shocker 112 Posted October 1, 2021 Share Posted October 1, 2021 (edited) Hello, Since yesterday few TV's cannot connect to the Emby server anymore. The error message is: "Connection Failure - We're unable to connect to the selected server right now. Please ensure it is running and try again.". From the same internet location with any other device the connectivity works fine. From the affected LG's accessing the Emby server via web browser is working, the issue occurs only via Emby app. LG software versions impacted (so far): 05.10.25 06.00.15 05.40.09 And I've tested with an older one 03.23.45 and it's working fine. Emby app is 1.0.24 and the server is 4.7.0.13. Is there a new LG WebOS software update that is crashing the actual version of Emby? @Luke @ebr ? Thanks! Edited October 1, 2021 by shocker Link to comment Share on other sites More sharing options...
Tomate2 0 Posted October 1, 2021 Share Posted October 1, 2021 My TV version is 05.40.09 and also stoped Emby app working Link to comment Share on other sites More sharing options...
mbo 12 Posted October 1, 2021 Share Posted October 1, 2021 (edited) Do you secure your emby server with letsencrypt certificates? Edited October 1, 2021 by mbo Link to comment Share on other sites More sharing options...
Tomate2 0 Posted October 1, 2021 Share Posted October 1, 2021 Yes Link to comment Share on other sites More sharing options...
mbo 12 Posted October 1, 2021 Share Posted October 1, 2021 LE changed their root certificate some time ago and yesterday the old one expired. So you won't be able to use emby using LE SSL until there is an app update. @Lukeits time to push an update - really. If you need more testers just PM an i will install a dev account. I can offer C19 and G1 testing. Cheers Link to comment Share on other sites More sharing options...
shocker 112 Posted October 1, 2021 Author Share Posted October 1, 2021 (edited) 3 minutes ago, mbo said: LE changed their root certificate some time ago and yesterday the old one expired. So you won't be able to use emby using LE SSL until there is an app update. @Lukeits time to push an update - really. If you need more testers just PM an i will install a dev account. I can offer C19 and G1 testing. Cheers Thanks for the feedback! I’ll try to work-around the ssl for LG to see how it goes. What is strange that in v03.23.45 it’s working fine. Edited October 1, 2021 by shocker Link to comment Share on other sites More sharing options...
Tomate2 0 Posted October 1, 2021 Share Posted October 1, 2021 Thank you very much. Link to comment Share on other sites More sharing options...
shocker 112 Posted October 1, 2021 Author Share Posted October 1, 2021 Issue appeared on samsung as well. The let’s encrypt seems to be the root cause: https://www.theregister.com/2021/09/30/lets_encrypt_xero_slack_outages/ Link to comment Share on other sites More sharing options...
mbo 12 Posted October 1, 2021 Share Posted October 1, 2021 2 hours ago, shocker said: Issue appeared on samsung as well. The let’s encrypt seems to be the root cause: https://www.theregister.com/2021/09/30/lets_encrypt_xero_slack_outages/ It is a root certificate that expired. LE couldn't do anything about it in the end ... It was not "their" certificate and LE is not the only affected party. Anyway - its all about updating your software once in a while with the latest trusted root certificates There is a reason why old build of LG APPs do not work an the latest TVs: They (LG) do not want that their customers are running into problems with "unsupported" & "not updated" software. Sorry emby team - i know that the LG App Store is not a easy place to be but ... Link to comment Share on other sites More sharing options...
SamES 890 Posted October 1, 2021 Share Posted October 1, 2021 FYI, root certificates on the TV are part of the TV firmware, not something packaged as part of the Emby client. 1 Link to comment Share on other sites More sharing options...
mbo 12 Posted October 1, 2021 Share Posted October 1, 2021 @SamES how does it come that emby with LE is working fine in the LG webbrowser? Could it be that it is framework version dependant? Link to comment Share on other sites More sharing options...
SamES 890 Posted October 1, 2021 Share Posted October 1, 2021 Not sure, but it’s possible that different certificates are available to the browser compared to the app Link to comment Share on other sites More sharing options...
Luke 37049 Posted October 1, 2021 Share Posted October 1, 2021 3 minutes ago, SamES said: Not sure, but it’s possible that different certificates are available to the browser compared to the app Yes we've seen this on other platforms as well. Link to comment Share on other sites More sharing options...
Flintfamily 6 Posted October 2, 2021 Share Posted October 2, 2021 Do we have any timeline on a resolution for this? It would be nice to get an estimate at least? Link to comment Share on other sites More sharing options...
SamES 890 Posted October 2, 2021 Share Posted October 2, 2021 Have you tried using http instead of https? I don’t think this is something Emby can solve. Alternatively you could try another certificate provider but take note of all the expiry dates as this issue may become more common. LG will need to update the root certificates in a firmware update to resolve this. 1 Link to comment Share on other sites More sharing options...
Tomate2 0 Posted October 2, 2021 Share Posted October 2, 2021 7 minutes ago, SamES said: Have you tried using http instead of https? I don’t think this is something Emby can solve. Alternatively you could try another certificate provider but take note of all the expiry dates as this issue may become more common. LG will need to update the root certificates in a firmware update to resolve this. Yes. It’s work with http Link to comment Share on other sites More sharing options...
