Jump to content

Several LG TV's cannot connect to server


shocker
Go to solution Solved by shocker,

Recommended Posts

shocker

Hello,

  Since yesterday few TV's cannot connect to the Emby server anymore. The error message is: "Connection Failure - We're unable to connect to the selected server right now. Please ensure it is running and try again.".

  From the same internet location with any other device the connectivity works fine. From the affected LG's accessing the Emby server via web browser is working, the issue occurs only via Emby app.

LG software versions impacted (so far):

  • 05.10.25
  • 06.00.15
  • 05.40.09

And I've tested with an older one 03.23.45 and it's working fine. Emby app is 1.0.24 and the server is 4.7.0.13.

Is there a new LG WebOS software update that is crashing the actual version of Emby?

@Luke @ebr ?

Thanks!

Edited by shocker
Link to comment
Share on other sites

mbo

Do you secure your emby server with letsencrypt certificates?

Edited by mbo
Link to comment
Share on other sites

mbo

LE changed their root certificate some time ago and yesterday the old one expired. So you won't be able to use emby using LE SSL until there is an app update.

 

@Lukeits time to push an update - really. If you need more testers just PM an i will install a dev account. I can offer C19 and G1 testing.

Cheers

Link to comment
Share on other sites

shocker
Posted (edited)
3 minutes ago, mbo said:

LE changed their root certificate some time ago and yesterday the old one expired. So you won't be able to use emby using LE SSL until there is an app update.

 

@Lukeits time to push an update - really. If you need more testers just PM an i will install a dev account. I can offer C19 and G1 testing.

Cheers

Thanks for the feedback! I’ll try to work-around the ssl for LG to see how it goes. What is strange that in v03.23.45 it’s working fine.

Edited by shocker
Link to comment
Share on other sites

mbo
2 hours ago, shocker said:

Issue appeared on samsung as well. The let’s encrypt seems to be the root cause: https://www.theregister.com/2021/09/30/lets_encrypt_xero_slack_outages/

It is a root certificate that expired. LE couldn't do anything about it in the end ... It was not "their" certificate and LE is not the only affected party.

Anyway - its all about updating your software once in a while with the latest trusted root certificates ;)

There is a reason why old build of LG APPs do not work an the latest TVs: They (LG) do not want that their customers are running into problems with "unsupported" & "not updated" software. Sorry emby team - i know that the LG App Store is not a easy place to be but ...

 

Link to comment
Share on other sites

SamES

FYI, root certificates on the TV are part of the TV firmware, not something packaged as part of the Emby client. 

  • Thanks 1
Link to comment
Share on other sites

mbo

@SamES how does it come that emby with LE is working fine in the LG webbrowser?  Could it be that it is framework version dependant?

Link to comment
Share on other sites

SamES

Not sure, but it’s possible that different certificates are available to the browser compared to the app

Link to comment
Share on other sites

3 minutes ago, SamES said:

Not sure, but it’s possible that different certificates are available to the browser compared to the app

Yes we've seen this on other platforms as well.

Link to comment
Share on other sites

Flintfamily

Do we have any timeline on a resolution for this? It would be nice to get an estimate at least?

Link to comment
Share on other sites

SamES

Have you tried using http instead of https?  I don’t think this is something Emby can solve. Alternatively you could try another certificate provider but take note of all the expiry dates as this issue may become more common. 
 

LG will need to update the root certificates in a firmware update to resolve this. 

  • Like 1
Link to comment
Share on other sites

Tomate2
7 minutes ago, SamES said:

Have you tried using http instead of https?  I don’t think this is something Emby can solve. Alternatively you could try another certificate provider but take note of all the expiry dates as this issue may become more common. 
 

LG will need to update the root certificates in a firmware update to resolve this. 

Yes. It’s work with http

Link to comment
Share on other sites

  • Solution
shocker

Changing the IdentTrust DST Root CA X3 with another one solve the issue. Thanks guys for the help!

