SSL_ERROR_BAD_CERT_DOMAIN

Hello,

I can’t access my plex site via https://NAME:32400/web with my own Let’s Encrypt certificate in Firefox. I get SSL_ERROR_BAD_CERT_DOMAIN. After removing the custom certificate entries on plex, I still can’t access my site directly. I get an “Are you sure that you trust this site?” message from Firefox.

Websites confirm their identity with certificates. Firefox does not trust this website because the certificate used by the website does not apply to NAME:32400. The certificate is only valid for *.db6974f39c4445369b4af8715a203ddd.plex.direct.
Error code: SSL_ERROR_BAD_CERT_DOMAIN

I guess it’s a problem with the new Let’s Encrypt certification from Plex.

Server Version#: 1.21.3.4046
Player Version#: Web 4.51.1

I have been trying to figure out why my Plex server did this. I have not made changes to my server in years and one day it randomly quit working. My certificate I created from my own internal CA just stopped working and now I have an error identical to yours. This started yesterday when Plex pushed a cert of *.3e6bd374f1834a91be7ef321fba8ef41.plex.direct that was published on the same day. It completely ignores my own internal certificate.

When using your own cert with Plex (I recently learned this).

Three things are required:

  1. The cert
  2. The key
  3. The full chain (from CA → Cert).

In my case, I also use Let’s Encrypt.
By providing the CA on the openssl command line, PMS accepts and uses my cert.

I use:

openssl pkcs12 -export -out filename.p12 -inkey input.key -in input.crt -certfile "Acmecert_+O=Let's+Encrypt,+CN=Let's+Encrypt+Authority+X3,+C=US.crt"

I used this command via crontab and it has been working for a couple of months. But since Plex pushed their own certification, I get the error above.

openssl pkcs12 -export -out /var/lib/plexmediaserver/certificate.pfx -inkey /etc/letsencrypt/live/NAME/privkey.pem -in /etc/letsencrypt/live/NAME/cert.pem -certfile /etc/letsencrypt/live/NAME/chain.pem -password pass:ABCDEF

Check something for me:

  1. Do you have containers (Docker) or other subnets on the machine?
  2. Are the errors coming from those subnets?

I had to look at my system again.

  1. I have docker containers (10.0.3.x, 10.0.5.x)
  2. PMS was issuing cert violations against those two adapters
  3. PMS preferred adapter (Settings - Server - Network - Show Advanced) was “Any”

Setting the Preferred adapter as the primary subnet resolved it.

I don’t use containers on the server. I have another subnet for VPN, but I get this problem in the same subnet my server is in.

I have only one network adapter and this one is also the chosen one.

I can confirm that the issue appeared in a recent change to Plex.

I was trying to migrate a plex server with a working custom cert setup on version 1.21.3.4014 to a new server, on the latest version 1.21.3.4046.

I spent hours trying to understand why I couldn’t get the custom certificate to work on the new server, while it was working perfectly before. The symptoms were as described here, which is that plex is serving content with its own plex.direct certificate even when accessed via the custom url domain, for which the custom certificate has been issued.

I tried to isolate the problem, and finally confirmed that something broke between these two versions. Indeed, I ended up downgrading the new server, in-place, to version 1.21.3.4014 and, without changing anything to its configuration or to the certificates, my custom certificate started to be picked up.

Here are the relevant CERT logs from both versions:

1.21.3.4014 (WORKING):

Feb 24, 2021 18:31:49.867 [0x7f17c2208100] DEBUG - [CERT] Loaded a user-provided certificate.
Feb 24, 2021 18:31:49.867 [0x7f17c2208100] DEBUG - [CERT/OCSP] no URL available
Feb 24, 2021 18:31:49.867 [0x7f17c2208100] WARN - [CERT/OCSP] getCertInfo failed; skipping stapling
Feb 24, 2021 18:31:55.529 [0x7f17b9ffb700] DEBUG - CERT: Certificate did not exist, fetching a new one.
Feb 24, 2021 18:31:56.009 [0x7f17baffd700] DEBUG - [CERT] Installed certificate with fingerprint <redacted>.
Feb 24, 2021 18:31:56.009 [0x7f17baffd700] DEBUG - [CERT] Installed new private key.
Feb 24, 2021 18:31:56.010 [0x7f17baffd700] DEBUG - [CERT] Subject name is /CN=*.<redacted>.plex.direct
Feb 24, 2021 18:31:56.010 [0x7f17baffd700] DEBUG - [CERT/OCSP] Stapling requests will be made to 'http://r3.o.lencr.org/'.
Feb 24, 2021 18:31:56.010 [0x7f17baffd700] INFO - [CERT/OCSP] No relevant response in cache.
Feb 24, 2021 18:31:56.010 [0x7f17baffd700] INFO - [CERT/OCSP] Couldn't install the cached response; fetching from network.
Feb 24, 2021 18:31:56.010 [0x7f17baffd700] DEBUG - [CERT] Installed intermediate certificate.
Feb 24, 2021 18:31:56.011 [0x7f178ffff700] DEBUG - [CERT/OCSP] HTTP requesting GET http://r3.o.lencr.org/<redacted>
Feb 24, 2021 18:31:56.014 [0x7f17baffd700] DEBUG - [CERT] Loaded a user-provided certificate.
Feb 24, 2021 18:31:56.014 [0x7f17baffd700] DEBUG - [CERT/OCSP] no URL available
Feb 24, 2021 18:31:56.014 [0x7f17baffd700] WARN - [CERT/OCSP] getCertInfo failed; skipping stapling
Feb 24, 2021 18:31:56.014 [0x7f17baffd700] DEBUG - [CERT] MyPlex: Updating device connections (from timer: 0)
Feb 24, 2021 18:31:56.015 [0x7f17baffd700] DEBUG - [CERT] HTTP requesting PUT https://plex.tv/devices/<redacted>?Connection[][uri]=http://[<redacted ip>:32400&Connection[][uri]=http://[[<redacted ip>]:32400&Connection[][uri]=http://[<redacted ip>]:32400&httpsEnabled=1&httpsRequired=0&dnsRebindingProtection=1&X-Plex-Token=xxxxxxxxxxxxxxxxxxxx
Feb 24, 2021 18:31:56.190 [0x7f17baffd700] DEBUG - [CERT] HTTP 200 response from PUT https://plex.tv/devices/<redacted>?Connection[][uri]=http://[<redacted ip>&Connection[][uri]=http://[[<redacted ip>]:32400&Connection[][uri]=http://[[<redacted ip>]:32400&httpsEnabled=1&httpsRequired=0&dnsRebindingProtection=1&X-Plex-Token=xxxxxxxxxxxxxxxxxxxx
Feb 24, 2021 18:31:56.382 [0x7f178ffff700] DEBUG - [CERT/OCSP] HTTP 200 response from GET http://r3.o.lencr.org/<redacted>
Feb 24, 2021 18:31:56.382 [0x7f178ffff700] INFO - [CERT/OCSP] Successfully retrieved response.

1.21.3.4046 (NOT WORKING):

Feb 24, 2021 18:22:24.615 [0x7ff2eb6ff100] DEBUG - [CERT] Installed certificate with fingerprint <redacted>.
Feb 24, 2021 18:22:24.615 [0x7ff2eb6ff100] DEBUG - [CERT] Installed new private key.
Feb 24, 2021 18:22:24.615 [0x7ff2eb6ff100] DEBUG - [CERT] Subject name is /CN=*.<redacted>.plex.direct
Feb 24, 2021 18:22:24.615 [0x7ff2eb6ff100] DEBUG - [CERT/OCSP] Stapling requests will be made to 'http://r3.o.lencr.org/'.
Feb 24, 2021 18:22:24.615 [0x7ff2eb6ff100] INFO - [CERT/OCSP] Successfully retrieved response from cache.
Feb 24, 2021 18:22:24.641 [0x7ff2eb6ff100] DEBUG - [CERT] Loaded a user-provided certificate.
Feb 24, 2021 18:22:24.641 [0x7ff2eb6ff100] DEBUG - [CERT/OCSP] no URL available
Feb 24, 2021 18:22:24.641 [0x7ff2eb6ff100] WARN - [CERT/OCSP] getCertInfo failed; skipping stapling
Feb 24, 2021 18:22:30.193 [0x7ff2e1ffb700] DEBUG - CERT: Certificate will not expire soon; we'll check again in a week.
Feb 24, 2021 18:22:30.196 [0x7ff2e8c00700] DEBUG - [CERT] Installed certificate with fingerprint <redacted>.
Feb 24, 2021 18:22:30.196 [0x7ff2e8c00700] DEBUG - [CERT] Installed new private key.
Feb 24, 2021 18:22:30.196 [0x7ff2e8c00700] DEBUG - [CERT] Subject name is /CN=*.<redacted>.plex.direct
Feb 24, 2021 18:22:30.196 [0x7ff2e8c00700] DEBUG - [CERT/OCSP] Stapling requests will be made to 'http://r3.o.lencr.org/'.
Feb 24, 2021 18:22:30.197 [0x7ff2e8c00700] INFO - [CERT/OCSP] Successfully retrieved response from cache.
Feb 24, 2021 18:22:30.202 [0x7ff2e8c00700] DEBUG - [CERT] Loaded a user-provided certificate.
Feb 24, 2021 18:22:30.202 [0x7ff2e8c00700] DEBUG - [CERT/OCSP] no URL available
Feb 24, 2021 18:22:30.202 [0x7ff2e8c00700] WARN - [CERT/OCSP] getCertInfo failed; skipping stapling
Feb 24, 2021 18:22:30.202 [0x7ff2e8c00700] DEBUG - [CERT] MyPlex: Last published value didn't change, we're done.
Feb 24, 2021 18:23:50.288 [0x7ff2e9401700] DEBUG - CERT: incomplete TLS handshake: sslv3 alert certificate unknown

If I may?

It looks like what you have, which might have previously worked, won’t now.
I recently added a cert to my PMS and it took several tries (and a few questions) until I understood the requirement.

I am using 1.21.4.4079

  1. Cert, Key, and Complete Chain (the intermediate CA) in the file you give to PMS
  2. Apply the cert to the host
  3. Give PMS the path of the cert file and its password
  4. Specify the FQDN URL to the server (which utilizes the FQDN the cert is valid for)

I am willing to share this via PM if needed.
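The "cert, key and complete chain" requirement above, and the openssl pkcs12 command posted earlier in the thread, as an added shell example that is not from the thread or from Plex. It assumes openssl is in PATH; the FQDN plex.example, the output path and the password are placeholders, and the throwaway CA it generates stands in for the Let's Encrypt intermediate. Beyond the thread's command, it checks the bundle before you install it: that it holds two certificates (leaf plus chain) and that the leaf actually covers the hostname you will type into the browser.

```shell
#!/bin/sh
# Added example (not the thread's or Plex's own tooling). Builds the PKCS#12
# bundle that PMS expects from privkey.pem, cert.pem and chain.pem, then checks
# it for the two mistakes behind SSL_ERROR_BAD_CERT_DOMAIN: a missing chain and
# a leaf that is not valid for the FQDN in the URL.
set -eu

# Bundle leaf cert + private key + intermediate chain into one PKCS#12 file.
build_plex_pfx() {   # out.pfx privkey.pem cert.pem chain.pem password
    openssl pkcs12 -export -out "$1" -inkey "$2" -in "$3" -certfile "$4" \
        -password "pass:$5"
}

# Number of certificates stored in the bundle. "1" means the chain was left
# out, i.e. only two of the "three things required" made it in.
pfx_cert_count() {   # bundle.pfx password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -nodes 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# Prints "yes" if the leaf certificate inside the bundle chains to ca.pem and
# is valid for the FQDN (the name Firefox compares against), "no" otherwise.
pfx_covers_fqdn() {  # bundle.pfx password fqdn ca.pem
    leaf="$1.leaf.pem"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -nodes \
        -out "$leaf" 2>/dev/null
    if openssl verify -CAfile "$4" -verify_hostname "$3" "$leaf" >/dev/null 2>&1
    then echo yes; else echo no; fi
}

# Constructed throwaway PKI standing in for Let's Encrypt: a CA (playing the
# intermediate, written as chain.pem) and a leaf cert valid only for $fqdn.
make_test_pki() {    # dir fqdn
    d=$1; fqdn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test CA" \
        -keyout "$d/ca.key" -out "$d/chain.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$d/san.cnf"
    openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/chain.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/san.cnf" \
        -out "$d/cert.pem" 2>/dev/null
}
```

For a real install, point build_plex_pfx at /etc/letsencrypt/live/NAME/{privkey,cert,chain}.pem as in the thread's command and run the two checks on the resulting .pfx before giving its path and password to PMS.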

Could you please tell me/us what exactly I/we have to do?
I got this command from a website or a forum post.

openssl pkcs12 -export -out /var/lib/plexmediaserver/certificate.pfx -inkey /etc/letsencrypt/live/NAME/privkey.pem -in /etc/letsencrypt/live/NAME/cert.pem -certfile /etc/letsencrypt/live/NAME/chain.pem -password pass:ABCDEF

My knowledge about generating certificates and SSL is basic :wink:

Thanks

That’s the right command.

You’re probably familiar with the two main elements: CRT & KEY.
You also need the intermediate (chain) part which connects all the dots.

That will be included with the cert you got.

I cannot support teaching custom certs. Sorry :man_shrugging:

That’s funny… I tried my command again and the error is gone.
Maybe this was a bug by Plex?
Now I’m using version 1.21.4.4079

Coming from a guy who just spent the last 2 hours reloading after killing DNS on his workstation, I have another option to suggest ---- PEBKAC :rofl:

Can’t confirm this :wink:
The problem was on workstations, which never visited my plex site and I was not alone with this error :stuck_out_tongue:
