1ffb700] DEBUG - HTTP requesting GET https://plex.tv/api/v2/user?includeSubscriptions=1&includeProviders=1
May 23, 2021 14:17:07.484 [0x7fd2f17fa700] DEBUG - NetworkInterface: Watching for changes on the interfaces.
May 23, 2021 14:17:07.484 [0x7fd31bfff700] DEBUG - PublicAddressManager: Obtaining public IP.
May 23, 2021 14:17:07.484 [0x7fd31bfff700] DEBUG - HTTP requesting GET http://plex.tv/pms/:/ip
May 23, 2021 14:17:07.485 [0x7fd33965f100] DEBUG - Detected primary interface: 192.168.1.67
May 23, 2021 14:17:07.485 [0x7fd33965f100] DEBUG - Network interfaces:
May 23, 2021 14:17:07.485 [0x7fd33965f100] DEBUG -  * 1 lo (127.0.0.1) (loopback: 1)
May 23, 2021 14:17:07.485 [0x7fd33965f100] DEBUG -  * 2 enp1s0 (192.168.1.67) (loopback: 0)

What does bother me is why it’s not using, what should already exist, a cached certificate.

Is this all running as user plex:plex? Have you customized your local installation in any way?

To confirm please: The issue is with your certificate or with Plex’s?
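
Added example, not part of the original thread or of Plex's own tooling: a small triage script for logs in the layout quoted above. It pulls out the `[CERT]` install events and every curl error 60 (peer certificate verification failed), and marks whether each failing hostname falls under the server's own wildcard subject. The sample log, its hostnames and fingerprint are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the Plex Media Server log layout quoted in this thread;
# hostnames, fingerprint and thread ids are made up.
SAMPLE_LOG = """\
May 23, 2021 14:17:06.410 [0x7f0000000100] DEBUG - [CERT] Installed certificate with fingerprint aa:bb:cc:dd.
May 23, 2021 14:17:06.410 [0x7f0000000100] DEBUG - [CERT] Subject name is /CN=*.0123456789abcdef0123456789abcdef.plex.direct
May 23, 2021 14:17:06.410 [0x7f0000000100] DEBUG - [CERT] Installed intermediate certificate.
May 23, 2021 14:20:01.249 [0x7f0000000700] WARN - HTTP error requesting GET https://10-0-0-5.0123456789abcdef0123456789abcdef.plex.direct:32400 (60, SSL peer certificate or SSH remote key was not OK) (SSL certificate problem: unable to get local issuer certificate)
May 23, 2021 14:21:07.100 [0x7f0000000700] WARN - HTTP error requesting GET https://10-0-0-9.fedcba9876543210fedcba9876543210.plex.direct:32400 (60, SSL peer certificate or SSH remote key was not OK) (SSL certificate problem: unable to get local issuer certificate)
"""

LINE = re.compile(r"^(\w{3} \d{1,2}, \d{4} [\d:.]+) \[(0x[0-9a-f]+)\] (\w+) - (.*)$")
SUBJECT = re.compile(r"\[CERT\] Subject name is /CN=(\S+)")
INTERMEDIATE = "[CERT] Installed intermediate certificate."
TLS_ERR = re.compile(r"HTTP error requesting \w+ (\S+) \((\d+), [^)]*\) \((.*)\)$")

def wildcard_match(pattern, host):
    """Match a single-label wildcard such as *.<id>.plex.direct against a host."""
    if not pattern.startswith("*."):
        return pattern.lower() == host.lower()
    label, _, rest = host.partition(".")
    return bool(label) and rest.lower() == pattern[2:].lower()

def summarize(log_text):
    """Return the installed cert subject, whether an intermediate was loaded,
    and each code-60 failure flagged as own-certificate or other peer."""
    report = {"subject": None, "intermediate": False, "failures": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the timestamped layout
        when, _thread, _level, msg = m.groups()
        if (s := SUBJECT.search(msg)):
            report["subject"] = s.group(1)
        elif msg == INTERMEDIATE:
            report["intermediate"] = True
        elif (e := TLS_ERR.search(msg)) and e.group(2) == "60":
            host = urlsplit(e.group(1)).hostname
            own = bool(report["subject"]) and wildcard_match(report["subject"], host)
            report["failures"].append({"time": when, "host": host, "reason": e.group(3), "own_cert": own})
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A failure with `own_cert` set means the server could not build a trusted chain for a name covered by its own certificate, which points at the local CA store or the served chain; a failure for any other name concerns a different peer.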

Hi Chuck,

Thanks for looking into this. Interesting that nothing appears to be an obvious problem. To answer your questions, yes, it appears everything is running under plex:plex

I have not made any customizations to the local installation in any way. The only time I’ve ever been into the files is to pull an rsync copy of the data directory. I did that once a few months ago. Other than that, Tautulli is running under its own user and group (not related to Plex directly, but it’s the only other really substantial piece of software that’s running on the box)

Oh? You pulled a copy of the Library structure?

Did you update all the ownerships?

sudo chown -R plex:plex /var/lib/plexmediaserver

That would explain why I’m seeing it asking for a fresh copy instead of using what should be stored locally already.

After the above completes, restart Plex.

I did the chown and tried again, but it gave me the same result

New logs are attached, after restarting the Plex service (in case you want to see if anything is different)

Plex Media Server Logs_2021-05-23_22-11-49.zip (3.4 MB)

Can we clarify the wording of this thread please?

Do you have:

  1. Problems with Remote Access

-or-

  2. SSL connections

All remote is SSL. Secure Connections control is for LAN

Ok maybe I’m not understanding something about how this all works.

Libraries are shared with other Plex users who have their own accounts, and are external to myself (ie. not living with me/on my same network)

When “Secure Connections” under Settings → Network is set to “Preferred” or “Required,” Remote Access in Settings → Remote Access is “unavailable outside your network.” During this time, local access (myself, inside the local network with multiple clients, including Infuse and Plex for iOS and Plex Web on MacOS) works fine. External users who have my libraries shared to them can not see my server in their Plex clients. It says my server is not accessible.

When “Secure Connections” is set to “Disabled,” remote access is now “Fully accessible outside your network,” local access to play videos works fine, same as above, and external users can access my server through their own Plex clients. Remote access is enabled through a manually-specified port, 32400. The port is properly forwarded on my router, and enabled in ufw on the Plex host.

I would answer your question directly with “2. SSL connections,” but honestly, I’m not sure what you mean by “All remote is SSL. Secure Connections control is for LAN.” My admitted ignorance on the topic makes me not understand why secure connections are for the LAN when it’s Internet traffic (in the form of external users and remote access) that should be secured before non-routable LAN traffic.

I may not be writing as clearly as I should be either. I apologize as the hour is late here.

I’m going to send you a PM so we can discuss some private information.
