[Tizen 2.4] Can't Connect to the Server - Unacceptable TLS certificate

[yzpit]

I have followed the instruction and successfully installed jellyfin on my tizen 2.4 Smart TV
The App starts and when i enter the https:// serveradress it immediately tells me:
"We're unable to connect to the selected server right now. Please ensure it is running and try again"
I can connect to the server via the Android App using the same address without difficulties
What should i do?
Thanks in advance

[dmitrylyzo]

When you click Connect, it tries <entered_address>/system/info/public to check if the server is available and shows this error message if it does not get a response.

I'd try to connect via build-in browser to check if the address is accessible on the TV.
Also try connecting via HTTP+port if it is a local server.

What do you use for HTTPS? Reverse proxy or built-in Jellyfin (Network settings).
Do you use BaseURL?

[yzpit]

When you click Connect, it tries <entered_address>/system/info/public to check if the server is available and shows this error message if it does not get a response.
I'd try to connect via build-in browser to check if the address is accessible on the TV. Also try connecting via HTTP+port if it is a local server.

In the build-in browser I'm able to reach the serveradress and log in
<entered_address>/system/info/public in build-in browser shows information about the server (LocalAddress, ServerName, ProductName, OperatingSystem, ID, StartupWizardCompleted: true)

What do you use for HTTPS? Reverse proxy or built-in Jellyfin (Network settings). Do you use BaseURL?

the server is in another Network. We use a Cloudflare Argo Tunnel for the external Connection

[dmitrylyzo]

I can definitely connect to an external server as https://demo.jellyfin.org/stable or a proxied one (not Cloudflared, owned by the one of app users).

Could you check the Cloudflare logs for that endpoint when you try to connect from the app?
Does it require some kind of authentication?

To check the app from the inside:
Could you use the script from this comment if you are on Linux or #46 (comment) if you are on Windows (you probably need to remove that 300 because it is unnecessary on Tizen 5+) and check what is response from that endpoint in the app (Network tab)?

[yzpit]

I can definitely connect to an external server as https://demo.jellyfin.org/stable or a proxied one (not Cloudflared, owned by the one of app users).
Could you check the Cloudflare logs for that endpoint when you try to connect from the app? Does it require some kind of authentication?

Theres no sign of my Tv in the server logs. I tried to connect to the demo server and got the same problem. So i guess its not the server.

To check the app from the inside: Could you use the script from this comment if you are on Linux or #46 (comment) if you are on Windows (you probably need to remove that 300 because it is unnecessary on Tizen 5+) and check what is response from that endpoint in the app (Network tab)?

I've run the script and tried the cloudflared serves and the demoserver. both connection failed with an unacceptable TLS certificate. Any idea how i can fix this?

[dmitrylyzo]

Could you try privilege-internet branch?

[yzpit]

Still no diffrance same error with the cloudflared and the demo.
On the debug site also no change
still unacceptable TLS certificate

[dmitrylyzo]

Since both servers are unavailable, the problem may be related to the root certificates (expired).
Is the TV firmware up to date?

UPD:
Also, make sure you enable TLS 1.2 on Cloudflare (Minimum TLS Version; TLS 1.3 is not supported by Tizen 2.4).

[yzpit]

Since both servers are unavailable, the problem may be related to the root certificates (expired). Is the TV firmware up to date?

The Tv states its up to date with a firmware version of 1250

UPD: Also, make sure you enable TLS 1.2 on Cloudflare (Minimum TLS Version; TLS 1.3 is not supported by Tizen 2.4).

The Minimum TLS Version is the default 1.0
So 1.2 should be possible

[dmitrylyzo]

The Tv states its up to date with a firmware version of 1250

Samsung has updated some older TV models (my 2017 Tizen 3 got an update) around September/October 2021.
Since Tizen 2.4 may not receive an update, there are at least 2 options (both untested):

1. Root the TV and install ISRG_Root_X1 certificate.
   Can be problematic. I don't know how this can be done (but would like to know 😈).
   For reference:
   I have /usr/share/ca-certificates/certs/4042bcee.0 file on my Tizen 4 (looked via sdb). The file name matches the name of the mentioned certificate on my Linux machine.
2. Set up some kind of forward (?) proxy (where the remote TV is) that will redirect HTTP from the TV to an HTTPS external address.
   TV <--HTTP--> Proxy <--HTTPS--> Remote server (Internet)
   Requires additional hardware or a smart router. I am not an expert in network stuff. In this case, you enter the proxy address in the app.

The Minimum TLS Version is the default 1.0
So 1.2 should be possible

Since Jellyfin app doesn't work even with TLS 1.0, TLS is not a problem. Return it to 1.2 (more secure, from what I hear) and, in theory, 1.2 should be supported even by Tizen 2.3.

[dmitrylyzo]

Possible solution #168 (if the problem is with the Let's Encrypt root certificate).
Testing required.

[yzpit]

Possible solution #168 (if the problem is with the Let's Encrypt root certificate). Testing required.

I tested it and it doesn't seem to solve the problem.
It also still shows the unacceptable TLS certificate in the debug.

[dmitrylyzo]

I tested it and it doesn't seem to solve the problem.
It also still shows the unacceptable TLS certificate in the debug.

Could you check if .trust-anchor/isrgrootx1.pem exists in WGT?

[yzpit]

Could you check if .trust-anchor/isrgrootx1.pem exists in WGT?

How can I check this?

[dmitrylyzo]

How can I check this?

WGT is just a ZIP-file. Extract it.

I checked on the Tizen 3 emulator and it doesn't seem to work.
Moreover, it seems that the thrust-anchor feature is limited to mobile and wearable devices. The Tizen 5 emulator refuses to install the app with an error [118, -22].

[yzpit]

WGT is just a ZIP-file. Extract it.

I checked it and it's there.