Several LG TV's cannot connect to server

[tobby 14]

17 hours ago, tobby said:

Thank you for that information! Here: https://doc.traefik.io/traefik/https/acme/ it only shows Let's encrypt, but I will give it another try. Since it's also using acme it should be possible to point to a different acme provider.

After a lot of try & error I got it running:
- ZeroSSL doesn't support the TLS-Challenge, so DNS-Challenge or HTTP-Challenge has to be used
- You will need a CAA-record in your DNS settings of your domain containing:

0 issue "sectigo.com"

I tried with "zerossl.com" instead of "sectigo.com" first, which didn't work. If you are using Let's Encrypt, too, you also need a CAA record containing

0 issue "letsencrypt.org"

- Traefik supports multiple certificate resolvers, but they must use the same email address or traefik won't start without any error message.
- external account binding (EAB) for ZeroSSL is only valid once, so don't delete your acme.json or you have to regenerate the eab credentials.

So this means:
- add a CAA record to the DNS of your domain for sectigo.com (see above)
- create an account at app.zerossl.com/signup and login at app.zerossl.com/login
- generate EAB credentials at https://app.zerossl.com/developer and note them somewhere
- use the following Traefik configuration example:

docker-compose.yaml:

version: '3.5'

networks:
  proxy:
    external:
      name: proxy

services:
  traefik:
    container_name: traefik
    image: traefik:v2.5
    restart: unless-stopped
    security_opt:
      - no-new-privileges=true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/dynamic:/dynamic:ro
      - ./config/traefik.yml:/traefik.yml:ro
      - ./acme:/acme
      - ./logs:/logs

config/traefik.yaml:

log:
  level: WARN
  filePath: "/logs/traefik.log"

accessLog:
  filePath: "/logs/access.log"

api:
  dashboard: true
  insecure: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    directory: /dynamic
    watch: true

certificatesResolvers:
  letsencrypt:
    acme:
      email: your@mailaddress.end
      tlsChallenge: {}
      storage: /acme/letsencrypt.json

  zerossl:
    acme:
      email: your@mailaddress.end # must (!) be the same!
      httpChallenge:
        entryPoint: web
      eab:
        kid: your-kid-key
        hmacEncoded: your-hmac
      caServer: https://acme.zerossl.com/v2/DV90
      storage: /acme/zerossl.json

config/dynamic/emby.yaml:

http:
  routers:
    emby:
      entryPoints:
        - websecure
      rule: "Host(`external.emby.domain`)"
      tls:
        certResolver: zerossl
      service: emby

  services:
    emby:
      loadBalancer:
        servers:
          - url: "http://internal.embydomain.orip:8096"

Haven't tried it on the LG TV yet, but my certificate got issued for my emby domain, while all other services remain at Let's Encrypt, so everything should work.

Edited November 10, 2021 by tobby

[plittlefield 44]

Woah, now that's some work right there! Nice one @tobby

I am hoping to have a play with acme.sh + ZeroSSL + DNS + pfx files at some point this week

[plittlefield 44]

OK, I have good news and bad news and better news...

The good news is that the acme.sh script is awesome (even has a Docker image for it) and I got Gandi Live DNS verification working for my domain.

The bad news is that ZeroSSL is down right now and not working, so my friends with LG televisions and the built-in Emby app are still not working for my server.

The better news is that my friends have all purchased Google Chromecasts for £30 and can now use the iOS or Android Emby app to cast to their TVs instead.

So, I think in the end... that's good news?

Paully

Edited November 16, 2021 by plittlefield

[plittlefield 44]

At last, I have had time to finally get the ZeroSSL working using the acme.sh script with Gandi LiveDNS verification.

Instructions are on my Wiki page here:-

https://wiki.indie-it.com/wiki/ZeroSSL

I am just waiting to here back from my friends with LG televisions to see if the app SSL connection problem has been fixed.

Edited November 22, 2021 by plittlefield

[tobby 14]

On Saturday I tried my Traefik reverse proxy setup (see above) and it's working great on LG tvs, too.

[plittlefield 44]

UPDATE

Yessss, LG problems with Let's Encrypt SSL has been fixed by using ZeroSSL instead.

Now, friends using LG televisions can use the Emby app again.

Thanks to all who suggested ZeroSSL 

[V4mpire 0]

I have the same issue, it was pointed out to me by someone else as I haven't used it in quite a while, we both use TV's, basically the same, they just have the larger screen model, I have gone through the process of switching to using ZeroSSL to no avail, just says connection failure, even when trying to put in the connection details manually and using http instead of https.

I run EMBY on my windows pc as had no use for a home linux server in years and all my storage is on my main pc anyway.

It was running fine before and after everywhere else, so I know it can't be a server issue as I can access it remotely and locally with other devices, just not the LG TV's, any other help/ideas would be great.

