SSL Letsencrypt on Wowza 4.x Server – Frontend + Backend


How to install Let's Encrypt on a Wowza Streaming Engine server

The problem:

I ran into the problem where I had a web server and a domain running on an SSL certificate. From that point on I got errors that I couldn't connect to my Wowza server (which was non-SSL). So I had to figure out at least how to get the frontend of Wowza to also be able to send out streams based on an SSL certificate.

Analysis:
So I started googling for it, but couldn't find a real solution for enabling Let's Encrypt on Wowza. You can use StreamLock within Wowza, but I'm just running a developer Wowza server, so I wanted a different solution. The major part was the frontend. It would be nice to also run the backend (Engine Manager) on SSL. At this point I have got both working.

So I did some testing and tweaking and got it figured out. This is what I will explain:

  • installation of Let's Encrypt
  • conversion of the SSL certificate to JKS format
  • configuration of the certificate within Wowza

Keep in mind:

  • Your server's virtual memory use may increase because of SSL
  • Always test this in your test environment. Don't hold me responsible for it. This guide is provided as is.

I decided to make a complete installation guide of a Let's Encrypt setup with the things I have found. Make sure to do this in a test environment first; I won't take responsibility if it breaks your setup. This tutorial is just a guide on how you might get it working within your environment! Lastly, you should have root access to your server, and knowledge of your firewall (I can recommend CSF), so knowing how to open ports is a must.

The installation is broken down into 2 parts (installation of Let's Encrypt and the configuration within Wowza).

References/Credits:

Installation of Let's Encrypt SSL

Log in to your Wowza server with PuTTY or another SSH client and go to the tmp directory or your home directory; I always prefer the tmp directory.

Make sure your server is up to date:

Install Git and add the repo to your server

Navigate to your letsencrypt directory

From here you have to change the domain name. My domain name (vps4.ewowza.com) points to my Wowza server, so I will use that domain. You have to change that to yours.

Now you have to set a valid email address, which will be the administrative email address. It will be used if the certificate is giving you issues. Also agree to the terms.
The last question is whether you are willing to share. I set Y. It's up to you what you want.

After the installation you should see a message similar to this:
The expiration date is over 90 days

Some checks to see if your certificate has been created:

List the /etc/letsencrypt/live directory:

Each domain name you specified in the previous step has its own directory. List any of these domain name directories:

You should see it like this:

Each key (.pem) file serves a different purpose:

  • cert.pem: server certificate only
  • chain.pem: root and intermediate certificates only
  • fullchain.pem: combination of server, root and intermediate certificates (replaces cert.pem and chain.pem).
  • privkey.pem: private key (do not share this with anyone!).

Let's Encrypt issues certificates from intermediate certificate authorities. The intermediate certificates have been cross-signed by IdenTrust, which ensures compatibility between the end certificate and all major browsers.

For good measure, display the file status of fullchain.pem (change vps1.vanmarion.nl to your domain):

Wowza Configuration

Robymus made a Java converter which converts your SSL certificate to a JKS file. For more information, please visit his GitHub page. For this installation I like to keep my Wowza Java files in one place, so I will download the jar file to the lib directory.

  • The letsencrypt-live-path parameter defaults to /etc/letsencrypt/live, as is common on Linux systems; it might be different on others.
  • The output-path must be an existing and writable directory; a new JKS keystore will be created here for every certificate in the input directory.
  • A file jksmap.txt is written alongside them, containing the domain-to-keystore mapping to be used in the VHost.xml of Wowza Streaming Engine.
  • The generated JKS password will be 'secret'.

So now we will put the needed files in the conf directory. You are free to do otherwise, as long as you know where you put the files, because you need the paths later on in this installation.

So, let's see if the files are created:

We now need the content of the jksmap.txt file, so we can use that in the Wowza configuration (VHost.xml).

As you can see, there is the data we need:

  • keyStorePath: /usr/local/WowzaStreamingEngine/conf/vps1.ewowza.com.jks
  • keyStorePassword: secret

Those are the only 2 lines you need (copy and save them somewhere local).

Open the Wowza VHost.xml, search for the 443 HostPort and uncomment it by removing the <!-- before <HostPort> and the --> after </HostPort>.

At the same time you also have to edit these 2 lines:
<KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/keystore.jks</KeyStorePath>
<KeyStorePassword>[password]</KeyStorePassword>

to (change vps1.ewowza.com to your domain):

So the new <!-- 443 with SSL --> part should look like this after the change:

OK. Done, save the file and restart the Streaming Engine.

Make sure you have opened port 443 on your firewall.

Backend (EngineManager) on SSL

To run the Engine Manager on HTTPS as well, you have to change the startmgr.sh file. The Engine Manager runs on its own port (normally 8088), but for SSL we are going to use 8090. That port is only for the Engine Manager service, and it is the port you will use from now on.

OK. Open the file startmgr.sh

In this file you will see 2 CMD commands. Because I'm using the Streaming Engine and not the cloud, I only have to change the second CMD command. We need the location of the JKS file we created above. So if you have done that right, it should look like this (my JKS file vps1.ewowza.com.jks is located in the conf directory):

Note: it's best to comment out the original line by putting # in front of it. Then copy that same line to Notepad, make your adjustments and paste it below the original. That way, if it doesn't work, you can always roll back easily.

Note: make sure the complete command is on 1 line (my new command):

So what did I do? I added these options after --httpPort=8088 and before --directoryListings=false:

--httpsPort=8090  // the new port the Engine Manager will run on for SSL access
--httpsKeyStore="/usr/local/WowzaStreamingEngine/conf/vps1.vanmarion.nl.jks"  // the location of my JKS file
--httpsKeyStorePassword="secret"  // the password needed for the JKS file

After this you can restart the Wowza engine and manager.

So your new urls would be:
Frontend: https://YOUR_WOWZA_IPADDRESS:443
Backend: https://YOUR_WOWZA_IPADDRESS:8090/enginemanager/

If all checks (see SSL Checks below) are OK, you could disable HTTP and switch the backend completely to HTTPS.

If you only want to run the backend on SSL, edit the startmgr.sh file again and change --httpPort=8088 to --httpPort=-1

and restart the Engine Manager again.

SSL Checks

If you want to check your freshly installed SSL certificate, make sure to do a detailed test on it. Go to this URL in your browser (change vps1.ewowza.com to your domain):

https://www.ssllabs.com/ssltest/analyze.html?d=vps1.ewowza.com

Get some coffee, the complete check can take a while ;).
The SSL check results also show some issues I have to fix on my server (it's a freshly installed server, so I haven't fixed them yet). So it will also give some advice on fixing your server.

Make sure to fix the problems from the report as far as possible. In my case it is a fresh server and I have some work/fixing to do:

Conclusion

I have the SSL certificate installed. I changed my Wowza URL in JW Player from http://vps1.ewowza.com:1935/vod/transformers_last_knight_2017.mp4/playlist.m3u8
to: https://vps1.ewowza.com:443/vod/transformers_last_knight_2017.mp4/playlist.m3u8

# mind the http to https and the port change 1935 to 443

And now it starts playing again.

Renewing your SSL certificate

I hoped that by using cron jobs the renewal process would be automatic, but that didn't happen. So this is what I did when renewing the SSL certificate. First stop the Wowza server, otherwise it cannot bind the address/port.

And follow these steps:

I did a renewal by running the script again.

It will ask you what you want. Choose: 2

After that the installation will renew the SSL certificate.

Then rerun the letsencrypt-converter to create a new JKS file and jksmap.txt.

Check that the file has today's date:

And that's all you have to do. Restart Wowza again, do an SSL check again, and check that the streams still play on your current URLs and ports.

SSL check (change domain_name to your Wowza server address):

https://www.ssllabs.com/ssltest/analyze.html?d=domain_name
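A quick local check to run after the renewal steps above, before going to the SSL Labs page: it confirms that the certificate Wowza actually serves on the frontend (443) and Engine Manager (8090) ports is the renewed one from /etc/letsencrypt/live. This is an added example, not part of the original post or of Wowza; it assumes the default Let's Encrypt live path, the two ports used in this guide, and uses the post's vps1.ewowza.com as a placeholder domain.

```python
# Added example (not from the original post or from Wowza): after a renewal the
# PEM files change, but Wowza keeps serving the old certificate until the JKS is
# regenerated and the engine restarted. This compares the certificate on disk
# with what each HTTPS port presents, so a stale JKS is caught immediately.
import base64
import hashlib
import socket
import ssl
import sys

DOMAIN = "vps1.ewowza.com"          # placeholder domain taken from the post
PORTS = (443, 8090)                 # frontend and Engine Manager HTTPS ports
LIVE_DIR = "/etc/letsencrypt/live"  # default Let's Encrypt live path (assumed)


def pem_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint (hex) of the first certificate in a PEM string."""
    body = pem.split("-----BEGIN CERTIFICATE-----", 1)[1]
    body = body.split("-----END CERTIFICATE-----", 1)[0]
    der = base64.b64decode("".join(body.split()))  # strip base64 line wrapping
    return hashlib.sha256(der).hexdigest()


def served_fingerprint(host: str, port: int, timeout: float = 5.0) -> str:
    """Fingerprint of the leaf certificate presented on host:port (SNI sent)."""
    # Verification is off on purpose: we want to see the certificate even if it
    # is stale or its chain is broken; the comparison below is the real check.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def compare(local_fp: str, served: dict) -> dict:
    """Map each port to True when it presents the certificate that is on disk."""
    return {port: fp == local_fp for port, fp in served.items()}


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else DOMAIN
    with open(f"{LIVE_DIR}/{domain}/cert.pem") as fh:
        local_fp = pem_fingerprint(fh.read())
    served = {port: served_fingerprint(domain, port) for port in PORTS}
    for port, ok in compare(local_fp, served).items():
        status = "OK" if ok else "STALE: rerun the converter and restart Wowza"
        print(f"{domain}:{port} {status}")
```

Run it as root on the Wowza host (`python3 check_wowza_cert.py vps1.ewowza.com`); a STALE line means the JKS in conf/ still holds the previous certificate.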

Troubleshooting

If for some reason your SSL is not working or your stream is not playing, check these things:

  • Make sure the comment tags are removed from the SSL part of your VHost.xml. Wowza will restart without any problems, but if there is still an unclosed comment tag (<!-- or -->) in it, your SSL won't work.
  • Check if port 443 is open on your server:  http://www.yougetsignal.com/tools/open-ports/
  • Check if your firewall has port 443 open


If you have any comments or suggestions, feel free to leave a reply
