#Unexpected error generating plex auth app url: The SSL connection could not be established


tardy crystal
#

I set up a docker image using the following docker run command:

```
docker run \
  --name ersatztv \
  -e TZ=America/Vancouver \
  -p 8409:8409 \
  -v /docker/ersatztv:/root/.local/share/ersatztv \
  --restart always \
  jasongdove/ersatztv:latest-nvidia
```

I then went to the UI at http://localhost:8409 and proceeded to try to add my plex media library. When clicking the "Sign in to plex" button, nothing happened aside from an error in the UI and the same error in the docker container's logs:
error: Unexpected error generating plex auth app url: The SSL connection could not be established, see inner exception.

The docker container is running on my server and I've set up an SSH reverse tunnel so my PC, where I'm configuring ErsatzTV, uses a tunnel to http://localhost:8409. I'm not able to directly set up from the same network, as my server is located at a different location than my PC. I don't know if this is causing the issue or not. I have also tried using Caddy reverse proxy and I get the same error.

restive lagoon
#

Is the Etv instance running on the same machine as Plex?

#

Is it also a Docker container?

shell thicket
#

does the log file have any more details? this looks like an issue talking to plex's servers (https://plex.tv), not yours

tardy crystal
#

yes it's running on same machine as plex. plex is not a docker container, only etv

#
```
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
 ---> Interop+Crypto+OpenSslCryptographicException: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
   --- End of inner exception stack trace ---
   at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, ReadOnlySpan`1 input, Byte[]& sendBuf, Int32& sendCount)
   at System.Net.Security.SslStreamPal.HandshakeInternal(SafeDeleteSslContext& context, ReadOnlySpan`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream
```
#
```
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(QueueItem queueItem)
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.DiagnosticsHandler.SendAsyncCore(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at Microsoft.Extensions.Http.Logging.LoggingHttpMessageHandler.<SendCoreAsync>g__Core|5_0(HttpRequestMessage request, Boolean useAsync, CancellationToken cancellationToken)
   at Microsoft.Extensions.Http.Logging.LoggingScopeHttpMessageHandler.<SendCoreAsync>g__Core|5_0(HttpRequestMessage request, Boolean useAsync, CancellationToken cancellationToken)
```
#
```
   at Refit.RequestBuilderImplementation.<>c__DisplayClass14_0`2.<<BuildCancellableTaskFuncForMethod>b__0>d.MoveNext() in /_/Refit/RequestBuilderImplementation.cs:line 256
--- End of stack trace from previous location ---
   at ErsatzTV.Infrastructure.Plex.PlexTvApiClient.StartPinFlow() in /source/ErsatzTV.Infrastructure/Plex/PlexTvApiClient.cs:line 106
[13:50:51 ERR] Unexpected error generating plex auth app url: The SSL connection could not be established, see inner exception.
```
#

just to confirm, when i'm in the etv UI and click the sign into plex button, there is no external popup that attempts to open etc. the error simply happens right when i click the button: an alert notification is shown with the error, and on the backend log, it shows that error in more detail as i've provided above.

shell thicket
#

yeah that makes sense as the first api call is needed to get the url for the popup

#

are you sure the date/time is correct in the container?

tardy crystal
#

i'll check

#

log entry now shows: [14:28:13 ERR] Error starting plex pin flow

#

server time: Tue Jun 25 02:28:20 PM PDT 2024

#

so it seems correct?

shell thicket
#

yeah that looks correct. hmm

tardy crystal
#
```
           Universal time: Tue 2024-06-25 21:29:10 UTC
                 RTC time: Tue 2024-06-25 21:29:48
                Time zone: America/Vancouver (PDT, -0700)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: yes
```

shell thicket
#

maybe some cert expired - are you able to `apt update && apt upgrade` in the container?

