SSL error when attempting to connect to PMS dashboard

Trying again with fresh thread hoping that a more concise request yields more help:

I had to change my Plex password and since then SSL on my local PMS console no longer works. I followed the troubleshooting guide for the “no soup for you” issue but it didn’t help. My final act of desperation was to turn off secure connections via the HTTP console and delete the client token for my local PMS console, but all that accomplished was removing all “knowledge” of my PMS server media from app.plex.tv as well as via the HTTP console on the local PMS server. Neither knows my PMS server’s existence but I can now access media from other clients on the LAN that still had a placeholder for my PMS but all play count info was lost so all media is shown as unwatched. Ouch.

In my other post there is more background (it is “as it happened” so it’s tedious) but hopefully this post will be enough to tell if my PMS is salvageable or if I have to remove my installation and start over. (Again.) And, if I do have to nuke it from orbit (again) is there some way to preserve what remains of my metadata this time?

Finally, for what it’s worth, here are my PMS logs at startup. PMS appears to be attempting to connect to my public IP (I put “xxx” in the last octet for what it’s worth) and it is attempting to “parse device schema” from a port on my LAN gateway. Debug logs show attempts to connect to the remote access port (32400) on loopback but they fail.

Feb 09, 2020 12:26:01.551 [0x7f9a383a1700] INFO - Plex Media Server v1.18.6.2368-97add474d - Ubuntu PC x86_64 - build: linux-x86_64 debian - GMT -08:00
Feb 09, 2020 12:26:01.551 [0x7f9a383a1700] INFO - Linux version: 18.04.3 LTS (Bionic Beaver), language: en-US
Feb 09, 2020 12:26:01.551 [0x7f9a383a1700] INFO - Processor Intel(R) Core(TM) i7-7700T CPU @ 2.90GHz
Feb 09, 2020 12:26:01.551 [0x7f9a383a1700] INFO - /usr/lib/plexmediaserver/Plex Media Server
Feb 09, 2020 12:26:04.877 [0x7f9a127fc700] ERROR - getaddrinfo(172-17-0-1.abcdefghijklmnopqrstuvwxyz012345.plex.direct) failed: -2
Feb 09, 2020 12:26:06.235 [0x7f9a2da7a700] ERROR - Error issuing curl_easy_perform(handle): 35
Feb 09, 2020 12:26:06.235 [0x7f9a2da7a700] WARN - HTTP error requesting GET https://199-83-220-xxx.4f26111badbf478491f39c2658e1cd34.plex.direct:32400/identity (0, No error) (OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 199-83-220-xxx.4f26111badbf478491f39c2658e1cd34.plex.direct:32400 )
Feb 09, 2020 12:26:07.866 [0x7f9a1fbdd700] INFO - Refreshing paths watched by LibraryUpdateManager
Feb 09, 2020 12:26:08.054 [0x7f99ecff9700] ERROR - [Notify] Failed to add watch for "/mnt/plex_media/TV Shows/Rick and Morty/Season 01" (13: Permission denied)
Feb 09, 2020 12:26:08.054 [0x7f99ecff9700] ERROR - [Notify] Failed to add watch for "/mnt/plex_media/TV Shows/Rick and Morty/Season 02" (13: Permission denied)
Feb 09, 2020 12:26:08.055 [0x7f99ecff9700] ERROR - [Notify] Failed to add watch for "/mnt/plex_media/TV Shows/Rick and Morty/Season 04" (13: Permission denied)
Feb 09, 2020 12:26:12.836 [0x7f9a1e3da700] ERROR - Error issuing curl_easy_perform(handle): 52
Feb 09, 2020 12:26:12.836 [0x7f9a1e3da700] WARN - HTTP error requesting GET http://192.168.250.1:1990/0bf9a260-52cd-4df0-8eb1-0daed3f09ee5/WFADevice.xml (0, No error) (Empty reply from server)
Feb 09, 2020 12:26:12.837 [0x7f9a1e3da700] ERROR - SSDP: Error parsing device schema for http://192.168.250.1:1990/0bf9a260-52cd-4df0-8eb1-0daed3f09ee5/WFADevice.xml
Feb 09, 2020 12:28:01.556 [0x7f99effff700] ERROR - Sync: could not get sync list 18784542, sync item 35624264 to update status
Feb 09, 2020 12:28:01.556 [0x7f99effff700] ERROR - Sync: could not get sync list 18784542, sync item 35624276 to update status
Feb 09, 2020 12:28:01.556 [0x7f99effff700] ERROR - Sync: could not get sync list 18784542, sync item 35624281 to update status

And it basically goes on from there.

Grateful for any suggestions at this point,

In your modem/router, create an exception rule which allows private domain “plex.direct”

Do you have a proxy or a certificate of your own active in this configuration?

Thanks @ChuckPa

Should Plex.direct resolve to my internal PMS host IP?

There is no additional proxy for Plex traffic. It’s a pretty generic configuration.

@ChuckPa I am at a point where I feel like I need to fish or cut bait here. I would really like to avoid losing media metadata, access privileges for my users, all of those plugins and their configurations, etc… by having to scrap the mess and start over but if I can’t find anything that sounds like it applies to this problem I don’t really see another option since I foolishly have been backing up my media only and not /var/lib/Plex-whatever since the last time I had to rebuild. (FAIL.)

Thus far I have not seen any documentation that addresses when the local console won’t even load due to the SSL error so if you can even point me to anything relevant it would be a start. Thanks.

@hinder90

I apologize for the delay. I am doing as much as I can as quickly as I can.
I have forum as well as engineering duties.

I’m not asking you to create a domain entry for plex.direct.

I am specifically recommending you create an exception in your DNS rebinding protection rules to allow the private domain “plex.direct”.

On a pfSense, in the DNS Resolver/Server module, it looks like this:

I ran into this earlier tonight so I need to ask you as well.

1. What’s the LAN IP / subnet for the server?
2. What’s the LAN IP / subnet for the machine you’re trying to access (regain control from)?

If the two are different subnets -or- it’s not an RFC-1918 subnet (192.168.x.x, 172.16.x.x -> 172.31.x.x, or 10.x.x.x) then you need to ssh-tunnel to it to regain control. This is PMS default security. It thinks you’re a remote user trying to take over control (as if it’s out on a hosted VPS somewhere). It uses the common LAN subnet address as basis for trusting the connection is the owner.
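An added example, not part of the original thread and not Plex code: it decodes the IPv4 address that a plex.direct hostname carries in its first label, then reports whether that address falls in an RFC 1918 range (the kind of answer DNS rebinding protection discards unless plex.direct is exempted) and whether it sits on the server's LAN subnet. The function names are hypothetical, the first two sample lines are trimmed from the log above, and the third is constructed.

```python
import ipaddress
import re

# The three RFC 1918 private ranges listed in the post above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# First label = dash-separated octets ("x" allowed so redacted names still match).
HOST_RE = re.compile(r"\b((?:[0-9x]{1,3}-){3}[0-9x]{1,3})\.([0-9a-z]+)\.plex\.direct\b", re.I)

def embedded_ip(hostname):
    """Return the IPv4 address encoded in a plex.direct name, or None if masked/invalid."""
    m = HOST_RE.search(hostname)
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(m.group(1).replace("-", "."))
    except ipaddress.AddressValueError:
        return None  # e.g. an octet redacted as "xxx"

def classify(hostname, lan):
    """Report how rebinding protection and the same-subnet check would see this name."""
    ip = embedded_ip(hostname)
    if ip is None:
        return {"ip": None, "rfc1918": None, "same_subnet": None}
    return {
        "ip": str(ip),
        # A public DNS name answering with a private address is what rebinding
        # protection drops; on dnsmasq the exemption is rebind-domain-ok=/plex.direct/
        "rfc1918": any(ip in net for net in RFC1918),
        "same_subnet": ip in ipaddress.ip_network(lan),
    }

def scan(log_text, lan):
    """Classify every plex.direct hostname found in a block of log text."""
    return {m.group(0): classify(m.group(0), lan) for m in HOST_RE.finditer(log_text)}

# Lines 1-2 trimmed from the thread's log; line 3 is constructed for illustration.
SAMPLE_LOG = """\
ERROR - getaddrinfo(172-17-0-1.abcdefghijklmnopqrstuvwxyz012345.plex.direct) failed: -2
WARN - GET https://199-83-220-xxx.4f26111badbf478491f39c2658e1cd34.plex.direct:32400/identity
WARN - GET https://192-168-250-12.0123456789abcdef0123456789abcdef.plex.direct:32400/identity
"""

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_LOG, "192.168.250.0/24").items():
        print(host, verdict)
```

On the sample, the name that failed `getaddrinfo` decodes to a private address outside 192.168.250.0/24, while the redacted public name cannot be decoded and is reported as unknown rather than guessed.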

Thanks @ChuckPa for checking back.

I only have one LAN class C CIDR: 192.168.250.0/24. The plex server is 192.168.250.12. This is the host I am trying to access so that I can manage either directly or over app.plex.tv. All I can do is connect via HTTP which doesn’t allow me to manage local media. I can see media (with metadata issues) on my existing local plex clients like my iPad but not locally.

My router is an ASUS Merlin WRT so I use dnsmasq. I tried making a local domain entry for plex.direct but it was not clear what it should resolve to. I tried the plex server itself (192.168.250.12) but that changed nothing.

My plex server is headless so trying curl -kv https://localhost:32400 shows roughly the same original info:

 * Rebuilt URL to: https://localhost:32400/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 32400 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:32400
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:32400

I am just really baffled as to why this is happening locally, including localhost. I am not sure what I can be allowed to securely connect to my PMS server at all just to have it connect back to app.plex.tv but I am at a loss. If it’s just too weird to figure out, is it possible to regenerate the certs without destroying the rest of my configuration?

Thanks,
Matt

Don’t be sorry! But yes, I have used the IP over the name but the results are in fact identical. As I responded to @ChuckPa the behavior is even the same on localhost.
