Rubin Shrestha
Zend certified PHP/Magento developer
Rubin Shrestha
Blog

Receiving incorrect TLS certificate from website

by |Published

This is a strange issue that (so far) is specific only to plex.tv website. I am seeing this same problem from various devices on my network. Ultimately, simply trying to access https://plex.tv in my browser results in a security error related to the TLS certificate. Upon further digging, it seems that the server is providing incorrect TLS certificate for this site (and the results aren’t consistent):

$ openssl s_client -servername plex.tv -connect plex.tv:443 2>/dev/null </dev/null | openssl x509 -text Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:ab:09:ea:f2:c6:3c:f2:d4:4f:60:63:b9:36:5b:40
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
Validity
Not Before: Oct 26 00:00:00 2021 GMT
Not After : Nov 24 23:59:59 2022 GMT
Subject: CN = *.prod-route-1bun4qeekg9pa-235394468.eu-west-1.convox.site
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:d0:3e:04:76:d6:d5:53:73:f9:01:21:c0:b5:6f:
3c:07:82:43:c5:c5:43:ba:34:55:47:bc:0e:8b:b5:
ac:f8:70:23:c4:b1:5c:a9:54:ac:9e:f7:e7:a3:7a:
ff:bd:b7:d4:23:33:0b:5c:18:dc:71:2d:ff:e7:9d:
74:5e:28:03:e5:e6:55:de:07:79:9b:d3:80:43:95:
8a:9d:5e:97:33:61:b7:ce:4e:9f:ca:7c:c1:14:b5:
d1:97:aa:1a:96:45:a4:99:7f:8b:92:d0:34:68:a2:
56:d8:d7:c0:e1:4a:bf:4f:73:42:43:b0:31:66:53:
73:fb:b5:12:a6:a9:da:29:67:bc:b8:a1:0f:f0:ff:
1e:fc:92:ac:b4:fa:07:18:f5:a3:b4:19:b2:f4:53:
42:b6:aa:eb:a1:3b:4a:fa:e3:4a:86:84:fc:4a:b3:
a6:c8:fe:64:fa:9f:68:d5:ba:f4:17:63:54:44:7c:
03:57:3b:44:12:c8:ab:b8:e9:ab:28:09:ee:f1:9d:
fa:e2:dd:bd:e3:3c:d6:81:74:1f:6c:90:e0:8e:19:
b3:3c:ba:84:4d:76:6f:9b:a4:68:f9:2b:45:04:4b:
ba:d4:a4:10:e0:c5:f5:8d:c7:22:6a:31:9b:55:57:
b8:cf:4e:99:61:37:9a:76:7a:1f:db:eb:fc:dc:7f:
90:9d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:59:A4:66:06:52:A0:7B:95:92:3C:A3:94:07:27:96:74:5B:F9:3D:D0
X509v3 Subject Key Identifier:
13:8A:D5:41:DB:F8:09:44:45:58:09:2C:8A:60:AB:63:3A:5C:5E:41
X509v3 Subject Alternative Name:
DNS:*.prod-route-1bun4qeekg9pa-235394468.eu-west-1.convox.site
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.sca1b.amazontrust.com/sca1b-1.crl
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Authority Information Access:
