Self-signed certificates

[tedstriker]

Would it be possible to load a self-signed CA certificate into the app or at least ignore the validation. The reason is, that Android TV doesn't allow to import root certificates.
What do you guys think?

[nielsvanvelzen]

No, we will not add such feature to the app because it is unsafe. You can add your own certificates to the Android certificate store or get a free one from services like Let's Encrypt.

[tedstriker]

As far as I know, Android TV doesn't allow users to add their own CA.
Hence my question, to allow adding the CA cert to the app instead of the system.

But if you know a way to do add it to the TV itself, I'd be more than happy to go that route.

Let's Encrypt only works, if you expose a host to the internet. This hasn't happens yet.

Also I'm curious to learn how a skipped certificate validation is more unsafe than the already implemented way to connect without any encryption at all. Honestly I never understood that idea.

[tedstriker]

@nielsvanvelzen would you mind to give me a hint? Others might benefit from it as well.

[thornbill]

You do not need a publicly accessible website to get a valid certificate from Let's Encrypt: https://letsencrypt.org/docs/challenge-types/

[tedstriker]

It still seems like I either open ports 80 (HTTP-01) or 443 (TLS-ALPN-01) for the LE-bot or I need to buy a domain, use one of the supported DNS providers (DNS-01) and move the generated certificate to a directory, where Jellyfin can use it. How this is better than trusting my own, self-signed certificate is beyond my understanding.

As I lack the skills to change the app on my own, I'd be the beggar here. So I admit defeat. I asked what you guys think and you kindly let me know.

Meanwhile I just opened the unencrypted http port for my TV, so I can use the app. Entering credentials on an unencrypted channel feels wrong, but I'm not dying on that hill.

Thanks for your time and patience.

[Gylesie]

Hello @tedstriker, I have the same set-up as you and I understand the struggle. In the end, I concluded to the same workaround - having to have an unsecure connection for android tv clients. It is a pity that there is no way to force trust a certain certificate in the jellyfin client. Even more so, that there is no proper way to download a certificate into the trust store of an android tv itself. Don't get me wrong, I don't mean to criticize the devs, because most people probably wouldn't benefit from this.

[rvrosm]

use this method successfully installed root ca on android tv:

openssl x509 -inform PEM -subject_hash_old -in root.crt | head -1
Subject hash old = 9a5ba575
adb push root.crt /sdcard/Download/

adb root
adb shell
mount -o rw,remount /
cp /sdcard/Download/root.crt /system/etc/security/cacerts
cd /system/etc/security/cacerts
mv root.crt 9a5ba575.0
chmod 644 9a5ba575.0
reboot

this root.crt is caddyserver's ACME Server's root CA. I use caddyserver to serve jellyfin on https://jellyfin.lan