Solution shocker 112 Posted October 2, 2021 Author Solution Share Posted October 2, 2021 Changing the IdentTrust DST Root CA X3 with another one solve the issue. Thanks guys for the help! Link to comment Share on other sites More sharing options...
SamES 890 Posted October 2, 2021 Share Posted October 2, 2021 3 hours ago, shocker said: Changing the IdentTrust DST Root CA X3 with another one solve the issue. Thanks guys for the help! Thanks for the update. Great to hear that you found a solution. For the benefit of others, can you please describe what you steps you took to replace this? Link to comment Share on other sites More sharing options...
shocker 112 Posted October 2, 2021 Author Share Posted October 2, 2021 Sure, For CentOS 7: yum -y update (to update ca-certificates to ca-certificates-2021.2.50-72.el7_9.noarch) # cp -i /etc/pki/tls/certs/ca-bundle.crt ~/ca-bundle.crt-backup # trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509 | sudo tee /etc/pki/ca-trust/source/blacklist/DST-Root-CA-X3.pem # update-ca-trust extract Ensure certbot is 1.19.0 and run: certbot renew --preferred-chain "ISRG Root X1" or update in /etc/letsencrypt/renewal/your_domain.conf and add under [renewalparams] the preffered chain parameter: preferred_chain = ISRG Root X1 But in order to ensure that no additional issues will be occurred by this, i've switched completely to a DigiCert certificate 1 1 Link to comment Share on other sites More sharing options...
adminExitium 173 Posted October 2, 2021 Share Posted October 2, 2021 If you are using acme.sh for your certificates, you have two options: * Use a different preferred chain for letsencrypt i.e. "ISRG Root X1": Changing acme.sh Preferred Chain * Use zerossl (an alternative free Acme Certificate Provider) for your certificates: acme.sh ZeroSSL CA 3 Link to comment Share on other sites More sharing options...
Gisprojesse 0 Posted October 3, 2021 Share Posted October 3, 2021 So I have an LG TV. It's one of the ones that is not working anymore. How do I fix this? Link to comment Share on other sites More sharing options...
SamES 890 Posted October 3, 2021 Share Posted October 3, 2021 1 hour ago, Gisprojesse said: So I have an LG TV. It's one of the ones that is not working anymore. How do I fix this? I think you have to use http for now Link to comment Share on other sites More sharing options...
shocker 112 Posted October 3, 2021 Author Share Posted October 3, 2021 3 hours ago, Gisprojesse said: So I have an LG TV. It's one of the ones that is not working anymore. How do I fix this? Should work, ensure you have updated your ca-certificates on your server. Link to comment Share on other sites More sharing options...
Lessaj 58 Posted October 3, 2021 Share Posted October 3, 2021 1 hour ago, shocker said: Should work, ensure you have updated your ca-certificates on your server. Hi, I've updated the ca-certificates package on my web server and it no longer has the X3 certificate in the bundle - I checked with the trust command before I updated and I found it there but didn't see it after the update - so the steps you previously mentioned to add it to the blacklist after updating the package did not work, I suppose that should be done first. I have another web server which I hadn't updated yet and I grabbed the certificate from there with the same command and running "update-ca-trust extract" printed messages that it was overriding trust for the X3 anchor a few times. I actually recently renewed my certificates and I see they were already using the X1 root certificate and while I don't see the X3 certificate as an issuer for that certificate when looking at the certificate chain in my browser I do still see it when using openssl to either connect to the web server or to look at the root certificate directly which I pulled from fullchain.pem with openssl x509. I tried to renew them again after adding "preferred_chain = ISRG Root X1" and/or trying with the command line argument but I still see it in the chain. Should this not appear anymore after this? My connection is still failing from my LG TV. At the moment I've switched to http on the TV but my external LG TV users are still impacted since I only allow https externally. Certificate chain 0 s:/CN=REDACTEDFORSECURITY i:/C=US/O=Let's Encrypt/CN=R3 1 s:/C=US/O=Let's Encrypt/CN=R3 i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1 i:/O=Digital Signature Trust Co./CN=DST Root CA X3 openssl x509 -in root.crt -noout -subject -issuer subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1 issuer=O = Digital Signature Trust Co., CN = DST Root CA X3 Link to comment Share on other sites More sharing options...
Flintfamily 6 Posted October 3, 2021 Share Posted October 3, 2021 I'm using a managed server slot and after modifying my host IP I can now use the non-secure http method, they have said everything their side is up to date and it's an LG firmware issue. There have been comments on a PLEX forum that essentially the TV's are no longer supported by LG (Samsung TV's are also affected) despite my TV only being a couple of years old. Pretty unbelieveable really considering the cost of a high end Smart TV. Apparently the PLEX LG app has a setting to allow insecure connections, emby doesn't have similar does it? A list of the TV's with PLEX app issues, I would assume Emby client apps would be similarly affected. Product Platform Platform Version App Version Plex for LG webOS All versions lower than 5.0 Plex for LG NetCast All versions Plex for Samsung Tizen 2.4 Plex for Opera TV Opera TV Store All versions Plex for Smart TVs netgem All versions Plex for TiVo TiVo All versions Plex for VIDAA VIDAA All versions lower than 5.0 Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now