OCSP - URI:http://ocsp.sca1b.amazontrust.com
CA Issuers - URI:http://crt.sca1b.amazontrust.com/sca1b.crt
X509v3 Basic Constraints: critical
CA:FALSE
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version   : v1 (0x0)
Log ID    : 29:79:BE:F0:9E:39:39:21:F0:56:73:9F:63:A5:77:E5:
BE:57:7D:9C:60:0A:F8:F9:4D:5D:26:5C:25:5D:C7:84
Timestamp : Oct 26 09:27:20.701 2021 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:C0:80:22:90:66:67:44:5D:F2:02:CC:
4F:B7:65:7A:B3:85:19:26:3D:1F:75:A1:1D:11:17:0D:
BC:E0:54:5E:EC:02:20:38:E9:B5:AB:13:75:98:CB:EF:
77:EB:65:24:DE:16:8F:3E:CF:3A:1A:53:ED:BB:4F:80:
7D:55:6D:16:55:5F:9D
Signed Certificate Timestamp:
Version   : v1 (0x0)
Log ID    : 51:A3:B0:F5:FD:01:79:9C:56:6D:B8:37:78:8F:0C:A4:
7A:CC:1B:27:CB:F7:9E:88:42:9A:0D:FE:D4:8B:05:E5
Timestamp : Oct 26 09:27:20.775 2021 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:61:14:E9:12:D0:15:D7:BC:9D:A7:B5:DC:
23:DC:49:F1:11:C9:6C:9E:3D:D7:3E:2D:5B:13:57:3B:
10:EB:8A:77:02:20:32:E2:8F:B4:98:77:99:D8:6E:3B:
2B:84:E3:27:D8:9E:FF:E2:5C:95:B9:9F:2E:47:6F:93:
BD:12:20:CC:F7:CD
Signed Certificate Timestamp:
Version   : v1 (0x0)
Log ID    : 41:C8:CA:B1:DF:22:46:4A:10:C6:A1:3A:09:42:87:5E:
4E:31:8B:1B:03:EB:EB:4B:C7:68:F0:90:62:96:06:F6
Timestamp : Oct 26 09:27:20.711 2021 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:7A:28:AA:62:3E:A6:45:B3:43:98:AE:F7:
41:68:5C:BF:CD:90:E8:EB:00:B8:51:C0:69:08:F8:81:
AE:98:12:40:02:21:00:A5:EC:A7:4F:15:F2:4E:E2:8D:
95:19:70:EA:62:F6:4F:88:97:07:38:87:97:4B:53:25:
E0:CB:28:29:C0:19:B3
Signature Algorithm: sha256WithRSAEncryption
16:3f:02:df:0d:04:d4:fd:a4:d7:1b:71:ba:55:ec:3f:8f:2c:
37:89:bb:83:1a:67:93:9b:cc:3a:e5:d2:8a:0a:02:ac:ee:f7:
ed:05:64:11:0f:c5:6f:99:96:85:60:cc:b2:c2:4c:d4:47:db:
8b:8a:25:9b:8d:30:ad:1c:e1:0d:e9:d4:c7:38:b3:a3:6c:a4:
b9:25:20:55:fe:12:5d:5c:95:79:b2:55:f9:74:49:7c:83:20:
b1:1e:e2:0e:2c:33:7d:87:ab:fb:ab:98:44:bd:2b:8c:13:8c:
c7:f1:dc:1d:b3:1b:20:61:72:2d:b7:49:66:ea:be:7f:3a:7b:
52:d5:ba:c6:77:0a:c6:6d:f6:07:dc:fa:78:18:ce:08:22:6a:
95:1a:37:d2:b0:68:d8:f6:0f:0b:74:53:6f:fb:57:61:a2:9f:
de:d3:26:8f:08:f4:d9:bc:6a:27:d8:fc:78:23:04:4a:b8:7c:
c9:e9:ff:06:8d:88:2f:42:d7:d4:19:62:bd:ff:d1:7b:ea:26:
de:be:d6:c0:bd:cc:dc:b8:2f:8e:b9:58:27:b2:e6:bb:60:08:
90:a9:c3:37:98:55:b0:6f:9e:55:a0:57:81:f4:39:71:34:5b:
