shdwlynx

Thanks to everyone on this forum for alerting us to this new version!

TL;DR: The new update from LG works! I have a OLED65E6P (the most beautiful TV I've ever owned in every way) and while the HomeBrew fix worked when I did it last year, it stopped working for some reason several months ago. I never tried repeating the steps, so it could have worked if I ran through it again. I just went in and turned off update-blocking and updated to LG's WebOS 3 05.65.10 (.15 is not available for my TV, apparently) and now SSL works properly in my web browser and Plex is now fully functional again. HomeBrew puked (so be ready for that), but I could probably put that back on if I wanted to.

Unfortunately, I haven't had time to dig in and have just fallen back to using my old Xbox One to watch Plex. I was hoping someone smarter than me would have figured it out by now.

First, thanks for replying, Tam, and thanks for all the work you did! I'm really not sure why the DST_Root_CA_X3.pem file was present at all as it was zero bytes in size, so I just renamed it to *.pem.garbage (I'm sure I could have just deleted it, but I have a hard time letting go sometimes, heh). I'm just confused as to why I can now use curl to access LetsEncrypt websites without an issue (which makes me think your scripts did indeed work) but Plex is still angry about it. I need to dig into Plex logs (if any actually exist within the app or on the file system) to see what it's unhappy about. If you have advice about WebOS app logging in general, I would appreciate hearing any.

Thanks for the update. At least we know that we can install the update (and then do the factory reset with all the pain that brings) and still get back to a rooted state where we can still install the cert override. I may still do this just to be as up to date as possible, and since my Plex doesn't work anyhow...

Continuing my quest, I checked out the filesystem. Running the Find Mount command to search for overlays yielded the following: root@LGwebOSTV:~# findmnt -t overlay ... |-/etc/ssl overlay overlay rw,relatime,lowerdir=/etc/ssl,upperdir=/home/certfix-overlay/etc_ssl,workdir=/h... `-/usr/share/ca-certificates overlay overlay rw,relatime,lowerdir=/usr/share/ca-certificates,upperdir=/home/certfix-overlay/... This states that the /usr/share/ca-certificates directory is overlayed by /home/certfix-overlay/usr_share_ca-certificates, and looking at the contents of the two directories confirms that the overlay is working as expected (/usr/share/ca-certificates includes the two certificate files): root@LGwebOSTV:~# ls /home/certfix-overlay/usr_share_ca-certificates/ isrgrootx1.crt lets-encrypt-r3.crt root@LGwebOSTV:~# ls /usr/share/ca-certificates/ isrgrootx1.crt lets-encrypt-r3.crt mozilla sdp More importantly, it states that /etc/ssl is supposed to be overlayed by /home/certfix-overlay/etc_ssl, but looking at the two directories confirms that it is not working as expected: root@LGwebOSTV:~# ls /home/certfix-overlay/etc_ssl/certs/ DST_Root_CA_X3.pem ca-certificates.crt isrgrootx1.pem lets-encrypt-r3.pem root@LGwebOSTV:~# cd /etc/ssl/certs root@LGwebOSTV:/etc/ssl/certs# ls DST_Root_CA_X3.pem ca-certificates.crt isrgrootx1.pem lets-encrypt-r3.pem ls: DST_Root_CA_X3.pem: No such file or directory ls: ca-certificates.crt: No such file or directory isrgrootx1.pem lets-encrypt-r3.pem I went back to /var/lib/webosbrew/init.d/overlay-letsencrypt-ca-certs-fix and disabled it execution with chmod -x then rebooted the TV with reboot now. Once it turned back on, of course now the overlay mounts didn't automatically run. My plan is to run each command individually in the file to see how each one works. Ultimately, I changed the mounting in the fix script above so that it's a bit more limited, mounting to /etc/ssl/certs instead of /etc/ssl: mount -t overlay overlay -o lowerdir=/etc/ssl/certs,upperdir=/home/certfix-overlay/etc/ssl/certs,workdir=/home/certfix-overlay/work-etc_ssl_certs /etc/ssl/certs I had to create that workdir, as it did not already exist: root@LGwebOSTV:~# mkdir /home/certfix-overlay/work-etc_ssl_certs I have no idea why this works/made any difference, but now curl now happily accessed letsencrypt.com: root@LGwebOSTV:~# curl https://letsencrypt.org <!DOCTYPE html> <html dir="ltr" lang="en-US"> (whole bunch of web page goodness) </html> And yet, Plex is still not working correctly. So, I am currently grasping at straws. Anyone have any?

