SSL Letsencrypt on Wowza 4.x Server – Frontend + Backend

Update July 1st, 2020

I created new pages for installation of Letsencrypt on CentOS7 and Ubuntu 18/20.04

Wowza 4.8.x – Ubuntu 18.04/20.04 – Letsencrypt

Wowza 4.8.x – CentOS7 – Letsencrypt

The post below is deprecated and not supported anymore.

Update june 22 2020,

I deleted the latest update, because somehow the letsencrypt setup doesn't work anymore since 4.8.0. I have to do extended testing on this. So from today this page is not supported anymore. Feel free to leave a comment if you want. Whenever I have an update on this I will create a post.

Update april 18, 2018

I found out that Java 8 had issues installing on Ubuntu 16.04. After fixing that, I wanted to install letsencrypt, but that part has also changed a bit. I will update this tutorial in the coming days and will probably have an update in 2 days (April 20). Tests went fine, but I will double-check with a fresh install of Ubuntu, Wowza and letsencrypt. The tutorial should work (I adjusted some commands and explanations).

I will also update this tutorial with how to set up a firewall (I use CSF) for my Wowza usage.

Update Oct 20, 2017. I found out the letsencrypt certificate is not being renewed automatically. Added the renewal process at the bottom of this page, before Troubleshooting.

Update August 17, 2017 – I had problems getting the backend running on SSL too, but I got that fixed.

How to install Letsencrypt on a Wowza Streamingengine server

The problem:
I ran into the problem where I had a web server and a domain running on an SSL certificate. From that point on I got errors that I couldn't connect to my Wowza server (which was non-SSL). So I had to figure out at least how to get the frontend of Wowza to also serve streams over an SSL certificate. Here you can see the issue I got in my JW Player, which runs on a domain with an SSL certificate:

Analyze:
So I started googling for it, but couldn't find a real solution to enable letsencrypt on Wowza. You can use StreamLock within Wowza, but I'm just running a developer Wowza server, so I wanted a different solution. The major part was the frontend. It would be nice to also use the backend (Engine Manager) on SSL. At this point I have both working.

So I did some testing and tweaking and got it figured out. This is what I will explain:

  • installation of letsencrypt
  • 2 cronjobs to update letsencrypt and renew the certificate automatically
  • converting the SSL certificate to JKS format
  • configuring the certificate within Wowza

Keep in mind:

  • Your server will probably use more memory because of the SSL encryption
  • Always test this in your test environment. Don't hold me responsible for it. This guide is provided as is.

I decided to make a complete installation guide of a Letsencrypt setup with the things I have found. Make sure to do this on a test environment first; I won't take responsibility if it breaks your setup. This tutorial is just a guide on how you might get it working within your environment! Lastly, you need root access to your server, and knowledge of your firewall (I can recommend CSF), so knowing how to open ports is a must.

The installation is broken down into 2 parts (installation of LetsEncrypt and the configuration within Wowza).

References/Credits:

Installation LetsEncrypt SSL

Log in to your Wowza server with PuTTY or another SSH client and go to the tmp directory or your home directory; I always prefer the tmp directory.

cd /tmp

Make sure your server is up to date: 

apt-get update && sudo apt-get upgrade

Install Git and clone the certbot repository to your server

apt-get install git
git clone https://github.com/certbot/certbot /opt/letsencrypt

Navigate to your letsencrypt directory

cd /opt/letsencrypt

From here you have to change the domain name. My domain name (vps4.vanmarion.nl) points to my Wowza server, so I will use that domain. Change it to yours.

sudo certbot certonly --standalone --preferred-challenges http -d vps4.vanmarion.nl

Now you have to enter a valid email address, which will be the administrative address. It will be used if the certificate is giving you issues. Also agree to the terms.
The last question is whether you are willing to share your email address. I answered Y; it's up to you what you want.

Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to
cancel): jeroen@vanmarion.nl

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for vps1.vanmarion.nl
Waiting for verification…
Cleaning up challenges


After the installation you should see a message similar to this one.
The certificate expires after 90 days.

- If you lose your account credentials, you can recover them through
  e-mails sent to somebody@example.com.
- Congratulations! Your certificate and chain have been saved at
  /etc/letsencrypt/live/vps1.vanmarion.nl/fullchain.pem. Your
  cert will expire on 2017-10-29. To obtain a new version of the
  certificate in the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
  configuration directory at /etc/letsencrypt. You should make a
  secure backup of this folder now. This configuration directory will
  also contain certificates and private keys obtained by Let's
  Encrypt, so making regular backups of this folder is ideal.
- If you like Let's Encrypt, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
  Donating to EFF:                    https://eff.org/donate-le

Some checks to see if your certificate has been created

List the /etc/letsencrypt/live directory:

ls /etc/letsencrypt/live

Each domain name you passed to certbot with -d has its own directory. List any of these domain directories:

ls /etc/letsencrypt/live/vps1.vanmarion.nl

You should see it like this:

cert.pem chain.pem fullchain.pem privkey.pem

Each key (.pem) file serves a different purpose:

  • cert.pem: server certificate only
  • chain.pem: root and intermediate certificates only
  • fullchain.pem: combination of server, root and intermediate certificates (replaces cert.pem and chain.pem).
  • privkey.pem: private key (do not share this with anyone!).

