[Solved] Unable to add a custom SSL certificate

Server Version#: 1.24.5.5160
Player Version#: 4.68.0

I have set a .p12 file in the Custom certificate location, and the Custom certificate encryption key, as well as ensured that the domain I am adding is included in the certificate file. I have also ensured plex has ownership over these files.

In addition, I tested the certificate to validate in Nginx and it was added/validated without issue.

The only real logs I see about this are:
Oct 22, 2021 07:57:01.109 [0x7fe735634b38] Debug — CERT: incomplete TLS handshake from x.x.x.x: stream truncated
Oct 22, 2021 07:57:01.663 [0x7fe735634b38] Debug — CERT: incomplete TLS handshake from x.x.x.x: stream truncated

Not sure how to troubleshoot this further, I've tried many things from the cert end.

Any help would be greatly appreciated.

@SomethingElse

I looked at your account.

You had two certificates in there; one dangling from pre-Sept 30.

I removed both.

Restart the server and see if that clears up the base PMS certificate.
( You will see PMS fetch a new Plex certificate as it starts )

Hey @ChuckPa ,

The goal here is not to use the plex Lets Encrypt cert, its to move to my custom Comodo cert.

Checking after restart and requests to my Custom certificate domain are still failing.

Thanks for your help.

  1. PMS and all the apps will always use Plex’s certificate for PMS-Plex.tv communication. That is not changeable

  2. When you add your P12 to PMS, three pieces are required and verified before PMS will accept your certificate.

  • Contains Key
  • Contains CRT
  • Contains Intermediate CA (PMS will validate against that required CA)
  3. You lastly add the custom access URL which is your FQDN, in the “Custom Access URL” field.

All you get by adding your certificate is certification (identification) that the initial contact to your server’s access URL is who the URL claims it to be.

PMS will switch back and forth as needed between the certificates but all remote apps will still use Plex’s cert for communication with Plex.tv

@ChuckPa Thank you for the information.

To clarify, my main goal is to remove the *.plex.direct connections over Let's Encrypt as they are causing issues.

I will confirm the instructions above.

I have now confirmed the above:

My .p12 now contains the full chain, CRT, Key & I have added my custom access URL as my FQDN.

Checking the logs now, in addition to the SSL errors I was getting above I’m getting:

CERT: Already refreshed certificate today, not refreshing again

What are the plex.direct errors?

These are not usually certificate-rooted errors but DNS rebinding errors.

Can you show me what you’re seeing please ?
(seeing the full logs ZIP file, from startup → first 3 minutes is most helpful --DEBUG , not VERBOSE logging)

The errors with *plex.direct are related to the CA expiry in lets encrypt: DST Root CA X3 Expiration (September 2021) - Let's Encrypt

I’m hoping by adding my own Comodo SSL I can restore functionality on Samsung & LG WebOS that have not updated to support the new lets encrypt root CA.

attached logs:

If you’re having that error then, respectfully, it’s on your end now with your cert.

I have reset your Plex certs as I previously stated.

Valid	Fri, 22 Oct 2021 16:07:47 +0000	Fri, 22 Oct 2021 16:08:03 +0000

Has the PMS host been restarted since reset ?
Is there a cache involved?

As supplemental, I use LE for my cert. My automation also downloads their CA when updating the cert for my machine.

[chuck@lizum cert.2003]$ cat Make-p12 
openssl pkcs12 -export -out MyDomain.p12 -inkey MyDomain-production.key -in MyDomain-production.crt -certfile "Acmecert_+O=Let's+Encrypt,+CN=R3,+C=US.crt"
[chuck@lizum cert.2004]$

Has your R3 CA expired?

@ChuckPa The issue is that when the LE root cert expired, old devices were not updated to support the new root cert.

It turned out my issue with installing my custom cert was misunderstanding that "Custom certificate encryption key" does not refer to my cert's private key as it would normally when installing an SSL, but is in fact a token created during SSL creation using the plex machineID. More on this here: How to Use Self-signed SSL Certificates for Plex Media Server | hobo.house

After reading the guide (skipping everything LE related), and making some tweaks to the script, I was able to get my Sectigo cert running properly, and now traffic is no longer being routed through plex.direct and is using my custom domain.
