plex server not working if using SSL #1307

Closed
1 task done
Ladduro opened this issue Jan 25, 2025 · 10 comments

Ladduro commented Jan 25, 2025

Description

Enabling 'Use SSL' in settings for plex server will result in 'Failed to connect to Plex.' error.

Log file shows:

2025-01-25T13:37:14.136Z [error][API]: Something went wrong testing Plex connection {"errorMessage":"Hostname/IP does not match certificate's altnames: IP: 10.0.10.2 is not in the cert's list: "}

Plex is using its own self-signed certificate and secured connections in the Network tab is set to 'Preferred'

Version

2.3.0

Steps to Reproduce

  1. Go to Settings > Plex
  2. Check 'Use SSL'
  3. Save Changes

Logs

2025-01-25T13:21:49.237Z [debug][AvailabilitySync]: Failure retrieving the non-4K movie [TMDB ID 402431] from Plex. {"errorMessage":"Hostname/IP does not match certificate's altnames: IP: 10.0.10.2 is not in the cert's list: "}
2025-01-25T13:40:00.016Z [error][Plex Scan]: Scan interrupted {"errorMessage":"Hostname/IP does not match certificate's altnames: IP: 10.0.10.2 is not in the cert's list: "}
2025-01-25T13:37:14.136Z [error][API]: Something went wrong testing Plex connection {"errorMessage":"Hostname/IP does not match certificate's altnames: IP: 10.0.10.2 is not in the cert's list: "}
2025-01-25T13:31:14.476Z [error][API]: Something went wrong testing Plex connection {"errorMessage":"Hostname/IP does not match certificate's altnames: IP: 172.16.3.1 is not in the cert's list: "}

Platform

desktop

Database

SQLite (default)

Device

Mac

Operating System

OSX

Browser

Brave

Ladduro added the "awaiting triage" and "bug" labels Jan 25, 2025
fallenbagel removed the "bug" and "awaiting triage" labels Jan 25, 2025
@fallenbagel
Owner

fallenbagel commented Jan 25, 2025

Not a bug. If you're using self signed certs you're gonna have to pass in the certs to nodejs.

This is more of a support question

👋 @Ladduro, we use the issue tracker exclusively for bug reports and feature requests. However, this issue appears to be a support request. Please use our support channels to get help with Jellyseerr.

github-actions bot closed this as not planned Jan 25, 2025
github-actions bot locked as off-topic and limited conversation to collaborators Jan 25, 2025
Repository owner unlocked this conversation Jan 25, 2025
@fallenbagel
Owner

fallenbagel commented Jan 25, 2025

Add Environment=NODE_EXTRA_CA_CERTS=[your CA certificate file path] with the path to the .crt in /usr/local/share/ca-certificates/

@Ladduro
Author

Ladduro commented Jan 25, 2025

The cert is the Plex-issued one; I don't think I have access to it. Also, it seems the Plex cert is created by Let's Encrypt, so it will renew every 3 months, making your suggestion a manual task every 3 months.

@fallenbagel
Owner

fallenbagel commented Jan 25, 2025

If it's Let's Encrypt it should work then. I gave my suggestion because you mentioned it was self-signed.

This is still not a bug because I have (and several others are running plex with ssl through Jellyseerr AND overseerr [literally everyone using overseerr])

Can you docker exec -it jellyseerr sh then apk update && apk add curl then curl -L https://yourplex.com

And I would suggest hopping onto Discord to troubleshoot this.

@Ladduro
Author

Ladduro commented Jan 25, 2025

/app # apk update
fetch https://dl-cdn.alpinelinux.org/alpine/v3.21/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.21/community/x86_64/APKINDEX.tar.gz
v3.21.2-132-ge7c2a305a2e [https://dl-cdn.alpinelinux.org/alpine/v3.21/main]
v3.21.2-133-g82634e1215d [https://dl-cdn.alpinelinux.org/alpine/v3.21/community]
OK: 25395 distinct packages available
/app # apk add curl
(1/9) Installing brotli-libs (1.1.0-r2)
(2/9) Installing c-ares (1.34.3-r0)
(3/9) Installing libunistring (1.2-r0)
(4/9) Installing libidn2 (2.3.7-r0)
(5/9) Installing nghttp2-libs (1.64.0-r0)
(6/9) Installing libpsl (0.21.5-r3)
(7/9) Installing zstd-libs (1.5.6-r2)
(8/9) Installing libcurl (8.11.1-r0)
(9/9) Installing curl (8.11.1-r0)
Executing busybox-1.37.0-r9.trigger
OK: 15 MiB in 28 packages
/app # curl -L https://10.0.10.2:32400/
curl: (60) SSL: no alternative certificate subject name matches target ipv4 address '10.0.10.2'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

@fallenbagel
Owner

Yeah, so the issue is that if curl can't verify it then nodejs can't either. This issue is not a bug, but the certs provided are not proper and there is nothing we can do about it. You'll have to figure out why the Let's Encrypt SSL provided by Plex is not being verified like that, because it should be, technically.

A workaround for now could be:
Adding the env var NODE_TLS_REJECT_UNAUTHORIZED=0 should work, but keep in mind that setting this disables all cert checks for the whole application.

@gauthier-th
Collaborator

Are you sure the SSL certificate is generated for your IP too? Not just for your domain?
From the error you sent it seems that your IP is not included in the certificate, hence the error.

Try to use only the domain name instead of the IP, or regenerate the Let's Encrypt certificate to include your IP.

@Ladduro
Author

Ladduro commented Jan 25, 2025

I am not the one generating the cert, it was generated when I created my plex server and claimed it.

@Ladduro
Author

Ladduro commented Jan 26, 2025

Leaving this for others that may face the same issue as me. My OPNsense router was preventing DNS rebinds. I had to create a plex.conf file under /usr/local/etc/unbound.opnsense.d with this content:

server:
    private-domain: "plex.direct"

Restart unbound and now all is working.
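
Added example, not part of the thread and not Jellyseerr code: it reproduces the logged error with Node's own `tls.checkServerIdentity` against a constructed certificate object, then models why the resolver setting above matters. Assumptions: `HASH` is a placeholder, the dashed-IP `plex.direct` name format is Plex's usual scheme and is not shown in the thread, and `identityError`, `plexDirectName` and `answerSurvives` are hypothetical helper names.

```javascript
const tls = require('node:tls');
const net = require('node:net');

// Constructed stand-in for the certificate a claimed Plex server presents:
// one wildcard DNS name under plex.direct and no IP entries. HASH is a placeholder.
const HASH = '0123456789abcdef0123456789abcdef';
const plexCert = {
  subject: { CN: `*.${HASH}.plex.direct` },
  subjectaltname: `DNS:*.${HASH}.plex.direct`,
};

// The name check Node applies to the host it dialled, separate from chain trust.
// Returns null when the host is covered, otherwise the error message.
function identityError(host, cert) {
  const err = tls.checkServerIdentity(host, cert);
  return err ? err.message : null;
}

// Assumed plex.direct naming: the server IP with dashes, then the hash label.
function plexDirectName(ip, hash) {
  return `${ip.replace(/\./g, '-')}.${hash}.plex.direct`;
}

// Model of unbound's rebind filter: RFC 1918 addresses are stripped from
// answers unless the queried name is under a configured private-domain.
function answerSurvives(name, ip, privateDomains) {
  const rfc1918 = new net.BlockList();
  rfc1918.addSubnet('10.0.0.0', 8);
  rfc1918.addSubnet('172.16.0.0', 12);
  rfc1918.addSubnet('192.168.0.0', 16);
  if (!rfc1918.check(ip)) return true; // public address: never filtered
  return privateDomains.some((d) => name === d || name.endsWith(`.${d}`));
}

const name = plexDirectName('10.0.10.2', HASH);
// Dialling the bare IP fails the name check even though the chain is valid.
console.log('by IP   :', identityError('10.0.10.2', plexCert));
// Dialling the plex.direct name passes, provided it resolves at all.
console.log('by name :', identityError(name, plexCert));
console.log('resolves without private-domain:', answerSurvives(name, '10.0.10.2', []));
console.log('resolves with private-domain   :', answerSurvives(name, '10.0.10.2', ['plex.direct']));
```

The first result shows that the failure is a name mismatch rather than an untrusted issuer, which is why adding a CA via NODE_EXTRA_CA_CERTS would not have helped here and why disabling verification was unnecessary once the hostname resolved.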
