60: SSL certificate problem: unable to get local issuer certificate


maxleonca

Hi,
I have a Roku Ultra and it has been working without any problems until 2 days ago when suddenly I'm getting the error in the title.
The Emby Client version for the Roku is 4.0.4; I'm unable to download the Beta to check due to my location. The server version is 4.6.022(beta) and I'm using a cert by Let's Encrypt.

Please advise


maxleonca

@luke, I get the error when I select the server on the Roku
@q-droid, I'm due in 4 days but it has been working without problems for over 6 months and the renewal and conversion is automated.


12 hours ago, maxleonca said:

but it has been working without problems for over 6 months

It is possible that Roku changed something in how they validate it.  Not having the entire chain is a problem on some devices.


maxleonca

Here is the snapshot, I tried taking it with the utility from Roku but it doesn't see the pop up with the error, as a matter of fact it doesn't show anything.
In any case here it is.

 

Also, after getting the crt from Let's Encrypt, this is how it is converted:
 

Quote

openssl pkcs12 -export -out /path/to/save/emby.pfx -inkey /etc/letsencrypt/live/emby.mydomain.com/privkey.pem -in /etc/letsencrypt/live/emby.mydomain.com/fullchain.pem

roku-emby-error.jpg


I understand that you're saying nothing has changed, however if Roku is suddenly rejecting the certificate there's nothing we can do to force it to accept it.


  • 11 months later...
16 minutes ago, btate1989 said:

Did you ever fix this issue? I just bought a roku tv and this is the issue I keep running into.  

Hi there, what kind of SSL certificate are you using?


  • 1 year later...

I understand hesitation with reviving a necro thread, but since this is the *only* thread that comes up on a Google search with the EXACT error "-60: SSL certificate problem: unable to get local issuer certificate" text you get when trying to connect to an https Emby server with a Roku device (and it hadn't been answered by the people that asked the question).... Leaving those of us with the same issue to dig-dig-dig to try to figure it out....

Here's my story, which is why I scratched my head so much up until now....

  • I've had a yearly SSL in place for a few years; I had SSL set up externally with Emby, and everything worked. (I.e., Samsung Smart TVs, the Android app, Apple TV, Roku, browser, etc.).
  • I recently set up NGINX so I could use a reverse proxy to internal services (including Emby) on the same SSL port. (so using emby.name.com or acme.name.com for example).
  • Upon following setup on other threads in here, and overall nginx guides, I had a setup working PERFECTLY on everything listed above EXCEPT for ROKU.
  • I'm guessing the problem may exist on other devices as well, but for the intent of this thread (the text Google returns), this appeared to be unique to Roku.

How to find out if your issue is the same as mine, and maybe those who started this thread:

I tested my certificate chain here:

https://www.geocerts.com/ssl-checker

It told me I did not have a complete chain, it returned an error: "A valid Root CA Certificate could not be located". (If yours is green for all entries, then the issue is something else).

As suggested in another thread here I ran:

echo | \
    openssl s_client -servername domain.com -connect domain.com:port 2>/dev/null | \
    openssl x509 -text

Here's a surprising find.... Comparing the response against the KNOWN working Emby-with HTTPS direct (not using NGINX in the middle) vs. the NGINX proxy with HTTPS in the middle, the result was identical (no differences). (I expected a difference, since my keys were the same!).

 

The solution is that you need to ensure the FULLCHAIN is being presented by your certificate (i.e., pem). Described here where someone else did similar troubleshooting:

https://tsunderechen.gitlab.io/2020/04/nginx-ssl-certificate-fullchain-vs-cert/

 

There are many ways to get a fullchain cert, but in my case, I simply concatenated them both like so:
 

-----BEGIN CERTIFICATE-----
ABCDEFG...12345
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
ABCDEFG...12345
-----END CERTIFICATE-----

The first entry was my domain pem, the second was the intermediate (CA Root) pem.

That was it. It works now.

 

  • Thanks 2
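
An added example, not part of the original posts: `openssl x509 -text` decodes only the first certificate it reads, so a leaf-only server and a full-chain server look the same through that filter. The "Certificate chain" section that `openssl s_client` prints lists every certificate the server actually sent, and the function below summarises it. The hostname and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads the text printed by
#   openssl s_client -connect HOST:PORT -servername HOST </dev/null 2>/dev/null
# on stdin and reports what the server sent in its "Certificate chain" section.
chain_report() {
    awk '
        /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        n && /^ +i:/   { sub(/^ +i:/, ""); iss[n] = $0; next }
        END {
            if (n == 0) { print "VERDICT: no certificate chain in input"; exit 2 }
            for (k = 1; k <= n; k++) {
                printf "%d subject=[%s] issuer=[%s]\n", k - 1, subj[k], iss[k]
                # Each certificate must be issued by the one sent after it.
                if (k < n && iss[k] != subj[k + 1]) broken = 1
            }
            if (broken) { print "VERDICT: BROKEN (wrong order or missing link)"; exit 1 }
            if (n == 1 && subj[1] != iss[1]) {
                print "VERDICT: INCOMPLETE (leaf only, no intermediate sent)"; exit 1
            }
            print "VERDICT: OK (" n " certificate(s), each issued by the next)"
        }'
}

# Constructed sample: server configured with the leaf certificate only.
sample_leaf_only() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = emby.example.com
   i:C = US, O = Example CA, CN = Example Intermediate R1
---
EOF
}

# Constructed sample: same server after switching to the full chain file.
sample_fullchain() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = emby.example.com
   i:C = US, O = Example CA, CN = Example Intermediate R1
 1 s:C = US, O = Example CA, CN = Example Intermediate R1
   i:C = US, O = Example CA, CN = Example Root
---
EOF
}

sample_leaf_only | chain_report || true
sample_fullchain | chain_report || true
```

An OK verdict only means the server sent a connected chain; the client must still trust the issuer of the last certificate listed.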