TLS Certificate Transition

Starting today, we are beginning a transition to use a new certificate authority (CA) for TLS certificates for Plex Media Server. New certificates will be issued by Let’s Encrypt. We’re beginning the rollout today with a small number of users running Plex Media Server (PMS) version 1.21.3.4021 and newer. By the end of the month, all new and renewed certificates will be from the new CA regardless of PMS version, though existing certs will continue to work until they approach expiration and are renewed. Users shouldn’t generally notice any significant changes, but we’re keeping an eye out for any possible compatibility issues; if you run into any problems related to the transition, please post in this thread describing them.

Along with the change of CA, we’re also making improvements to the way these new certificates are generated. This new mechanism produces smaller certificates with better performance, while also providing stronger security and privacy properties. Additionally, when these certificates are renewed, the new certificate will keep the same domain name as the previous one, which will avoid issues caused by stale client caches which you may have experienced during a certificate renewal in the past on older PMS versions. These generation improvements apply to PMS version 1.21.3.4021 and newer. We don’t anticipate any compatibility issues with this new mechanism, but again, if you encounter any problems, please post about them here.

[EDIT]
The new CA is now available to all users. Thanks to everyone who tested things out before our wider rollout; we haven’t seen any major issues reported!

Before I volunteer, I primarily play Plex content from the Community build for the RaspPi PlexMediaPlayer 2.55 and PlexMediaPlayer for Windows 2.58.

Whilst I can hope and imagine the Windows player might use the platform Windows keychain so might have the root cert for Let’s Encrypt, I worry that the out-of-date LibreElec distro for the Pi might not.

Are these scenarios you’ve considered? How will the clients behave in the case of an invalid cert?

I’ve double-checked and the certificate bundles we provide on both of those apps do contain the ISRG root. Even for devices that don’t have it (most notably older Android versions), we’re using a chain that includes a cross-sign from the DST root for the foreseeable future; see more details about this compatibility measure in this Let’s Encrypt blog post. We may eventually remove the cross-signed root from our chain (and thus reduce its size further, improving connection performance for users) once usage of older devices has dropped and we’re confident that all of our supported platforms will work without it, but I wouldn’t worry about it for now.

Rebooted the server, the new cert is generated and loaded fine.
Web and mobile apps working.

Will this have any ill effect if I am using the custom certificate settings and providing my own? I would guess not, as you guys are updating the cert for the unreadable name/domain you guys assigned back when you had DigiCert sign some things, but just wanted to check and be sure.

There should be no changes to custom certificate handling.

Is the rationale for this change purely a cost-cutting measure? I use LE a lot, nothing against it. Just seems like a lot of work for little benefit unless it’s cost related.

Is it fully compatible with the Samsung TV client?

Should be! We haven’t seen any issues with it in our internal testing, but please let us know if you run into anything on any particular device or firmware.

OK. You can switch me to test

Switch me over @Ridley

I have been manually generating LE certificates for my server for some time now, so having it automated would be great. How would I switch back to not-manual certificates?

@Ridley I’ve rebooted my server, but when I visit https://app.plex.tv/desktop the certificate still shows as being from DigiCert. However, if I load the page directly from my server (https://plex-server:32400) then the certificate is from Let’s Encrypt. I do get a warning from Firefox because the certificate doesn’t match my server name (cert is for a plex.direct domain). Am I doing something wrong? Shouldn’t I get the new cert when launching via plex.tv?

I too have the same issue - cert remains from DigiCert…

Just remove your custom cert path in your server settings. Note that the automatic cert will still be generated and used even if you also have a custom cert.

Are you looking at the cert for app.plex.tv itself, or for your server? Those are completely separate; this change does not affect the cloud service hosting app.plex.tv itself.

Same question.

“This new mechanism produces smaller certificates with better performance, while also providing stronger security and privacy properties.”

Is it correct that you’re moving from RSA to ECDSA certificates?

I just want to say thank you to the crypto folks at Plex. Even with the RSA certs, I can see they are 4096 bit, which is “extra”. Also I can see the connection I’m making to my PMS is TLS 1.3 TLS_AES_256_GCM_SHA384 with X25519 curve, which are all excellent.
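The checks behind the two questions above (which CA issued the server's certificate and whether it is RSA or ECDSA, and why a browser warns when the server is opened by a name its certificate does not cover), as an added Go example that is not part of this thread or of Plex's code. It builds a constructed self-signed ECDSA leaf in place of a real server certificate; the `*.example.plex.direct` wildcard and the `1-2-3-4.example.plex.direct` host are assumptions, not Plex's actual naming scheme.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// keyAlgo names the leaf's key type and size ("ECDSA P-256", "RSA 4096", ...).
func keyAlgo(c *x509.Certificate) string {
	switch k := c.PublicKey.(type) {
	case *ecdsa.PublicKey:
		return "ECDSA " + k.Curve.Params().Name
	case *rsa.PublicKey:
		return fmt.Sprintf("RSA %d", k.N.BitLen())
	}
	return "unknown"
}

// hostnameMatches reports whether the name typed into the browser is covered by
// the cert's SANs (wildcards included); false is exactly why the browser warns.
func hostnameMatches(c *x509.Certificate, host string) bool {
	return c.VerifyHostname(host) == nil
}

// makeTestCert builds a constructed, self-signed ECDSA P-256 leaf so the checks run
// offline; a live leaf would come from a PEM file or tls.ConnectionState.PeerCertificates[0].
func makeTestCert(dnsNames []string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: dnsNames,
		Subject:   pkix.Name{CommonName: "Constructed test issuer"}, // placeholder issuer name
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

func main() {
	c := makeTestCert([]string{"*.example.plex.direct"}) // wildcard SAN is an assumption
	fmt.Println(c.Issuer.CommonName, keyAlgo(c), c.DNSNames)
	fmt.Println(hostnameMatches(c, "plex-server"), hostnameMatches(c, "1-2-3-4.example.plex.direct"))
}
```

Pointing the browser at a name the SAN list covers, or opening the server through app.plex.tv, avoids the mismatch warning; a custom certificate with the server's own hostname is the other route the thread mentions.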

While everything worked fine yesterday, today I can’t get Plex to play on any local or remote clients. It seems unlikely, but could this be related?

It looks like my last cert was pulled on 1/31 and the issuer is Plex Devices High Assurance CA3.

Yup!

That’s an old cert, so your issue is unrelated to this change; please post in a separate thread.

Server side… Am getting an invalid cert message. It is from Let’s Encrypt though…