matty_r, posted October 3, 2021:
This is not solved. Still having issues here despite switching preferred-chain.
SamES, posted October 3, 2021 (edited October 3, 2021 by SamES):
45 minutes ago, matty_r said:
    This is not solved. Still having issues here despite switching preferred-chain.
Correct, the root cert on the TV needs replacing, which can only be done by a firmware update, unless you can find an existing root cert that you can utilise in your chain. Unlike Samsung, LG publish their roots here, but not sure how well this list is maintained. Refer link at bottom of page (https://webostv.developer.lge.com/discover/specifications/web-engine/)
Last December I extracted some of them, but this may have been updated since. If you can get your cert signed by an intermediate cert, which is signed by one of these root certs, then you should be OK.
Attachments: webos35_certlist by issuer.txt, webos50_certlist by issuer.txt
matty_r, posted October 3, 2021:
6 minutes ago, SamES said:
    Correct, the root cert on the TV needs replacing, which can only be done by a firmware update, unless you can find an existing root cert that you can utilise in your chain. Unlike Samsung, LG publish their roots here, but not sure how well this list is maintained. Refer link at bottom of page (https://webostv.developer.lge.com/discover/specifications/web-engine/)
    Last December I extracted some of them, but this may have been updated since. If you can get your cert signed by an intermediate cert, which is signed by one of these root certs, then you should be OK.
    Attachments: webos35_certlist by issuer.txt, webos50_certlist by issuer.txt
What I don't understand is that the built-in web browser actually still worked successfully. So I'm guessing the web browser has updated its root certs separately from what the app utilizes?
adminExitium, posted October 3, 2021:
Did you double check that the "preferred-chain" actually worked and the X3 root is no longer part of your chain? If so, you shouldn't require a replacement root cert on the TV since the ISRG root is still valid. You can always get yourself a ZeroSSL certificate instead which is free and works: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA. That's what I did on my server to keep everything working fine.
mbo, posted October 3, 2021:
11 hours ago, Flintfamily said:
    Apparently the PLEX LG app has a setting to allow insecure connections, emby doesn't have similar does it?
You can use http instead of https. Just set up your LG emby client without https when you configure your server. You can do it by "add a new server" or similar and use the http port of your server.
shocker (author), posted October 3, 2021:
11 hours ago, Lessaj said:
    Hi, I've updated the ca-certificates package on my web server and it no longer has the X3 certificate in the bundle - I checked with the trust command before I updated and I found it there but didn't see it after the update - so the steps you previously mentioned to add it to the blacklist after updating the package did not work, I suppose that should be done first. I have another web server which I hadn't updated yet and I grabbed the certificate from there with the same command and running "update-ca-trust extract" printed messages that it was overriding trust for the X3 anchor a few times.
    I actually recently renewed my certificates and I see they were already using the X1 root certificate and while I don't see the X3 certificate as an issuer for that certificate when looking at the certificate chain in my browser I do still see it when using openssl to either connect to the web server or to look at the root certificate directly which I pulled from fullchain.pem with openssl x509. I tried to renew them again after adding "preferred_chain = ISRG Root X1" and/or trying with the command line argument but I still see it in the chain. Should this not appear anymore after this? My connection is still failing from my LG TV. At the moment I've switched to http on the TV but my external LG TV users are still impacted since I only allow https externally.

    Certificate chain
     0 s:/CN=REDACTEDFORSECURITY
       i:/C=US/O=Let's Encrypt/CN=R3
     1 s:/C=US/O=Let's Encrypt/CN=R3
       i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
     2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3

    openssl x509 -in root.crt -noout -subject -issuer
    subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
    issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
Just to ensure that everything is clean, switch to https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA
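The chain output quoted above shows the symptom the whole thread revolves around: the last certificate the server sends is the cross-signed copy of ISRG Root X1, so the chain ends at DST Root CA X3 even though the leaf is fine. The script below is an added example (not code from any poster here) that builds a constructed pair of roots with openssl ("Old Root" standing in for DST Root CA X3, "New Root" standing in for ISRG Root X1, which exists both self-signed and cross-signed by the old root), assembles the two chain files a server might serve, and shows how to read the issuer of the last certificate in a bundle so you can tell which chain is being served. It assumes only that `openssl` is on the PATH; the `served_chain` helper does the same inspection against a live host and is included for use on your own server, but is not run here because it needs network access.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. All CA names, keys and files below are
# constructed in a temp directory; nothing contacts a real CA or server.
set -eu

WORK="$(mktemp -d)"

# Print "subject=..." and "issuer=..." for every certificate in a PEM bundle,
# in file order (leaf first for a normal fullchain.pem).
chain_issuers() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Issuer of the last certificate in the bundle. When this names the old root,
# the server is still sending the cross-signed chain; a client that no longer
# trusts (or holds an expired copy of) the old root can reject the connection
# even though the new root itself is valid, which is what the TVs here show.
last_issuer() {
    chain_issuers "$1" | grep '^issuer=' | tail -n 1 | sed 's/^issuer=//'
}

# Same inspection against a live server (the openssl s_client check quoted
# above). Usage: served_chain emby.example.org 443
served_chain() {
    openssl s_client -showcerts -servername "$1" -connect "$1:${2:-443}" </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        | openssl crl2pkcs7 -nocrl -certfile /dev/stdin | openssl pkcs7 -print_certs -noout
}

# Build the constructed CA hierarchy in a subshell so the cd does not leak.
build_demo_chains() (
    cd "$WORK"
    # Old root: self-signed (plays the role of DST Root CA X3).
    openssl ecparam -genkey -name prime256v1 -noout -out old.key
    openssl req -x509 -new -key old.key -subj "/CN=Old Root" -days 1 -out old.crt
    # New root: one key, two certificates (plays the role of ISRG Root X1).
    openssl ecparam -genkey -name prime256v1 -noout -out new.key
    openssl req -x509 -new -key new.key -subj "/CN=New Root" -days 1 -out new_self.crt
    openssl req -new -key new.key -subj "/CN=New Root" -out new.csr
    openssl x509 -req -in new.csr -CA old.crt -CAkey old.key -CAcreateserial -days 1 \
        -out new_cross.crt 2>/dev/null
    # Leaf signed with the new root's key (plays the role of the server cert).
    openssl ecparam -genkey -name prime256v1 -noout -out leaf.key
    openssl req -new -key leaf.key -subj "/CN=leaf.example" -out leaf.csr
    openssl x509 -req -in leaf.csr -CA new_self.crt -CAkey new.key -CAcreateserial -days 1 \
        -out leaf.crt 2>/dev/null
    # The two fullchain.pem variants a server might serve.
    cat leaf.crt new_cross.crt > chain_cross.pem   # legacy chain, ends at Old Root
    cat leaf.crt new_self.crt  > chain_self.pem    # preferred chain, ends at New Root
)

build_demo_chains
echo "cross-signed chain, last issuer: $(last_issuer "$WORK/chain_cross.pem")"
echo "self-signed chain,  last issuer: $(last_issuer "$WORK/chain_self.pem")"
```

Run `last_issuer /etc/letsencrypt/live/<domain>/fullchain.pem` (or `served_chain <host>`) on your own server: if the result still names DST Root CA X3 after switching the preferred chain, the renewed chain file was not picked up, which matches the "still see it in the chain" reports in this thread.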
Lessaj, posted October 3, 2021:
35 minutes ago, shocker said:
    Just to ensure that everything is clean, switch to https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA
Yep I just switched over to ZeroSSL and it's working now. Odd that the X3 certificate was still coming up in the chain but at the end of the day it's still an easy free SSL certificate and is also easily replaced.
matty_r, posted October 3, 2021:
6 hours ago, adminExitium said:
    Did you double check that the "preferred-chain" actually worked and the X3 root is no longer part of your chain? If so, you shouldn't require a replacement root cert on the TV since the ISRG root is still valid. You can always get yourself a ZeroSSL certificate instead which is free and works: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA. That's what I did on my server to keep everything working fine.
Says R3 - ISRG Root X1. Still won't connect.
SamES, posted October 3, 2021:
1 hour ago, shocker said:
    Just to ensure that everything is clean, switch to https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA
It looks like they also have a cross-signed intermediate certificate signed by Comodo which provides support for older/legacy devices, so if you still have issues getting this to work with older devices make sure this is in your chain (Refer Legacy Client Compatibility Cross-Signed Root Certificates – ZeroSSL)
Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services. (Expires 2029)
adminExitium, posted October 3, 2021:
1 hour ago, matty_r said:
    Says R3 - ISRG Root X1. Still won't connect.
Probably best to switch to ZeroSSL then.
6 minutes ago, SamES said:
    make sure this is in your chain
Any certificates obtained via ACME already have that in the chain btw.
tobby, posted October 4, 2021:
20 hours ago, mbo said:
    You can use http instead of https. Just set up your LG emby client without https when you configure your server. You can do it by "add a new server" or similar and use the http port of your server.
But please pay attention to the security aspect! http is totally unencrypted, so your username and password are sent without any safety. This makes man-in-the-middle attacks very easy to get your credentials, for example.
ShadowKindjal, posted October 4, 2021:
On 10/2/2021 at 9:46 AM, adminExitium said:
    If you are using acme.sh for your certificates, you have two options:
    * Use a different preferred chain for letsencrypt i.e. "ISRG Root X1": Changing acme.sh Preferred Chain
    * Use zerossl (an alternative free Acme Certificate Provider) for your certificates: acme.sh ZeroSSL CA
Thank you sir. Switching to ZeroSSL solved my problem on all my devices.
rossome, posted October 5, 2021 (edited October 5, 2021 by rossome):
After updating your Let's Encrypt certificate with the "ISRG Root X1" and creating the new .pfx file; I use the following to do this (changing example.com to my own domain.tld)...

    openssl pkcs12 -password pass: -export -out /var/lib/emby/certs/example.com.pfx -inkey /etc/letsencrypt/live/example.com/privkey.pem -in /etc/letsencrypt/live/example.com/cert.pem -certfile /etc/letsencrypt/live/example.com/chain.pem && chown emby:emby /var/lib/emby/certs/example.com.pfx && systemctl restart emby-server

...you will need to shut down the emby service and clear out the cached .pfx file located at:

    /var/lib/emby/.dotnet/corefx/cryptography/x509stores/ca/

Then start the service again. TV apps appear to be working again for me.
NOTE: in my system.xml file I have the following defined (also found in the webui admin dashboard under "Network => Custom ssl certificate path"):

    <CertificatePath>/var/lib/emby/certs/example.com.pfx</CertificatePath>
AppleSeed, posted October 5, 2021:
Thanks @adminExitium for the tips! With acme/zerossl, it works fine.
Mookdog, posted October 13, 2021:
Hi Guys
My daughter called me today and said my grandson couldn't get on emby to watch his shows this morning. Seems the ssl certificate that I switched to last week using certbot didn't work with her LG tv. So me, I am not well versed in getting ssl certs through a linux distro (I am a Windows guy) but after reading a ton of stuff I managed to get a SSL cert via Zerossl using acme.sh. Called her and told her to test and all is working well now.
Thanks to you guys on this forum for pushing me in the right direction
Mook
Luke, posted October 13, 2021:
Thanks for the feedback.
kirkj, posted October 13, 2021:
Same problem here, with LG's and Samsung's TVs. Solved with acme/zerossl. Thank you all.
tamby, posted October 21, 2021:
If you cannot change your Emby server certificate to one signed by a valid certificate authority certificate trusted by your TV, then if your TV is rooted, you can update the trusted CA certs on the TV itself.
I wrote a bash script for my rooted B9, to remove the expired LetsEncrypt cert and add two new certs to the TV's truststore. It may work for other devices.
On a rooted B9 or C9 you can open a shell on your TV and run the following four commands:

    cd /tmp
    wget https://raw.githubusercontent.com/tf318/lg/main/update-ca-certs.sh
    chmod +x update-ca-certs.sh
    ./update-ca-certs.sh

After updating the certs, the TV will reboot, and you should be good to go.
As I have no other LG devices on which to test this (filesystem layouts may be different), you may want to inspect the bash script and manually edit and run individual commands within instead, or at least use it as a guide for what to do on your own TV.
plittlefield, posted November 9, 2021:
Same here for my friends using LG TVs. I have the newer preferred chain of ISRG Root X1 on my Linux server and all LG TV app users cannot connect. I have checked it's their TVs by asking them to use their phones (either app or Chrome web browser) instead and they work fine. I am not allowing http traffic externally, so I guess they will have to wait for an LG TV firmware update.
adminExitium, posted November 9, 2021:
Or just switch to ZeroSSL ...
plittlefield, posted November 9, 2021:
Interesting.... I will have a look.
tobby, posted November 9, 2021:
On 10/2/2021 at 3:46 PM, adminExitium said:
    If you are using acme.sh for your certificates, you have two options:
    * Use a different preferred chain for letsencrypt i.e. "ISRG Root X1": Changing acme.sh Preferred Chain
When I did try this for the last time, my certificate already used ISRG Root X1 (which is cross-signed by the now obsolete DST Root CA X3) and it still didn't work.
On 10/2/2021 at 3:46 PM, adminExitium said:
    * Use zerossl (an alternative free Acme Certificate Provider) for your certificates: acme.sh ZeroSSL CA
54 minutes ago, adminExitium said:
    Or just switch to ZeroSSL ...
This is not always possible. I'm using "Traefik" as a reverse proxy for example and it doesn't support ZeroSSL, only Let's Encrypt.
plittlefield, posted November 9, 2021:
@adminExitium so, after a quick read it looks like I can use acme.sh to generate a ZeroSSL certificate using Gandi Live DNS verification and generate a PFX file to work with Emby... all with a few commands!
I'll come back once I've successfully done all this and post my sanitised commands. Nice one.
adminExitium, posted November 9, 2021:
1 hour ago, tobby said:
    This is not always possible. I'm using "Traefik" as a reverse proxy for example and it doesn't support ZeroSSL, only Let's Encrypt.
You are mistaken. Traefik does support switching to ZeroSSL. I don't have the config handy anymore and I don't use it myself but I have helped numerous people switch to it.
tobby, posted November 9, 2021:
44 minutes ago, adminExitium said:
    You are mistaken. Traefik does support switching to ZeroSSL. I don't have the config handy anymore and I don't use it myself but I have helped numerous people switch to it.
Thank you for that information! Here: https://doc.traefik.io/traefik/https/acme/ it only shows Let's encrypt, but I will give it another try. Since it's also using acme it should be possible to point to a different acme provider.