According to this announcement all LG webOS TVs with a version lower than 5 will no longer be able to make secure connections to Plex Media Servers. I have two TV sets, both still supported by LG (having received firmware updates in August) and running webOS 5 that have had to be switched to insecure connections to operate.
Can admins please clarify exactly which software versions they consider to still be supported or, alternatively, if this is another problem.
Some more detail about why the listed TVs/software versions would no longer operate securely after the cut-off date would also be useful. I imagine it’s due to an expired SSL certificate that needs updating, but a detailed explanation would be useful.
So it seems that the firmware version on the TV interface does not equate to the webOS version. While my TV is running “05.40.09” it as actually running webOS 4.4.0
The is counterintuitive and unhelpful on LG’s part.
You can find out what webOS version your TV is running by looking in settings on your PMS web UI and selecting Authorized Devices, then find your TV.
While my TV’s OS version does match the versions noted by Plex as no longer supported (ie. less than 5), I still challenge the assertion that they’re “unsupported”. Unsupported by who? LG pushed out a firmware update to my sets in August as I mentioned, so is this a cut off that Plex has set, rather than the manufacturer?
LG uses confusing versioning for their firmware updates, which is different from the WebOS version.
Besides this, I still don’t accept what Plex is saying, at least for WebOS 4.4, which is running on my TV.
The built-in Browser is able to browse any Let’s Encrypt website, including my self hosted services. Therefore it’s trusting the new Let’s Encrypt root ca. Why this is done by the browser and not by the Plex app? This doesn’t sound good to me.
Deleting cert-v2.p12 didn’t fixed it for me. Anyone get it working with platform version <5.x? This is the device:
LG 49UJ6519_49 TV from 2018
Software Version 06.00.15
Model 49UJ6519-ZA
webOS TV-Version 3.9.0-62905 (dreadlocks2-dudhwa)
Plex App Client-Version 5.25.2
Plattform Version 3.9.0
I only get connection to the Plex server (Synology NAS / not at the local network) if I set it up to use an unsecured connection as described in the announcement. So an 3 year old TV set is now already too old because platform version is lower than 5? How old are devices with version 5.x?
What else can I do? What is the possible risk of using an unsecured connection? Is it worth enough to put in in a VPN?
So the problem appears to be that Plex use a free letsencrypt ssl cert for Plex direct, which is how they make everyone connect to their servers nowadays. But the letsencrypt root certificate expired on the 30th of September and a new root cert needs to be installed by the device manufacturer on all devices that access services protected by letsencrypt services.
I have no problem with letsencrypt ssl certificates, it’s an amazing service providing a mechanism for free secure internet communications. I’m a bit annoyed, however, that Plex, a commercial entity that I pay for a service, are using these free certs and providing commercial services using them. If Plex had used certs from a commercial CA for their services they’d be more likely to find the supporting infrastructure update by the equipment manufacturers.
This issue is not just because the TV manufacturers haven’t pushed the new root certificate out to their devices, but also because Plex cheaped out on all of us paying Plex Pass users and used a free CA instead of buying a commercial wildcard cert.
I was wondering whether is there any way to update the root certificate on the device itself. Would this be a solution?
Or the root certificate is embedded in the Plex app itself?
I’d say it was a combination of both. LG really ought to push out a root certificate update to their devices, but change management and testing on a platform like webOS is probably massively complicated and time consuming.
Similarly, Plex could use different certificates, but that’s also a massive change for them.
Both parties, by their past actions, have contributed to a problem that, in the present, isn’t simple to fix. I don’t think it’s right to point fingers at either party for not quickly fixing it now, but there’s a clear blame to be apportioned for their past actions, imho.
i had similar issues with a website i look after.
we used LE certs and everything was fine up until 30th.
after that older android devices could no longer access the site securely, as older android version didn’t have support for the new root cert.
the solution was to move from LE to ZeroSSL, problem solved.
Thank you for the tip, I tried to move to ZeroSSL now. Even moved to a different domain to circumvent any cache that might store the certificates, but sadly it did not help on my TV.
I always thought that Plex handles the login part only. All other data (films, series, etc) is coming directly from the PMS instance (if no relay used).
The login works, I see the users, but nothing else. This is why I thought that it is about the cert the PMS instance uses. Isn’t it?
Also the insecure connection refers to the connection between the client and PMS, not to client → Plex.
Yeah, it used to be a direct connection from the client to the PMS (and can still operate like that if you manually add servers to your clients), but Plex changed it up a few years so that everything but the actual media runs via their services using the “Plex direct” system. They dynamically create ssl certificates for each connection between client and server. There’s more (ironically outdated now) information here but it’s worth a read to understand what they’re doing. The three bonuses of it are that:
a) you get secure comms between your clients and all the servers you access
b) you don’t need to buy your own SSL certs
c) you’re not using (and trusting) self-signed certs
It’s quite clever, but breaks when your CA issues a new root and the device manufacturers don’t push it out
…and it’s interesting to note they originally used DigiCert as their CA, but later moved to LetsEncrypt. I can only assume this was a money saving exercise.
As I pointed out up-thread, I have nothing at all against LetsEncrypt, I think they’re doing amazing work, but I can’t think of a single compelling reason to move from a commercial CA to LE other than lowering cost. Can you?