b1:85:30:a7:0f:23:6b:59:b8:86:4e:05:5e:40:04:36:4b:1e:
d9:4f:8b:11
-----BEGIN CERTIFICATE----- MIIGKzCCBROgAwIBAgIQAasJ6vLGPPLUT2BjuTZbQDANBgkqhkiG9w0BAQsFADBG MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRUwEwYDVQQLEwxTZXJ2ZXIg Q0EgMUIxDzANBgNVBAMTBkFtYXpvbjAeFw0yMTEwMjYwMDAwMDBaFw0yMjExMjQy MzU5NTlaMEUxQzBBBgNVBAMMOioucHJvZC1yb3V0ZS0xYnVuNHFlZWtnOXBhLTIz NTM5NDQ2OC5ldS13ZXN0LTEuY29udm94LnNpdGUwggEiMA0GCSqGSIb3DQEBAQUA A4IBDwAwggEKAoIBAQDQPgR21tVTc/kBIcC1bzwHgkPFxUO6NFVHvA6Ltaz4cCPE sVypVKye9+ejev+9t9QjMwtcGNxxLf/nnXReKAPl5lXeB3mb04BDlYqdXpczYbfO Tp/KfMEUtdGXqhqWRaSZf4uS0DRoolbY18DhSr9Pc0JDsDFmU3P7tRKmqdopZ7y4 oQ/w/x78kqy0+gcY9aO0GbL0U0K2quuhO0r640qGhPxKs6bI/mT6n2jVuvQXY1RE fANXO0QSyKu46asoCe7xnfri3b3jPNaBdB9skOCOGbM8uoRNdm+bpGj5K0UES7rU pBDgxfWNxyJqMZtVV7jPTplhN5p2eh/b6/zcf5CdAgMBAAGjggMUMIIDEDAfBgNV HSMEGDAWgBRZpGYGUqB7lZI8o5QHJ5Z0W/k90DAdBgNVHQ4EFgQUE4rVQdv4CURF WAksimCrYzpcXkEwRQYDVR0RBD4wPII6Ki5wcm9kLXJvdXRlLTFidW40cWVla2c5 cGEtMjM1Mzk0NDY4LmV1LXdlc3QtMS5jb252b3guc2l0ZTAOBgNVHQ8BAf8EBAMC BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMD0GA1UdHwQ2MDQwMqAw oC6GLGh0dHA6Ly9jcmwuc2NhMWIuYW1hem9udHJ1c3QuY29tL3NjYTFiLTEuY3Js MBMGA1UdIAQMMAowCAYGZ4EMAQIBMHUGCCsGAQUFBwEBBGkwZzAtBggrBgEFBQcw AYYhaHR0cDovL29jc3Auc2NhMWIuYW1hem9udHJ1c3QuY29tMDYGCCsGAQUFBzAC hipodHRwOi8vY3J0LnNjYTFiLmFtYXpvbnRydXN0LmNvbS9zY2ExYi5jcnQwDAYD VR0TAQH/BAIwADCCAX0GCisGAQQB1nkCBAIEggFtBIIBaQFnAHYAKXm+8J45OSHw VnOfY6V35b5XfZxgCvj5TV0mXCVdx4QAAAF8u+zzfQAABAMARzBFAiEAwIAikGZn RF3yAsxPt2V6s4UZJj0fdaEdERcNvOBUXuwCIDjptasTdZjL73frZSTeFo8+zzoa U+27T4B9VW0WVV+dAHUAUaOw9f0BeZxWbbg3eI8MpHrMGyfL956IQpoN/tSLBeUA AAF8u+zzxwAABAMARjBEAiBhFOkS0BXXvJ2ntdwj3EnxEclsnj3XPi1bE1c7EOuK dwIgMuKPtJh3mdhuOyuE4yfYnv/iXJW5ny5Hb5O9EiDM980AdgBByMqx3yJGShDG oToJQodeTjGLGwPr60vHaPCQYpYG9gAAAXy77POHAAAEAwBHMEUCIHooqmI+pkWz Q5iu90FoXL/NkOjrALhRwGkI+IGumBJAAiEApeynTxXyTuKNlRlw6mL2T4iXBziH l0tTJeDLKCnAGbMwDQYJKoZIhvcNAQELBQADggEBABY/At8NBNT9pNcbcbpV7D+P LDeJu4MaZ5ObzDrl0ooKAqzu9+0FZBEPxW+ZloVgzLLCTNRH24uKJZuNMK0c4Q3p 1Mc4s6NspLklIFX+El1clXmyVfl0SXyDILEe4g4sM32Hq/urmES9K4wTjMfx3B2z GyBhci23SWbqvn86e1LVusZ3CsZt9gfc+ngYzggiapUaN9KwaNj2Dwt0U2/7V2Gi n97TJo8I9Nm8aifY/HgjBEq4fMnp/waNiC9C19QZYr3/0XvqJt6+1sC9zNy4L465 WCey5rtgCJCpwzeYVbBvnlWgV4H0OXE0W7GFMKcPI2tZuIZOBV5ABDZLHtlPixE=
-----END CERTIFICATE-----