[blj 3]

Well, im experiencing the same.. I dont think the solution (in my case) is to change preferred chain to a new certificate. The new root cert isnt trusted på LG oled C8, it will only validate the expired... I wish LG would update their TVs with new certs (the x1 has been around since 2015 and they havent included it.. pathetic)

[Luke 37022]

Emby for LG TV's 1.0.31 has been released. Stay tuned to the blog for the release announcement.

[exillerate 3]

I ended up solving this by rooting my tv, and updating the certificates. In the end it was pretty easy, even though I'm a complete noob. Here is a step by step. Warning: Do this at your own risk. 

1. Open the browser on your TV. Enter rootmy.tv. Slide to root. You can use the same address in your browser to read more. 

2. Go to the homebrew app and settings. Enable telnet. Reboot tv.

3. Download an ssh client for your PC, like putty and open it. 

4. To find the address you need to connect to. Go to tv settings and network. Click on your internet connection (wifi or ethernet). There you will see an ip address. 

5. In putty type in the address and choose telnet as connection.

6. You should now be connected and be able to type a command. You can use the script from here: https://gist.github.com/stek29/761232c6f7e1ffbc36b98da2a3a0f4d9

Simply type "curl -qs "https://gist.githubusercontent.com/stek29/761232c6f7e1ffbc36b98da2a3a0f4d9/raw/install.sh?$(date +%s)" | sh -"

The script should run and update certificates. 

7. Reboot tv. That's it. Everything should work now. You should turn off telnet again in homebrew settings. 

[mgworek 121]

On 2/20/2022 at 1:56 PM, exillerate said:

I ended up solving this by rooting my tv, and updating the certificates. In the end it was pretty easy, even though I'm a complete noob. Here is a step by step. Warning: Do this at your own risk. 

1. Open the browser on your TV. Enter rootmy.tv. Slide to root. You can use the same address in your browser to read more. 

2. Go to the homebrew app and settings. Enable telnet. Reboot tv.

3. Download an ssh client for your PC, like putty and open it. 

4. To find the address you need to connect to. Go to tv settings and network. Click on your internet connection (wifi or ethernet). There you will see an ip address. 

5. In putty type in the address and choose telnet as connection.

6. You should now be connected and be able to type a command. You can use the script from here: https://gist.github.com/stek29/761232c6f7e1ffbc36b98da2a3a0f4d9

Simply type "curl -qs "https://gist.githubusercontent.com/stek29/761232c6f7e1ffbc36b98da2a3a0f4d9/raw/install.sh?$(date +%s)" | sh -"

The script should run and update certificates. 

7. Reboot tv. That's it. Everything should work now. You should turn off telnet again in homebrew settings. 

Ok just found this thread. My friend hasn't been able to connect on his tv for months while every other device in his house works. Is this the workaround? I am using SWAG docker on unraid for my certs oh wait, I just noticed SWAG works with ZeroSSL now. I guess I can switch to that and fix his issue. ok!

Edited March 12, 2022 by mgworek

[hong777 0]

On 21/02/2022 at 02:56, exillerate said:

I ended up solving this by rooting my tv, and updating the certificates. In the end it was pretty easy, even though I'm a complete noob. Here is a step by step. Warning: Do this at your own risk. 

1. Open the browser on your TV. Enter rootmy.tv. Slide to root. You can use the same address in your browser to read more. 

2. Go to the homebrew app and settings. Enable telnet. Reboot tv.

3. Download an ssh client for your PC, like putty and open it. 

4. To find the address you need to connect to. Go to tv settings and network. Click on your internet connection (wifi or ethernet). There you will see an ip address. 

5. In putty type in the address and choose telnet as connection.

6. You should now be connected and be able to type a command. You can use the script from here: https://gist.github.com/stek29/761232c6f7e1ffbc36b98da2a3a0f4d9

Simply type "curl -qs "https://gist.githubusercontent.com/stek29/761232c6f7e1ffbc36b98da2a3a0f4d9/raw/install.sh?$(date +%s)" | sh -"

The script should run and update certificates. 

7. Reboot tv. That's it. Everything should work now. You should turn off telnet again in homebrew settings. 

Very good, the problem that https can't log in is completely solved, thank you

[Napo_Leon 5]

Since October 1st, I reverted to ZeroSLL to circumvent the LG WebOS problem.

But today, when I wanted to renew the certificate again, I was told you can only use the free 90-day certificate three (3x) times....
So either pay $120 per year minimum or revert back to Let'sEncrypt.

Isn't there a possibility to 'allow insecure connection' in the LG Emby app (like in Plex)?  

[adminExitium 173]

Check into any of the acme clients like acme or certbot. ZeroSSL allows unlimited 90-day certificates if they have been issued via the acme protocol.

