
Help with HTTPS to LG TV


Mister Steve

Emby for LG 1.0.37, Model lg24lm520s-wu WebOS (kitchen) TV

 

Attempting to get HTTPS working for internal access to my Emby server, I enabled remote access under Server->Network config to unhide the certificate options, generated a self-signed certificate and installed it on the server.

When connecting from the LG app via HTTPS port 8920 I immediately get “Connection Failure – We’re unable to connect to the selected server right now. Please ensure it is running and try again”. I suspect the certificate is rejected yet there is no log or debug information that I can find to diagnose, even with debug logging enabled. https to 8920 works great from the same subnet using my browser, Android phone, and Shield clients.

Connect to Server dialog:
Host: https://emby.local
Port: 8920

Suggestions anyone?

Thanks


3 hours ago, Mister Steve said:

Attempting to get HTTPS working for internal access

Why?

Certificate would need to be validated with a domain name for which there will be no DNS locally.


SamES

This is quite an old model, so just be aware that some of the root certificates on the TV may have expired - for example, it's unlikely a LetsEncrypt certificate will work as LG has only updated the root certificate in recent year models.

Mister Steve
52 minutes ago, ebr said:

Why?

Certificate would need to be validated with a domain name for which there will be no DNS locally.

I run DNS (pihole) and I can create a certificate authority if needed. I'm not up to date on LG's certificate handling, perhaps I need to do some research.

"Why" is a different conversation - devices such as smart TVs and IoT devices cannot be trusted on a network with anything valuable that could be stolen or ransomed. Most of these devices contain execution environments that get updated without our control. We normally know little about the vendor's governance and cannot trust that the vendors will even know of compromises on a timely basis. Many or most of these devices gather "analytical" information on behalf of the vendor. These devices are in a perfect position to allow hackers access inside of a trusted network. Even the FBI has warned that smart TVs should not be added to a trusted network zone. Emby's model of supporting SSL/TLS only for Internet clients is outdated. Secured connections should be supported for all clients.


Mister Steve
6 minutes ago, SamES said:

This is quite an old model, so just be aware that some of the root certificates on the TV may have expired - for example, it's unlikely a LetsEncrypt certificate will work as LG has only updated the root certificate in recent year models.

Any suggestions on how to tell why the HTTPS connection is refused? The TV still gets updates from LG, FWIW.


SamES
8 minutes ago, Mister Steve said:

Any suggestions on how to tell why the HTTPS connection is refused? The TV still gets updates from LG, FWIW.

No way to know, but don't assume that LG have updated the certificates when they provide a firmware update. 


Q-Droid

A self-signed certificate is not going to be in any device's trust store unless you manually add either your root or the certificate itself. If you can't add a cert to the LG TV trust store/CA bundle then it's not going to work.

Edited by Q-Droid
  • Like 2
  • Thanks 1
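
Added example (not part of the original posts, and not Emby or LG code): the trust-store behaviour described in the post above, reproduced with `openssl`. The CA name "Home Lab Root", the stand-in "Vendor Root" bundle and all file names are constructed; `emby.local` is the host name from the first post.

```shell
#!/usr/bin/env bash
# Added example; every name, key and certificate here is constructed.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the result does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' \
  > "$WORK/ca.cnf"

# selfsign <name> <CN>: write a self-signed <name>.pem and its <name>.key
selfsign() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

make_certs() {
  selfsign self   "emby.local"      # self-signed server certificate, as in the first post
  selfsign vendor "Vendor Root"     # stands in for a device's built-in CA bundle
  selfsign ca     "Home Lab Root"   # private root CA run by the network owner
  # Leaf certificate for emby.local issued by the private CA, with a SAN.
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=emby.local" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:emby.local\nbasicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# trust_verdict <trust-store.pem> <cert.pem>: prints "trusted" or "rejected"
trust_verdict() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

make_certs
# Each trust store against each server certificate.
for store in vendor ca self; do
  for cert in self leaf; do
    printf '%-6s store, %-4s cert: %s\n' "$store" "$cert" \
      "$(trust_verdict "$WORK/$store.pem" "$WORK/$cert.pem")"
  done
done
```

Only a store that holds the private root, or the self-signed certificate itself, accepts the server; a client whose bundle cannot be changed rejects both.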

Mister Steve
3 hours ago, SamES said:

Refer to this page and the specific note at the bottom

https://webostv.developer.lge.com/develop/specifications/tls

Arrgh, this is the ONLY bit of information posted that has been constructive or helpful (thank you SamES).  PLEASE Emby folks and "Top Contributors" please stop trying to school me as to why I should just give up trying to use a secure protocol with Emby. Apparently you've not learned much in the last couple of weeks.

Link to comment
Share on other sites

You will always have trouble with a self signed cert.
Get a domain if you don't have one for a few bucks then get a free Let's Encrypt certificate.
There are too many IoT devices as well as services like Alexa & Google Home that won't drive you crazy with a self signed cert.

Spend a couple bucks on a domain and get it set up properly, so it will just work!

You can use it both external and internal as long as you have an internal DNS server.


9 hours ago, Carlo said:

Get a domain if you don't have one for a few bucks then get a free Let's Encrypt certificate.

He's trying to use SSL for LAN traffic.


12 hours ago, ebr said:

He's trying to use SSL for LAN traffic.

Yes I understand that. :)
@Q-Droid, @SamES and I are trying to help him out with a solution that will not have the issues a self-signed cert will have with different devices and services.
It might take a couple tries at using different certs to work but the Let's Encrypt certificate is easy to get and free and with any luck might now be supported on his device.

SamES
2 hours ago, Carlo said:

Yes I understand that. :)
@Q-Droid, @SamES and I are trying to help him out with a solution that will not have the issues a self-signed cert will have with different devices and services.
It might take a couple tries at using different certs to work but the Let's Encrypt certificate is easy to get and free and with any luck might now be supported on his device.

I'm fairly certain that the LetsEncrypt root CA on that TV will have expired and not been updated as it's a fairly old model (2017?). But we can only try....or use ZeroSSL

Link to comment
Share on other sites

I think you're right but silently hoping LG would push new root CA files if possible as it's only 6 years old.

  • Agree 1

unisoft

Digicert works fine on 2016 OLED models and 2017 LCD - it's what I use, but it's for external access to server over WAN.
