Posts posted by tam

  1. On 5/1/2022 at 8:29 PM, shdwlynx said:

    More importantly, it states that /etc/ssl is supposed to be overlaid by /home/certfix-overlay/etc_ssl, but looking at the two directories confirms that it is not working as expected:

    root@LGwebOSTV:~# ls /home/certfix-overlay/etc_ssl/certs/
    DST_Root_CA_X3.pem   ca-certificates.crt  isrgrootx1.pem       lets-encrypt-r3.pem
    root@LGwebOSTV:~# cd /etc/ssl/certs
    root@LGwebOSTV:/etc/ssl/certs# ls DST_Root_CA_X3.pem ca-certificates.crt isrgrootx1.pem lets-encrypt-r3.pem
    ls: DST_Root_CA_X3.pem: No such file or directory
    ls: ca-certificates.crt: No such file or directory
    isrgrootx1.pem       lets-encrypt-r3.pem

    When things are working (i.e. you have manually run the update-ca-certs.sh script, the TV has rebooted, and it has automatically run the post-boot /var/lib/webosbrew/init.d/overlay-letsencrypt-ca-certs-fix script), then:

    * DST_Root_CA_X3.pem should not exist in /etc/ssl/certs - the post-boot script explicitly removes its entry from the (overlaid) /etc/ca-certificates.conf, and the content of /etc/ssl/certs is dynamically updated post-boot, based on this configuration file, by the update-ca-certificates command run in the post-boot script. DST_Root_CA_X3.pem is explicitly excluded because it has expired.

    * ca-certificates.crt should exist in /etc/ssl/certs - it is created dynamically post-boot, by the update-ca-certificates command run in the post-boot script.

    So clearly, as you say, the post-update script was not running correctly for you. I assume this is because the TV must have been in failsafe mode at the time.

    I am not entirely sure that the TV's default GUI web browser uses this same system-wide certificate truststore; it may instead have its own (which LG may take more care about updating). So, if one has updated LG firmware, it may be entirely possible that the GUI browser will talk to sites using the new LetsEncrypt certs without any "workarounds" like my script (if LG have updated the browser's proprietary certificate truststore as part of that firmware update).

    I unfortunately do not have access to a Plex server using a new LetsEncrypt cert, so can't try to replicate the issue. I am using it with an Emby server using a new LetsEncrypt cert, and the latest incarnation of the script works well for me (I too enabled the Quick Start+ functionality on the TV as I got fed up of failsafe mode kicking in all the time - the experience has been much smoother since).
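
A check for the working state described in the post above, as an added example that is not part of the original post or of update-ca-certs.sh. It assumes the overlay shows up as a mount on /etc/ssl in /proc/mounts and that awk and grep exist in the TV's shell; the function name `check_certfix` and its two optional arguments are hypothetical.

```shell
#!/bin/sh
# Added example: verify the post-boot truststore state the post describes.
# The two arguments exist only so the check can run against a test tree.
check_certfix() {
    root="${1:-}"                  # filesystem prefix; empty on the TV itself
    mounts="${2:-/proc/mounts}"    # mount table to read
    certs="$root/etc/ssl/certs"
    conf="$root/etc/ca-certificates.conf"
    rc=0
    fail() { echo "FAIL: $1"; rc=1; }

    # Assumption: the overlay appears as a mount on /etc/ssl in the mount table.
    awk '$2 == "/etc/ssl" { f = 1 } END { exit !f }' "$mounts" \
        || fail "/etc/ssl is not a mount point, overlay not applied"

    # The expired root must be gone from the config and from the cert directory.
    # Lines starting with ! or # count as disabled (ca-certificates.conf convention).
    if [ -f "$conf" ] && grep -v '^[!#]' "$conf" | grep -q 'DST_Root_CA_X3'; then
        fail "DST_Root_CA_X3 still enabled in /etc/ca-certificates.conf"
    fi
    if [ -e "$certs/DST_Root_CA_X3.pem" ] || [ -L "$certs/DST_Root_CA_X3.pem" ]; then
        fail "expired DST_Root_CA_X3.pem still present"
    fi

    # The two replacement certs must be visible through the overlay.
    for f in isrgrootx1.pem lets-encrypt-r3.pem; do
        [ -e "$certs/$f" ] || fail "$f missing"
    done

    # update-ca-certificates regenerates the bundle; it must hold certificates.
    if [ -s "$certs/ca-certificates.crt" ]; then
        n=$(grep -c 'BEGIN CERTIFICATE' "$certs/ca-certificates.crt" || true)
        [ "$n" -gt 0 ] || fail "ca-certificates.crt contains no certificates"
    else
        fail "ca-certificates.crt missing or empty, update-ca-certificates did not run"
    fi

    [ "$rc" -eq 0 ] && echo "ok: truststore matches the expected post-boot state"
    return "$rc"
}

# Run on the TV with: sh thisfile.sh --run
if [ "${1:-}" = "--run" ]; then check_certfix; fi
```

A non-zero exit status with a missing-bundle message corresponds to the listing quoted in the post, where the post-boot script had not run.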

  2. Hi Fem,

    Thanks for pointing out the issue with wget. I may have installed wget myself some time ago and forgotten, so maybe it is a different version to the one you have. I have updated the script and instructions to use curl instead.

    The script at /media/cryptofs/apps/usr/palm/services/com.palmdts.devmode.service/start-devmode.sh was created by the rooting process I used. So this file existed before I made any changes myself. It gets executed automatically each time the TV is switched on, so I just appended a few commands to the end of that script (to overlay the new certs and cert config onto the underlying readonly filesystem, and to force the system to recognise these new certs each time). If you used a different mechanism to get root, then maybe you have some script that executes on startup that you could append these commands to instead.

  3. If your TV is rooted, you can use a bash script I wrote to remove the expired LetsEncrypt cert and add two new certs to the TV's truststore.  Open a shell on your TV and run the following four commands:

    cd /tmp

    wget https://raw.githubusercontent.com/tf318/lg/main/update-ca-certs.sh

    chmod +x update-ca-certs.sh


    After updating the certs, the TV will reboot, and you should be good to go.
