LG WEBOS 4.0 and below. Letsencrypt root certificated expired.

[Justin Tan]

Found multiplex application that use letsencrypt stop working in 30 September 2021 on LG WebOS 3.5. This appear to be wide spread multiplex version of WEBOS. 

See 

link hidden, please login to view

AND 

As PLEX blaming to be LG fault. LG please provide solution to only 2 year old TV

LG

Our current app is available on 4K/UHD LG television models running the following system software:

• webOS 3.0
• webOS 3.5
• webOS 4.0
• webOS 5.0

No 720p or 1080p (“full HD”) sets are supported for our current app at this time.

Note: Due to root certificate limitations with the device OS itself, only webOS 5.0+ devices support secure connections with a personal Plex Media Server. To allow connections to a personal server, devices running earlier webOS versions must be set to Allow Insecure Connections in the TV app settings and the Plex Media Server must be set to Preferred for the Secure Connections preference.

[Onkel]

Same here on my 2 year old 65SK8000PLB with firmware 05.40.09

I cannot load any websites with Letsencrypt encrypted certificates.

Examples:

• link hidden, please login to view

This is a good example for unsufficient product lifecycle management.

[Dillspooch]

I've got 

I've got this problem too with my OLED55E6V (AKA: the E6). I bought it in 2017. I find it baffling that a modern smart TV like has this problem. Built in obsolescence? LG should sort this out. I spent thousands of £ on this.

I have a Plex Media Server. I've tried the server and app settings to allow insecure connections but that isn't working.

Isn't this just a case of LG updating certificates?

The TV received a firmware update recently. Surely LG can resolve this?

 

[micneon]

It should be very easy for LG to exchange the root certificates with an update. However, the question is whether this will happen....

Connections to older Plex servers still seem to work.
Also to those in the same network that are up to date but do not have their own certificates.

Whether this is really the problem is questionable.
However, SSL should be the most important thing these days and that must be running!

[Pavel Zelenka]

Same issue for my OLED65B7, webOS 3.9.0

[C Smith]

19 hours ago, micneon said:

Whether this is really the problem is questionable.

It definitely is the problem.  Here's what works to recreate it on my 55B6, on firmware 5.60.25.

Manually set your TV clock to Sept 30, 9AM EDT (convert to your time zone if needed).

Goto any Wikipedia page using the browser. Works.

Manually set your TV clock to Sept 30, 11AM EDT (convert to your time zone if needed).

Goto any Wikipedia page using the browser. Does NOT work, you get a security error that cannot be bypassed.

Now manually set your TV clock back to Sept 30, 9AM EDT again (convert to your time zone if needed).

Goto any Wikipedia page using the browser. Works again.

A root cert (DST Root CA X2) expired around 10AM EDT on September 30th. Servers using Let's Encrypt certs (which includes Wikipedia) should be testable using either that root or the newer ISRG Root X1 - which, by the way, has been around since June 2015. If you have not updated the trusted root list attached to the browser since 2015, then you will see this failure, because after 10AM Sept 30th, only the ISRG Root X1 is still valid.

LG has had FIVE YEARS to fix this problem before it happened.

[micneon]

I just switched the server to a different certificate provider than Lets encrypt in hopes that LG would eventually get this sorted out.

[Kevin McCray]

Wanted to chime in to also make LG aware that this cert issue also broke my app for many of my users. I cannot tell my users that buying a new TV is the only answer. The app's API calls stopped working for WebOS4 and below, which is many of my user base.

[GTG]

is this issue getting fixed , I am also getting the same issue.

[Tim Wilkens]

I have a C9 and rooted the TV once the RootMy.TV exploit came out. Thanks to this, Im able the overwrite all the expired certificates and everything works great again

[WillyWonka]

I have a C9 and rooted the TV once the RootMy.TV exploit came out. Thanks to this, Im able the overwrite all the expired certificates and everything works great again

Where do I get the updated certificated, and where do I put them in the fillesystem?

Sent from my LM-V600 using Tapatalk

[tam]

If your TV is rooted, you can use a bash script I wrote to remove the expired LetsEncrypt cert and add two new certs to the TV's truststore.  Open a shell on your TV and run the following four commands:

cd /tmp

wget  

link hidden, please login to view

chmod +x update-ca-certs.sh

./update-ca-certs.sh

After updating the certs, the TV will reboot, and you should be good to go.

[BluEEyE]

On 10/20/2021 at 10:31 PM, tam said:

If your TV is rooted, you can use a bash script I wrote to remove the expired LetsEncrypt cert and add two new certs to the TV's truststore.  Open a shell on your TV and run the following four commands:

cd /tmp

wget  

link hidden, please login to view

chmod +x update-ca-certs.sh

./update-ca-certs.sh

After updating the certs, the TV will reboot, and you should be good to go.

Can you please make some tutorial how to do it step by step for fresh people ? 

[micneon]

i doesn´t work if you not have root your TV 

 

[BluEEyE]

I'm working to do this but this may help not only me

[Fem]

On 10/20/2021 at 9:31 PM, tam said:

If your TV is rooted, you can use a bash script I wrote to remove the expired LetsEncrypt cert and add two new certs to the TV's truststore.  Open a shell on your TV and run the following four commands:

cd /tmp

wget  

link hidden, please login to view

chmod +x update-ca-certs.sh

./update-ca-certs.sh

After updating the certs, the TV will reboot, and you should be good to go.

Hi TAM,

I found a few issues with your script,

1. wget doesn't work on my TV I get - wget: not an http or ftp url:

2. Tried to overcome that by just downloading the script and SCP it to the TV that worked fine BUT you have wget again in the update-ca-certs.sh so I had to download and SCP the certs to the correct folders - NOW the final issue I see is and cannot understand is how is  /media/cryptofs/apps/usr/palm/services/com.palmdts.devmode.service/start-devmode.sh going to run and apply the setting? what will trigger this script?

Thanks, From what I can find you are the only one really working on this issue - Really appreciate it!

UPDATE:

To over come the wget issue I just used 'curl -k  --output update-ca-certs.sh'

I also update the 'update-ca-certs.sh' and replaced wget with curl --output' script (attached)   update-ca-certs.txt

still not seeing the certificates updated

 

 

 

[tam]

Hi Fem,

Thanks for pointing out the issue with wget. I may have installed wget myself some time ago and forgotten, so maybe it is a different version to the one you have. I have updated the script and instructions to use curl instead.

The script at /media/cryptofs/apps/usr/palm/services/com.palmdts.devmode.service/start-devmode.sh was created by the rooting process I used. So this file existed before I made any changes myself. It gets executed automatically each time the TV is switched on, so I just appended a few commands to the end of that script (to overlay the new certs and cert config onto the underlying readonly filesystem, and to force the system to recognise these new certs each time). If you used a different mechanism to get root, then maybe you have some script that executes on startup that you could append these commands to instead.

[starrtiktokk]

I cannot tell my users that buying a new TV is the only answer. The app's API calls stopped working for WebOS4 and below, which is many of my user base.

link hidden, please login to view

  

[WillyWonka]

33 minutes ago, starrtiktokk said:

The app's API calls stopped working for WebOS4 and below, which is many of my user base.

Which app is that?

[BluEEyE]

Someone know if LG is going to fix it ?