Can't connect to the server anymore on WebOS with HTTPS #63

Closed
naku opened this issue Nov 12, 2021 · 13 comments

@naku

naku commented Nov 12, 2021

I can't connect anymore with https, I get stuck on the URL screen with "unable to connect" error.

This coincides with the expiry of Let's Encrypt cross-signed certificate a few months ago (https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/), so I guess the new certificate is not recognized either by Jellyfin or the TV itself.

I'm on WebOS 05.40.09

As a workaround I allowed the server app to be accessed on HTTP, and it worked just fine.

@ferferga
Member

I doubt this is something we can actually fix

@naku
Author

naku commented Nov 12, 2021

Is this something that should be fixed in WebOS? How can I diagnose this, are there any logs?

I'm also curious because I can work around the issue by loading Jellyfin in the WebOS browser

@Informatic

The webOS browser uses a separate trusted CA store from the rest of the OS. So far you have two options:

  • Migrate to ZeroSSL, which is a (so far still free) alternative to Let's Encrypt that issues certificates signed by the UserTrust/Comodo CA, which will be trusted by legacy hardware up until the year 2038.
  • Root your TV and overwrite the system CA store
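
Added example, not part of the thread or of the Jellyfin project: one way to check which root a server's certificate chain leads to, which is what decides whether a TV's CA store accepts it. The function names and both sample outputs are constructed for illustration; the CA names are the public names used in Let's Encrypt and ZeroSSL chains.

```shell
# Added example. Live use (HOST is a placeholder):
#   openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null | classify_chain
# CN of the issuer of the LAST certificate in the "Certificate chain" block,
# i.e. the root the client must already hold in its CA store.
top_issuer() {
    awk '
        /^Certificate chain/    { in_chain = 1; next }
        in_chain && $0 == "---" { in_chain = 0 }  # PEM lines from -showcerts do not match
        in_chain && /^ +i:/     { last = $0 }
        END { print last }
    ' | sed -e 's|.*CN *= *||' -e 's|[,/].*$||'
}

classify_chain() {
    root=$(top_issuer)
    case "$root" in
        "DST Root CA X3") echo "dst-x3-cross-sign (root expired 2021-09-30)" ;;
        "ISRG Root X1")   echo "isrg-root-x1" ;;
        "AAA Certificate Services"|"USERTrust "*) echo "usertrust-comodo" ;;
        "")               echo "no-chain-found" ;;
        *)                echo "other: $root" ;;
    esac
}

# Constructed sample: a Let's Encrypt chain that includes the cross-signed ISRG Root X1.
sample_le_default() { cat <<'EOF'
Certificate chain
 0 s:CN = media.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}

# Constructed sample: a ZeroSSL-style chain in the older one-line DN format.
sample_zerossl() { cat <<'EOF'
Certificate chain
 0 s:/CN=media.example.test
   i:/C=AT/O=ZeroSSL/CN=ZeroSSL RSA Domain Secure Site CA
 1 s:/C=AT/O=ZeroSSL/CN=ZeroSSL RSA Domain Secure Site CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
---
EOF
}

printf 'LE default: %s\nZeroSSL:    %s\n' "$(sample_le_default | classify_chain)" "$(sample_zerossl | classify_chain)"
```

The printed name is the top of the chain as the server sends it; a client accepts the connection only if its CA store holds a trust anchor for some certificate in that chain.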

@Y0ngg4n

Y0ngg4n commented Dec 9, 2021

Same issue here

@anthonylavado anthonylavado pinned this issue Jan 10, 2022
@anthonylavado
Member

@naku and @Y0ngg4n Was this through the app or just the browser?

As mentioned, we're likely unable to fix this as it depends on the webOS Certificate Authority storage, and unless LG issues an update for that, you'd have to either enable HTTP (even if only for local access), or follow the steps provided by @Informatic (ty for that).

@naku
Author

naku commented Jan 11, 2022

> @naku and @Y0ngg4n Was this through the app or just the browser?

It works in the browser and not in the app.

I've enabled HTTP as a workaround.

@anthonylavado
Member

Looks like Plex is affected as well.

https://forums.plex.tv/t/important-information-about-plex-for-smart-tvs-after-september-30-2021/746506
https://support.plex.tv/articles/204080173-which-smart-tv-models-are-supported/

> Note: Due to root certificate limitations with the device OS itself, only webOS 5.0+ devices support secure connections with a personal Plex Media Server. To allow connections to a personal server, devices running earlier webOS versions must be set to Allow Insecure Connections in the TV app settings and the Plex Media Server must be set to Preferred for the Secure Connections preference.

Other than suggesting the items above, it looks like we can't correct this. I will try to add a disclaimer/message to our documentation around server TLS and on the readme for this repo.

@anthonylavado
Member

I'll have to dig in further as to how Plex fixed it for webOS 5+ (if they moved everyone to ZeroSSL, specified another chain with Let's Encrypt or what). It sucks that no one is really sharing this info.

@Informatic

Their TLS setup is actually fairly well documented: https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/

Though I heard they've migrated to Let's Encrypt since that post. Isn't webOS 5+ supporting Let's Encrypt properly with some of the latest updates? (I am not following those endeavours - just throwing a question out there :))

@anthonylavado
Member

I'm very familiar with that page, haha.

Apparently webOS 5+ is supposed to work?

https://twitter.com/stek29/status/1445469374194667520

So I don't really know what's going on.

@anthonylavado
Member

So LG have apparently commented that they will update older versions at a later date, but no timeframe has been given. See here: https://developer.lge.com/community/forums/RetrieveForumContent.dev?detailContsId=FC03023510&sMenuId=53&contsTypeCode=QUE&prodTypeCode=TV

At any rate, it would appear that the options given above are still the only solutions (in descending priority):

  • Make sure your TV is updated if it is webOS 5 or newer
  • Switch to ZeroSSL
  • Root the TV and install the new certificate
  • Enable HTTP (limiting it as needed)

@kexxar

kexxar commented Jul 23, 2023

Just to add to this topic that I still have this issue, meaning that there has been no update on LG's side. I have an LG C1 TV and have attempted the above-mentioned solutions.

  • Updated to latest version of WebOS. There are no updates when scanning for updates.
    • Software version: 03.34.95
    • WebOS version: 6.3.2-431 (kisscurl-kinglake)
  • I have used Certbot with Let's Encrypt first, but migrated to ZeroSSL with no effect. I have used acme.sh to set up the ZeroSSL certificate. Maybe that also can have an impact. Same error with both Let's Encrypt and ZeroSSL.
  • Rooting is not possible on the version of WebOS that I have.
  • HTTP works, but I would like to avoid using that approach.

It would appear that there is no real solution for this at the moment.
Another possible solution is to get an Android TV stick and see if that works. Probably does, because Android does update their root CAs.
However... I did try to open the URL directly in the WebOS browser, just to see what would happen. The Jellyfin UI opens kind of normally. The fonts are incorrect (some kind of Times New Roman font) but other than that everything appears to work fine.
Now I'm not sure if this is a certificate issue or something else.

@simonhorlick

I was having issues after following the guide for reverse proxying Jellyfin via nginx. The way the webOS client loads the server scripts means you need to add a CORS header in the reverse proxy configuration like so:

    #add_header X-Frame-Options "SAMEORIGIN";
    add_header Cross-Origin-Resource-Policy "cross-origin" always;

This is using a new LG C2 and a Let's Encrypt certificate.