tardy crystal
#

i'll try

shell thicket
#

you can also try this from the command line maybe, it gives me a 404, but i can connect: `curl -I https://plex.tv/api/v2`

tardy crystal
#

curl command not installed in container

#

from my OS:

```
HTTP/2 404
content-type: text/html; charset=utf-8
date: Tue, 25 Jun 2024 21:32:09 GMT
referrer-policy: origin-when-cross-origin
strict-transport-security: max-age=31536000; includeSubDomains; preload
vary: Origin
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-request-id: 08d6b717-0ced-42b0-8106-13c5594ee615
x-runtime: 0.004105
x-xss-protection: 1; mode=block
content-length: 1118
```
#

i'll see if i can install curl into the container

#

apt update fails quite a bit

#
```
Ign:5 https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2004/x86_64  InRelease
Ign:6 https://packages.microsoft.com/ubuntu/20.04/prod focal InRelease
Ign:1 https://security.ubuntu.com/ubuntu focal-security InRelease
Ign:2 https://archive.ubuntu.com/ubuntu focal InRelease
Err:7 https://security.ubuntu.com/ubuntu focal-security Release
  Could not handshake: A TLS fatal alert has been received. [IP: 192.168.3.200 443]
Err:9 https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2004/x86_64  Release
  Could not handshake: A TLS fatal alert has been received. [IP: 192.168.3.200 443]
Err:10 https://packages.microsoft.com/ubuntu/20.04/prod focal Release
  Could not handshake: A TLS fatal alert has been received. [IP: 192.168.3.200 443]
Ign:3 https://archive.ubuntu.com/ubuntu focal-updates InRelease
Ign:4 https://archive.ubuntu.com/ubuntu focal-backports InRelease
Err:8 https://archive.ubuntu.com/ubuntu focal Release
  Could not handshake: A TLS fatal alert has been received. [IP: 192.168.3.200 443]
Err:11 https://archive.ubuntu.com/ubuntu focal-updates Release
  Could not handshake: A TLS fatal alert has been received. [IP: 192.168.3.200 443]
Err:12 https://archive.ubuntu.com/ubuntu focal-backports Release
  Could not handshake: A TLS fatal alert has been received. [IP: 192.168.3.200 443]
Reading package lists... Done
E: The repository 'http://security.ubuntu.com/ubuntu focal-security Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2004/x86_64  Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
```
#
```
E: The repository 'https://packages.microsoft.com/ubuntu/20.04/prod focal Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'http://archive.ubuntu.com/ubuntu focal Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'http://archive.ubuntu.com/ubuntu focal-updates Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'http://archive.ubuntu.com/ubuntu focal-backports Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
```
#

my other docker containers run fine for other services, they're able to communicate with the WAN

shell thicket
#

this is an image that you pulled recently?

tardy crystal
#

yes

#

just yesterday

#

using nvidia branch

#
```
[14:39:56 WRN] This is beta software and may be unstable
[14:39:56 WRN] Give feedback at https://github.com/ErsatzTV/ErsatzTV or https://discord.gg/hHaJm3yGy6
[14:39:56 INF] Database is at /root/.local/share/ersatztv/ersatztv.sqlite3
[14:39:56 INF] Using Lucene (embedded) search index backend
[14:39:56 INF] Applying database migrations
[14:39:56 INF] Server will listen on port 8409 - try UI at http://localhost:8409
[14:39:56 INF] Worker service started
[14:39:56 INF] FFmpeg worker service started
[14:39:56 INF] Search index worker service started
[14:39:59 INF] Done applying database migrations
[14:39:59 INF] Emptying transcode cache folder
[14:39:59 INF] Done emptying transcode cache folder
[14:39:59 INF] Cleaning channel cache
[14:39:59 INF] Initializing search index
[14:39:59 WRN] Search index failed to initialize; will delete and recreate
[14:39:59 INF] Located ffmpeg at /usr/local/bin/ffmpeg
[14:39:59 INF] Located ffprobe at /usr/local/bin/ffprobe
[14:39:59 INF] Done initializing search index
[14:39:59 INF] Migrating search index to version 43
[14:40:01 INF] Done migrating search index in 1 second
[14:40:01 INF] Emby service started; secrets are at /root/.local/share/ersatztv/emby-secrets.json
[14:40:01 INF] Plex service started; secrets are at /root/.local/share/ersatztv/plex-secrets.json
[14:40:01 INF] Scheduler service started
[14:40:01 INF] Jellyfin service started; secrets are at /root/.local/share/ersatztv/jellyfin-secrets.json
[14:40:01 INF] Scanner service started
```
#

the openssl version in the container seems old: "OpenSSL 1.1.1f 31 Mar 2020" not sure if that's part of the issue or the issue.

