Jump to content

TCL Roku TV: SSL Certificate Problem: Certificated has Expired


nickbmx2100
 Share

Recommended Posts

nickbmx2100

Looks like my  Roku TV 7117X  is no longer able to connect to my  remote Emby Server via SSL.  SSL certificate was generated by Synology Lets Encrypt.  I wanted to create this thread to make awareness and so others with same problem can find this. This all seems to be related to the Lets Encrypt certificate issues  from September 30.  Other clients like IOS app and Chrome browsers can successfully connect with SSL.  Looking through other threads other users are reporting with same issues.  No sure if there is a way to fix. 

TCL Roku TV Software Version: 10.0.0 Build 4209-30

Emby App Version 4.0  Build 31

 

 

Link to comment
Share on other sites

nickbmx2100

@ebr  Looking that the above thread. It mentions  attempting to import the new Root certificates to "Client Certificate Store".  I'm not sure what this means, But am assuming its a directory inside the Smart TV?  I don't have a way to have a root access to the TV.

But here you can download the new ROOT CA and Intermediate for ISRG X1 and X2 and import it to your Clients Certificates Store.After you did this, you will be able to reach all the Lets Encrypt sites again. (Maybe a Browser or App Restart is needed) "

 

Reading though other threads today I found this, where it mentions a folder on the server. I will look into  possible solution 

 

 

Link to comment
Share on other sites

nickbmx2100

I used this SSL checker  https://decoder.link/sslchecker/  to check what certs my emby server is reporting . It still shows the expired Root CA  .  But I could not find where the certs are stored on the server. I was also looking for temp folder but could not located it. My Emby Server is on Synology DSM7 installed via Package Center

Subject Common Name R3
Subject Organization Let's Encrypt
Issuer Common Name DST Root CA X3
Issuer Organization Digital Signature Trust Co.
Not Before: Oct 07, 2020 19:21:40 GMT
Not After: Sep 29, 2021 19:21:40 GMT

Screenshot from 2021-10-03 22-23-14.png

Link to comment
Share on other sites

FrostByte

You should be able to see and delete any certificates right from DSM

Click Control Panel > Security > Certificate > Action

certs.jpg.1c276d5bb186566ca938876f2df36c5c.jpg

 

 

Link to comment
Share on other sites

FrostByte

The certs are in the following folder:

/usr/syno/etc/certificate/

look in there.  You should see a folder with the .pem files for each cert

Edited by FrostByte
Link to comment
Share on other sites

nickbmx2100

I was looking for the X509 store.  I found it  at /volume1/@apphome/EmbyServer/.dotnet/corefx/cryptography/x509stores/ca

Inside the folder is  the PEM file. I renamed it backup.txt   and restarted Emby Server  to test.

ash-4.4# pwd
/volume1/@apphome/EmbyServer/.dotnet/corefx/cryptography/x509stores/ca
ash-4.4# del 48504E974C0DAC5B5CD476C8202274B24C8C7172.pfx 
ash: del: command not found
ash-4.4# mv 48504E974C0DAC5B5CD476C8202274B24C8C7172.pfx backup.txt
ash-4.4# ls
backup.txt

Link to comment
Share on other sites

nickbmx2100

Now when to run SSL checker  https://decoder.link/sslchecker/   the updated ISRG Root X1 cert is now being used by server 

Subject Organization Let's Encrypt
Issuer Common Name ISRG Root X1
Issuer Organization Internet Security Research Group
Not Before: Sep 04, 2020 00:00:00 GMT
Not After: Sep 15, 2025 16:00:00 GMT

ValidR3Root.png

  • Like 1
Link to comment
Share on other sites

nickbmx2100
Posted (edited)

This resolved my issues. I was able to Successfully connect my Roku TV/ Emby App to my Remote Emby Server using  HTTPS .     

Recap: So even after updated cert gets saved via the Network menu under "Custom ssl certificate path"     The server still holds on to old expired  PFX   at the X509store directory.   There should be a way for Emby to clear that directory if a new PFX is updated by Admin.  A Server restart does not update it.  I had SSH with my to that specific directory as "Root" to clear it. Then restart EmbyServer

Edited by nickbmx2100
  • Like 1
Link to comment
Share on other sites

  • 1 month later...

I ran into this problem as well.  @nickbmx2100's solution to this worked for me as well.

@Luke what are those files in that directory?

root@emby:/var/lib/emby/.dotnet/corefx/cryptography/x509stores/ca# ll
total 20
drwxr-xr-x 2 emby emby 4096 Dec  2 22:26 ./
drwxr-xr-x 3 emby emby 4096 Oct 30  2020 ../
-rw------- 1 emby emby 1344 Apr 29  2021 48504E974C0DAC5B5CD476C8202274B24C8C7172.pfx-backup
-rw------- 1 emby emby 1520 Dec  2 22:26 A053375BFE84E8B748782C7CEE15827A6AF5A405.pfx
-rw------- 1 emby emby 1384 Oct 30  2020 E6A3B45B062D509B3382282D196EFE97D5956CCB.pfx-backup


I moved two extant ones out of the way via rename and restarted.  This new one showed up.

Link to comment
Share on other sites

30 minutes ago, svdasein said:

I ran into this problem as well.  @nickbmx2100's solution to this worked for me as well.

@Luke what are those files in that directory?

root@emby:/var/lib/emby/.dotnet/corefx/cryptography/x509stores/ca# ll
total 20
drwxr-xr-x 2 emby emby 4096 Dec  2 22:26 ./
drwxr-xr-x 3 emby emby 4096 Oct 30  2020 ../
-rw------- 1 emby emby 1344 Apr 29  2021 48504E974C0DAC5B5CD476C8202274B24C8C7172.pfx-backup
-rw------- 1 emby emby 1520 Dec  2 22:26 A053375BFE84E8B748782C7CEE15827A6AF5A405.pfx
-rw------- 1 emby emby 1384 Oct 30  2020 E6A3B45B062D509B3382282D196EFE97D5956CCB.pfx-backup


I moved two extant ones out of the way via rename and restarted.  This new one showed up.

They're not ours. They're used by the .NET runtime.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...