ophiuchia, posted November 17, 2021:

Hi All,

I'm a bit at a loss. Two remote devices (an LG Smart TV and an LG Smart projector) located in Europe cannot connect anymore to an Emby server running in the US. The Emby server has an Nginx reverse proxy with Let's Encrypt that forwards remote HTTPS requests to another machine in HTTP on its own network (both running Linux). This setup ran for years with no/minor interruptions and is rock solid.

The LG remote devices lost the ability to access the server roughly in line with the expiration of the X3 root certificate (see thread below). However, my Let's Encrypt uses the ISRG Root X1 certificate for quite some time now.

I get the following error message in the app running on the LG smart device: "Connection Failure - We're unable to connect to the selected server right now. Please ensure it is running and try again."

I also get the following error message in the browser of the same devices: "The server's security certificate is no valid! Incorrect time setting may cause the error. Please check your time setting and make sure that the current time is correct."

Other devices on the same networks (computers, mobile phones) can access the server without problems.

Any idea/recommendation on what could be the problem would be well appreciated. Thank you!

Luke, posted November 17, 2021:

Hi, the problem isn't necessarily your certificate, but rather what the TVs support and trust (or not). Did you look at the workarounds in the topic where some users have been using ZeroSSL?

ophiuchia, posted November 17, 2021 (edited):

I did only see the ZeroSSL workaround. I'm trying to avoid moving from Let's Encrypt as I'm running a nontrivial system that is well tested. Are there other workarounds? Is there any way to check what root certificates a specific TV/app supports? Thanks

Luke, posted November 17, 2021:

Allowing http would be one.

ophiuchia, posted November 17, 2021:

I'll use that as a last resort (but would need to put a VPN in place first). Just out of curiosity: is there a way to check what certificates an Emby app accepts/trusts? (I assume the Emby app inherits the accepted/trusted certificates from the TV)

Luke, posted November 18, 2021:

> I assume the Emby app inherits the accepted/trusted certificates from the TV

Correct, yes. Now for the bad news. @SamES has researched this in the past and unfortunately LG doesn't publish a list of certificates that it accepts, but he might have some tips on which ones to use.

adminExitium, posted November 18, 2021:

> On 18/11/2021 at 02:13, ophiuchia said:
> However, my Let's Encrypt uses the ISRG Root X1 certificate for quite some time now.

Just to clarify, LetsEncrypt actually has two chains for its ISRG root: one is the ISRG root by itself (self-signed) and the other is cross-signed via the now expired DST root (which is the default for many acme clients). You may be using the DST cross-signed version, which is why your certificate stopped working.

You can try using the self-signed certificate with only the ISRG root and see if that works, but I doubt it since it's relatively new. The exact method of switching the chain depends on your acme client. For acme.sh, it's this: https://github.com/acmesh-official/acme.sh/wiki/Preferred-Chain

SamES, posted November 19, 2021 (edited):

> 20 hours ago, Luke said:
> @SamES has researched this in the past and unfortunately LG doesn't publish a list of certificates that it accepts, but he might have some tips on which ones to use.

Actually this is not entirely true for LG (although they don't make it easy). Samsung, on the other hand, gives you nothing.

You didn't mention which webOS version your devices are, but some time ago I extracted a list of certs for webOS 3.5 and webOS 5.0: https://emby.media/community/index.php?/topic/102144-several-lg-tvs-cannot-connect-to-server/&do=findComment&comment=1074023

They may have changed since then, but it is probably unlikely.

ophiuchia, posted November 20, 2021 (edited):

> On 11/18/2021 at 1:27 PM, Luke said:
> Correct yes. Now for the bad news. @SamES has researched this in the past and unfortunately LG doesn't publish a list of certificates that it accepts, but he might have some tips on which ones to use.

Thank you for the feedback. In particular, thank you @SamES for posting the link that has the LG Web OS root certificates (https://webostv.developer.lge.com/discover/specifications/web-engine/). I reviewed them and, unfortunately, none contain the popular Let's Encrypt ISRG Root X1 (https://letsencrypt.org/certificates/). The ISRG Root X1 root certificate used to work because it is cross-signed by DST Root CA X3 but stopped when the DST certificate expired.

I filed an LG support request to include the ISRG certificates in Web OS.

A few things related to the other thread:

- @shocker suggests updating the certificates, but only the second method proposed by @adminExitium should work (switch to ZeroSSL) and @rossome's solution should not work unless I'm missing something.
- @matty_r reported that the browser still works - I cannot reproduce this.

Out of curiosity, has anyone tried/had experience with nginx reverse proxies and acme.sh/ZeroSSL?
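
Added example (not part of any post in this thread): a simplified Python model of the two checks discussed above, namely which chain the server sends and whether any issuer in it is an unexpired root in the device's store. The chain text, host name and `DEVICE_ROOTS` contents are constructed; matching is by name and expiry only and assumes the client rejects expired trust anchors.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the "Certificate chain" section printed by
# `openssl s_client -connect HOST:443 -showcerts` for a Let's Encrypt
# certificate served with the DST cross-signed chain (host name made up).
LONG_CHAIN = """\
Certificate chain
 0 s:CN = emby.example.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""
# The same leaf served with the ISRG-only chain: certificate 2 is not sent.
SHORT_CHAIN = "\n".join(LONG_CHAIN.splitlines()[:5]) + "\n"

UTC = timezone.utc
# Constructed device root store: root CN -> notAfter. Only the DST entry
# mirrors what the thread describes; "Example Root CA" is a placeholder.
DEVICE_ROOTS = {
    "DST Root CA X3": datetime(2021, 9, 30, 14, 1, 15, tzinfo=UTC),
    "Example Root CA": datetime(2038, 1, 1, tzinfo=UTC),
}

def issuers(chain_text):
    """Issuer CNs of the certificates the server sent, leaf first."""
    return [cn.strip() for cn in
            re.findall(r"^[ \t]+i:.*?CN\s*=\s*(.+)$", chain_text, re.M)]

def usable_anchor(chain_text, roots, now):
    """First issuer in the chain that is an unexpired root in `roots`, else None.

    Simplified model: compares names and expiry only (no signature checks)
    and assumes the client rejects expired trust anchors.
    """
    for cn in issuers(chain_text):
        if cn in roots and now < roots[cn]:
            return cn
    return None

if __name__ == "__main__":
    now = datetime(2021, 11, 17, tzinfo=UTC)  # date of the first post
    for name, chain in (("long", LONG_CHAIN), ("short", SHORT_CHAIN)):
        print(name, issuers(chain), "->", usable_anchor(chain, DEVICE_ROOTS, now))
```

With this constructed store both chains yield no usable anchor in November 2021, which matches the conclusion in the post above: switching to the ISRG-only chain helps only if the device's store contains ISRG Root X1.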

Luke, posted February 14:

Hi, for those running a projector please try searching the LG store. According to LG we're in the store for projectors running WebOS 4+. Thanks.