croneter / PlexKodiConnect

Plex integration in Kodi done right
GNU General Public License v2.0

Kodi 18: SSL certificate failed to validate #664

Open aDarkling opened 5 years ago

aDarkling commented 5 years ago

New installation of plexkodiconnect. I'm trying to get it working.

When it tries to find a Plex media server or I try to start the search manually, it fails with "Could not find any Plex Server in the network. Abort?"

Background info:

Log is attached. kodi.log

Edit by Croneter:

See below for solutions

aDarkling commented 5 years ago

Also, I see you've advised others to go to PKC settings -> Advanced to turn on PKC Debug logging. I don't see that option in my installation. It's the Stable version I downloaded 2 days ago.

croneter commented 5 years ago

You only need to enable Kodi debug logging. Reboot and try again, then share the log.

See here https://github.com/croneter/PlexKodiConnect/wiki/How-to-Report-A-Bug

croneter commented 5 years ago

Manually setting the PMS ip and port works?

croneter commented 5 years ago

Ah sorry I see that this DID work. What did not work is using direct paths. Please make sure you've add-on paths enabled, not direct paths.

BlackSmith commented 5 years ago

I'm not sure if my problem is related to this. But after upgrading to Kodi 18 stable (PlexKodiConnect 2.6.1), PlexKodiConnect cannot connect to my Plex server. If I tried to set the server manually or choose from the list, the configuration window was closed.

I'm not sure which version of PlexKodiConnect I had before, but I had Kodi 18 R5 and all worked fine. I solved this problem by downgrading PlexKodiConnect to version 2.4.11.

Environment: XBox One with Kodi 18

aDarkling commented 5 years ago

OK - Powered off & on Kodi, let it give me the Abort message, then navigated to PKC Settings and asked to choose a server manually to get a second Abort message, and then powered off & copied the log file.

Weird - there's no token tags that I was warned to replace in the log file. Does that just not report now?

kodi.log

croneter commented 5 years ago

@Blacksmith Please also share a log file of the issue with debug logging enabled. See https://github.com/croneter/PlexKodiConnect/wiki/How-to-Report-A-Bug

croneter commented 5 years ago

Well, PKC is unable to find/connect to any PMS in your LAN - a debug log won't change that.

The problem now is that Kodi 18 is now checking SSL certificates before e.g. start playing an item. If you plug-in your PMS IP & port manually and use a Plex standard config, your Plex SSL certificate won't match for the local IP (e.g. 192.168.1.2 instead of <something>.plex.direct).

To check this: try using your browser to connect to your Plex Web using the local IP of the PMS like https://192.168.1.2:32400. I get "the same" SSL certificate error that Kodi complains about:

This SSL certificate is only valid *.5609443c3e624a2a9dd21e1e2a92<cut>.plex.direct.

I'm looking into this
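The name mismatch described in the comment above, as an added example that is not part of the original thread or of PKC's code: a simplified RFC 6125-style check of which connection targets a certificate's subject alternative names cover. The server hash is a constructed placeholder, and the dashed-IP `plex.direct` host name format is an assumption not stated on this page.

```python
import ipaddress

def is_ip(name):
    """True if `name` is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, host):
    """Simplified RFC 6125 match: '*' may only stand for the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def cert_matches(san_dns, san_ip, target):
    """True if `target` (what the client connects to) is covered by the SAN entries."""
    if is_ip(target):
        # IP literals are compared only against iPAddress SANs, never DNS wildcards.
        want = ipaddress.ip_address(target)
        return any(ipaddress.ip_address(ip) == want for ip in san_ip)
    return any(dns_name_matches(p, target) for p in san_dns)

def plex_direct_name(ip, server_hash):
    """Assumed plex.direct naming: the IP written with dashes under the hash label."""
    return f"{ip.replace('.', '-')}.{server_hash}.plex.direct"

# Constructed sample data; the hash is a placeholder, not a real server id.
SERVER_HASH = "0123456789abcdef0123456789abcdef"
PLEX_SAN_DNS = [f"*.{SERVER_HASH}.plex.direct"]
PLEX_SAN_IP = []  # the default certificate carries no iPAddress entry for the LAN IP

def check_targets():
    """Evaluate the connection targets discussed in the thread against the cert."""
    targets = ["192.168.1.2",
               plex_direct_name("192.168.1.2", SERVER_HASH),
               "www.yourpms.com"]
    return {t: cert_matches(PLEX_SAN_DNS, PLEX_SAN_IP, t) for t in targets}

if __name__ == "__main__":
    for target, ok in check_targets().items():
        print(f"{target:62s} {'OK' if ok else 'certificate name mismatch'}")
```

Only the `plex.direct` name validates against the default certificate; a custom certificate issued for `www.yourpms.com` validates only when the client connects by that name, not by the LAN IP.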

croneter commented 5 years ago

If you somehow manage to make Direct Paths work for you, that would be a workaround 🙂

croneter commented 5 years ago

@aDarkling This issue of yours cannot be solved easily by PKC. Kodi 18 started verifying SSL certificates. I have not yet found a way to circumvent that (which is good, from a security perspective 😉 ).

PKC will not offer "indirect connections" as they are limited to 1 or 2 Mbits for streaming - not enough by far for most people...

There are 4 possible solutions

Try one of the following:

  1. Change/fix your own network setup so Plex "indirect connections" become normal connections when you use another Plex client.
  2. Alternatively, manually enter your PMS ip and port in PKC and deactivate Enable HTTPS in PKC
    • be aware that your network traffic is then not encrypted/secure. This should usually be no big issue if you're connecting PKC and Kodi in your home LAN
    • make sure that the PMS allows non-secure HTTP connections (changing PMS settings using Plex Web)
  3. If you know what you are doing from a networking perspective and you have e.g. Plex use a custom SSL certificate (e.g. Let's Encrypt), you can make sure that your router uses "Reverse NAT".
    • An external URL/IP like www.yourpms.com will thus be correctly translated to a LAN-internal IP such as 192.168.1.2 - while the SSL certificate is still valid
    • To use PKC, simply manually enter the external URL/IP like www.yourpms.com
  4. If you know what you are doing, you can add the PMS' SSL certificate to the Kodi OS' trusted certificate store. This is highly dependent on the OS Kodi is running on.

croneter commented 5 years ago

Note to self 😉: the undocumented Kodi Curl option verifypeer=false does NOT work if

aDarkling commented 5 years ago

Thanks for that wonderful & detailed response!

So if I wanted it to work as it had in previous Kodi versions, I'd have to setup a SSL certificate on the PMS server & then add it to Kodi's cert store -- which most people may not be able to do manually unless there was some sort of SSL Cert addon.

The other options you presented are a lot more accessible. I went with #2. I may try the Cert thing at a later date & give a writeup.

Thanks!

ontap-lab commented 4 years ago

I'm not sure if my problem is related to this. But after upgrading to Kodi 18 stable (PlexKodiConnect 2.6.1), PlexKodiConnect cannot connect to my Plex server. If I tried to set the server manually or choose from the list, the configuration window was closed.

I'm not sure which version of PlexKodiConnect I had before, but I had Kodi 18 R5 and all worked fine. I solved this problem by downgrading PlexKodiConnect to version 2.4.11.

Environment: XBox One with Kodi 18

Could you please tell me where you found version 2.4.11? I have been stuck unable to use PKC since November. When I scroll back the versions in the PKC addon on Kodi, it only goes back as far as 2.8.0. EDIT: found version 2.4.10, but it still says (after adding the code to plex.tv in the browser and it saying linked), when the server name pops up in Kodi and I click on it, "not yet authorised for server please go to plex.tv/link".

ontap-lab commented 4 years ago

Regarding the above issues, I went back to Krypton 17.6, on the assumption that the issue was Leia 18 related, and am afraid PKC still is unable to detect the fact that my server is linked and won't populate the addon.

rayban099 commented 4 years ago

I may have found a solution for this that doesn't involve complex manipulation of Kodi, Plex, or devices. This past week, I noticed that subtitles wouldn't download next to the files when I attempted to grab them using Kodi. This is a feature that has always worked for me, so I didn't understand why it all of a sudden stopped working. After investigating and eliminating things such as permissions issues on my NAS, I noticed that the path for the media content no longer referenced my NAS but was using some Plex direct path URL. As a result of this, Kodi no longer had direct access to my path. This meant it was unable to save subtitles next to files, or access any of my local data (clearart, extra fanart, etc.). The only images available were those supplied by Plex.

I reset PKC and tried to fix the problem. I thought it was a certificate problem, so I set up PKC to use a Let's Encrypt certificate within the PKC setup. This resulted in a problem where PKC was unable to find any Plex servers on my network. My guess is Plex only expects certificates that are signed by Plex's Let's Encrypt certificate authority. Custom/personal certificates won't work. So, I reset PKC again and used all of the defaults for Direct Path and got it syncing again. I still didn't have access to local data via Kodi because the path was wrong, but I had one more idea. Configuring custom certificates within Plex network settings. This worked for me. Kodi is now doing everything it used to do.

Step by Step fix:

PKC defaults to SSL and uses its own certificate which it applies to a unique server name used to identify your installation. However, because a server.pfx certificate has been installed in Plex, it no longer replaces your local path with the Plex URL for direct connection. Your server path, which has been validated in the Plex Network configuration, is populated and Kodi now can see and operate on your direct path as usual. I hope this helps.

Snowman3456 commented 3 years ago

Same issue here. How does one accomplish #4 for an Ubuntu OS? (my router does not have #1 as an option):

I don't know what I am doing but 3 is seemingly much more complicated than 4 and 2 is a compromise I am not willing to make as it affects WAN connections.

Just trying to use PKC for LAN so entering the server IP should resolve correctly and be able to disregard cert validation. I have my LAN IP range whitelisted for not needing authentication according to the plex server setting.

@aDarkling This issue of yours cannot be solved easily by PKC. Kodi 18 started verifying SSL certificates. I have not yet found a way to circumvent that (which is good, from a security perspective 😉 ).

PKC will not offer "indirect connections" as they are limited to 1 or 2 Mbits for streaming - not enough by far for most people...

There are 4 possible solutions

Try one of the following:

1. Change/fix your own network setup so [**Plex "indirect connections"**](https://support.plex.tv/articles/216766168-accessing-a-server-through-relay/) become normal connections when you use another Plex client.

   * This is most likely done by disabling `DNS rebind protection` in your router. See e.g. https://forums.plex.tv/t/why-does-my-plex-media-server-think-a-local-pc-is-remote/206269/2#Comment_1516941
   * PKC should then be able to connect to your PMS "normally" by `Pick PMS from a list` in the PKC settings, no manual input needed
4. If you **know what you are doing**, you can [add the PMS' SSL certificate to the Kodi OS' trusted certificate store](https://forum.kodi.tv/showthread.php?tid=331918&pid=2735088#pid2735088). This is highly dependent on the OS Kodi is running on.

croneter commented 3 years ago

Same issue here. How does one accomplish #4 for an Ubuntu OS? (my router does not have #1 as an option):

@Enigma0 How about this manual here? https://askubuntu.com/questions/645818/how-to-install-certificates-for-command-line

Snowman3456 commented 3 years ago

@croneter Thanks - as it happens, just resetting PKC and restarting Kodi seems to have allowed PKC to find the server anyway!

gomaaz commented 2 years ago

Important advice! If the user unauthorized server. Double check that all network URLs in network tab are listed (comma separated). Even if you try to connect without SSL (http) you have to type the domain in network tab with http://

blixten85 commented 8 months ago

I think I got it working on my LibreELEC device (Raspberry Pi 4).

I got forced encryption set on, in my PLEX media server (raspberry pi 5) I got Strict TLS-configuration on

On the LibreELEC device:

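```sh
# Generate an EC private key (prime256v1 curve) and write it to cacert.pem
openssl ecparam -genkey -name prime256v1 -out cacert.pem
# Copy the file into LibreELEC's persistent config directory, then reboot
cp cacert.pem /storage/.config/
reboot
```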

I did a reset on the PKC addon (which hung itself after some time and I rebooted the LibreELEC once more). Went through the PKC setup again and it worked.

Now I am playing over LAN, but the PLEX server still forces encryption so this should work over the internet as well I guess.

EDIT: I am on Kodi Nexus 20 for the LibreELEC and Version 1.40.1.8227 for the PLEX