Let's Encrypt issues certificates from intermediate certificate authorities. The intermediate certificates have been cross-signed by IdenTrust, which ensures compatibility between the end certificate and all major browsers.

For good measure, display the file status of fullchain.pem (change vps1.vanmarion.nl to your domain):

stat /etc/letsencrypt/live/vps1.vanmarion.nl/fullchain.pem

#which will give this output
File: ‘live/vps4.vanmarion.nl/cert.pem’ -> ‘../../archive/vps4.vanmarion.nl/cert1.pem’
 Size: 46 Blocks: 0 IO Block: 4096 symbolic link
Device: 801h/2049d Inode: 1298340 Links: 1
Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2018-04-18 02:58:40.840073805 +0200
Modify: 2018-04-18 02:58:40.812073942 +0200
Change: 2018-04-18 02:58:40.812073942 +0200
 Birth: -


Cronjobs

These are needed to automatically update letsencrypt and renew your SSL certificate when needed. Add these 2 lines to the crontab and change vps1.vanmarion.nl to your own domain. I use the vi editor; if you use nano you know how to edit the crontab file.

crontab -e

#add these 2 lines (a crontab edited with `crontab -e` has no user column;
#the `root` user field only belongs in /etc/crontab and /etc/cron.d, so it is left out here)
@weekly cd /opt/letsencrypt && git pull >> /var/log/letsencrypt/letsencrypt-auto-update.log
@monthly /opt/letsencrypt/letsencrypt-auto certonly --quiet --standalone --renew-by-default -d vps4.vanmarion.nl >> /var/log/letsencrypt/letsencrypt-auto-update.log

So now every week letsencrypt is updated and every month the SSL certificate is checked and renewed.

Ok, for now letsencrypt is installed. Time to switch to the Wowza setup.

Wowza Configuration

Robymus made a Java converter which converts the Let's Encrypt certificate to a JKS keystore. For more information, please visit his GitHub page. For this installation I like to keep my Wowza Java files in one place, so I will download the jar file to the lib directory.

cd /usr/local/WowzaStreamingEngine/lib 
wget https://github.com/robymus/wowza-letsencrypt-converter/releases/download/v0.1/wowza-letsencrypt-converter-0.1.jar
  • The letsencrypt-live-path parameter defaults to /etc/letsencrypt/live, as on common Linux systems; it might be different on others.
  • The output-path must be an existing and writable directory; a new JKS keystore will be created there for every certificate in the input directory.
  • A file jksmap.txt is also written there, containing the domain-to-keystore mapping to be used in the VHost.xml of Wowza Streaming Engine.
  • The generated JKS password will be 'secret'.

So now we will put the generated files in the conf directory. You are free to do otherwise, as long as you know where you put the files, because you need the paths later on in this installation.

cd /usr/local/WowzaStreamingEngine/lib
java -jar wowza-letsencrypt-converter-0.1.jar -v /usr/local/WowzaStreamingEngine/conf/ /etc/letsencrypt/live/

So, let's see if the files were created:

cd /usr/local/WowzaStreamingEngine/conf/
ls

#you should see these files (where vps1.vanmarion.nl should be your domain)

vps1.vanmarion.nl.jks
jksmap.txt

We now need the content of the jksmap.txt file, so we can use that in the Wowza configuration (VHost.xml).

The .jks file is the keystore Wowza will load. The jksmap.txt is readable and holds the settings you need, so we will put those in the VHost.xml file.
cd /usr/local/WowzaStreamingEngine/conf/
cat jksmap.txt

#result:
vps1.vanmarion.nl={"keyStorePath":"/usr/local/WowzaStreamingEngine/conf/vps1.vanmarion.nl.jks", "keyStorePassword":"secret", "keyStoreType":"JKS"}

As you can see, there is the data we need:

  • keyStorePath: /usr/local/WowzaStreamingEngine/conf/vps4.vanmarion.nl.jks
  • keyStorePassword: secret

Those are the only 2 values you need (copy and save them somewhere locally).