Running that same command again and I get slightly different results:

$ openssl s_client -servername plex.tv -connect plex.tv:443 2>/dev/null </dev/null | openssl x509 -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
07:3c:cd:0c:d9:b4:37:2a:6a:b0:3d:c2:a6:5e:84:9b:27:70:2c
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = Illinois, L = Chicago, O = "Trustwave Holdings, Inc.", CN = "Trustwave Organization Validation SHA256 CA, Level 1", emailAddress = ca@trustwave.com
Validity
Not Before: Feb 22 12:08:05 2021 GMT
Not After : Mar 24 12:07:05 2022 GMT
Subject: CN = *.bankersalmanac.com, O = LNRS Data Services Ltd, L = Sutton, ST = Surrey, C = GB
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:d8:3a:5c:1a:07:d2:43:07:e6:4c:60:04:f7:88:
09:4e:1c:80:85:65:b3:52:f8:1a:e1:db:a9:f8:91:
e9:c4:da:d4:11:f7:e0:af:b3:02:ea:e5:b5:7b:48:
3b:c8:f6:21:4f:f4:f2:1c:c6:df:c7:e7:81:fb:b3:
6b:3f:ee:a9:78:a7:1b:15:f6:e2:be:08:92:97:f1:
97:39:49:4a:2c:78:60:c7:c2:c2:5d:77:8a:33:30:
6d:c1:1c:05:d7:7e:1b:52:e4:75:61:39:c4:a8:5d:
96:ab:ef:1d:56:d1:ff:35:f4:43:e2:81:ac:ce:ac:
7c:79:3d:2c:23:fd:cb:24:83:d3:f1:36:46:69:f9:
0e:ff:67:e0:b3:b3:38:ab:39:c3:43:36:2c:c0:22:
0b:fe:bb:1e:a7:e6:ae:d0:39:8b:e1:9d:98:d8:6f:
d3:3d:04:5b:45:e8:b2:a1:e6:15:7b:ef:4b:f5:0d:
c5:89:54:92:05:8a:24:14:52:cc:d5:66:3b:9d:8c:
d5:9f:7c:10:15:a8:8c:eb:57:e6:7b:c5:19:58:f2:
48:01:ee:36:d5:8d:9f:14:3c:26:ba:73:5c:09:68:
67:be:c2:c0:99:af:23:96:4f:18:2e:bc:b5:be:c1:
b3:23:b2:cb:5e:ec:0c:a9:0c:fe:7c:d0:bd:bb:d4:
84:e7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Key Identifier:
54:23:E1:8A:6D:76:AA:55:60:A4:00:DC:2B:CC:C4:7E:DE:3A:91:8B
X509v3 Authority Key Identifier:
keyid:CA:CE:1D:18:03:77:1E:1C:F3:7C:58:B2:9A:70:A8:08:80:16:F4:AE
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.2
CPS: https://certs.securetrust.com/CA
X509v3 Subject Alternative Name:
DNS:*.bankersalmanac.com, DNS:bankersalmanac.com
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.securetrust.com/OVCA2_L1.crl
Authority Information Access:
OCSP - URI:http://ocsp.securetrust.com/
CA Issuers - URI:http://certs.securetrust.com/issuers/OVCA2_L1.crt
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version   : v1 (0x0)
Log ID    : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77:
15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13
Timestamp : Feb 22 18:08:05.907 2021 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:D1:76:7D:FF:E8:3F:BF:B5:02:BF:34:
A1:95:F9:64:FD:4D:F4:E9:66:6A:41:CD:C8:DB:1C:87:
44:37:12:D2:0E:02:21:00:FA:DA:55:1E:85:9C:5F:CF:
60:4A:38:B7:E1:88:A3:A1:5A:A8:BF:3E:B5:CD:CF:2B:
C5:5C:E2:84:B5:AD:B6:7C
Signed Certificate Timestamp:
Version   : v1 (0x0)
Log ID    : 29:79:BE:F0:9E:39:39:21:F0:56:73:9F:63:A5:77:E5:
BE:57:7D:9C:60:0A:F8:F9:4D:5D:26:5C:25:5D:C7:84
Timestamp : Feb 22 18:08:05.462 2021 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:78:A7:23:96:7F:4A:5C:F2:3D:03:71:95:
89:88:4C:D8:02:65:6C:D7:0F:F3:30:E4:66:58:FA:73:
84:EA:E0:C6:02:20:4C:C4:A6:04:5F:B3:76:55:D4:A7:
C2:25:E1:EF:C7:0F:67:25:2D:08:A4:4C:55:91:C9:C8:
A1:B8:5F:91:E8:1C
Signature Algorithm: sha256WithRSAEncryption
