## How NOT To Install Self-Signed Certs On Our Plex Server

I have just installed a Plex server, on the host-machine I have on my LAN, that host-machine being named ‘Phoenix’. The purpose of this server is to allow me to access Media Files – i.e. Movies and Photos – Not Just from anyplace within my LAN, but from any place outside my LAN as well, which only I will have access to – as we don’t share our Plex passwords with friends.

Some people might wonder why this is useful to me, especially since Plex is a paid-for service, and since I already have a VPN. And the reason is simply the fact, that to access certain resources on my LAN by way of the VPN, can be slow and cumbersome. It might work for a Samba share, just to fetch a file, but if the objective was to watch a movie which I own, and the original format of which I did pay for, then to leave my tablet with a modified network configuration, and logged in to my VPN, for the duration of the entire movie, would become quite impractical. So Plex was my chosen answer.

One problem which some Plex users could run in to, is the idea that when outside their LAN, they first contact a Web-server, which then redirects them to their private IP address. This idea can lead to another idea, which would be that the following connection from their client-program to their Home LAN is not secure, for which reason some Plex users might want to set up an SSL / TLS certificate to secure that second, redirected connection.

The problem with that last part is, that if our Plex server version is reasonably up-to-date, then we don’t need to do this, because Plex has already done so. There exist several tutorials on the Web, one of which explains to us how to set up a self-signed cert, and another which explains to us how Plex on the Web has already got us covered.

My misfortune last night was the fact that I stumbled on these tutorials, roughly in the order in which they occur above: First, to try to install a self-signed cert, then to learn that Plex already has a system in place with “DigiCert”.

The way in which Plex is intended to work with basic users like me, we all have URLs with the Plex site, that run roughly like so:

*.625d406a00ac415b978ddb368c0d1289.plex.direct

1. The user first connects to the Web-server-URL, for which Plex inc. has a certificate, which in turn encrypts communication from that point on.
2. The URL is then not just redirected, but actually rebound, with the IP address of our Home LAN, so that the same cert encrypts the media-flow to our personal server.

What this means is that for most small-scale uses, we don’t need to acquire our own certificate, to secure a direct connection to our LAN. We can just configure our server like so:

If we feel that we need greater security, we can change the settings to “Required”, meaning that all connections to our Plex server, except from the same computer (from ‘localhost’), and except from within our LAN, will need to be secure in order to proceed. And then most of us still won’t have to fill in any of the fields below, to set up a custom cert.

But there is a disadvantage to settings ‘Secure Connection’ to ‘Required’. The simple usage-scenarios can be given, that we want to connect to our media-server using an app that doesn’t support TLS, or through the ‘Plex Web’ site, but from within our own LAN. What Plex Web will try to do, is to rebind the IP-address to the IP-address  which our server has on the WAN, and to give us a secure connection that way – even though we’re connecting to a place on our own LAN!

This can easily fail, because It can go against router policy, to rebind IP addresses to our own LAN. It can also go against browser policies, in the form of ‘Application Boundary Security’, where an external site is not supposed to gain access to resources on our LAN…

But as it stands, each of my Android clients was already set up by default, to ‘Allow Insecure Connections: Never’, my Roku works, and there is no need to use Plex Web from home.

I suppose the reader might wonder, what would happen if indeed, he was to set up a Custom Certificate for his Plex server at home…

## Surprising Revelation about the Apache Listening IPs

One of the details in my Apache configuration which I had placed emphasis on, was that this Web-server is supposed to listen on all IPv4 as well as all IPv6 interfaces, on the host-machine I name ‘Phoenix’. And so in the configuration file ‘/etc/apache2/ports.conf‘, I have set up so:


# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 80

<IfModule ssl_module>
Listen 443
</IfModule>

<IfModule mod_gnutls.c>
Listen 443
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet




And, in the file ‘sites-enabled/000-default.conf‘ I have stated:


<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com




But, when I run the command ‘netstat‘, what that command seems to reveal is:


dirk@Phoenix:~$netstat -l --tcp --numeric | grep 80 tcp6 0 0 :::80 :::* LISTEN dirk@Phoenix:~$ netstat -l --tcp --numeric | grep 443
tcp6       0      0 :::443                  :::*                    LISTEN
dirk@Phoenix:~$  What I expect to see, is instead:  dirk@Phoenix:~$ netstat -l --tcp --numeric | grep 80
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
dirk@Phoenix:~$netstat -l --tcp --numeric | grep 443 tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN tcp6 0 0 :::443 :::* LISTEN dirk@Phoenix:~$




Yet, contrarily to what catastrophic expectations might suggest, I find that my site is accessible to IPv4 addresses to begin with. Not only that, but I routinely use the internal, IPv4 loopback-address, and the URL:



http://127.0.1.1/blog/




To access my own blog. The surprising fact about this setup, is that it still works, and I could come up with some creative ideas, about why this has been working all along.

• The router could be forwarding all the IPv4 traffic from the WAN, to a LAN-specific IPv6 address belonging to my host-machine,
• The way the kernel works could be such, that if any server is listening on ‘:::80‘, it is also automatically listening on ‘0.0.0.0:80‘.

My actual router settings only show my host as having an IPv4, LAN address.

I don’t understand it, but as long as this has not been creating any malfunctions, I’m not going to dig deeper into the subject for now. If indeed, my server was no longer listening on any IPv4 WAN addresses, I would have obtained notifications to that effect by now.

Dirk

(Edit : )

This has just been confirmed as the standard behavior of Apache (to use just one socket), as described in this external BB posting.