+- Jellyfin Forum (https://forum.jellyfin.org)
+-- Forum: Support (https://forum.jellyfin.org/f-support)
+--- Forum: Troubleshooting (https://forum.jellyfin.org/f-troubleshooting)
+---- Forum: Networking & Access (https://forum.jellyfin.org/f-networking-access)
+---- Thread: Paid CA-signed SSL certificate issue (/t-paid-ca-signed-ssl-certificate-issue)
Paid CA-signed SSL certificate issue - jo_gurt - 2025-04-15
Hi!
I had Jellyfin running fine for months with Let's Encrypt SSL certificate on my custom paid domain. The server is exposed under:
https://watch.my.domain:8920
All clients could connect fine, no issues.
However I needed SSL cert for other things as well, so I got a paid wildcard CA-signed certificate from SS2BUY PrimeSSL cert (the cheapest option, nothing fancy required): *.my.domain
Web client works fine, shows website as secure and the cert is correct (attachment).
However, none of the android client work (both phone and tv). When I switch back to Let's Encrypt, it works again.
I tried adding full cert chain to PFX file, but didn't help.
Any suggestions where to go from there?
Server version: 10.10.3, hosted on Proxmox, latest available android apps.
RE: Paid CA-signed SSL certificate issue - TheDreadPirate - 2025-04-15
Check if the root CA they use is in your phone and TV's trust store. If not, you can try adding their root CA.
FYI, Let's Encrypt does wildcard certs if your DNS provider has a plugin for certbot. My DNS provider is Cloudflare, which has a certbot plugin, and I use wild card certs provided by LE.
RE: Paid CA-signed SSL certificate issue - jo_gurt - 2025-04-16
Yeah, I think installing the SSL2BUY CA helped on Android phone. However I cannot see a way to install CA cert on Android TV (Shield or Google TV).
Weird though that for instance browsers on the same phone don't report anything wrong with the cert. It's only jellyfin that does not like it.
I have the same cert installed on my QNAP and QNAP client apps are perfectly fine with the cert.
RE: Paid CA-signed SSL certificate issue - TheDreadPirate - 2025-04-16
Does the cert you provide to Jellyfin include the full trust chain?
RE: Paid CA-signed SSL certificate issue - jo_gurt - 2025-04-16
Yup, tried that.
RE: Paid CA-signed SSL certificate issue - TheDreadPirate - 2025-04-16
Not sure what else to suggest.
If the device trusted the root, but not the intermediate CA, the full chain should have bridged that trust gap.
If it doesn't trust the root nor the intermediate, and you can't manually add certs, I'm not sure you can address that without switching cert providers. Again, Let's Encrypt does do wildcard certs if your DNS provider has a certbot plugin.
However, IIRC you can add certs to Android TV devices when you put the device in developer mode.