Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
There are other Free ACME Certificate Authorities, and possibly one of them might not have the issue you are seeing. Here is a comparative list of some
It sounds like your TV Browser does a poor job of validating certs. You could consider using the "short chain" for Let's Encrypt. Or, you may have to switch to another free CA which your TV understands.
The "short chain" is selected using the --preferred-chain 'ISRG Root X1' option on your certbot command line. You could also manually remove the last cert in the "fullchain.pem" as a test. That gives the same effect as the "short chain".
The --preferred-chain option needs Certbot v1.12 or later.
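The manual test suggested above (dropping the last certificate from fullchain.pem), written out as an added example that is not part of the original thread. The function names and the sample bundle are constructed for illustration; the sample blocks are placeholders, not real certificates.

```shell
#!/bin/sh
# Added example: write a copy of a PEM bundle without its last certificate.

# count_certs FILE -> prints the number of certificates in the bundle
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# drop_last_cert SRC DST -> copy every certificate except the last to DST.
# Refuses a bundle with fewer than two certificates, because dropping the
# only block would leave no leaf certificate to serve.
drop_last_cert() {
    src=$1
    dst=$2
    total=$(count_certs "$src") || total=0
    if [ "${total:-0}" -lt 2 ]; then
        echo "drop_last_cert: $src has ${total:-0} certificate(s), nothing to drop" >&2
        return 1
    fi
    # n counts BEGIN markers; print lines only while inside blocks 1..keep
    awk -v keep="$((total - 1))" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n >= 1 && n <= keep { print }
    ' "$src" > "$dst"
}

# Constructed stand-in for a three-certificate "long chain" bundle
# (leaf, intermediate, cross-signed cert). Labels replace the base64 bodies.
make_sample_bundle() {
    for label in CONSTRUCTED-LEAF CONSTRUCTED-INTERMEDIATE CONSTRUCTED-CROSS-SIGNED; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "$label" '-----END CERTIFICATE-----'
    done > "$1"
}

# Demo on the constructed bundle; for a real test, pass a copy of your
# own fullchain.pem as SRC instead.
demo_dir=$(mktemp -d)
make_sample_bundle "$demo_dir/fullchain.pem"
drop_last_cert "$demo_dir/fullchain.pem" "$demo_dir/shortchain.pem"
echo "before: $(count_certs "$demo_dir/fullchain.pem") certs, after: $(count_certs "$demo_dir/shortchain.pem") certs"
```

The output goes to a separate file, so the web server has to be pointed at that file for the test and the original fullchain.pem stays untouched.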
Thanks - will try that. But it happens on BrowserStack with Chrome 53 (OS macOS) as well - the page is not trusted, so I think it's because of the browser version.
The use of the "short chain" has some tradeoffs. The "long chain" has an extra intermediate cert DST Root CA X3 to provide compatibility with older Android systems. If your websites also need to support these older Android systems (in addition to your TVs) you will need to use another Certificate Authority. See topics below
In this case @Bruce5051 mentioned earlier in the thread that 0.40.0 is an old version of Certbot (something you often mention in threads when people are using this version). You're both certainly right that this is a very old Certbot version, but people reading that information may have to guess why it was mentioned. In this case I imagine @rbl.schwarz may have thought that old versions of Certbot somehow produce less compatible certificates, which is not the case but doesn't seem like an unreasonable thing for someone to guess!
Upgrading to a newer Certbot can definitely be useful, but it might be helpful to mention the upshot of using an old Certbot version so that people don't have to speculate. E.g. something like
0.40.0 is a pretty old Certbot version (though it may be the newest one available from your OS package manager); while this is probably not related to your current problem, there may be reliability benefits in the future from upgrading to a newer version.
or
0.40.0 is a pretty old Certbot version (though it may be the newest one available from your OS package manager); upgrading to a newer version might make it more likely to understand your web server configuration properly, and so more likely to successfully obtain and install the certificates in your web server automatically.
@schoen I will refrain from mentioning that from now on.
Mostly I try to supply observations of the situation, some are only ancillary; I hope to help the OP debug their issue(s).
Well, if the short chain is working, ISRG Root X1 must be in its trust store.
I think Chrome can get updates to its security components separately from its main version number, and often uses its host operating system trust store, though I don't have any idea how any of that works on an embedded device like a TV.