I decided to try downloading and running the update-ca-certs.sh script again and I got the following message: ---------- FIX FAILED ---------- Error: Homebrew Channel init.d directory does not exist /var/lib/webosbrew/init.d Before running this script, ensure you have rooted your TV. To root your TV, visit https://rootmy.tv/ in your TV's browser. To learn more about this script, visit https://github.com/tf318/lg Well, that's interesting. My Homebrew Channel comes up just fine on the TV and shows "Root status" as "OK". Oddly, while the /var/lib/webosbrew directory did exist, init.d was definitely gone, and I have no idea why/how that happened... but my guess would be that my kids turned the TV on/off quickly a few times and kicked it into Failsafe Mode and maybe that screwed things up. I recommend following the advice provided by rootmy.tv: So, I turned on Quick Start+ and then went back to my very first step, going to rootmy.tv to reinstall Homebrew. After that process completed (two reboots later), I was able to still ssh into the TV. I downloaded and ran the update-ca-certs.sh script again (things in /tmp often get nuked upon reboot) without any issues. But Plex is still not working. Which is weird because /var/lib/webosbrew/init.d/overlay-letsencrypt-ca-certs-fix exists, and its contents look fine: #!/bin/bash # Overlay our custom CA certificate configuration (to replace outdated CA certs) and update trust store mount --bind /home/certfix-overlay/fixed-ca-certificates.conf /etc/ca-certificates.conf mount -t overlay overlay -o lowerdir=/etc/ssl,upperdir=/home/certfix-overlay/etc_ssl,workdir=/home/certfix-overlay/work-etc_ssl /etc/ssl mount -t overlay overlay -o lowerdir=/usr/share/ca-certificates,upperdir=/home/certfix-overlay/usr_share_ca-certificates,workdir=/home/certfix-overlay/work-usr_share_ca-certificates /usr/share/ca-certificates update-ca-certificates So, I checked and all those directories and expected files are in the right place. I tried accessing https://letsencrypt.com since it (obviously) must use a Let's Encrypt SSL certificate itself, and got an interesting response: root@LGwebOSTV:~# curl https://letsencrypt.com curl: (77) error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none The ca-certificates.crt file does not exist in /etc/ssl/certs so I went hunting. find / -name "ca-certificates.crt" The file does exist in /home/certfix-overlay/etc_ssl and the mount commands above should be mapping that directory to /etc/ssl/certs. So, I ran a mount command to see if the mounts are actually working: root@LGwebOSTV:~# mount | grep cert /dev/mmcblk0p51 on /etc/ca-certificates.conf type ext4 (rw,nosuid,relatime,data=ordered) overlay on /etc/ssl type overlay (rw,relatime,lowerdir=/etc/ssl,upperdir=/home/certfix-overlay/etc_ssl,workdir=/home/certfix-overlay/work-etc_ssl) overlay on /usr/share/ca-certificates type overlay (rw,relatime,lowerdir=/usr/share/ca-certificates,upperdir=/home/certfix-overlay/usr_share_ca-certificates,workdir=/home/certfix-overlay/work-usr_share_ca-certificates) overlay on /var/palm/jail/netflix/etc/ssl type overlay (ro,nosuid,relatime,lowerdir=/etc/ssl,upperdir=/home/certfix-overlay/etc_ssl,workdir=/home/certfix-overlay/work-etc_ssl) overlay on /var/palm/jail/com.webos.app.browser/etc/ssl type overlay (ro,nosuid,relatime,lowerdir=/etc/ssl,upperdir=/home/certfix-overlay/etc_ssl,workdir=/home/certfix-overlay/work-etc_ssl) overlay on /var/palm/jail/com.webos.app.screensaver/etc/ssl type overlay (ro,nosuid,relatime,lowerdir=/etc/ssl,upperdir=/home/certfix-overlay/etc_ssl,workdir=/home/certfix-overlay/work-etc_ssl) And they are there, as expected. The mount command meant to affect /etc/ssl is meant to pile the contents of /home/certfix-overlay/etc_ssl on top of /etc/ssl, effectively "temporarily adding" four files (one of which is ca-certifiactes.crt) to /etc/ssl: root@LGwebOSTV:/home/certfix-overlay/etc_ssl/certs/# ls DST_Root_CA_X3.pem ca-certificates.crt isrgrootx1.pem lets-encrypt-r3.pem And yet, it clearly wasn't working, because both DST_Root_CA_X3.pem and ca-certificates.crt were not present in /etc/ssl. I kept digging. I discovered that two of those files were not actually in /home/certfix-overlay/etc_ssl but instead were coming from /usr/share/ca-certificates instead: root@LGwebOSTV:/etc/ssl/certs# stat lets-encrypt-r3.pem File: 'lets-encrypt-r3.pem' -> '/usr/share/ca-certificates/lets-encrypt-r3.crt' root@LGwebOSTV:/etc/ssl/certs# stat isrgrootx1.pem File: 'isrgrootx1.pem' -> '/usr/share/ca-certificates/isrgrootx1.crt' Yeah, I'm confused. I think I'm on the right track, but I am going to have to sleep on this and look at it with a fresh brain tomorrow.

