Forum Discussion

RokuTomC's avatar
RokuTomC
Community Moderator
6 years ago

[Potential service disruption] — Upcoming SSL certificate expiration could impact channel operations

This Saturday, May 30 at 10:48:38 2020 GMT, the widely-used "AddTrust External CA Root” certificate will expire. If your Roku channel still includes this certificate at this time it will have connection issues. These issues may manifest themselves in a variety of ways, including failures with channel launches, video playback, image rendering, or analytics.

Here are some details about the expiration and how it impacts OpenSSL 1.0.0 platforms like Roku OS:

https://calnetweb.berkeley.edu/calnet-technologists/incommon-sectigo-certificate-service/addtrust-external-root-expiration-may-2020

Certificates that have multiple chains of trust where the "AddTrust External CA Root” certificate is in only one trust chain will get an SSL handshake failure on Roku OS, but not on other platforms that can authenticate the second trust chain.

Please check that the trust chain for any SSL certificates used to support your channel do not include the "AddTrust External CA Root" certificate. You can check this by hitting the SSL endpoints your channel uses with the script shown at the bottom of this post. The script must run on in a linux environment with OpenSSL installed.

If you find a cert that lists the "AddTrust External CA Root" certificate, please update the certificate to avoid any connection issues. As an exception to our standard policy, Roku will publish channel updates that resolve issues related to this cert expiration throughout the weekend. If you submit a channel update during the weekend, please also open a ticket with our Partner Success team to request that they publish your channel.

If it is impossible for you to update the certificate and you could avoid validating the trust chain on a connection, you could modify your BrightScript channel using: roUrlTransfer.EnablePeerVerification(False)

Please be sure to share this message with your Roku engineering team. If you have any questions pertaining to this issue, you can submit a question to Roku’s Partner Success team.

Thanks for your prompt attention to this issue. Below is the script you can use to hit your SSL endpoints:

 

#/bin/bash

openssl s_client -no_alt_chains -showcerts -verify 5 -servername ${1} -connect ${1}:443 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".crt"; print >out}' && for cert in *.crt; do newname=$(openssl x509 -noout -subject -in $cert | sed -n 's/^.*CN=\(.*\)$/\1/; s/[ ,.*]/_/g; s/__/_/g; s/^_//g;p').pem; mv $cert $newname; done

 

Roku Developer Program

31 Replies

  • andro23's avatar
    andro23
    Channel Surfer
    6 years ago

    Hi,

    Thanks for the heads-up. Will this affect SSL connections using common:/certs/ca-bundle.crt?

    Example: 

    object.SetCertificatesFile("common:/certs/ca-bundle.crt")
object.AddHeader("X-Roku-Reserved-Dev-Id", "")
object.InitClientCertificates()

     Thanks!

    • RokuTomC's avatar
      RokuTomC
      Community Moderator
      6 years ago

      Good question, thanks for asking.

      The common:/certs/ca-bundle.crt file does currently contain the cert which is expiring. We may deploy a patch Roku OS 9.3 update which removes this cert, but there are no commitments just yet and you should not rely on this from Roku.
       
      The main urgency is around fixing the cert in your servers. In our internal testing, we did not encounter major issues when the cert was included client-side.
       
      So, while there is a non-zero risk of your channels being impacted if they’re using our common cert bundle file, the risk is low.
    • pcnweb's avatar
      pcnweb
      Channel Surfer
      6 years ago

      Yes, confirmed today by all my apps not working - they have really screwed up more than normal with this one.

      • pcnweb's avatar
        pcnweb
        Channel Surfer
        6 years ago

        So what is the fix when you are using their cert:

        url.SetCertificatesFile("common:/certs/ca-bundle.crt")

        which I'm sure is 90%+ of their base.

    • OddScott's avatar
      OddScott
      Roku Guru
      6 years ago

      After some further experimentation, it seems that my problem was caused, at least in part, by an SSL certificate purchased last year from Namecheap.com and configured into the CDN. After installing a new SSL certificate purchased from GoDaddy.com today, the problem is resolved!

    • RokuTomC's avatar
      RokuTomC
      Community Moderator
      6 years ago

      Unfortunately, your only option is to add this API call to your channel source. If this isn't possible or isn't resolving your issue, then the only remaining option is to wait until Roku OS 9.3.0 v4170 is fully deployed. 4170 includes a ca-cert bundle update.

      Note also that any end-user on a set-top box or streaming stick can currently manually update to 9.3.0v4170. Roku TVs will fast-follow with a patch.

      • tifroz's avatar
        tifroz
        Streaming Star
        6 years ago

        Sorry if I am being dense, but I think you are suggesting that the httpAgent of a VideoNode can be configured to work around the expired certificate? If so, can you provide an example of the API call you are referring to?

        My current understanding is that the EnablePeerVerification() API is only available to roTransferUrl objects, which do not affect VideoNode requests to streaming servers. Correct me if I am wrong here?

  • brianstegman's avatar
    brianstegman
    Streaming Star
    6 years ago

    RokuTomC  I submitted an update yesterday at 5pm and notified partner success but still have not heard back from them nor has the update gone out.  I have customers complaining.  Do you know when I can expect to hear back from someone?  In the message above it states they are working over the weekend.

    Thanks

  • brianstegman's avatar
    brianstegman
    Streaming Star
    6 years ago

    RokuTomC Still nothing.  I have some very unhappy customers.  I guess this is not true "As an exception to our standard policy, Roku will publish channel updates that resolve issues related to this cert expiration throughout the weekend. If you submit a channel update during the weekend, please also open a ticket with our Partner Success team to request that they publish your channel."  Very disappointing.