[Luke 37022]

8 hours ago, Napo_Leon said:

Since October 1st, I reverted to ZeroSLL to circumvent the LG WebOS problem.

But today, when I wanted to renew the certificate again, I was told you can only use the free 90-day certificate three (3x) times....
So either pay $120 per year minimum or revert back to Let'sEncrypt.

Isn't there a possibility to 'allow insecure connection' in the LG Emby app (like in Plex)?  

Hi, yes, by setting your server setting to prefer secure connections, but not require them.

[Peppe 4]

Hi all,

does someone have a small guide on how to properly install traefik (+zerossl) with emby on an unraid system? Im totally lost with it, and would like to have a reversed proxy with whitelisted IPs for LG TVs, which cannot connect

Thanks

P.

Edited August 29, 2022 by Peppe

[Luke 37022]

On 8/29/2022 at 10:21 AM, Peppe said:

Hi all,

does someone have a small guide on how to properly install traefik (+zerossl) with emby on an unraid system? Im totally lost with it, and would like to have a reversed proxy with whitelisted IPs for LG TVs, which cannot connect

Thanks

P.

Hi, how far have you gotten?

[Luke 37022]

Emby for LG TV's 1.0.37 has been released. Stay tuned to the blog for the release announcement.

Can you please try out the new update and let us know how it compares? Thanks !

[Peppe 4]

Hi,

sorry to reopen this older topic...but still no luck to gain access to my emby server from older samsung or LG tvs. Someone has a hint or a tutorial, how to set it up in Unraid/Swag/Acme/Emby? Which settings need to be changed exactly? Here the log from Swag...check attachment.

Thanks

swag.log

[Luke 37022]

11 hours ago, Peppe said:

Hi,

sorry to reopen this older topic...but still no luck to gain access to my emby server from older samsung or LG tvs. Someone has a hint or a tutorial, how to set it up in Unraid/Swag/Acme/Emby? Which settings need to be changed exactly? Here the log from Swag...check attachment.

Thanks

swag.log 3.1 kB · 0 downloads

HI, what type of certificate is it? Have you checked that your LG and Samsung TV's trust this certificate? This is going to be the biggest roadblock to SSL with Samsung and LG.

[Peppe 4]

Hi Luke,

 

issue has been solved, after i changed in Cloudflare the A and CNAME to DNS only...as the certs have been created by cloudflare and not zerossl...

[D1sk 4]

I have also been unable to connect to my server via the lG Emby app for months. The server is not in my home network.
I have no SSL certificate in the emby server. I do this with Ngnix Reserve Proxy where I create a ssl certificate with Lets encrypt. With the same tool I specify the internal port of the Emby server and on which port EMby is visible against look.
I can reach Emby from any other device like mobile, tablet and PC from outside my network. But not via LG-TV. If I enter the domain with the port I can not connect or if I use the IP that comes from the provider.
When I try with pin code at LG several servers are loaded but I can't click on any of them. I do not know what else I can do?

[SamES 890]

3 hours ago, D1sk said:

I have also been unable to connect to my server via the lG Emby app for months. The server is not in my home network.
I have no SSL certificate in the emby server. I do this with Ngnix Reserve Proxy where I create a ssl certificate with Lets encrypt. With the same tool I specify the internal port of the Emby server and on which port EMby is visible against look.
I can reach Emby from any other device like mobile, tablet and PC from outside my network. But not via LG-TV. If I enter the domain with the port I can not connect or if I use the IP that comes from the provider.
When I try with pin code at LG several servers are loaded but I can't click on any of them. I do not know what else I can do?

The issue here is not Emby, it's the LG TV.   The fact that you are using a Let's Encrypt certificate is the problem.   Some time ago Lets Encrypt root certificates expired and they haven't been updated in the TV, so any connections via https will fail.  You will need to try another certificate type such as ZeroSSL that still has a current root certificate in the TV

[D1sk 4]

31 minutes ago, SamES said:

The issue here is not Emby, it's the LG TV.   The fact that you are using a Let's Encrypt certificate is the problem.   Some time ago Lets Encrypt root certificates expired and they haven't been updated in the TV, so any connections via https will fail.  You will need to try another certificate type such as ZeroSSL that still has a current root certificate in the TV

Thanks for the info

What if I root my LG?
Would it work then too?

I know the warranty expires but I don't give a damn about it, this warranty is not worth anything anyway because no one from LG will exchange a 77 inch.

[SamES 890]

6 minutes ago, D1sk said:

Thanks for the info

What if I root my LG?
Would it work then too?

I know the warranty expires but I don't give a damn about it, this warranty is not worth anything anyway because no one from LG will exchange a 77 inch.

I have no idea whether you would be able add a new root certificate by doing that