Several LG TV's cannot connect to server


Solved by shocker

Recommended Posts

SamES
45 minutes ago, matty_r said:

This is not solved. Still having issues here despite switching preferred-chain.

Correct, the root cert on the TV needs replacing, which can only be done by a firmware update, unless you can find an existing root cert that you can utilise in your chain.

Unlike Samsung, LG publish their roots here, but not sure how well this list is maintained.

Refer link at bottom of page (https://webostv.developer.lge.com/discover/specifications/web-engine/)

Last December I extracted some of them, but this may have been updated since. If you can get your cert signed by an intermediate cert which is signed by one of these root certs, then you should be OK.

webos35_certlist by issuer.txt

webos50_certlist by issuer.txt


matty_r
6 minutes ago, SamES said:

Correct, the root cert on the TV needs replacing, which can only be done by a firmware update, unless you can find an existing root cert that you can utilise in your chain.

Unlike Samsung, LG publish their roots here, but not sure how well this list is maintained.

Refer link at bottom of page (https://webostv.developer.lge.com/discover/specifications/web-engine/)

Last December I extracted some of them, but this may have been updated since. If you can get your cert signed by an intermediate cert which is signed by one of these root certs, then you should be OK.

webos35_certlist by issuer.txt

webos50_certlist by issuer.txt

What I don't understand is that the built-in web browser actually still worked successfully. So I'm guessing the web browser has updated its root certs separately from what the app utilizes?


adminExitium

Did you double check that the "preferred-chain" actually worked and the X3 root is no longer part of your chain? If so, you shouldn't require a replacement root cert on the TV since the ISRG root is still valid.

 

You can always get yourself a ZeroSSL certificate instead which is free and works: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA.

 

That's what I did on my server to keep everything working fine. 


11 hours ago, Flintfamily said:

Apparently the PLEX LG app has a setting to allow insecure connections, emby doesn't have similar does it?

 

You can use http instead of https. Just set up your LG Emby client without https when you configure your server. You can do it by "add a new server" or similar and use the http port of your server.


shocker
11 hours ago, Lessaj said:

Hi,

I've updated the ca-certificates package on my web server and it no longer has the X3 certificate in the bundle - I checked with the trust command before I updated and I found it there but didn't see it after the update - so the steps you previously mentioned to add it to the blacklist after updating the package did not work, I suppose that should be done first. I have another web server which I hadn't updated yet and I grabbed the certificate from there with the same command and running "update-ca-trust extract" printed messages that it was overriding trust for the X3 anchor a few times. I actually recently renewed my certificates and I see they were already using the X1 root certificate and while I don't see the X3 certificate as an issuer for that certificate when looking at the certificate chain in my browser I do still see it when using openssl to either connect to the web server or to look at the root certificate directly which I pulled from fullchain.pem with openssl x509. I tried to renew them again after adding "preferred_chain = ISRG Root X1" and/or trying with the command line argument but I still see it in the chain. Should this not appear anymore after this? My connection is still failing from my LG TV. At the moment I've switched to http on the TV but my external LG TV users are still impacted since I only allow https externally.

Certificate chain
 0 s:/CN=REDACTEDFORSECURITY
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

 

openssl x509 -in root.crt -noout -subject -issuer
subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3

Just to ensure that everything is clean, switch to https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA 
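The chain Lessaj pasted above is the "long" Let's Encrypt chain: the server also sends an ISRG Root X1 certificate that is itself issued by DST Root CA X3. A browser that already trusts ISRG Root X1 stops at the R3 certificate and never looks at that last cross-signed cert, which is why the TV's built-in browser and phones keep working; a client that walks the chain exactly as sent ends at DST Root CA X3 and fails once that root has expired or is missing. The script below is an added example, not code from this thread or from Emby: it parses the "Certificate chain" block that `openssl s_client -showcerts` prints and reports which root each kind of client needs. Both sample chains are constructed for the example (the hostname `media.example.test` is a placeholder); the first mirrors the layout of the output quoted in the post, the second is the short chain you get with the "ISRG Root X1" preferred chain.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the layout `openssl s_client -showcerts` prints:
# the "long" Let's Encrypt chain, where the server also sends the ISRG Root X1
# certificate that is cross-signed by DST Root CA X3 (the expired root).
LONG_CHAIN = """Certificate chain
 0 s:/CN=media.example.test
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
"""

# Constructed sample of the "short" chain served with preferred chain
# "ISRG Root X1": the server stops at R3, so the client must hold ISRG Root X1.
SHORT_CHAIN = """Certificate chain
 0 s:/CN=media.example.test
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
"""


@dataclass(frozen=True)
class ChainEntry:
    depth: int
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


_SUBJECT_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER_LINE = re.compile(r"^\s*i:(.*)$")


def parse_chain(text: str) -> list[ChainEntry]:
    """Turn the 's:'/'i:' pairs of the Certificate chain block into entries, leaf first."""
    entries: list[ChainEntry] = []
    depth, subject = None, None
    for line in text.splitlines():
        if (m := _SUBJECT_LINE.match(line)):
            depth, subject = int(m.group(1)), m.group(2).strip()
        elif (m := _ISSUER_LINE.match(line)) and subject is not None:
            entries.append(ChainEntry(depth, subject, m.group(1).strip()))
            depth, subject = None, None
    return sorted(entries, key=lambda e: e.depth)


def common_name(dn: str) -> str:
    """Pull the CN out of either '/C=US/CN=R3' or 'C = US, CN = R3' style names."""
    m = re.search(r"CN\s*=\s*([^/,]+)", dn)
    return m.group(1).strip() if m else dn


def chain_terminus(entries: list[ChainEntry]) -> str:
    """Root needed by a client that walks the chain exactly as the server sent it.

    If the last certificate is self-signed the client must trust that very cert;
    otherwise it must already hold whatever issued the last cert (the TV's case).
    """
    if not entries:
        raise ValueError("empty chain")
    last = entries[-1]
    return common_name(last.subject if last.self_signed else last.issuer)


def candidate_roots(entries: list[ChainEntry]) -> list[str]:
    """Every issuer along the chain: a path-building client (a browser) can stop
    as soon as it reaches a certificate whose issuer it already trusts."""
    seen: list[str] = []
    for entry in entries:
        name = common_name(entry.issuer)
        if name not in seen:
            seen.append(name)
    return seen


def explain(text: str) -> str:
    """One-line verdict readable straight off the s_client output."""
    entries = parse_chain(text)
    path = " -> ".join(common_name(e.subject) for e in entries)
    return (f"{path}; a chain-walking client needs '{chain_terminus(entries)}', "
            f"a path-building client accepts any of {candidate_roots(entries)}")


if __name__ == "__main__":
    for label, sample in (("long chain", LONG_CHAIN), ("short chain", SHORT_CHAIN)):
        print(f"{label}: {explain(sample)}")
```

Run it against your own server by pasting the "Certificate chain" block from `openssl s_client -connect host:443 -showcerts` into the script: if the chain-walking verdict names DST Root CA X3, the TV will keep failing no matter which roots a browser accepts, and either the short chain or a different CA (as suggested in the replies) is the fix.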


Lessaj
35 minutes ago, shocker said:

Just to ensure that everything is clean, switch to https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA 

Yep, I just switched over to ZeroSSL and it's working now. Odd that the X3 certificate was still coming up in the chain, but at the end of the day it's still an easy free SSL certificate and is also easily replaced.


matty_r
6 hours ago, adminExitium said:

Did you double check that the "preferred-chain" actually worked and the X3 root is no longer part of your chain? If so, you shouldn't require a replacement root cert on the TV since the ISRG root is still valid.

 

You can always get yourself a ZeroSSL certificate instead which is free and works: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA.

 

That's what I did on my server to keep everything working fine. 

Says R3 - ISRG Root X1. Still won't connect.


SamES
1 hour ago, shocker said:

Just to ensure that everything is clean, switch to https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA 

It looks like they also have a cross-signed intermediate certificate signed by Comodo which provides support for older/legacy devices, so if you still have issues getting this to work with older devices make sure this is in your chain (Refer Legacy Client Compatibility Cross-Signed Root Certificates – ZeroSSL)     

Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services. (Expires 2029)


adminExitium
1 hour ago, matty_r said:

Says R3 - ISRG Root X1. Still won't connect.

Probably best to switch to ZeroSSL then.

 

6 minutes ago, SamES said:

make sure this is in your chain

Any certificates obtained via ACME already have that in the chain btw.


20 hours ago, mbo said:

You can use http instead of https. Just set up your LG Emby client without https when you configure your server. You can do it by "add a new server" or similar and use the http port of your server.

But please pay attention to the security aspect! http is totally unencrypted, so your username and password are sent without any protection. This makes it very easy for a man-in-the-middle attack to capture your credentials, for example.


ShadowKindjal
On 10/2/2021 at 9:46 AM, adminExitium said:

If you are using acme.sh for your certificates, you have two options:

* Use a different preferred chain for letsencrypt i.e. "ISRG Root X1": Changing acme.sh Preferred Chain

* Use zerossl (an alternative free Acme Certificate Provider) for your certificates: acme.sh ZeroSSL CA

Thank you sir. Switching to ZeroSSL solved my problem on all my devices.


rossome

After updating your Let's Encrypt certificate with the "ISRG Root X1" chain and creating the new .pfx file; I use the following to do this (changing example.com to my own domain.tld)...

openssl pkcs12 -password pass: -export -out /var/lib/emby/certs/example.com.pfx -inkey /etc/letsencrypt/live/example.com/privkey.pem -in /etc/letsencrypt/live/example.com/cert.pem -certfile /etc/letsencrypt/live/example.com/chain.pem && chown emby:emby /var/lib/emby/certs/example.com.pfx && systemctl restart emby-server

...you will need to shut down the Emby service and clear out the cached .pfx file located at:

/var/lib/emby/.dotnet/corefx/cryptography/x509stores/ca/

Then start the service again. TV apps appear to be working again for me.

 

NOTE in my system.xml file I have the following defined (also found in the webui admin dashboard under "Network => Custom ssl certificate path"):

 <CertificatePath>/var/lib/emby/certs/example.com.pfx</CertificatePath>

Mookdog

Hi Guys

My daughter called me today and said my grandson couldn't get on Emby to watch his shows this morning. Seems the SSL certificate that I switched to last week using certbot didn't work with her LG TV. So, I am not well versed in getting SSL certs through a Linux distro (I am a Windows guy), but after reading a ton of stuff I managed to get an SSL cert via ZeroSSL using acme.sh. Called her and told her to test, and all is working well now. Thanks to you guys on this forum for pushing me in the right direction.

 

Mook


If you cannot change your Emby server certificate to one signed by a certificate authority certificate trusted by your TV, then, if your TV is rooted, you can update the trusted CA certs on the TV itself.

I wrote a bash script for my rooted B9, to remove the expired LetsEncrypt cert and add two new certs to the TV's truststore. It may work for other devices.

On a rooted B9 or C9 you can open a shell on your TV and run the following four commands:

cd /tmp

wget https://raw.githubusercontent.com/tf318/lg/main/update-ca-certs.sh

chmod +x update-ca-certs.sh

./update-ca-certs.sh

 

After updating the certs, the TV will reboot, and you should be good to go.

As I have no other LG devices on which to test this (filesystem layouts may be different), you may want to inspect the bash script and manually edit and run individual commands within instead, or at least use it as a guide for what to do on your own TV.


3 weeks later...
plittlefield

Same here for my friends using LG TVs.

I have the newer preferred chain of ISRG Root X1 on my Linux server and all LG TV app users cannot connect.

I have checked it's their TVs by asking them to use their phones (either app or Chrome web browser) instead and they work fine.

I am not allowing http traffic externally, so I guess they will have to wait for an LG TV firmware update.


 

On 10/2/2021 at 3:46 PM, adminExitium said:

If you are using acme.sh for your certificates, you have two options:

* Use a different preferred chain for letsencrypt i.e. "ISRG Root X1": Changing acme.sh Preferred Chain

When I did try this for the last time, my certificate already used ISRG Root X1 (which is cross-signed by the now obsolete DST Root CA X3) and it still didn't work.

 

On 10/2/2021 at 3:46 PM, adminExitium said:

* Use zerossl (an alternative free Acme Certificate Provider) for your certificates: acme.sh ZeroSSL CA

 

54 minutes ago, adminExitium said:

Or just switch to ZeroSSL ... 

This is not always possible. I'm using "Traefik" as a reverse proxy for example and it doesn't support ZeroSSL, only Let's Encrypt.


plittlefield

@adminExitium so, after a quick read it looks like I can use acme.sh to generate a ZeroSSL certificate using Gandi Live DNS verification and generate a PFX file to work with Emby...

... all with a few commands!

I'll come back once I've successfully done all this and post my sanitised commands.

Nice one.


adminExitium
1 hour ago, tobby said:

This is not always possible. I'm using "Traefik" as a reverse proxy for example and it doesn't support ZeroSSL, only Let's Encrypt.

You are mistaken. Traefik does support switching to ZeroSSL. I don't have the config handy anymore and I don't use it myself but I have helped numerous people switch to it.


44 minutes ago, adminExitium said:

You are mistaken. Traefik does support switching to ZeroSSL. I don't have the config handy anymore and I don't use it myself but I have helped numerous people switch to it.

Thank you for that information! Here: https://doc.traefik.io/traefik/https/acme/ it only shows Let's Encrypt, but I will give it another try. Since it's also using ACME, it should be possible to point to a different ACME provider.
