SSL Cert Warning with wrong SNI name

Server Version#: 1.24.5.5173-8dcc73a59
Player Version#: app.plex.tv 4.68.0 on Firefox

After doing cleanup (removed cache from agents and ended up also removing Preferences.xml) I have a lot of logs stating that I have the wrong SNI name as follows:

Oct 27, 2021 13:28:54.146 [0x7ff0255deb38] WARN - [CERT] TLS connection from [::ffff:192.168.1.9]:39580 came in with unrecognized plex.direct SNI name '192-168-1-9.d7ede18c3ab140f1964a21e4966c632c.plex.direct'; using installed plex.direct cert
Oct 27, 2021 13:28:54.176 [0x7ff0255deb38] WARN - [CERT] TLS connection from [::ffff:192.168.1.9]:39582 came in with unrecognized plex.direct SNI name '192-168-1-9.d7ede18c3ab140f1964a21e4966c632c.plex.direct'; using installed plex.direct cert
Oct 27, 2021 13:29:24.211 [0x7ff0255deb38] WARN - [CERT] TLS connection from [::ffff:192.168.1.9]:39584 came in with unrecognized plex.direct SNI name '192-168-1-9.d7ede18c3ab140f1964a21e4966c632c.plex.direct'; using installed plex.direct cert
Oct 27, 2021 13:29:24.239 [0x7ff0255bbb38] WARN - [CERT] TLS connection from [::ffff:192.168.1.9]:39586 came in with unrecognized plex.direct SNI name '192-168-1-9.d7ede18c3ab140f1964a21e4966c632c.plex.direct'; using installed plex.direct cert
Oct 27, 2021 13:29:54.447 [0x7ff0255bbb38] WARN - [CERT] TLS connection from [::ffff:192.168.1.9]:39588 came in with unrecognized plex.direct SNI name '192-168-1-9.d7ede18c3ab140f1964a21e4966c632c.plex.direct'; using installed plex.direct cert
Oct 27, 2021 13:29:54.477 [0x7ff0255bbb38] WARN - [CERT] TLS connection from [::ffff:192.168.1.9]:39590 came in with unrecognized plex.direct SNI name '192-168-1-9.d7ede18c3ab140f1964a21e4966c632c.plex.direct'; using installed plex.direct cert

I think the certificate and redirection from the outside is botched on plex.tv proxy servers. Is there any way I can restore, or re-issue the certificate? It seems like I’m also getting other unauthorized users trying to connect to my place.

Thank you in advance,
m

You did indeed botch up your certificate.

Valid	Wed, 27 Oct 2021 20:08:15 +0000	Wed, 27 Oct 2021 20:08:29 +0000

I have reset it.

The current certificate validity is now:

Valid	Wed, 27 Oct 2021 21:06:16 +0000	Wed, 27 Oct 2021 21:06:28 +0000

Restart the server


So restarted the server, but I still got the same message? :frowning:

What I did:

service plexmediaserver stop

tail /var/lib/plexmediaserver/Library/Application\ Support/Plex\ Media\ Server/Logs/Plex\ Media\ Server.log

Oct 27, 2021 16:42:05.128 [0x7fc976e0fb38] WARN - NAT: PMP, timed out waiting for response.
Oct 27, 2021 16:42:19.188 [0x7fc974d28b38] WARN - [CERT] TLS connection from [::ffff:192.168.1.9]:52498 came in with unrecognized plex.direct SNI name '192-168-1-9.d7ede18c3ab140f1964a21e4966c632c.plex.direct'; using installed plex.direct cert
Oct 27, 2021 16:42:19.215 [0x7fc974d28b38] WARN - [CERT] TLS connection from [::ffff:192.168.1.9]:52500 came in with unrecognized plex.direct SNI name '192-168-1-9.d7ede18c3ab140f1964a21e4966c632c.plex.direct'; using installed plex.direct cert
Oct 27, 2021 16:42:49.246 [0x7fc974d28b38] WARN - [CERT] TLS connection from [::ffff:192.168.1.9]:52502 came in with unrecognized plex.direct SNI name '192-168-1-9.d7ede18c3ab140f1964a21e4966c632c.plex.direct'; using installed plex.direct cert
Oct 27, 2021 16:42:49.276 [0x7fc974d05b38] WARN - [CERT] TLS connection from [::ffff:192.168.1.9]:52504 came in with unrecognized plex.direct SNI name '192-168-1-9.d7ede18c3ab140f1964a21e4966c632c.plex.direct'; using installed plex.direct cert
Oct 27, 2021 16:42:58.951 [0x7fc9776edb38] WARN - JobManager: Could not find job for handle 14675
Oct 27, 2021 16:42:58.962 [0x7fc9776edb38] WARN - JobManager: Could not find job for handle 14469
Oct 27, 2021 16:42:58.980 [0x7fc9776edb38] WARN - JobManager: Could not find job for handle 14563
Oct 27, 2021 16:42:58.980 [0x7fc9776edb38] WARN - JobManager: Could not find job for handle 14565
Oct 27, 2021 16:42:59.051 [0x7fc97ad6b6e8] INFO - Killing process: Plex Relay (pid: 14818)

Then waited for a bit and did the restart:

sleep 120 ; service plexmediaserver start ; sleep 10 ; tail -n 40 -F /var/lib/plexmediaserver/Library/Application\ Support/Plex\ Media\ Server/Logs/Plex\ Media\ Server.log

Oct 27, 2021 16:46:53.464 [0x7f7133afeb38] INFO - Plex Media Server v1.24.5.5173-8dcc73a59 - Ubuntu PC x86_64 - build: linux-x86_64 debian - GMT -07:00
Oct 27, 2021 16:46:53.464 [0x7f7133afeb38] INFO - Linux version: 18.04.6 LTS (Bionic Beaver), language: en-US
Oct 27, 2021 16:46:53.464 [0x7f7133afeb38] INFO - Processor        Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz
Oct 27, 2021 16:46:53.464 [0x7f7133afeb38] INFO - Compiler is - Clang 11.0.1 (https://plex.tv e0c29d5827bc4eaaa2ceb882cbeed224b0960173)
Oct 27, 2021 16:46:53.464 [0x7f7133afeb38] INFO - /usr/lib/plexmediaserver/Plex Media Server
Oct 27, 2021 16:46:53.540 [0x7f713713a6e8] INFO - [CERT/OCSP] Successfully retrieved response from cache.
Oct 27, 2021 16:46:54.797 [0x7f7130d72b38] WARN - [MediaProviderManager] Unrecognized MediaProvider feature: availability
Oct 27, 2021 16:46:54.797 [0x7f7130d72b38] WARN - [MediaProviderManager] Unrecognized MediaProvider feature: availability-platforms
Oct 27, 2021 16:46:54.829 [0x7f7130e83b38] WARN - [MediaProviderManager] Unrecognized MediaProvider feature: availability
Oct 27, 2021 16:46:54.829 [0x7f7130e83b38] WARN - [MediaProviderManager] Unrecognized MediaProvider feature: availability-platforms
Oct 27, 2021 16:46:57.071 [0x7f71310d4b38] WARN - [EventSourceClient/pubsub] MyPlex: attempted a reachability check but we're not yet mapped.
Oct 27, 2021 16:46:57.162 [0x7f7130882b38] INFO - Sync: downloaded 0 sync list(s) with 0 sync items(s): 0 new, 0 updated, 0 deleted
Oct 27, 2021 16:47:03.269 [0x7f7130b85b38] INFO - LibraryUpdateManager path watching is disabled
Oct 27, 2021 16:47:05.250 [0x7f71302b2b38] INFO - [PlexRelay] Allocated port 27317 for remote forward to 127.0.0.1:32401
Oct 27, 2021 16:47:05.471 [0x7f713097db38] ERROR - downloadContainer: expected MediaContainer element, found Error
Oct 27, 2021 16:47:05.471 [0x7f713097db38] ERROR - IVA: Error downloading trailers for source 1.
Oct 27, 2021 16:47:05.573 [0x7f713097db38] ERROR - downloadContainer: expected MediaContainer element, found Error
Oct 27, 2021 16:47:05.573 [0x7f713097db38] ERROR - IVA: Error downloading trailers for source 2.
Oct 27, 2021 16:47:07.097 [0x7f7130ca0b38] ERROR - Error issuing curl_easy_perform(handle): 7
Oct 27, 2021 16:47:07.097 [0x7f7130ca0b38] WARN - HTTP error requesting GET https://192-168-1-2.070a15918a3c45058d0acbfbbd06b777.plex.direct:32400 (7, Couldn't connect to server) (Failed to connect to 192-168-1-2.070a15918a3c45058d0acbfbbd06b777.plex.direct port 32400: Connection refused)
Oct 27, 2021 16:47:07.976 [0x7f7130e07b38] ERROR - Unknown metadata type:
Oct 27, 2021 16:47:10.881 [0x7f7130d09b38] ERROR - Unknown metadata type:
Oct 27, 2021 16:47:11.122 [0x7f71302d5b38] INFO - AutoUpdate: no updates available
Oct 27, 2021 16:47:11.679 [0x7f7130d2cb38] ERROR - Unknown metadata type:
Oct 27, 2021 16:47:11.886 [0x7f7130cc3b38] WARN - NAT: PMP, timed out waiting for response.
Oct 27, 2021 16:47:12.098 [0x7f713095ab38] ERROR - Error issuing curl_easy_perform(handle): 28
Oct 27, 2021 16:47:19.500 [0x7f71310d4b38] WARN - [CERT] TLS connection from [::ffff:192.168.1.9]:53014 came in with unrecognized plex.direct SNI name '192-168-1-9.d7ede18c3ab140f1964a21e4966c632c.plex.direct'; using installed plex.direct cert
Oct 27, 2021 16:47:19.526 [0x7f71310d4b38] WARN - [CERT] TLS connection from [::ffff:192.168.1.9]:53016 came in with unrecognized plex.direct SNI name '192-168-1-9.d7ede18c3ab140f1964a21e4966c632c.plex.direct'; using installed plex.direct cert
Oct 27, 2021 16:47:43.834 [0x7f7130d2cb38] ERROR - Unknown metadata type:
Oct 27, 2021 16:47:49.600 [0x7f71310f7b38] WARN - [CERT] TLS connection from [::ffff:192.168.1.9]:53052 came in with unrecognized plex.direct SNI name '192-168-1-9.d7ede18c3ab140f1964a21e4966c632c.plex.direct'; using installed plex.direct cert
Oct 27, 2021 16:47:49.627 [0x7f71310d4b38] WARN - [CERT] TLS connection from [::ffff:192.168.1.9]:53054 came in with unrecognized plex.direct SNI name '192-168-1-9.d7ede18c3ab140f1964a21e4966c632c.plex.direct'; using installed plex.direct cert

^C

I also checked that the perms are ok beforehand with chown -R plex:plex /var/lib/plexmediaserver so I can discard that.

I was trying to check a p12 cert that is on my side, but it seems to be protected by either a key or a password that I don’t have:

ls -l /var/lib/plexmediaserver/Library/Application\ Support/Plex\ Media\ Server/Cache/cert-v2.p12

-rw-r--r-- 1 plex plex 5753 Oct 27 14:06 '/var/lib/plexmediaserver/Library/Application Support/Plex Media Server/Cache/cert-v2.p12'

openssl pkcs12 -info -in /var/lib/plexmediaserver/Library/Application\ Support/Plex\ Media\ Server/Cache/cert-v2.p12
Enter Import Password:
^C

Should I remove the cert-v2.p12?
or any other suggestion?

What certs do you have on the host / in a proxy / somewhere in the chain ?

I would very much like you to

  1. Restart the server
  2. Wait 2 minutes
  3. Download the Server log ZIP file
  4. Attach it here for me to review.

I can’t keep working with fragments. I need to see the entire context.

I haven’t installed my own cert, nor have I configured a proxy. I just use what the PMS gives me.

Attached logs here: [redacted and removed]

@mave007

That’s one heck of a mess.

The server’s certificate is compromised.

  1. Stop Plex
  2. sudo bash
  3. cd "/var/lib/plexmediaserver/Library/Application Support/Plex Media Server/Cache"
  4. mv cert-v2.p12 cert-v2.p2-damaged
  5. Start Plex.

It should now pick up the certificate I had it create for you earlier.

This will likely have cascade impact on other files so expect it.

Thank you @ChuckPa but that didn’t work either. I have the new cert in the Cache but the error persists.

I guess at this point I will nuke the server completely, remove all traces of previous installations, logs and re-install everything from scratch so I can rebuild all the libraries from 0 over the weekend.

I appreciate your time, tho.

@mave007

I’m afraid that’s all you can do at this point unless you want to start swapping in the com.plexapp.plugins.library.db backups in hopes of getting one not damaged.

If you want to keep “Preferences.xml”, switch it back in after you’ve restarted; that way you preserve the server’s identity and any established shares.

If you have none, please do remember to go to "Settings - Authorized Devices - Server (dropdown)" and remove the server you’re about to rebuild so you don’t end up with UUID conflicts in the players.

Hi @ChuckPa an update here.

I removed the whole plexmediaserver installation in my Ubuntu 18 this way:

cp '/var/lib/plexmediaserver/Library/Application Support/Plex Media Server/Preferences.xml' /opt
apt remove plexmediaserver
apt clean
rm -rf /var/lib/plexmediaserver/*
rm -rf /usr/lib/plexmediaserver/*
find /etc -name 'plex*' -exec rm {} \;
apt update
cd /opt/plexupdate/deb
apt install ./plexmediaserver_1.24.5.5173-8dcc73a59_amd64.deb # This started the server right away?
service plexmediaserver stop
cp /opt/Preferences.xml '/var/lib/plexmediaserver/Library/Application Support/Plex Media Server/'
service plexmediaserver start

As a side note, this might be a bug: it seems like every version of 1.24.* is missing the following file:
IOError: [Errno 2] No such file or directory: '/usr/lib/plexmediaserver/Resources/Plug-ins-8dcc73a59/WebClient.bundle/Contents/Info.plist' which I had to recover from an old .deb from a 1.23 version. End of side note.

Then I left all the Libraries rebuilding overnight.

I woke up this morning to check the status of my fresh install and I still see the same error!!

Oct 29, 2021 09:05:29.448 [0x7fcafed0db38] WARN - [CERT] TLS connection from 192.168.1.9:39874 came in with unrecognized plex.direct SNI name '192-168-1-9.d7ede18c3ab140f1964a21e4966c632c.plex.direct'; using installed plex.direct cert
Oct 29, 2021 09:05:29.471 [0x7fcafeceab38] WARN - [CERT] TLS connection from 192.168.1.9:39876 came in with unrecognized plex.direct SNI name '192-168-1-9.d7ede18c3ab140f1964a21e4966c632c.plex.direct'; using installed plex.direct cert

Attached are the logs of my freshly installed server
[redacted and removed]

Should we do the remove Cache folder and Preferences.xml again while you reset the cert?
Thank you in advance,
M

You MUST have DNS rebinding protection blocking in your modem/router.
That’s the only explanation.

Can you create an exception rule (most modem/routers allow it) to allow *.plex.direct?

On pfSense, I allow private-network: *.plex.direct


When you say router, you mean the DNS resolver on my network, right?

I use unbound, on the same server, so I just added the following:

cat /etc/unbound/unbound.conf.d/dns-rebinding.conf

server:
  private-domain: "plex.direct"

service unbound restart

So if I do the following:

dig 192-168-1-9.d7ede18c3ab140f1964a21e4966c632c.plex.direct @192.168.1.9 +short
192.168.1.9

Is that the expected behavior?

Is this the expected response?

curl -k -v https://192-168-1-9.d7ede18c3ab140f1964a21e4966c632c.plex.direct:32400/identity
*   Trying 192.168.1.9...
* TCP_NODELAY set
* Connected to 192-168-1-9.d7ede18c3ab140f1964a21e4966c632c.plex.direct (192.168.1.9) port 32400 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.723fc011010642139654e6ffb2ef503f.plex.direct
*  start date: Oct 29 05:32:47 2021 GMT
*  expire date: Jan 27 05:32:46 2022 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> GET /identity HTTP/1.1
> Host: 192-168-1-9.d7ede18c3ab140f1964a21e4966c632c.plex.direct:32400
> User-Agent: curl/7.58.0
> Accept: */*
>
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< HTTP/1.1 200 OK
< X-Plex-Protocol: 1.0
< Content-Type: text/xml;charset=utf-8
< Content-Length: 188
< Connection: Keep-Alive
< Keep-Alive: timeout=20
< Cache-Control: no-cache
< Date: Fri, 29 Oct 2021 17:04:20 GMT
<
<?xml version="1.0" encoding="UTF-8"?>
<MediaContainer size="0" claimed="1" machineIdentifier="f9c39f7276acbfc236e507c59ed4cb12b6fdb2c7" version="1.24.5.5173-8dcc73a59">
</MediaContainer>
* Connection #0 to host 192-168-1-9.d7ede18c3ab140f1964a21e4966c632c.plex.direct left intact

(Note I had to use -k to avoid the cert check)
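An added diagnostic, not from the thread or from Plex, that pulls the SNI name out of the server's warning line and checks it against the wildcard subject curl printed above. Both sample values are copied from this thread; the matching rule is RFC 6125 single-label wildcard matching, and treating the 32-hex label as the server identifier is an assumption drawn from the hostname shape seen here.

```python
import re
from typing import Optional, Tuple

# Sample input copied from the thread's log output (not live data).
LOG_LINE = (
    "Oct 27, 2021 13:28:54.146 [0x7ff0255deb38] WARN - [CERT] TLS connection from "
    "[::ffff:192.168.1.9]:39580 came in with unrecognized plex.direct SNI name "
    "'192-168-1-9.d7ede18c3ab140f1964a21e4966c632c.plex.direct'; using installed plex.direct cert"
)
# Certificate subject as curl printed it in the thread.
CERT_CN = "*.723fc011010642139654e6ffb2ef503f.plex.direct"

SNI_RE = re.compile(r"unrecognized plex\.direct SNI name '([^']+)'")
# Assumed shape: <dashed-ipv4>.<32 hex chars>.plex.direct
HOST_RE = re.compile(r"^(\d{1,3}(?:-\d{1,3}){3})\.([0-9a-f]{32})\.plex\.direct$")
CN_RE = re.compile(r"^\*\.([0-9a-f]{32})\.plex\.direct$")


def sni_from_log(line: str) -> Optional[str]:
    """Return the quoted SNI hostname from a [CERT] warning line, or None."""
    m = SNI_RE.search(line)
    return m.group(1) if m else None


def parse_plex_direct(name: str) -> Optional[Tuple[str, str]]:
    """Split a plex.direct hostname into (dotted IP, server identifier)."""
    m = HOST_RE.match(name)
    return (m.group(1).replace("-", "."), m.group(2)) if m else None


def wildcard_matches(cn: str, hostname: str) -> bool:
    """RFC 6125 style: '*.x.y' covers exactly one extra label, so 'a.x.y' but not 'a.b.x.y'."""
    host = hostname.lower()
    if not cn.startswith("*."):
        return cn.lower() == host
    suffix = cn[1:].lower()          # ".x.y"
    return host.endswith(suffix) and "." not in host[: -len(suffix)]


def diagnose(line: str, cert_cn: str) -> dict:
    """Explain a warning line: which identifier the client asked for vs. what the cert serves."""
    sni = sni_from_log(line) or ""
    parsed = parse_plex_direct(sni)
    cn_m = CN_RE.match(cert_cn)
    return {
        "sni": sni,
        "client_ip": parsed[0] if parsed else None,
        "sni_server_id": parsed[1] if parsed else None,
        "cert_server_id": cn_m.group(1) if cn_m else None,
        "cert_covers_sni": wildcard_matches(cert_cn, sni),
    }
```

A mismatch between sni_server_id and cert_server_id means the client is still addressing a server identity this certificate was never issued for, which is the condition the warning describes.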

I think that’s right. I’ve honestly not done the deep dive into DNS rebinding mitigation.

My pfSense, which also uses unbound, is set as follows:

I did the same curl command with the outside ip address and it worked!

this is so weird :-S

Why is my server locally having issues with the cert (from connections generated on the same machine) and not from the outside?

default adapter?

you KNOW it’s going to be something stupid

Changed the Interface from ANY to the specific eth0.

After some deep lsof and tcpdump I think I found the source of the system creating the query for this thing: /usr/lib/plexmediaserver/Plex Tuner Service

Can I turn off that?

argh, no way to disable that cleanly. I think I’m going this way:

Hack it with a shell script as the test :smiling_imp:

I already did!

#!/bin/bash

# If the tuner service is running, log it, stop it and move the binary aside.
if pgrep -f "Plex Tuner Service"; then
	logger -t plexfix -p syslog.info -- Plex Tuner process found, now disabled.
	chmod -x "/usr/lib/plexmediaserver/Plex Tuner Service"
	pkill -9 -f "Plex Tuner Service"
	mv "/usr/lib/plexmediaserver/Plex Tuner Service" "/usr/lib/plexmediaserver/Plex Tuner Service.old"
fi

# Replace the binary with a stub that exits immediately so PMS has something to launch.
if [ ! -f "/usr/lib/plexmediaserver/Plex Tuner Service" ] ; then
	cat > "/usr/lib/plexmediaserver/Plex Tuner Service" << EOF
#!/bin/bash
exit 0
EOF

	chmod +x "/usr/lib/plexmediaserver/Plex Tuner Service"
fi

and even though I’m happy not to have that service unnecessarily running, it didn’t work.

Well, I guess it’s not THAT early to start drinking. I give up (…for today)

Please confirm for me?

  • The source of the SNI error is the Plex Tuner Service?