LG App/Browser Cannot Connect

[ophiuchia 2]

Hi All,

I'm a bit at a loss. Two remote devices (a LG Smart TV and a LG Smart projector) located in Europe cannot connect anymore to a Emby server running in the US. The Emby server has an Nginx reverse proxy with let's encrypt that forwards remote https requests to another machine in http on its own network (both running linux). This setup ran for years with no/minor interruptions and is rock solid.

The LG remote devices lost the ability to access the server roughly in line with the expiration of the X3 root certificate (see thread below). However, my let's encrypt uses the ISRG Root X1 certificate for quite some time now.

I get the following error message in the app running on the LG smart device: "Connection Failure - We're unable to connect to the selected server right now. Please ensure it is running and try again."
I also get the following error message in the browser of the same devices: "The server's security certificate is no valid! Incorrect time setting may cause the error. Please check your time setting and make sure that the current time is correct."
Other devices on the same networks (computers, mobile phones) can access the server without problems.

Any idea/recommendation on what could be the problem would be well appreciated.

Thank you!

 

 

[Luke 36991]

Hi, the problem isn't necessarily your certificate, but rather what the TV's support and trust (or not). Did you look at the workarounds in the topic where some users have been using ZeroSSL?

[ophiuchia 2]

I did only see the ZeroSSL workaround. I'm trying to avoid moving from let's encrypt as I'm running a nontrivial system that is well tested.

Are there other workarounds? Is there any way to check what root certificates a specific TV/app supports?

Thanks

 

Edited November 17, 2021 by ophiuchia

[Luke 36991]

Allowing http would be one.

[ophiuchia 2]

I'll use that as last resort (but would need to put a VPN in place first).

Just out of curiosity: is there a way to check what certificates an emby app accepts/trusts?
(I assume the emby app inherent the accepted/trusted certificates from the TV)

 

[Luke 36991]

Quote

I assume the emby app inherent the accepted/trusted certificates from the TV

Correct yes. Now for the bad news. @SamES has researched this in the past and unfortunately LG doesn't publish a list of certificates that it accepts, but he might have some tips on which ones to use.

[adminExitium 170]

On 18/11/2021 at 02:13, ophiuchia said:

However, my let's encrypt uses the ISRG Root X1 certificate for quite some time now.

Just to clarify, LetsEncrypt actually has two chains for it's ISRG root, one is the ISRG root by itself (self-signed) and the other is cross-signed via the now expired DST root (which is the default for many acme clients). You may be using the DST cross-signed version which is why your certificate stopped working.

You can try using the self-signed certificate with only the ISRG root and see if that works but I doubt it since it's relatively new. The exact method of switching the chain depends on your acme client. For acme.sh, it's this: https://github.com/acmesh-official/acme.sh/wiki/Preferred-Chain

[SamES 888]

20 hours ago, Luke said:

@SamES has researched this in the past and unfortunately LG doesn't publish a list of certificates that it accepts, but he might have some tips on which ones to use.

Actually this is not entirely true for LG (although they don't make it easy).  Samsung on the other hand give you nothing.

You didn't mention which webOS version your devices are, but some time ago I extracted a list of certs for webOS 3.5 and webOS 5.0

https://emby.media/community/index.php?/topic/102144-several-lg-tvs-cannot-connect-to-server/&do=findComment&comment=1074023

They may have changed since the, but it is probably unlikely.

 

Edited November 19, 2021 by SamES

[ophiuchia 2]

On 11/18/2021 at 1:27 PM, Luke said:

Correct yes. Now for the bad news. @SamES has researched this in the past and unfortunately LG doesn't publish a list of certificates that it accepts, but he might have some tips on which ones to use.

Thank you for the feedback. In particular, thank you @SamES for posting the link that has the LG Web OS root certificates (https://webostv.developer.lge.com/discover/specifications/web-engine/). I reviewed them and, unfortunately, none contain the popular Let's Encrypt ISRG Root X1 (https://letsencrypt.org/certificates/). The ISRG Root X1 root certificate used to work because it is cross-signed by DST Root CA X3 but stopped when the DST certificate expired.

I filed a LG support request to include the ISRG certificates in Web OS.

A few things related to the other thread:
- @shocker suggest to update the certificates but only the second method proposed by @adminExitium should work (switch to zerossl) and @rossome's solution should not work unless I'm missing something.
- @matty_r reported that the browser still works - I cannot reproduce this.

Out of curiosity, has anyone tried/experience with nginx reverse proxies and acme.sh/zerossl?

 

Edited November 20, 2021 by ophiuchia

[Luke 36991]

Hi, for those running a projector please try searching the LG store. According to LG we're in the store for projectors running WebOS 4+. Thanks.