9a:d0:31:15:2e:c8:d0:b4:63:22:8d:c1:b0:11:44:a3:13:8d:
35:83:1a:5d:52:77:64:29:30:ae:03:fb:80:3a:de:9f:56:4b:
18:a3:99:0a:ad:a4:a6:3e:bb:cf:69:bd:94:3d:35:42:18:6e:
87:10:17:35:5f:a7:32:a8:95:50:d5:68:df:a8:82:52:db:71:
ce:a5:b8:46:b4:bc:db:a6:c0:de:d1:41:25:bc:a5:cf:d8:80:
d2:de:e0:36:ca:c1:ed:e8:4e:9b:26:2b:40:29:7b:be:4a:2e:
52:9b:fe:19:a7:b3:41:01:f9:74:14:3b:2b:cb:2a:2d:9c:af:
bb:8e:8c:43:0b:48:55:04:8b:37:a4:1b:27:3a:2b:92:e8:d0:
42:6d:fb:0a:68:be:fe:8c:71:0e:a2:05:6d:b7:49:7e:75:b6:
d7:dd:42:35:48:e6:00:30:40:7c:66:6b:6b:94:e8:4a:c5:28:
30:28:10:d2:c4:71:61:e8:59:22:d7:b9:53:ab:57:29:4c:22:
35:6e:9b:e1:e8:d7:b3:36:48:8c:94:24:ac:f3:e4:13:75:11:
be:c1:ca:93:0c:18:da:ac:9d:a2:21:1b:6a:ee:dd:de:ed:55:
95:fc:34:9b:94:b3:d8:4c:f1:05:dc:b1:37:1c:21:a9:7b:83:
a7:99:d7:36
-----BEGIN CERTIFICATE-----
MIIGajCCBVKgAwIBAgITBzzNDNm0NypqsD3Cpl6EmydwLDANBgkqhkiG9w0BAQsF
ADCBtTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCElsbGlub2lzMRAwDgYDVQQHEwdD
aGljYWdvMSEwHwYDVQQKExhUcnVzdHdhdmUgSG9sZGluZ3MsIEluYy4xPTA7BgNV
BAMTNFRydXN0d2F2ZSBPcmdhbml6YXRpb24gVmFsaWRhdGlvbiBTSEEyNTYgQ0Es
IExldmVsIDExHzAdBgkqhkiG9w0BCQEWEGNhQHRydXN0d2F2ZS5jb20wHhcNMjEw
MjIyMTIwODA1WhcNMjIwMzI0MTIwNzA1WjBvMR0wGwYDVQQDDBQqLmJhbmtlcnNh
bG1hbmFjLmNvbTEfMB0GA1UEChMWTE5SUyBEYXRhIFNlcnZpY2VzIEx0ZDEPMA0G
A1UEBxMGU3V0dG9uMQ8wDQYDVQQIEwZTdXJyZXkxCzAJBgNVBAYTAkdCMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2DpcGgfSQwfmTGAE94gJThyAhWWz
Uvga4dup+JHpxNrUEffgr7MC6uW1e0g7yPYhT/TyHMbfx+eB+7NrP+6peKcbFfbi
vgiSl/GXOUlKLHhgx8LCXXeKMzBtwRwF134bUuR1YTnEqF2Wq+8dVtH/NfRD4oGs
zqx8eT0sI/3LJIPT8TZGafkO/2fgs7M4qznDQzYswCIL/rsep+au0DmL4Z2Y2G/T
PQRbReiyoeYVe+9L9Q3FiVSSBYokFFLM1WY7nYzVn3wQFaiM61fme8UZWPJIAe42
1Y2fFDwmunNcCWhnvsLAma8jlk8YLry1vsGzI7LLXuwMqQz+fNC9u9SE5wIDAQAB
o4ICtjCCArIwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYw
FAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdDgQWBBRUI+GKbXaqVWCkANwrzMR+
3jqRizAfBgNVHSMEGDAWgBTKzh0YA3ceHPN8WLKacKgIgBb0rjBDBgNVHSAEPDA6
MDgGBmeBDAECAjAuMCwGCCsGAQUFBwIBFiBodHRwczovL2NlcnRzLnNlY3VyZXRy
dXN0LmNvbS9DQTAzBgNVHREELDAqghQqLmJhbmtlcnNhbG1hbmFjLmNvbYISYmFu
a2Vyc2FsbWFuYWMuY29tMDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6Ly9jcmwuc2Vj
dXJldHJ1c3QuY29tL09WQ0EyX0wxLmNybDB3BggrBgEFBQcBAQRrMGkwKAYIKwYB
BQUHMAGGHGh0dHA6Ly9vY3NwLnNlY3VyZXRydXN0LmNvbS8wPQYIKwYBBQUHMAKG
MWh0dHA6Ly9jZXJ0cy5zZWN1cmV0cnVzdC5jb20vaXNzdWVycy9PVkNBMl9MMS5j
cnQwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdwBvU3asMfAxGdiZAKRRFf93FRwR
2QLBACkGjbIImjfZEwAAAXfK7U8TAAAEAwBIMEYCIQDRdn3/6D+/tQK/NKGV+WT9
TfTpZmpBzcjbHIdENxLSDgIhAPraVR6FnF/PYEo4t+GIo6FaqL8+tc3PK8Vc4oS1
rbZ8AHUAKXm+8J45OSHwVnOfY6V35b5XfZxgCvj5TV0mXCVdx4QAAAF3yu1NVgAA
BAMARjBEAiB4pyOWf0pc8j0DcZWJiEzYAmVs1w/zMORmWPpzhOrgxgIgTMSmBF+z
dlXUp8Il4e/HD2clLQikTFWRycihuF+R6BwwDQYJKoZIhvcNAQELBQADggEBAJrQ
MRUuyNC0YyKNwbARRKMTjTWDGl1Sd2QpMK4D+4A63p9WSxijmQqtpKY+u89pvZQ9
NUIYbocQFzVfpzKolVDVaN+oglLbcc6luEa0vNumwN7RQSW8pc/YgNLe4DbKwe3o
TpsmK0Ape75KLlKb/hmns0EB+XQUOyvLKi2cr7uOjEMLSFUEizekGyc6K5Lo0EJt
+wpovv6McQ6iBW23SX51ttfdQjVI5gAwQHxma2uU6ErFKDAoENLEcWHoWSLXuVOr
VylMIjVum+Ho17M2SIyUJKzz5BN1Eb7BypMMGNqsnaIhG2ru3d7tVZX8NJuUs9hM
8QXcsTccIal7g6eZ1zY=
-----END CERTIFICATE-----

