SSL Letsencrypt on Wowza 4.x Server – Frontend + Backend

Update July 1st, 2020

I created new pages for installation of Letsencrypt on CentOS7 and Ubuntu 18/20.04

Wowza 4.8.x – Ubuntu 18.04/20.04 – Letsencrypt

Wowza 4.8.x – CentOS7 – Letsencrypt

The post below is deprecated and not supported anymore.

Update June 22, 2020

I deleted the latest update, because somehow the letsencrypt setup doesn’t work anymore since 4.8.0. I have to do extended testing on this. So from today this page is not supported anymore. Feel free to leave a comment if you want. Whenever I have an update on this I will create a post.

Update April 18, 2018

I found out that Java8 had issues installing on Ubuntu 16.04. After that was fixed, I wanted to install letsencrypt, but that part also has changed a bit. Will update this tutorial in the coming days and probably have an update in 2 days (April 20). Tests went fine, but will double check with a fresh install of ubuntu, wowza and letsencrypt. The tutorial should work (I adjusted some commands and explanation).

I will also update this tutorial with how to set up a firewall (I use CSF) for my wowza usage.

Update Oct 20, 2017. I found out the letsencrypt certificate is not being updated automatically. Added the upgrade process at the bottom of this page before troubleshooting.

Update August 17, 2017 – I had problems getting the backend running on ssl too, but I got that fixed.

How to install Letsencrypt on a Wowza Streamingengine server

The problem:
I ran into the problem where I had a webserver and a domain running on an SSL certificate. From that point on I got errors that I couldn’t connect to my wowza server (which was non-SSL). So I had to figure out at least how to get the frontend of wowza to also be able to send out streams based on an SSL certificate. Here you can see the issue I got in my jwplayer which runs on a domain with an SSL certificate on it:

Analyze:
So I started googling for it, but couldn’t find a real solution to enable letsencrypt on wowza. You can use streamlock within wowza, but I’m just running a developer wowza server, so I wanted a different solution. The major part was the frontend. Would be nice to also use the backend on SSL (enginemanager). At this point I got both working.

So I did some testing, tweaking and got it figured out. This is what I will explain:

  • installation of letsencrypt
  • 2 cronjobs to renew the certificate and update letsencrypt automatically
  • convert the SSL certificate to a JKS format
  • configure the Certificate within Wowza

Keep in mind:

  • Your server may see an increase in virtual memory usage because of the ssl
  • Always test this in your test environment. Don’t hold me responsible for it. This is a guide as is.

I decided to make a complete installation guide of a Letsencrypt setup with the things I have found. Make sure to do this on a test environment first, I won’t take responsibility if it breaks your setup. This tutorial is just a guide on how you might get it to work within your environment! Last thing is that you should have root access to your server and knowledge of your firewall (I can recommend csf); knowing how to open ports is a must.

The installation is broken down into 2 parts (installation of LetsEncrypt and the configuration within Wowza)

References/Credits:

Installation LetsEncrypt SSL

Login to your wowza server with putty or other ssh client and go to the tmp directory or your home directory, i always prefer the tmp directory

cd /tmp

Make sure your server is up to date: 

apt-get update && sudo apt-get upgrade

Install Git and add the repo to your server

apt-get install git
git clone https://github.com/certbot/certbot /opt/letsencrypt

Navigate to your letsencrypt directory

cd /opt/letsencrypt

From here you have to change the domain name. My domain name (vps4.vanmarion.nl) points to my wowza server, so I will use that domain. You have to change that to yours.

sudo certbot certonly --standalone --preferred-challenges http -d vps4.vanmarion.nl

Now you have to set a valid email address, which will be the administrative email address. It will be used if the certificate is giving you issues. Also agree with the terms.
The last question is if you are willing to share. I set an Y. It’s up to you what you want.

Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): jeroen@vanmarion.nl

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for vps1.vanmarion.nl
Waiting for verification…
Cleaning up challenges

 

After the installation you should see a message similar to this.
The certificate expires in 90 days.

- If you lose your account credentials, you can recover them through
  e-mails sent to somebody@example.com.
- Congratulations! Your certificate and chain have been saved at
  /etc/letsencrypt/live/vps1.vanmarion.nl/fullchain.pem. Your
  cert will expire on 2017-10-29. To obtain a new version of the
  certificate in the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
  configuration directory at /etc/letsencrypt. You should make a
  secure backup of this folder now. This configuration directory will
  also contain certificates and private keys obtained by Let's
  Encrypt, so making regular backups of this folder is ideal.
- If you like Let's Encrypt, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
  Donating to EFF:                    https://eff.org/donate-le

Some checks to see if your certificate has been created

List the /etc/letsencrypt/live directory:

ls /etc/letsencrypt/live

Each domain name you requested a certificate for has its own directory. List any of these domain name directories:

ls /etc/letsencrypt/live/vps1.vanmarion.nl

You should see it like this:

cert.pem chain.pem fullchain.pem privkey.pem

Each key (.pem) file serves a different purpose:

  • cert.pem: server certificate only
  • chain.pem: root and intermediate certificates only
  • fullchain.pem: combination of server, root and intermediate certificates (replaces cert.pem and chain.pem).
  • privkey.pem: private key (do not share this with anyone!).

Let’s Encrypt issues certificates from intermediate certificate authorities. Intermediate certificates have been cross-signed by Identrust, which ensures compatibility between the end certificate and all major browsers

For good measure, display the file status of fullchain.pem: (replace vps1.vanmarion.nl with your domain)

stat /etc/letsencrypt/live/vps1.vanmarion.nl/fullchain.pem

#which will give this output
File: ‘live/vps4.vanmarion.nl/cert.pem’ -> ‘../../archive/vps4.vanmarion.nl/cert1.pem’
 Size: 46 Blocks: 0 IO Block: 4096 symbolic link
Device: 801h/2049d Inode: 1298340 Links: 1
Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2018-04-18 02:58:40.840073805 +0200
Modify: 2018-04-18 02:58:40.812073942 +0200
Change: 2018-04-18 02:58:40.812073942 +0200
 Birth: -

 

 

Cronjobs

These are needed to automatically update letsencrypt and renew your SSL certificate when needed. Add these 2 lines to crontab and change vps1.vanmarion.nl to your own domain. I use the vi editor, so if you use nano you know how to edit the crontab file

crontab -e

#add these 2 lines
#crontab -e edits the current user's crontab, which has no user column (only /etc/crontab and /etc/cron.d take one), so no "root" after the schedule
#2>&1 also sends error messages to the log file
@weekly cd /opt/letsencrypt && git pull >> /var/log/letsencrypt/letsencrypt-auto-update.log 2>&1
@monthly /opt/letsencrypt/letsencrypt-auto certonly --quiet --standalone --renew-by-default -d vps4.vanmarion.nl >> /var/log/letsencrypt/letsencrypt-auto-update.log 2>&1

 

So now every week letsencrypt is updated and every month the ssl is checked and updated

Ok. for now letsencrypt is installed. Time to switch to the Wowza setup

Wowza Configuration

Robymus made a Java converter which converts your SSL certificate to a JKS file. For more information, please visit his Github page. For this installation I like to keep my wowza java files in one place, so I will download the jar file to the lib directory

cd /usr/local/WowzaStreamingEngine/lib 
wget https://github.com/robymus/wowza-letsencrypt-converter/releases/download/v0.1/wowza-letsencrypt-converter-0.1.jar

  • The letsencrypt-live-path parameter defaults to /etc/letsencrypt/live, as is common on Linux systems; it might be different on others.
  • The output-path must be an existing and writable directory; a new JKS keystore will be created there for every certificate in the input directory, together with a file jksmap.txt containing the domain to keystore mapping to be used in the VHost.xml of Wowza Streaming Engine.
  • The generated JKS password will be ‘secret’.

So now we will put the files needed in the conf directory. You are free to do otherwise, just as long as you know the locations where you put the files, because you need the paths later on in this installation

cd /usr/local/WowzaStreamingEngine/lib
java -jar wowza-letsencrypt-converter-0.1.jar -v /usr/local/WowzaStreamingEngine/conf/ /etc/letsencrypt/live/

 

So, let’s see if the files are created:

cd /usr/local/WowzaStreamingEngine/conf/
ls

#you should see these files (where vps1.vanmarion.nl should be your domain)

vps1.vanmarion.nl.jks
jksmap.txt

 

We now need the content of the jksmap.txt file, so we can use that in the Wowza configuration (VHost.xml).

The jks file is needed for conversion. You can read the jksmap.txt file, because you need the settings in it; we will put them in the VHost.xml file

cd /usr/local/WowzaStreamingEngine/conf/
cat jksmap.txt

#result:
vps1.vanmarion.nl={"keyStorePath":"/usr/local/WowzaStreamingEngine/conf/vps1.vanmarion.nl.jks", "keyStorePassword":"secret", "keyStoreType":"JKS"}

 

As you can see there is the data we need

  • keyStorePath: /usr/local/WowzaStreamingEngine/conf/vps4.vanmarion.nl.jks
  • keyStorePassword: secret

Those are the only 2 lines you need (copy and save them somewhere local).

Open the Wowza VHost.xml, search for the 443 HostPort and uncomment it: remove the <!-- before <HostPort> and the --> after </HostPort>

vi /usr/local/WowzaStreamingEngine/conf/VHost.xml

# remove the <!-- at the start and --> at the end of the HostPort element. 

<!-- 443 with SSL -->
            <!--
            <HostPort>
                <Name>Default SSL Streaming</Name>
                <Type>Streaming</Type>
                <ProcessorCount>${com.wowza.wms.TuningAuto}</ProcessorCount>
                <IpAddress>*</IpAddress>
                <Port>443</Port>
                <HTTPIdent2Response></HTTPIdent2Response>
                <SSLConfig>
                    <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/keystore.jks</KeyStorePath>
                    <KeyStorePassword>[password]</KeyStorePassword>
                    <KeyStoreType>JKS</KeyStoreType>
                    <DomainToKeyStoreMapPath></DomainToKeyStoreMapPath>
                    <SSLProtocol>TLS</SSLProtocol>
                    <Algorithm>SunX509</Algorithm>
                    <CipherSuites></CipherSuites>
                    <Protocols></Protocols>
                </SSLConfig>
                <SocketConfiguration>
                    <ReuseAddress>true</ReuseAddress>
                    <ReceiveBufferSize>65000</ReceiveBufferSize>
                    <ReadBufferSize>65000</ReadBufferSize>
                    <SendBufferSize>65000</SendBufferSize>
                    <KeepAlive>true</KeepAlive>
                    <AcceptorBackLog>100</AcceptorBackLog>
                </SocketConfiguration>
                <HTTPStreamerAdapterIDs>cupertinostreaming,smoothstreaming,sanjosestreaming,dvrchunkstreaming,mpegdashstreaming</HTTPStreamerAdapterIDs>
                <HTTPProviders>
                    <HTTPProvider>
                        <BaseClass>com.wowza.wms.http.HTTPCrossdomain</BaseClass>
                        <RequestFilters>*crossdomain.xml</RequestFilters>
                        <AuthenticationMethod>none</AuthenticationMethod>
                    </HTTPProvider>
                    <HTTPProvider>
                        <BaseClass>com.wowza.wms.http.HTTPClientAccessPolicy</BaseClass>
                        <RequestFilters>*clientaccesspolicy.xml</RequestFilters>
                        <AuthenticationMethod>none</AuthenticationMethod>
                    </HTTPProvider>
                    <HTTPProvider>
                        <BaseClass>com.wowza.wms.http.HTTPProviderMediaList</BaseClass>
                        <RequestFilters>*jwplayer.rss|*jwplayer.smil|*medialist.smil|*manifest-rtmp.f4m</RequestFilters>
                        <AuthenticationMethod>none</AuthenticationMethod>
                    </HTTPProvider>
                    <HTTPProvider>
                        <BaseClass>com.wowza.wms.http.HTTPServerVersion</BaseClass>
                        <RequestFilters>*</RequestFilters>
                        <AuthenticationMethod>none</AuthenticationMethod>
                    </HTTPProvider>
                </HTTPProviders>
            </HostPort>
            -->

In the meanwhile you also have to edit the 2 lines:

<KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/keystore.jks</KeyStorePath>
<KeyStorePassword>[password]</KeyStorePassword>

To:  (change vps1.vanmarion.nl to your domain)

<KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/vps4.vanmarion.nl.jks</KeyStorePath>
<KeyStorePassword>secret</KeyStorePassword>

So the new <!-- 443 with SSL --> part should look like this after changing.

<!-- 443 with SSL -->
            <HostPort>
                <Name>Default SSL Streaming</Name>
                <Type>Streaming</Type>
                <ProcessorCount>${com.wowza.wms.TuningAuto}</ProcessorCount>
                <IpAddress>*</IpAddress>
                <Port>443</Port>
                <HTTPIdent2Response></HTTPIdent2Response>
                <SSLConfig>
                    <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/vps4.vanmarion.nl.jks</KeyStorePath>
                    <KeyStorePassword>secret</KeyStorePassword>
                    <KeyStoreType>JKS</KeyStoreType>
                    <DomainToKeyStoreMapPath></DomainToKeyStoreMapPath>
                    <SSLProtocol>TLS</SSLProtocol>
                    <Algorithm>SunX509</Algorithm>
                    <CipherSuites></CipherSuites>
                    <Protocols></Protocols>
                </SSLConfig>
                <SocketConfiguration>
                    <ReuseAddress>true</ReuseAddress>
                    <ReceiveBufferSize>65000</ReceiveBufferSize>
                    <ReadBufferSize>65000</ReadBufferSize>
                    <SendBufferSize>65000</SendBufferSize>
                    <KeepAlive>true</KeepAlive>
                    <AcceptorBackLog>100</AcceptorBackLog>
                </SocketConfiguration>
                <HTTPStreamerAdapterIDs>cupertinostreaming,smoothstreaming,sanjosestreaming,dvrchunkstreaming,mpegdashstreaming</HTTPStreamerAdapterIDs>
                <HTTPProviders>
                    <HTTPProvider>
                        <BaseClass>com.wowza.wms.http.HTTPCrossdomain</BaseClass>
                        <RequestFilters>*crossdomain.xml</RequestFilters>
                        <AuthenticationMethod>none</AuthenticationMethod>
                    </HTTPProvider>
                    <HTTPProvider>
                        <BaseClass>com.wowza.wms.http.HTTPClientAccessPolicy</BaseClass>
                        <RequestFilters>*clientaccesspolicy.xml</RequestFilters>
                        <AuthenticationMethod>none</AuthenticationMethod>
                    </HTTPProvider>
                    <HTTPProvider>
                        <BaseClass>com.wowza.wms.http.HTTPProviderMediaList</BaseClass>
                        <RequestFilters>*jwplayer.rss|*jwplayer.smil|*medialist.smil|*manifest-rtmp.f4m</RequestFilters>
                        <AuthenticationMethod>none</AuthenticationMethod>
                    </HTTPProvider>
                    <HTTPProvider>
                        <BaseClass>com.wowza.wms.http.HTTPServerVersion</BaseClass>
                        <RequestFilters>*</RequestFilters>
                        <AuthenticationMethod>none</AuthenticationMethod>
                    </HTTPProvider>
                </HTTPProviders>
            </HostPort>

Ok. Done, save the file and restart the Streamingengine

service WowzaStreamingEngine restart

Make sure you have opened port 443 on your firewall. 

Backend (EngineManager) on SSL

To be able to run the Enginemanager on https too, you have to change the startmgr.sh file. The enginemanager runs on its own port (normally 8088), but for ssl we are going to use 8090. That is just for the enginemanager service but you will use that port next time.

Ok. Open the file startmgr.sh

vi /usr/local/WowzaStreamingEngine/manager/bin/startmgr.sh

In this file you will see 2 CMD commands. Because I’m using the StreamingEngine and not the cloud, I only have to change the second CMD command. We need the location of the jks file we created above here. So if you have done that right it should be like this: (my jks file vps1.vanmarion.nl.jks is located in the conf directory)

Note: it’s best to comment out the original line by putting # in front of it. Then copy that same line to notepad, do your adjustments and paste it below it. So in case it won’t work, you can always roll back easily

Note: Make sure the complete command is on 1 line: (my new command)

CMD="$_EXECJAVA -Dcom.wowza.wms.ConfigURL=\"\" -Dcom.wowza.wms.ConfigHome=$WMSMGR_HOME -Djava.io.tmpdir=$WMSMGR_HOME/temp -Dlog4j.configuration=file://$WMSMGR_HOME/conf/winstone.properties -Djava.net.preferIPv4Stack=true -jar $WMSMGR_HOME/lib/wms-winstone-1.0.5-boot.jar --prefix=/enginemanager --defaultWebApp=/enginemanager --tempDirectory=$WMSMGR_HOME/temp --webroot=$WMSMGR_HOME/temp --warfile=$WMSMGR_HOME/lib/WMSManager.war --httpPort=8088 --httpsPort=8090 --httpsKeyStore="/usr/local/WowzaStreamingEngine/conf/vps1.vanmarion.nl.jks" --httpsKeyStorePassword="secret" --directoryListings=false"

So what did I do? I added this line after --httpPort=8088 and before --directoryListings=false

--httpsPort=8090 --httpsKeyStore="/usr/local/WowzaStreamingEngine/conf/vps4.vanmarion.nl.jks" --httpsKeyStorePassword="secret"

--httpsPort=8090  // will be the new port where the Enginemanager will run on for SSL access
--httpsKeyStore="/usr/local/WowzaStreamingEngine/conf/vps1.vanmarion.nl.jks"  // the location of my jks file
--httpsKeyStorePassword="secret" // the password needed for the jks file


After this you can restart the WowzaEngine and manager

service WowzaStreamingEngine restart
service WowzaStreamingEngineManager restart

#make sure to check if both are started
ps aux

So your new urls would be:
Frontend: https://YOUR_WOWZA_IPADDRESS:443 
Backend: https://YOUR_WOWZA_IPADDRESS:8090/enginemanager/

If all checks (see SSL checks below) are ok, you could disable http and switch the backend completely to https

If you only want to run the backend on SSL you have to edit the startmgr.sh file again and change the --httpPort=8088 to --httpPort=-1

and restart the enginemanager again

SSL Checks

If you want to do a check on your freshly installed SSL certificate, make sure to do a detailed test on it. Go to this url in your browser (change vps1.vanmarion.nl to your domain)

https://www.ssllabs.com/ssltest/analyze.html?d=vps1.vanmarion.nl

Get some coffee, the complete check can take a while ;).
The SSL check results also show some checks I have to fix on my server (it’s a freshly installed server, so I haven’t fixed the checks yet). So it will also give some advice on fixing your server

Make sure to fix the problems from the report as far as possible. In my case it is a fresh server and I have some work/fixing to do:

Conclusion

I have the SSL installed. I changed my wowza url in jwplayer from http://vps1.vanmarion.nl:1935/vod/transformers_last_knight_2017.mp4/playlist.m3u8
to: https://vps1.vanmarion.nl:443/vod/transformers_last_knight_2017.mp4/playlist.m3u8

# mind the http to https and the port change 1935 to 443

And now it starts playing again.

Renewing your SSL certificate

I hoped that by using the cronjobs the renewal process would go automatically, but that didn’t happen. So this is what I did when renewing the SSL. First stop the wowza server, otherwise it cannot bind the address/port

service WowzaStreamingEngine stop
service WowzaStreamingEngineManager stop

And follow these steps

I did a renewal by running the script again.

cd /opt/letsencrypt
sudo certbot certonly --standalone --preferred-challenges http -d vps4.vanmarion.nl

It will ask you what you want. choose: 2

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/vps4.vanmarion.nl.conf)

What would you like to do?
-------------------------------------------------------------------------------
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

After that the installation will renew the SSL

Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for vps1.vanmarion.nl
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/vps1.vanmarion.nl/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/vps4.vanmarion.nl/privkey.pem
   Your cert will expire on 2018-07-18. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Then rerun the letsencrypt-converter to create a new jksmap.txt

cd /usr/local/WowzaStreamingEngine/lib
java -jar wowza-letsencrypt-converter-0.1.jar -v /usr/local/WowzaStreamingEngine/conf/ /etc/letsencrypt/live/

Check if the file has the date of now

cd /usr/local/WowzaStreamingEngine/conf; ls -la

And that’s all you have to do. Restart wowza again and do an ssl check again, and check if the streams still play on your current urls and ports

service WowzaStreamingEngine start
service WowzaStreamingEngineManager start

SSL check. change domain_name to your wowza server address

https://www.ssllabs.com/ssltest/analyze.html?d=domain_name
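
The renewal steps above (and the cronjobs earlier on this page) can be tied to certbot itself with a deploy hook, which certbot runs only after a certificate was actually renewed. The script below is an added example, not part of the original tutorial or of the converter project; the function names are made up for illustration, and it assumes the paths used on this page and that Wowza runs as the owner of the keystore file.

```shell
#!/bin/sh
# Added example: certbot deploy hook for the Wowza setup described on this page.
# Assumed usage: certbot renew --deploy-hook /path/to/this-script
set -u

WOWZA_HOME="${WOWZA_HOME:-/usr/local/WowzaStreamingEngine}"   # path used on this page
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
CONVERTER_JAR="$WOWZA_HOME/lib/wowza-letsencrypt-converter-0.1.jar"

# Print the keyStorePath recorded for domain $2 in the jksmap.txt file $1.
# Line format (from the page): domain={"keyStorePath":"/path.jks", ...}
jks_path_for() {
    map_file=$1
    domain=$2
    # Escape dots so "a.b" cannot match "aXb".
    pattern=$(printf '%s' "$domain" | sed 's/\./\\./g')
    sed -n "s/^${pattern}={.*\"keyStorePath\":\"\([^\"]*\)\".*/\1/p" "$map_file" | head -n 1
}

# Succeed (0) when the keystore is missing or older than the renewed PEM,
# i.e. when Wowza would keep serving the previous certificate.
keystore_is_stale() {
    pem=$1
    jks=$2
    [ -f "$jks" ] || return 0
    # find -L follows the live/ -> archive/ symlink that certbot maintains.
    [ -n "$(find -L "$pem" -newer "$jks" 2>/dev/null)" ]
}

# Rebuild the keystore for one renewed certificate and restart Wowza.
deploy_renewed_cert() {
    lineage=$1                        # e.g. /etc/letsencrypt/live/<domain>
    domain=$(basename "$lineage")
    conf_dir="$WOWZA_HOME/conf"
    pem="$lineage/fullchain.pem"
    [ -f "$pem" ] || { echo "no fullchain.pem in $lineage" >&2; return 1; }

    jks=$(jks_path_for "$conf_dir/jksmap.txt" "$domain" 2>/dev/null)
    [ -n "$jks" ] || jks="$conf_dir/$domain.jks"   # converter's naming on this page

    if ! keystore_is_stale "$pem" "$jks"; then
        echo "keystore for $domain is current, nothing to do"
        return 0
    fi

    # Same converter call as in the tutorial.
    java -jar "$CONVERTER_JAR" -v "$conf_dir/" "$LIVE_DIR/" || return 1
    if keystore_is_stale "$pem" "$jks"; then
        echo "converter ran but $jks was not refreshed" >&2
        return 1
    fi

    # The keystore holds the private key behind the fixed password 'secret',
    # so file permissions are its only protection.
    # Assumption: Wowza runs as the owner of this file.
    chmod 600 "$jks"

    service WowzaStreamingEngine restart
    service WowzaStreamingEngineManager restart
}

# certbot exports RENEWED_LINEAGE to deploy hooks. Without it (script run by
# hand or sourced) only the functions above are defined and nothing is changed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_renewed_cert "$RENEWED_LINEAGE"
fi
```

Because the hook only fires after a successful renewal, Wowza is restarted when there is a new certificate to load and not on every cron run.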

Troubleshooting

If for some reason your ssl is not working or your stream is not being played, check these things

  • Make sure in your VHost.xml the comment tags are deleted in the SSL part. You can restart wowza without any problems, but if there is still an unclosed comment tag (<!-- or -->) in it, your ssl isn’t working.
  • Check if port 443 is open on your server:  http://www.yougetsignal.com/tools/open-ports/
  • Check if your firewall has port 443 open 

 

If you have any comments or suggestions, feel free to leave a reply

 

Yu Fei
6 years ago

Hello, thank you for your wowza with ssl instruction. I’ve one question. Do you face memory consumption after switching to https streaming? I’ve faced this problem: with only 100+ viewers, wowza eats about 48GB of my memory (without https, it eats about 6-8GB).

Many Ayromlou
5 years ago

Hey Maca,

Not sure if you’ve gone any further in this, but I used some of your suggestions in here, so I thought I contribute a bit. In terms of automating letsencrypt (BTW, I use certbot which is from eff and seems to be more stable….just google “certbot linux installation” and pick the eff.org link) SSL cert issue, I used the DNS challenge. I have a dedicated Wowza server that does not have anything else installed on it and I do control the DNS zone files for our domain.

The command I use to initially get the cert is :

certbot certonly --preferred-challenges=dns --manual -d wowza.server.domain.com

This process (after the email registration questions) prompts you to create a TXT field in your DNS with a random string value they give you. Once you’ve done that and updated your DNS server, you continue the process for certbot (certbot actually stops and waits for you to do the DNS stuff and come back to it), which then goes on to do the verification. You do not remove the TXT field out of DNS, all future renewal challenges are done using this method. You just have to give your DNS server enough time to update and flush its cache before you let certbot continue to “verify” the random value for the TXT field, otherwise it fails and you have to do the whole thing over again with a new random value (which is a bit of a PITA).

Once you have the cert you can just use the following in cron to renew and import (thanks for the info about the jar tool to import):

22 1 * * * /usr/bin/certbot renew
@weekly /usr/bin/java -jar /usr/local/WowzaStreamingEngine/lib/wowza-letsencrypt-converter-0.1.jar -v \
/usr/local/WowzaStreamingEngine/conf/ /etc/letsencrypt/live/ > /dev/null 2>&1

Since your challenge process is not independent of Wowza server (or apache/httpd), the renew process runs without prompts.

Thanks for the info on robymus’ import tool….

electromusicnetwork.net
5 years ago

Very nice write-up. I certainly appreciate this site.
Stick with it!

Arcadio
5 years ago

You are the best!!.. works perfect

Lamadya
4 years ago

How to run My stream HLS with Https Like This
https://myserver:1935/live/mystream/playlist.m3u8

Manoj Kumar
4 years ago

I renewed a certificate but the days still have not increased. I want to know why?

Alencar
3 years ago

Hi, it doesn’t work on my CentOS 7 with Wowza 4.8.0…. various errors…..

Alencar
3 years ago

do you think i better try to install ubuntu server and wowza 4.8.0?

do you think that your tutorial will work for me?

Alencar
3 years ago

But I didn’t get it at Centos 7.
I do everything right, but when I modify the Wowza panel to use port 8090 in https, then the Wowza page doesn’t open anymore, nor the page in http.

this step to modify the file that manages the page in http and https is very confusing when placing the CMD code.

Alencar
3 years ago

Hello, your new tutorial was wonderful.
I managed to follow it perfectly.

However, streaming on port 1935 does not work either over http or https

Was something missing?

When I put the URL in Player Wowza it doesn’t play.

Alencar
3 years ago

I took the test now.

I’m using Centos 7 with Wowza 4.8.0

If I go to https://player.wowza.com and assemble the player with my streaming, the Wowza player does not play.

But if I take my URL and open it on VLC then it will play.

However it only accepts if it is http, if I put https in my url then it does not work at all.

Is this method only for the Wowza SSL panel?

You can’t do streaming over https on port 1935, right?

MY URL WORKING ONLY VLC:
http://IP-ADDRESS:1935/XXXXXX/XXXXXX/playlist.m3u8

I NEED THIS URL:, AND I NEED WORKING IN PLAYER WOWZA:
https://IP-ADDRESS:1935/XXXXXX/XXXXXX/playlist.m3u8

edit(maca): i removed your ipaddress and streamname. I would advise not to use them in comments.

Alencar
3 years ago

I didn’t understand why you deleted my last question …

Alencar
3 years ago

I just asked whether this tutorial only works for the Wowza management panel?

I really wanted to be able to do streaming on port 1935 in ssl.

But in the wowza player, video streaming does not work on either http or https.

I can only see my streaming at http on port 1935 by VLC.

Alencar
3 years ago

Hello, yes I did your step by step and Wowza 4.8 worked on https with LetsEncrypt perfectly.

The only thing that doesn’t work is streaming over https on port 1935.

So the only thing that works on ssl is the Wowza control panel, the streaming has to be done only on http on port 1935.

I wanted to make Wowza work entirely in ssl, both the panel and the streaming on port 1935.

The Wowza player will be discontinued, I’m still kind of desperate for another solution, as I can’t use any other player to distribute my streaming.

Wowza Player will stop working in January 2021.