Link to comment
Share on other sites

SamES
3 hours ago, shocker said:

Changing the IdentTrust DST Root CA X3 with another one solve the issue. Thanks guys for the help!

Thanks for the update.  Great to hear that you found a solution.

For the benefit of others, can you please describe what you steps you took to replace this?

Link to comment
Share on other sites

shocker

Sure,

  For CentOS 7: 

yum -y update (to update ca-certificates to ca-certificates-2021.2.50-72.el7_9.noarch)

# cp -i /etc/pki/tls/certs/ca-bundle.crt ~/ca-bundle.crt-backup
# trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509 | sudo tee /etc/pki/ca-trust/source/blacklist/DST-Root-CA-X3.pem
# update-ca-trust extract

Ensure certbot is 1.19.0 and run: certbot renew --preferred-chain "ISRG Root X1"

or update in /etc/letsencrypt/renewal/your_domain.conf and add under [renewalparams] the preffered chain parameter:

preferred_chain = ISRG Root X1

But in order to ensure that no additional issues will be occurred by this, i've switched completely to a DigiCert certificate :)

  • Like 1
  • Thanks 1
Link to comment
Share on other sites

Gisprojesse

So I have an LG TV. It's one of the ones that is not working anymore. How do I fix this? 

Link to comment
Share on other sites

SamES
1 hour ago, Gisprojesse said:

So I have an LG TV. It's one of the ones that is not working anymore. How do I fix this? 

I think you have to use http for now

Link to comment
Share on other sites

shocker
3 hours ago, Gisprojesse said:

So I have an LG TV. It's one of the ones that is not working anymore. How do I fix this? 

Should work, ensure you have updated your ca-certificates on your server.

Link to comment
Share on other sites

Lessaj
1 hour ago, shocker said:

Should work, ensure you have updated your ca-certificates on your server.

Hi,

I've updated the ca-certificates package on my web server and it no longer has the X3 certificate in the bundle - I checked with the trust command before I updated and I found it there but didn't see it after the update - so the steps you previously mentioned to add it to the blacklist after updating the package did not work, I suppose that should be done first. I have another web server which I hadn't updated yet and I grabbed the certificate from there with the same command and running "update-ca-trust extract" printed messages that it was overriding trust for the X3 anchor a few times. I actually recently renewed my certificates and I see they were already using the X1 root certificate and while I don't see the X3 certificate as an issuer for that certificate when looking at the certificate chain in my browser I do still see it when using openssl to either connect to the web server or to look at the root certificate directly which I pulled from fullchain.pem with openssl x509. I tried to renew them again after adding "preferred_chain = ISRG Root X1" and/or trying with the command line argument but I still see it in the chain. Should this not appear anymore after this? My connection is still failing from my LG TV. At the moment I've switched to http on the TV but my external LG TV users are still impacted since I only allow https externally.

Certificate chain
 0 s:/CN=REDACTEDFORSECURITY
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

 

openssl x509 -in root.crt -noout -subject -issuer
subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3

Link to comment
Share on other sites

Flintfamily

I'm using a managed server slot and after modifying my host IP I can now use the non-secure http method, they have said everything their side is up to date and it's an LG firmware issue. There have been comments on a PLEX forum that essentially the TV's are no longer supported by LG (Samsung TV's are also affected) despite my TV only being a couple of years old. Pretty unbelieveable really considering the cost of a high end Smart TV.

Apparently the PLEX LG app has a setting to allow insecure connections, emby doesn't have similar does it?

A list of the TV's with PLEX app issues, I would assume Emby client apps would be similarly affected.

Product Platform Platform Version App Version
Plex for LG webOS All versions lower than 5.0  
Plex for LG NetCast All versions  
Plex for Samsung Tizen 2.4  
Plex for Opera TV Opera TV Store All versions  
Plex for Smart TVs netgem All versions  
Plex for TiVo TiVo All versions  
Plex for VIDAA VIDAA   All versions lower than 5.0
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...