Terribly sorry for the months of delay in replying to you, but this sounds like a permissions issue or a missing directory (as Stirfriedrice determined). In case anyone else has that issue, before you execute the On your computer step 5. "vi /home/root/.ssh/authorized_keys" command to edit the file, execute this command first which will create the .ssh directory (and its parents, if necessary): mkdir -p /home/root/.ssh As for the "ssh" command prompting for a password, that can only be because either your local computer is not sending the encryption key as its form of authentication or the TV's ssh server is not accepting it (or cannot access it). Check to ensure that the encryption key files are in the right place both on your local computer and on the TV. You can also run your ssh client on your computer in a "verbose" mode with the following command (replace 1.2.3.4 with your TV's IP address): ssh -v 1.2.3.4 This will tell you a lot more about what's going on when ssh tries to connect. If you're up for even more verbosity, you can use "-vv" or get maximum verbosity with: "-vvv" (which I don't recommend because it will spit out quite a mess!) Also, make sure your TV's IP address hasn't changed (mine did since I wrote my original instructions). If it did, then ssh will not even try to provide it with the encryption key. Check and update the .ssh\config file on your computer to use the TV's updated IP address and then try again. The last thing you can try is to ensure that the TV's encryption key and directory has the correct permissions (you'll have to enable and use telnet for this): chmod 700 /home/root/.ssh chmod 600 /home/root/.ssh/authorized_keys And then try to connect via ssh again. Absolute worst-case scenario - just turn telnet back on and use that instead of ssh, then turn telnet back off again! It's a dirty little secret: You can use telnet to do everything you need to for this exercise, but all Linux nerds (I'm one by default although I prefer Windows all day) will beg you to use ssh instead as telnet is completely insecure and extremely hackable. No idea, but I suspect that the answer is "yes." Give it a shot and let us know! So, why have I returned? Well, honestly because my Plex client app broke again, which is odd since I have it locked down as expected so it should still be working. I was hoping that someone else had this issue and came back here to talk about how they fixed it already! Looks like I have some work to do myself (if I cannot find it after more searching on the web). But... Did it work? Or break things for you? I suspect it will break things since...

Which step 8?

