SSL Certificate Errors

Server Version#: 1.23.4.4712
Player Version#: 4.60.3 (Plex Web)

So I’ve had a huge issue as of today with my server not connecting to anything, and it appears to be due to certificate issues.

For context I have done these steps to try and troubleshoot:

  1. Removed and reclaimed the server
  2. Restarted multiple times
  3. Adjusted all “Secure” settings
  4. Reset the NTP Client on my Ubuntu VM
  5. Changed NAT’d port
  6. Pulled a packet capture to try and look at the network traffic.
  7. Double checked pfSense’s DNS rebinding advanced setting

Finally I turned on verbose logging and started looking at log traffic and at first glance it looks like I am hitting some type of rate limit uploading the certificate that the server gets from Plex.

Based on the logs below it looks like I am hitting some type of rate limit on the API that is breaking my server’s certificate.

Anyone out there have any insight?

Log output:

Jul 04, 2021 03:30:01.461 [0x7f76fe063b38] DEBUG - Completed: [**Redacted**:18638] 200 GET /player/proxy/poll?deviceClass=pc&protocolVersion=3&protocolCapabilities=timeline%2Cplayback%2Cnavigation%2Cmirror%2Cplayqueues&timeout=1 (7 live) TLS GZIP 20000ms 5 bytes (pipelined: 273)
Jul 04, 2021 03:30:01.474 [0x7f76fe040b38] DEBUG - Auth: authenticated user 1 as **Redacted**
Jul 04, 2021 03:30:01.474 [0x7f76fcd88b38] DEBUG - Request: [**Redacted**:18638 (WAN)] GET /player/proxy/poll?deviceClass=pc&protocolVersion=3&protocolCapabilities=timeline%2Cplayback%2Cnavigation%2Cmirror%2Cplayqueues&timeout=1 (7 live) TLS GZIP Signed-in Token (**Redacted**)
Jul 04, 2021 03:30:01.474 [0x7f76fcd88b38] DEBUG - Content-Length is -1 (of total: -1).
Jul 04, 2021 03:30:16.965 [0x7f76fe040b38] DEBUG - CERT: incomplete TLS handshake: sslv3 alert certificate unknown
Jul 04, 2021 03:30:16.966 [0x7f76fe040b38] DEBUG - CERT: incomplete TLS handshake: sslv3 alert certificate unknown
Jul 04, 2021 03:30:16.967 [0x7f76fe040b38] DEBUG - CERT: incomplete TLS handshake: sslv3 alert certificate unknown
Jul 04, 2021 03:30:17.053 [0x7f76fe040b38] DEBUG - CERT: incomplete TLS handshake: sslv3 alert certificate unknown
Jul 04, 2021 03:30:21.475 [0x7f76fe063b38] DEBUG - Completed: [**Redacted**:18638] 200 GET /player/proxy/poll?deviceClass=pc&protocolVersion=3&protocolCapabilities=timeline%2Cplayback%2Cnavigation%2Cmirror%2Cplayqueues&timeout=1 (7 live) TLS GZIP 20001ms 5 bytes (pipelined: 274)
Jul 04, 2021 03:30:21.479 [0x7f76fe040b38] DEBUG - Auth: authenticated user 1 as **Redacted**
Jul 04, 2021 03:30:21.479 [0x7f76fcd88b38] DEBUG - Request: [**Redacted**:18638 (WAN)] GET /player/proxy/poll?deviceClass=pc&protocolVersion=3&protocolCapabilities=timeline%2Cplayback%2Cnavigation%2Cmirror%2Cplayqueues&timeout=1 (7 live) TLS GZIP Signed-in Token (**Redacted**)
Jul 04, 2021 03:30:21.479 [0x7f76fcd88b38] DEBUG - Content-Length is -1 (of total: -1).
Jul 04, 2021 03:30:41.480 [0x7f76fe063b38] DEBUG - Completed: [**Redacted**:18638] 200 GET /player/proxy/poll?deviceClass=pc&protocolVersion=3&protocolCapabilities=timeline%2Cplayback%2Cnavigation%2Cmirror%2Cplayqueues&timeout=1 (3 live) TLS GZIP 20001ms 5 bytes (pipelined: 275)
Jul 04, 2021 03:30:41.483 [0x7f76fe040b38] DEBUG - Auth: authenticated user 1 as **Redacted**
Jul 04, 2021 03:30:41.483 [0x7f76fcd88b38] DEBUG - Request: [**Redacted**:18638 (WAN)] GET /player/proxy/poll?deviceClass=pc&protocolVersion=3&protocolCapabilities=timeline%2Cplayback%2Cnavigation%2Cmirror%2Cplayqueues&timeout=1 (3 live) TLS GZIP Signed-in Token (**Redacted**)
Jul 04, 2021 03:30:41.483 [0x7f76fcd88b38] DEBUG - Content-Length is -1 (of total: -1).
Jul 04, 2021 03:30:46.962 [0x7f76fe040b38] DEBUG - CERT: incomplete TLS handshake: sslv3 alert certificate unknown
Jul 04, 2021 03:30:46.964 [0x7f76fe040b38] DEBUG - CERT: incomplete TLS handshake: sslv3 alert certificate unknown
Jul 04, 2021 03:30:46.970 [0x7f76fe040b38] DEBUG - CERT: incomplete TLS handshake: sslv3 alert certificate unknown
Jul 04, 2021 03:30:47.067 [0x7f76fe040b38] DEBUG - CERT: incomplete TLS handshake: sslv3 alert certificate unknown
Jul 04, 2021 03:30:50.217 [0x7f76fce97b38] DEBUG - CERT: Forcing refresh.
Jul 04, 2021 03:30:50.219 [0x7f76fce97b38] DEBUG - CERT: Certificate expires soon, fetching a new one.
Jul 04, 2021 03:30:50.219 [0x7f76fce97b38] DEBUG - HTTP requesting GET **API Formatted URL**
Jul 04, 2021 03:30:50.793 [0x7f76fce97b38] DEBUG - HTTP/1.1 (0.6s) 200 response from GET **API Formatted URL**
Jul 04, 2021 03:30:50.794 [0x7f76fce97b38] DEBUG - HTTP requesting PUT **API Formatted URL**
Jul 04, 2021 03:30:50.959 [0x7f76fce97b38] DEBUG - HTTP/1.1 (0.2s) 429 response from PUT **API Formatted URL** (reused)
Jul 04, 2021 03:30:50.959 [0x7f76fce97b38] ERROR - CERT: Error acquiring new certificate: Failed to upload CSR: 429, <?xml version="1.0" encoding="UTF-8"?>
<errors>
  <error code="1003" message="API rate limit exceeded"/>
</errors>
Jul 04, 2021 03:31:01.484 [0x7f76fe063b38] DEBUG - Completed: [**Redacted**:18638] 200 GET /player/proxy/poll?deviceClass=pc&protocolVersion=3&protocolCapabilities=timeline%2Cplayback%2Cnavigation%2Cmirror%2Cplayqueues&timeout=1 (7 live) TLS GZIP 20001ms 5 bytes (pipelined: 276)
Jul 04, 2021 03:31:01.498 [0x7f76fe040b38] DEBUG - Auth: authenticated user 1 as **Redacted**
Jul 04, 2021 03:31:01.498 [0x7f76fcd88b38] DEBUG - Request: [**Redacted**:18638 (WAN)] GET /player/proxy/poll?deviceClass=pc&protocolVersion=3&protocolCapabilities=timeline%2Cplayback%2Cnavigation%2Cmirror%2Cplayqueues&timeout=1 (7 live) TLS GZIP Signed-in Token (**Redacted**)
Jul 04, 2021 03:31:01.498 [0x7f76fcd88b38] DEBUG - Content-Length is -1 (of total: -1).
Jul 04, 2021 03:31:02.572 [0x7f76fe040b38] DEBUG - CERT: incomplete TLS handshake: sslv3 alert certificate unknown
Jul 04, 2021 03:31:02.581 [0x7f76fe040b38] DEBUG - CERT: incomplete TLS handshake: sslv3 alert certificate unknown
Jul 04, 2021 03:31:16.932 [0x7f76fe040b38] DEBUG - CERT: incomplete TLS handshake: sslv3 alert certificate unknown
Jul 04, 2021 03:31:16.934 [0x7f76fe040b38] DEBUG - CERT: incomplete TLS handshake: sslv3 alert certificate unknown
Jul 04, 2021 03:31:16.936 [0x7f76fe040b38] DEBUG - CERT: incomplete TLS handshake: sslv3 alert certificate unknown
Jul 04, 2021 03:31:17.029 [0x7f76fe040b38] DEBUG - CERT: incomplete TLS handshake: sslv3 alert certificate unknown
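A way to triage a log like the one above, added here as an example (it is not code from the post or from Plex): it counts the TLS alerts the server received from clients and checks whether a certificate renewal failed with a rate-limit response. The names `triage`, `verdict` and `SAMPLE` are hypothetical, and the sample lines are constructed in the format the post shows.

```python
import re
from collections import Counter

# Line layout used in the post: "Jul 04, 2021 03:30:50.959 [0x...] LEVEL - message"
LINE = re.compile(r"^(\w{3} \d{2}, \d{4} [\d:.]+) \[0x[0-9a-f]+\] (\w+) - (.*)$")
# OpenSSL's reason string names the alert received from the peer; the
# "sslv3"/"tlsv1" prefix is part of that string, not the negotiated version.
ALERT = re.compile(r"CERT: incomplete TLS handshake: (?:sslv3|tlsv1) alert (.+)$")
CSR_FAIL = re.compile(r"CERT: Error acquiring new certificate: Failed to upload CSR: (\d{3})")

# Constructed sample in the shape of the log lines quoted in the thread.
SAMPLE = """\
Jul 04, 2021 03:30:46.962 [0x7f76fe040b38] DEBUG - CERT: incomplete TLS handshake: sslv3 alert certificate unknown
Jul 04, 2021 03:30:46.964 [0x7f76fe040b38] DEBUG - CERT: incomplete TLS handshake: sslv3 alert certificate unknown
Jul 04, 2021 03:30:47.100 [0x7f76fe040b38] DEBUG - CERT: incomplete TLS handshake: tlsv1 alert unknown ca
Jul 04, 2021 03:30:50.219 [0x7f76fce97b38] DEBUG - CERT: Certificate expires soon, fetching a new one.
Jul 04, 2021 03:30:50.959 [0x7f76fce97b38] ERROR - CERT: Error acquiring new certificate: Failed to upload CSR: 429, <?xml version="1.0" encoding="UTF-8"?>
<errors>
  <error code="1003" message="API rate limit exceeded"/>
</errors>
"""

def triage(text):
    """Count peer TLS alerts, renewal attempts and CSR upload failures."""
    alerts, csr_failures, renewals = Counter(), [], 0
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines, e.g. the XML error body
        ts, _level, msg = m.groups()
        if a := ALERT.search(msg):
            alerts[a.group(1)] += 1
        elif "CERT: Certificate expires soon" in msg:
            renewals += 1
        elif f := CSR_FAIL.search(msg):
            csr_failures.append((ts, int(f.group(1))))
    return {"alerts": dict(alerts), "renewals": renewals, "csr_failures": csr_failures}

def verdict(result):
    """Separate 'renewal is being rate limited' from 'clients reject the cert'."""
    rate_limited = any(code == 429 for _, code in result["csr_failures"])
    if result["alerts"] and rate_limited:
        return "renewal-rate-limited"
    if result["alerts"]:
        return "peer-rejects-cert"
    return "no-cert-errors"

if __name__ == "__main__":
    summary = triage(SAMPLE)
    print(summary, verdict(summary))
```

A `peer-rejects-cert` result with no CSR failure means the log shows clients refusing the installed certificate but no failed renewal, so the cause has to be looked for elsewhere.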

Checking.

May I have the non-edited logs?

I’ll open a PM to you.

Certificate Reset.

You may restart your Server.

I’m working with one of the engineers right now.

We’re investigating why this is happening.

Awesome, thank you! I’m restarting now and will let you know if I run into any other problems.

Hopefully this is a one off.

Could you please reset my server too? I have an invalid SSL certificate using my domain (started today); it has been working fine. Thanks

I’ve started seeing the same issue in the last 24h… I am unable to connect securely to my server.

Can anything be done from my side, or is the issue on Plex’s side?

For what it is worth, this is the kind of stuff I am seeing in my log:

WARN - [CERT] TLS connection came in with unrecognized plex.direct SNI name xxxxxxxxxxxx.plex.direct’; using installed plex.direct cert
DEBUG - CERT: incomplete TLS handshake: sslv3 alert certificate unknown

No mention of API rate exceeded in my log though.

Version 1.23.4.4712

@gsd69

Your certificate looked good. Issued 4-July with zero retries. If you have other certificate issues, please check anything you might have added yourself.

I reset it anyway. Please restart the server.

@scope1

I have reset your certificate.
Please restart the server.

@ChuckPa : Thanks, working again now. :slight_smile:

Hello, it appears I may be experiencing a similar issue to the above two people. Can you please check my certificate? The error I am seeing in the log is -

Jul 10, 2021 02:12:23.183 [0x7f9f4f4fcb38] DEBUG - CERT: incomplete TLS handshake: sslv3 alert certificate unknown

I am unable to use app.plex.tv to connect to the server; it errors saying “app.plex.tv is unable to connect to “plexbuntu” securely”

@trek604

Reset, you may restart the server

I’ve been having a similar issue, but my message is:
CERT: incomplete TLS handshake: tlsv1 alert unknown ca

Would resetting the cert help?

@Inisbas

I have reset your certificate. You may restart the server.

I’ve been having a similar issue, but my message is:

Jul 17, 2021 14:53:00.687 [0x7fe3499b7b38] WARN - [CERT] TLS connection came in with unrecognized plex.direct SNI name ‘116-202-194-116.45f0acb736e64d6eb75cbc7b017e50e3.plex.direct’; using installed plex.direct cert
Jul 17, 2021 14:53:00.710 [0x7fe3499dab38] DEBUG - CERT: incomplete TLS handshake: sslv3 alert certificate unknown

Think I hit this bug as well. In the logs I saw both
-CERT: incomplete TLS handshake: tlsv1 alert unknown ca
-sslv3 alert certificate unknown

Server was running 1.23.4.4805
Plex app on my Roku TV worked
Plex app on my iphone 7 worked
Plex for Kodi on my 2017 shield tv worked
Plex app on my S9+ did not work -version 8.20.0.26605
Official Plex app on my 2017 shield tv did not work

I did a force downgrade to 1.23.3.4707 and all clients are working as expected. In my experience it was only the native android apps exhibiting this error.

I have the 1.23.3.4707 and both webapp and samsung app are not working.
Logs show the same error : DEBUG - CERT: incomplete TLS handshake: sslv3 alert certificate unknown

Please, I have the same problem (app.plex.tv is unable to connect to “zzzz” securely), but opening the browser from localhost works normally (http://127.0.0.1:00000/web/index.html#!/) (I replaced the server name and port for security). Many thanks…

Here in the forum:

Screenshot from 2021-07-18 14-17-40

Please also see: https://status.plex.tv

Make no changes until the outage is resolved and the server is restarted thereafter.

I am also having Secure connection issues as of today…
When trying to connect to chromecast via plexapp on phone/tablet
Allow Insecure Connection?
Chromecast is unable to connect to Plex Media Server securely. Would you like to connect insecurely?

I’m getting this as well, even after status.plex.tv shows the fix has been implemented.

Anyone got any ideas?