Jump to content

LG App/Browser Cannot Connect


ophiuchia
 Share

Recommended Posts

ophiuchia

Hi All,

I'm a bit at a loss. Two remote devices (a LG Smart TV and a LG Smart projector) located in Europe cannot connect anymore to a Emby server running in the US. The Emby server has an Nginx reverse proxy with let's encrypt that forwards remote https requests to another machine in http on its own network (both running linux). This setup ran for years with no/minor interruptions and is rock solid.

The LG remote devices lost the ability to access the server roughly in line with the expiration of the X3 root certificate (see thread below). However, my let's encrypt uses the ISRG Root X1 certificate for quite some time now.

I get the following error message in the app running on the LG smart device: "Connection Failure - We're unable to connect to the selected server right now. Please ensure it is running and try again."
I also get the following error message in the browser of the same devices: "The server's security certificate is no valid! Incorrect time setting may cause the error. Please check your time setting and make sure that the current time is correct."
Other devices on the same networks (computers, mobile phones) can access the server without problems.

Any idea/recommendation on what could be the problem would be well appreciated.

Thank you!

 

 

Link to comment
Share on other sites

Hi, the problem isn't necessarily your certificate, but rather what the TV's support and trust (or not). Did you look at the workarounds in the topic where some users have been using ZeroSSL?

Link to comment
Share on other sites

ophiuchia

I did only see the ZeroSSL workaround. I'm trying to avoid moving from let's encrypt as I'm running a nontrivial system that is well tested.

Are there other workarounds? Is there any way to check what root certificates a specific TV/app supports?

Thanks

 

Edited by ophiuchia
Link to comment
Share on other sites

ophiuchia

I'll use that as last resort (but would need to put a VPN in place first).

Just out of curiosity: is there a way to check what certificates an emby app accepts/trusts?
(I assume the emby app inherent the accepted/trusted certificates from the TV)

 

Link to comment
Share on other sites

Quote

I assume the emby app inherent the accepted/trusted certificates from the TV

Correct yes. Now for the bad news. @SamES has researched this in the past and unfortunately LG doesn't publish a list of certificates that it accepts, but he might have some tips on which ones to use.

Link to comment
Share on other sites

adminExitium
On 18/11/2021 at 02:13, ophiuchia said:

However, my let's encrypt uses the ISRG Root X1 certificate for quite some time now.

Just to clarify, LetsEncrypt actually has two chains for it's ISRG root, one is the ISRG root by itself (self-signed) and the other is cross-signed via the now expired DST root (which is the default for many acme clients). You may be using the DST cross-signed version which is why your certificate stopped working.

You can try using the self-signed certificate with only the ISRG root and see if that works but I doubt it since it's relatively new. The exact method of switching the chain depends on your acme client. For acme.sh, it's this: https://github.com/acmesh-official/acme.sh/wiki/Preferred-Chain

Link to comment
Share on other sites

20 hours ago, Luke said:

@SamES has researched this in the past and unfortunately LG doesn't publish a list of certificates that it accepts, but he might have some tips on which ones to use.

Actually this is not entirely true for LG (although they don't make it easy).  Samsung on the other hand give you nothing.

You didn't mention which webOS version your devices are, but some time ago I extracted a list of certs for webOS 3.5 and webOS 5.0

https://emby.media/community/index.php?/topic/102144-several-lg-tvs-cannot-connect-to-server/&do=findComment&comment=1074023

They may have changed since the, but it is probably unlikely.

 

Edited by SamES
Link to comment
Share on other sites

ophiuchia
On 11/18/2021 at 1:27 PM, Luke said:

Correct yes. Now for the bad news. @SamES has researched this in the past and unfortunately LG doesn't publish a list of certificates that it accepts, but he might have some tips on which ones to use.

Thank you for the feedback. In particular, thank you @SamES for posting the link that has the LG Web OS root certificates (https://webostv.developer.lge.com/discover/specifications/web-engine/). I reviewed them and, unfortunately, none contain the popular Let's Encrypt ISRG Root X1 (https://letsencrypt.org/certificates/). The ISRG Root X1 root certificate used to work because it is cross-signed by DST Root CA X3 but stopped when the DST certificate expired.

I filed a LG support request to include the ISRG certificates in Web OS.

A few things related to the other thread:
- @shocker suggest to update the certificates but only the second method proposed by @adminExitium should work (switch to zerossl) and @rossome's solution should not work unless I'm missing something.
- @matty_r reported that the browser still works - I cannot reproduce this.

Out of curiosity, has anyone tried/experience with nginx reverse proxies and acme.sh/zerossl?

 

Edited by ophiuchia
  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...