Nobody knows if LG is going to fix it, but honestly, the community already has. I'll summarize what I did which was based on everyone's helpful instructions above, meant for someone who knows little to nothing about telnet, ssh, etc. (If you are familiar with those applications, this will be a breeze. If not, just follow the instructions and search the web if you'd like to learn more about the commands used.) Note that most of these instructions are taken from https://github.com/RootMyTV/RootMyTV.github.io and may be slightly different depending on your TV. On your TV... Turn on your TV Open the web browser app Browse to rootmy.tv Slide the little "Slide to root" bar to the right if you have the kind of remote that lets you use an on-screen pointer or just press the number 5 on your remote Accept the security prompt The exploit will proceed automatically and the TV will reboot itself; choose to reboot a second time to finalize the installation of the Homebrew Channel (the TV may turn off instead of rebooting - if this happens, just turn the TV back on again) Your TV should now have Homebrew Channel app installed, and an unauthenticated(!) root telnet service exposed Go to the TV's network settings and write down its IP address Note that your TV must be turned on in order to connect to it remotely; when it's off, it's all the way off (although there may be a non-power-saving setting you can enable to keep the TV's operating system running when it's off so that it will turn on faster, in which case you might be able to connect to it even when it's off). On your computer... Enable telnet (sorry Mac users, you'll need to figure this out on your own) Click on the Windows Start Menu Type "Windows Features" and click on "Turn Windows features on and off" Scroll down to Telnet client and check the box Click OK Open a command prompt (Win+R then type "cmd") Generate an encryption key pair that will be used to connect securely to the TV Type "mkdir .ssh" to create the secure shell directory if it's not there already Type "ssh-keygen -t rsa -f .\.ssh\lgtv_rsa" (the file name can be anything you want, but that's what I used) Type "notepad .ssh\config" Paste the following contents into the newly created file: Host 1.2.3.4 User root IdentityFile C:\Users\yourusername\.ssh\lgtv_rsa Replace "1.2.3.4" with your TV's IP address you wrote down in step 8 above Replace "yourusername" with the directory name where your user data is stored Save the file and quit Notepad Type "type .ssh\lgtv_rsa.pub" (it will spit out some ugly text - this is your public encryption key) Select all the text and copy it to your clipboard - you'll need this shortly Type "telnet 1.2.3.4", where 1.2.3.4 is your TV's IP address you wrote down in step 8 above, to connect to your TV (No username or password is required to connect as the "root" user - we'll fix this security hole in a moment) Type "vi /home/root/.ssh/authorized_keys" Once the new empty file opens, type the letter "i" to enter insert mode Press Ctrl-V to paste in the clipboard contents, which is the public key generated in step 3 Press the "Esc" (Escape) key to exit insert mode Type ":wq!" and press Enter to write the file and then quit the editor immediately Type "exit" to exit the telnet application Type "exit" again to exit the command prompt Back on your TV... Open the Homebrew Channel Go to Settings (the Gear icon) Disable Telnet Enable SSH Server Enable Block system updates Reboot the TV Back on your computer, apply Tam's SSL fix... Disable telnet (follow the instructions in "On your computer" above but uncheck the box next to Telnet client instead of checking it this time) Open a command prompt (Win+R then type "cmd") Type "ssh 1.2.3.4" (not telnet this time!), where 1.2.3.4 is your TV's IP address, to connect to your TV (again, no username or password is required, but it's still secure since the encryption key you generated above is used) Follow Tam's instructions above, repeated here (I suggest copy/pasting the "wget" line from the browser into your command prompt window): (Now, if you're like me, the "wget" command will fail because the version running on the TV doesn't have the capability of connecting to secure HTTPS web sites. Skip to the Alternate Instructions if you have the same issue with the "wget" command.) cd /tmp wget https://raw.githubusercontent.com/tf318/lg/main/update-ca-certs.sh chmod +x update-ca-certs.sh ./update-ca-certs.sh Alternate instructions If the "wget" command failed, follow these steps instead: Open Tam's script file in this browser in another tab: https://raw.githubusercontent.com/tf318/lg/main/update-ca-certs.sh Copy the text and then close that tab Return to the command prompt... Type "vi /tmp/update-ca-certs.sh" Once the new empty file opens, type the letter "i" to enter insert mode Press Ctrl-V to paste in the clipboard contents, which is the Tam's script Press the "Esc" (Escape) key to exit insert mode Type ":wq!" and press Enter to write the file and then quit the editor immediately Type the following two commands: chmod +x update-ca-certs.sh ./update-ca-certs.sh Whether using Tam's original instructions or my Alternate version, the TV will reboot (twice, maybe) and Plex should now open and be happy. At least mine was. Thanks again, RootMy.TV team and Tam, for all your research and hard work!