2024-09-26, 02:58 PM
(This post was last modified: 2024-09-27, 04:08 PM by raulx222. Edited 6 times in total.)
(2024-09-26, 02:23 PM)TheDreadPirate Wrote: I'm wondering if your clients don't trust one of the CAs from Let's Encrypt. The intermediate CA in my cert has a validity date starting earlier this year. If your Android TV clients haven't received any OS updates in a while they may not have that CA in their trust store. And this would require that your proxy offers the full chain.
In Nginx (my proxy) it is possible to offer both the chain.pem and the fullchain.pem. Other users with this issue with their ATV clients were able to resolve the problem by configuring their Apache or Nginx proxy to offer both chains.
Code:
Validity
Not Before: Mar 13 00:00:00 2024 GMT
Not After : Mar 12 23:59:59 2027 GMT
Subject: C = US, O = Let's Encrypt, CN = E6
What I'm reading seems to indicate that Caddy does not present the chain cert that includes the root, which is also the case for Nginx and Apache, by default. But I'm having trouble finding documentation for configuring Caddy to offer the fullchain.
It is possible for Caddy to serve my own .pem file, but the problem is that for now everything is done automatically and my Caddy script is minimal. I don't know where to get the .pem file from or how to prepare it myself.
Edit:
I was wondering why demo.jellyfin.org/stable works on all the ATVs that my server has problems with. I inspected the SSL and the demo site also has only 2 certs (intermediate and leaf) and still works. Also, the demo site has a certificate from Let's Encrypt issued by ISRG Root X1, which is the same as on my server. The only difference that I found is that the demo site has an RSA certificate. I forced RSA on my server and it still doesn't work (I checked with an SSL inspector site and it confirms that it is RSA).
I don't know what to do further... If you want I can PM you my server address so you can check if you see other differences between certificates on my server and the demo one.
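For readers comparing what two servers present, here is an added example (not part of the original posts) that reads a PEM bundle in the order it is sent and reports how many certificates it holds, whether each issuer name matches the next subject, and whether the root itself is included. The certificate names and sample bundles are constructed, unsigned stand-ins, and the check compares names only; it does not verify signatures or consult any trust store.

```python
import base64, re

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length, used by real certificates
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(cert):
    """Return the raw DER issuer and subject Names of one certificate."""
    _, p, _ = tlv(cert, 0)                  # Certificate SEQUENCE
    _, p, _ = tlv(cert, p)                  # TBSCertificate SEQUENCE
    fields = []
    while len(fields) < 5:                  # serial, sigAlg, issuer, validity, subject
        tag, _, end = tlv(cert, p)
        if tag != 0xA0:                     # skip the optional [0] version field
            fields.append(cert[p:end])
        p = end
    return fields[2], fields[4]

def describe_chain(pem_text):
    """Summarise a PEM bundle in the order it is sent (leaf first)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    names = [issuer_subject(base64.b64decode(b)) for b in blocks]
    return {
        "count": len(names),
        # each certificate's issuer must equal the next certificate's subject
        "ordered": all(names[i][0] == names[i + 1][1] for i in range(len(names) - 1)),
        # a self-issued last certificate means the root itself is in the bundle
        "includes_root": bool(names) and names[-1][0] == names[-1][1],
    }

# --- Constructed sample input: unsigned structural stand-ins, not real certificates ---
def sample_der(tag, body):
    return bytes([tag, len(body)]) + body   # short-form lengths only (bodies < 128 bytes)
def sample_name(cn):
    return sample_der(0x30, sample_der(0x31, sample_der(0x30, bytes.fromhex("0603550403") + sample_der(0x0C, cn.encode()))))
def sample_pem(subject, issuer):
    tbs = sample_der(0x30, bytes.fromhex("a0030201020201013000") + sample_name(issuer) + b"\x30\x00" + sample_name(subject))
    cert = sample_der(0x30, tbs + bytes.fromhex("3000030100"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert).decode() + "\n-----END CERTIFICATE-----\n"

LEAF = sample_pem("media.example", "Example Intermediate CA")
INTERMEDIATE = sample_pem("Example Intermediate CA", "Example Root CA")
ROOT = sample_pem("Example Root CA", "Example Root CA")

if __name__ == "__main__":
    print(describe_chain(LEAF + INTERMEDIATE), describe_chain(LEAF + INTERMEDIATE + ROOT))
```

Any text containing PEM certificate blocks can be passed to `describe_chain`, such as the contents of a fullchain.pem file.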