#

my system for example has latest package update: OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)

#

but i'm surprised if that is the issue, as there should have been an issue for this already i'd imagine

shell thicket
#

Yeah, that's interesting. I'll try here later tonight

tardy crystal
#

thx

shell thicket
#

You can use a newer image with the tag jasongdove/ersatztv:develop-nvidia

#

But it's not backward compatible, so you have to stay there until next release

tardy crystal
#

i'll give it a try now

shell thicket
#

Do you know why the apt update shows local addresses?

#

Maybe DNS issue

tardy crystal
#

my local server is running a DNS server which my gateway uses for DNS

#

so that could be why it shows that

#
```
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
 ---> Interop+Crypto+OpenSslCryptographicException: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
   --- End of inner exception stack trace ---
   at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, ReadOnlySpan`1 input, Byte[]& sendBuf, Int32& sendCount)
   at System.Net.Security.SslStreamPal.HandshakeInternal(SafeDeleteSslContext& context, ReadOnlySpan`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream
```
#
```
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(QueueItem queueItem)
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken
```
#
```
   at System.Net.Http.DiagnosticsHandler.SendAsyncCore(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at Microsoft.Extensions.Http.Logging.LoggingHttpMessageHandler.<SendCoreAsync>g__Core|5_0(HttpRequestMessage request, Boolean useAsync, CancellationToken cancellationToken)
   at Microsoft.Extensions.Http.Logging.LoggingScopeHttpMessageHandler.<SendCoreAsync>g__Core|5_0(HttpRequestMessage request, Boolean useAsync, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at Refit.RequestBuilderImplementation.<>c__DisplayClass14_0`2.<<BuildCancellableTaskFuncForMethod>b__0>d.MoveNext() in /_/Refit/RequestBuilderImplementation.cs:line 256
--- End of stack trace from previous location ---
   at ErsatzTV.Infrastructure.Plex.PlexTvApiClient.StartPinFlow() in /source/ErsatzTV.Infrastructure/Plex/PlexTvApiClient.cs:line 106
[15:22:37 ERR] Unexpected error generating plex auth app url: The SSL connection could not be established, see inner exception.
```
#

that's from the develop branch

#

maybe i need to somehow force docker to not use the local dns

#

but it shouldn't have issues really

#

hmm that worked

#

i added:

```
docker run \
  --name ersatztv \
  -e TZ=America/Vancouver \
  -p 8409:8409 \
  -v /docker/ersatztv:/root/.local/share/ersatztv \
  --restart always \
  --dns="1.1.1.1" \
  jasongdove/ersatztv:develop-nvidia
```
#

forced it to use --dns="1.1.1.1"

#

might be good to add to the install guide as a tip for DNS, but i guess it's more rare use cases where people have their own local server hosting DNS

#

and for whatever reason the container is having issues with local resolution

shell thicket
#

I'm definitely curious what the details are. Maybe dig a domain without the DNS override and see what it looks like. I also have internal DNS and don't require additional config, so it would be good to narrow it down

#

Glad it's working for you though

tardy crystal
#

i tried dig, but container doesn't have dig or nslookup or even ping

shell thicket
#

Ah yeah, hard to apt install without DNS.

tardy crystal
#

i use bind server, and then my server also has automatic IP renewal enabled, which the gateway has DNS1 as 192.168.3.200 (the local server's ip) and DNS2=1.1.1.1

shell thicket
#

Apt was trying to use dns1, is there a pihole or something too

tardy crystal
#

no, only bind server, which i've custom created rules for banlists to blacklist malware IPs etc

#

but my local server is able to use apt just fine

#

none of those domains should be blacklisted

restive lagoon
#

have you considered editing /etc/resolv.conf in the container, manually, and then apt installing, then reverting the change...

restive lagoon
#

docker containers usually get something like nameserver 127.0.0.11 -- where .11 is usually run by docker itself, if you run your own bind, you're probably messing that up

tardy crystal
#

yeah there's likely some misconfiguration somewhere, i'll have to review further so that I can understand why i'm needing to put the docker dns overrides