Mister Steve, posted June 6, 2023:

Emby for LG 1.0.37, Model lg24lm520s-wu WebOS (kitchen) TV

Attempting to get HTTPS working for internal access to my Emby server, I enabled remote access under Server->Network config to unhide the certificate options, generated a self-signed certificate and installed it on the server. When connecting from the LG app via HTTPS port 8920 I immediately get “Connection Failure – We’re unable to connect to the selected server right now. Please ensure it is running and try again”. I suspect the certificate is rejected yet there is no log or debug information that I can find to diagnose, even with debug logging enabled. HTTPS to 8920 works great from the same subnet using my browser, Android phone, and Shield clients.

Connect to Server dialog:
Host: https://emby.local
Port: 8920

Suggestions anyone? Thanks

ebr, posted June 6, 2023:

3 hours ago, Mister Steve said:
> Attempting to get HTTPS working for internal access

Why? Certificate would need to be validated with a domain name for which there will be no DNS locally.

SamES, posted June 6, 2023:

This is quite an old model, so just be aware that some of the root certificates on the TV may have expired - for example, it's unlikely a LetsEncrypt certificate will work as LG has only updated the root certificate in recent year models.

Mister Steve, posted June 6, 2023:

52 minutes ago, ebr said:
> Why? Certificate would need to be validated with a domain name for which there will be no DNS locally.

I run DNS (pihole) and I can create a certificate authority if needed. I'm not up to date on LG's certificate handling, perhaps I need to do some research.

"Why" is a different conversation - devices such as smart TVs and IoT devices cannot be trusted on a network with anything valuable that could be stolen or ransomed. Most of these devices contain execution environments that get updated without our control. We normally know little about the vendor's governance and cannot trust that the vendors will even know of compromises on a timely basis. Many or most of these devices gather "analytical" information on behalf of the vendor. These devices are in a perfect position to allow hackers access inside of a trusted network. Even the FBI has warned that smart TVs should not be added to a trusted network zone.

Emby's model of supporting SSL/TLS only for Internet clients is outdated. Secured connections should be supported for all clients.

Mister Steve, posted June 6, 2023:

6 minutes ago, SamES said:
> This is quite an old model, so just be aware that some of the root certificates on the TV may have expired - for example, it's unlikely a LetsEncrypt certificate will work as LG has only updated the root certificate in recent year models.

Any suggestions on how to tell why the HTTPS connection is refused? The TV still gets updates from LG, FWIW.

SamES, posted June 6, 2023:

8 minutes ago, Mister Steve said:
> Any suggestions on how to tell why the HTTPS connection is refused? The TV still gets updates from LG, FWIW.

No way to know, but don't assume that LG have updated the certificates when they provide a firmware update.

SamES, posted June 6, 2023:

Refer to this page and the specific note at the bottom: https://webostv.developer.lge.com/develop/specifications/tls

Q-Droid, posted June 6, 2023 (edited June 6, 2023):

A self-signed certificate is not going to be in any device's trust store unless you manually add either your root or the certificate itself. If you can't add a cert to the LG TV trust store/CA bundle then it's not going to work.

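The trust-store behaviour described in the post above can be reproduced offline with the `openssl` CLI. This is an added example, not code from the thread, Emby or LG: every key, CA name and bundle file is constructed, the "vendor" root only stands in for whatever roots a device ships with, and `emby.local` is the host name from the original question.

```shell
#!/usr/bin/env bash
# Added example: all keys, names and bundles below are constructed for the demo.
W=$(mktemp -d)   # scratch directory for the generated files
cat > "$W/o.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ext_ca]
basicConstraints = critical,CA:TRUE
[ext_leaf]
subjectAltName = DNS:emby.local
EOF

selfsign() {  # selfsign <name> <subject> <ext-section>: key plus self-signed cert
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$W/o.cnf" \
    -subj "$2" -extensions "$3" -keyout "$W/$1.key" -out "$W/$1.crt" 2>/dev/null
}

trusts() {  # trusts <bundle> <cert>: 0 only if cert chains to bundle and names emby.local
  # -no-CApath: do not also consult the system CA directory
  openssl verify -no-CApath -CAfile "$1" -verify_hostname emby.local "$2" >/dev/null 2>&1
}

selfsign vendor "/CN=Constructed Vendor Root" ext_ca    # stand-in for the device's built-in roots
selfsign self   "/CN=emby.local"              ext_leaf  # self-signed server certificate
selfsign ca     "/CN=Constructed Home CA"     ext_ca    # private CA, as proposed in the thread

# Server certificate issued by the private CA instead of signing itself
openssl req -new -newkey rsa:2048 -nodes -config "$W/o.cnf" -subj "/CN=emby.local" \
  -keyout "$W/leaf.key" -out "$W/leaf.csr" 2>/dev/null
openssl x509 -req -in "$W/leaf.csr" -CA "$W/ca.crt" -CAkey "$W/ca.key" -CAcreateserial \
  -days 30 -extfile "$W/o.cnf" -extensions ext_leaf -out "$W/leaf.crt" 2>/dev/null

cp  "$W/vendor.crt" "$W/tv.pem"                             # fixed device bundle
cat "$W/vendor.crt" "$W/self.crt" > "$W/tv_plus_self.pem"   # bundle with the cert itself added
cat "$W/vendor.crt" "$W/ca.crt"   > "$W/tv_plus_ca.pem"     # bundle with the private root added

for pair in "tv.pem self" "tv.pem leaf" "tv_plus_self.pem self" "tv_plus_ca.pem leaf"; do
  set -- $pair
  if trusts "$W/$1" "$W/$2.crt"; then r=accepted; else r=rejected; fi
  printf '%-18s %-5s %s\n' "$1" "$2" "$r"
done
```

Dropping the output redirection inside `trusts` shows the verification error `openssl` reports for each rejected case.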
Mister Steve, posted June 7, 2023:

3 hours ago, SamES said:
> Refer to this page and the specific note at the bottom: https://webostv.developer.lge.com/develop/specifications/tls

Arrgh, this is the ONLY bit of information posted that has been constructive or helpful (thank you SamES). PLEASE Emby folks and "Top Contributors" please stop trying to school me as to why I should just give up trying to use a secure protocol with Emby. Apparently you've not learned much in the last couple of weeks.

Carlo, posted June 7, 2023:

You will always have trouble with a self signed cert. Get a domain if you don't have one for a few bucks then get a free Let's Encrypt certificate. There are too many IoT devices as well as services like Alexa & Google Home that won't drive you crazy with a self signed cert.

Spend a couple bucks on a domain and get it set up properly, so it will just work! You can use it both external and internal as long as you have an internal DNS server.

ebr, posted June 7, 2023:

9 hours ago, Carlo said:
> Get a domain if you don't have one for a few bucks then get a free Let's Encrypt certificate.

He's trying to use SSL for LAN traffic.

Carlo, posted June 8, 2023:

12 hours ago, ebr said:
> He's trying to use SSL for LAN traffic.

Yes I understand that. @Q-Droid, @SamES and I are trying to help him out with a solution that will not have the issues a self-signed cert will have with different devices and services. It might take a couple tries at using different certs to work but the Let's Encrypt certificate is easy to get and free and with any luck might now be supported on his device.

SamES, posted June 8, 2023:

2 hours ago, Carlo said:
> Yes I understand that. @Q-Droid, @SamES and I are trying to help him out with a solution that will not have the issues a self-signed cert will have with different devices and services. It might take a couple tries at using different certs to work but the Let's Encrypt certificate is easy to get and free and with any luck might now be supported on his device.

I'm fairly certain that the LetsEncrypt root CA on that TV will have expired and not been updated as it's a fairly old model (2017?). But we can only try... or use ZeroSSL.

Carlo, posted June 9, 2023:

I think you're right but silently hoping LG would push new root CA files if possible as it's only 6 years old.

unisoft, posted June 14, 2023:

Digicert works fine on 2016 OLED models and 2017 LCD - it's what I use, but it's for external access to server over WAN.