More succinctly this should hopefully better highlight the issue I’m seeing:

$ openssl s_client -servername plex.tv -connect plex.tv:443 2>/dev/null </dev/null | openssl x509 -text| grep 'Subject:'
Subject: CN = *.bankersalmanac.com, O = LNRS Data Services Ltd, L = Sutton, ST = Surrey, C = GB
$ openssl s_client -servername plex.tv -connect plex.tv:443 2>/dev/null </dev/null | openssl x509 -text| grep 'Subject:'
Subject: CN = *.bankersalmanac.com, O = LNRS Data Services Ltd, L = Sutton, ST = Surrey, C = GB
$ openssl s_client -servername plex.tv -connect plex.tv:443 2>/dev/null </dev/null | openssl x509 -text| grep 'Subject:'
Subject: CN = *.prod-route-1bun4qeekg9pa-235394468.eu-west-1.convox.site
$ openssl s_client -servername plex.tv -connect plex.tv:443 2>/dev/null </dev/null | openssl x509 -text| grep 'Subject:'
Subject: CN = *.bankersalmanac.com, O = LNRS Data Services Ltd, L = Sutton, ST = Surrey, C = GB
$ openssl s_client -servername plex.tv -connect plex.tv:443 2>/dev/null </dev/null | openssl x509 -text| grep 'Subject:'
Subject: CN = *.prod-route-1bun4qeekg9pa-235394468.eu-west-1.convox.site
$ openssl s_client -servername plex.tv -connect plex.tv:443 2>/dev/null </dev/null | openssl x509 -text| grep 'Subject:'
Subject: CN = *.bankersalmanac.com, O = LNRS Data Services Ltd, L = Sutton, ST = Surrey, C = GB

Why are banksalmanac.com and convox.site TLS certificates being provided when accessing plex.tv domain? Also, if I use www subdomain I get correct results:

$ openssl s_client -servername www.plex.tv -connect www.plex.tv:443 2>/dev/null </dev/null | openssl x509 -text| grep 'Subject:'
Subject: C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = plex.tv

There seems to be something strange going on between my local ISP (Comcast) and whatever is in between plex.tv server (Cloudflare? AWS?). Does anyone have any idea what is happening here? I’d reach out to Plex team directly on this but I obviously can’t access their support forums to post this question.

You may also like