TechPerplexed / Gooby

Gooby: The ultimate infinite Plex media server using a VPS and Cloud service
https://bit.ly/Tech_Perplexed
GNU General Public License v3.0

Plex Secure connection issues with NGINX #158

Closed christeasdale closed 3 years ago

christeasdale commented 3 years ago

I and many other Plex users have been having issues with the "New Player" in the Plex AndroidTV app. After a lot of research I found out that Plex "New Player" actually does a check before playback to make sure the connection is secure. If not, it fails playback.

So by design Gooby's intention was to have the Plex server running behind the NGINX reverse proxy, but if the official guide is followed that isn't the case. In 21-plex-beta.yaml, 21-plex-hw.yaml and 21-plex.yaml for the Docker containers all have this line:

-ADVERTISE_IP=https://plex.${MYDOMAIN}:8443

Okay, if you have your domain set in Gooby for plex.MYDOMAIN the certificate pulled is only going to apply to plex.MYDOMAIN, and your DNS will direct all secure traffic coming in on port 443 through NGINX, which then arrives at port 8443 and directs to your Docker container running on default Plex port 32400.

So to make this work correctly for me at least I had to change to this:

Plex yaml file line "-ADVERTISE_IP=https://plex.${MYDOMAIN}", which changes "Plex Settings->Network->Custom server access URLs" to "https://plex.MYDOMAIN", which Plex.tv then uses on its website to let your Plex clients know how to find your Plex server securely using your Let's Encrypt certificate.

This only works if you DISABLE Plex's built-in "Remote Access" completely.

If you keep the normal Gooby settings and use Plex's "Remote Access", your Plex traffic isn't going through NGINX. The only reason it works at all this way is because of what many think is a bug in Docker: ports exposed in Docker containers (in our Plex Gooby case 8443) are open to the public internet.

Plex's method of providing certificates is quite complicated with wildcards, etc. So with the Gooby default settings applied and Plex "Remote Access", I found that going to plex.MYDOMAIN and attempting to log in to my Plex Server the connection was NOT SECURE. Instead of using my Let's Encrypt certificate it was using a Plex Inc owned certificate that was not valid because of course it didn't match the custom domain name plex.MYDOMAIN. It is unclear to me why in the Plex server GUI or many apps it still shows a secure connection, but it sure doesn't seem the correct way to deploy things. I think we are using multiple certificates and different routes to get to the Plex server instead of the NGINX reverse proxy.

I know this works because I set up my Vultr Firewall and blocked all ports except for 443 and my setup worked and the stock Gooby setup does not! I am not sure how we should proceed? I am no web expert so maybe I am missing something? I did however notice that none of the other services on Gooby (Emby, Jellyfin etc.) specify a port number after MYDOMAIN, so making sure all traffic goes through the NGINX reverse proxy.

bdschuster commented 3 years ago

So, I do know your trouble... this was a pain for a while at the end of last year for me... I did end up figuring out what we need to do, and have been using it for a while now, and discussed with @TechPerplexed for a moment, but I believe we are still planning on switching to a different proxy which would take care of this issue for a longer time than how it's set up now. Let us ponder on this for a moment, but yes, I know your trouble.

christeasdale commented 3 years ago

Okay good to know I am not crazy. So I have modified "/var/local/Gooby/Docker/components/21-plex.yaml" so I have everything working with "-ADVERTISE_IP=https://plex.${MYDOMAIN}" on my server. So would anything short of a full reinstall of Gooby change this file on me?

bdschuster commented 3 years ago

If that's working for you, awesome. I went a different direction and just created a PKCS#12 cert out of the letsencrypt certs and have been using that. Otherwise, if your way is working, no, nothing will change that file on you unless we make a major update; minor updates won't change that file.

christeasdale commented 3 years ago

You know I looked into using that option as well, but first I wasn't sure what local folders were mapped to the Plex Docker container, but your photo helped me figure that one out. Second, don't you have to manually update the PKCS#12 file each time the Letsencrypt certs expire/renew? I was also concerned that my setup would make Plex clients think they were connecting to a LAN Plex server, but I guess with "Plex Settings->Network->Custom server access URLs" set to "https://plex.MYDOMAIN" it still seems that Plex Web and other clients are aware that the Plex server is "Remote". Also, so much work was put into setting up Gooby with the NGINX reverse proxy it seems good to use it. Seems using the Vultr Firewall ahead of my VPS shouldn't have any downsides? I have just port 22 (open only to my home IP) and port 443. Things seem to be working perfectly. My several FireTV users even noticed that movies start quicker on the Plex New Player in Android. I guess the one negative is the Plex settings GUI isn't unhappy and gives me the red "!" because my "remote access" is disabled. Weird that Plex doesn't consider that some folks might not want remote access.

christeasdale commented 3 years ago

> If that's working for you, awesome. I went a different direction and just created a PKCS#12 cert out of the letsencrypt certs and have been using that. Otherwise, if your way is working, no, nothing will change that file on you unless we make a major update; minor updates won't change that file.

@bdschuster Can you explain briefly how you set up the custom certs in PKCS#12 format? I am curious, did you automate the process when the LetsEncrypt certs get updated? I figure then we can close this since it seems on the roadmap with @TechPerplexed that Gooby will go to a new proxy at some point. But I figure this post will be helpful for others that might be having the same issue with Plex AndroidTV "New Player". Thanks

christeasdale commented 3 years ago

Okay, seems we have a couple of temp solutions for potential issues. Hope it helps. Happy Holidays 2020!

ltheakston commented 3 years ago

I used @christeasdale's solution which seemed to work for a while, but as of the latest Plex updates, I am now getting the same issue again. I now cannot switch to the old player as this is no longer available. I've checked my Plex yaml file and the change still exists, but it is obviously no longer a solution.

christeasdale commented 3 years ago

A week ago I ended up having to use a new domain name since the cert didn't update correctly from letsencrypt.org again and I was over their weekly limit for my current domain name. I haven't gone back to see if I can get my old domain name to work once again. Sounds like you might be having the same issue.

DPMUC commented 3 years ago

Hey guys... will there be any update on this? I love Gooby and really like to stay with it :) but this leads to so many Android based issues... is there any "timeline" for a new Gooby setup? Thx a lot for your great work 👍

bdschuster commented 3 years ago

@christeasdale, sorry, I missed your comment asking me how I created the cert. It's pretty simple. Go to your cert directory and export the bundle:

    cd /var/local/Gooby/Docker/certs/plex.YOURDOMAIN/
    sudo openssl pkcs12 -export -out certificate.pfx -inkey key.pem -in cert.pem -certfile fullchain.pem

It will prompt you for your export password; this can be anything you want it to be, just remember it. Move the certificate.pfx file to a directory that the Plex container can see (ie: /var/local/Gooby/Plex), then fix the ownership:

    sudo chown YOURUSERNAME:YOURUSERNAME /var/local/Gooby/Plex/certificate.pfx

or wherever you decided to put the cert. Now as my screenshot shows, if you put it in the /var/local/Gooby/Plex folder, then use '/config/certificate.pfx' for location. Encryption key is the export password you used, and the domain should be "https://plex.YOURDOMAIN.COM:8443". No need to restart Plex, just save, and it should be good. This should work for everyone else @DPMUC and @ltheakston. Let me know if you have any issues.

Haven't had an issue or anything since I did this back in March of 2020.
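
The manual export above has to be redone every time Let's Encrypt renews the certificate, which is the automation question left open earlier in the thread. The script below is an added example, not part of Gooby or of bdschuster's setup: it wraps the same openssl export in a function you can run from cron (or whatever hook runs after Gooby renews the certs), then reads the bundle back to confirm it carries your domain. The paths, user name and the PFX_PASS variable are assumptions; the served_subject check is there to tell a plex.direct certificate apart from your own when the Android error appears.

```shell
#!/bin/sh
# Rebuild Plex's PKCS#12 bundle from the Let's Encrypt PEM files and verify it.
# Assumed paths (hypothetical; adjust to your install):
CERT_DIR="${CERT_DIR:-/var/local/Gooby/Docker/certs/plex.YOURDOMAIN}"
PLEX_DIR="${PLEX_DIR:-/var/local/Gooby/Plex}"
PLEX_USER="${PLEX_USER:-YOURUSERNAME}"

# build_pfx CERT_DIR OUT_FILE PASSWORD
# Bundles key.pem, cert.pem and fullchain.pem into OUT_FILE, same as the
# interactive export but with the password passed via the environment so it
# never shows up in the process list. Fails early if any PEM file is missing.
build_pfx() {
  dir="$1"; out="$2"; pass="$3"
  for f in key.pem cert.pem fullchain.pem; do
    [ -s "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
  done
  PFX_PASS="$pass" openssl pkcs12 -export -out "$out" -inkey "$dir/key.pem" \
    -in "$dir/cert.pem" -certfile "$dir/fullchain.pem" \
    -passout env:PFX_PASS >/dev/null 2>&1
}

# pfx_subject PFX_FILE PASSWORD
# Prints the subject of the leaf certificate inside the bundle, so you can
# confirm it names plex.YOURDOMAIN before Plex loads it.
pfx_subject() {
  PFX_PASS="$2" openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:PFX_PASS \
    2>/dev/null | openssl x509 -noout -subject 2>/dev/null
}

# served_subject HOST PORT
# Subject of the certificate actually presented on the wire. If this names
# *.plex.direct instead of your domain, Plex is not serving your bundle.
served_subject() {
  printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null
}

# Run with the argument "renew" after the certs have been renewed:
#   PFX_PASS='your export password' sh rebuild-plex-pfx.sh renew
main() {
  : "${PFX_PASS:?set PFX_PASS to the export password Plex has as encryption key}"
  build_pfx "$CERT_DIR" "$PLEX_DIR/certificate.pfx" "$PFX_PASS" || exit 1
  chown "$PLEX_USER:$PLEX_USER" "$PLEX_DIR/certificate.pfx"
  pfx_subject "$PLEX_DIR/certificate.pfx" "$PFX_PASS"
}
if [ "${1:-}" = "renew" ]; then main; fi
```

Plex only re-reads the bundle when the path in Settings is saved, so if the subject printed by served_subject still shows plex.direct after a rebuild, re-save the certificate location as described above.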

ltheakston commented 3 years ago

Thanks @bdschuster @christeasdale but my issue turned out to be unrelated. My Google drive storage got deleted and I hadn't noticed. It's all working fine now.

bdschuster commented 3 years ago

> Thanks @bdschuster @christeasdale but my issue turned out to be unrelated. My Google drive storage got deleted and I hadn't noticed. It's all working fine now.

Whoa! how did it get deleted!?

ltheakston commented 3 years ago

> Thanks @bdschuster @christeasdale but my issue turned out to be unrelated. My Google drive storage got deleted and I hadn't noticed. It's all working fine now.

> Whoa! how did it get deleted!?

I had a team drive that was not entirely legit. I was expecting it to get deleted at some point, it was only £2.50 for life after all, that's why I have backups.

thunderstorm654 commented 2 years ago

@bdschuster I followed your instructions to create the cert in September, and this was all working until the past few days. Now Android is refusing to connect unless insecure connections are allowed in the apps. Also when I access plex.mydomain:8443 I'm getting the invalid certificate error (which is picking up the plex.direct cert and not mine). Just wanted to ask if this is all still working for you? Banging my head against the wall the past two days trying to see why this isn't working anymore. The certs did get auto renewed last week, so I did also try regenerating the pfx using the same command, but it makes no difference with the old or new .pfx. Any ideas? I'd be super grateful!

christeasdale commented 2 years ago

You said your certs renewed? I have had issues with the certificate not renewing correctly because I had all IPv6 ports closed and had to open ports 80 and 443 for it to update the certs correctly. I have also a couple of times had to just use a different web address in Gooby/Plex to get a new working certificate. Not sure any of this will help you, but I hope you can get it working. I have been where you are at a few times.