Open the Wowza VHost.xml, search for the 443 HostPort and remove the <!-- before <HostPort> and the --> after </HostPort>.

vi /usr/local/WowzaStreamingEngine/conf/VHost.xml

# remove the <!-- at the start and --> at the end of the HostPort element. 

<!-- 443 with SSL -->
            <!--
            <HostPort>
                <Name>Default SSL Streaming</Name>
                <Type>Streaming</Type>
                <ProcessorCount>${com.wowza.wms.TuningAuto}</ProcessorCount>
                <IpAddress>*</IpAddress>
                <Port>443</Port>
                <HTTPIdent2Response></HTTPIdent2Response>
                <SSLConfig>
                    <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/keystore.jks</KeyStorePath>
                    <KeyStorePassword>[password]</KeyStorePassword>
                    <KeyStoreType>JKS</KeyStoreType>
                    <DomainToKeyStoreMapPath></DomainToKeyStoreMapPath>
                    <SSLProtocol>TLS</SSLProtocol>
                    <Algorithm>SunX509</Algorithm>
                    <CipherSuites></CipherSuites>
                    <Protocols></Protocols>
                </SSLConfig>
                <SocketConfiguration>
                    <ReuseAddress>true</ReuseAddress>
                    <ReceiveBufferSize>65000</ReceiveBufferSize>
                    <ReadBufferSize>65000</ReadBufferSize>
                    <SendBufferSize>65000</SendBufferSize>
                    <KeepAlive>true</KeepAlive>
                    <AcceptorBackLog>100</AcceptorBackLog>
                </SocketConfiguration>
                <HTTPStreamerAdapterIDs>cupertinostreaming,smoothstreaming,sanjosestreaming,dvrchunkstreaming,mpegdashstreaming</HTTPStreamerAdapterIDs>
                <HTTPProviders>
                    <HTTPProvider>
                        <BaseClass>com.wowza.wms.http.HTTPCrossdomain</BaseClass>
                        <RequestFilters>*crossdomain.xml</RequestFilters>
                        <AuthenticationMethod>none</AuthenticationMethod>
                    </HTTPProvider>
                    <HTTPProvider>
                        <BaseClass>com.wowza.wms.http.HTTPClientAccessPolicy</BaseClass>
                        <RequestFilters>*clientaccesspolicy.xml</RequestFilters>
                        <AuthenticationMethod>none</AuthenticationMethod>
                    </HTTPProvider>
                    <HTTPProvider>
                        <BaseClass>com.wowza.wms.http.HTTPProviderMediaList</BaseClass>
                        <RequestFilters>*jwplayer.rss|*jwplayer.smil|*medialist.smil|*manifest-rtmp.f4m</RequestFilters>
                        <AuthenticationMethod>none</AuthenticationMethod>
                    </HTTPProvider>
                    <HTTPProvider>
                        <BaseClass>com.wowza.wms.http.HTTPServerVersion</BaseClass>
                        <RequestFilters>*</RequestFilters>
                        <AuthenticationMethod>none</AuthenticationMethod>
                    </HTTPProvider>
                </HTTPProviders>
            </HostPort>
            -->

At the same time you also have to edit these 2 lines:

<KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/keystore.jks</KeyStorePath>
<KeyStorePassword>[password]</KeyStorePassword>

To (change vps4.vanmarion.nl to your domain):

<KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/vps4.vanmarion.nl.jks</KeyStorePath>
<KeyStorePassword>secret</KeyStorePassword>

So the new <!-- 443 with SSL --> part should look like this after the change.

<!-- 443 with SSL -->
            <HostPort>
                <Name>Default SSL Streaming</Name>
                <Type>Streaming</Type>
                <ProcessorCount>${com.wowza.wms.TuningAuto}</ProcessorCount>
                <IpAddress>*</IpAddress>
                <Port>443</Port>
                <HTTPIdent2Response></HTTPIdent2Response>
                <SSLConfig>
                    <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/vps4.vanmarion.nl.jks</KeyStorePath>
                    <KeyStorePassword>secret</KeyStorePassword>
                    <KeyStoreType>JKS</KeyStoreType>
                    <DomainToKeyStoreMapPath></DomainToKeyStoreMapPath>
                    <SSLProtocol>TLS</SSLProtocol>
                    <Algorithm>SunX509</Algorithm>
                    <CipherSuites></CipherSuites>
                    <Protocols></Protocols>
                </SSLConfig>
                <SocketConfiguration>
                    <ReuseAddress>true</ReuseAddress>
                    <ReceiveBufferSize>65000</ReceiveBufferSize>
                    <ReadBufferSize>65000</ReadBufferSize>
                    <SendBufferSize>65000</SendBufferSize>
                    <KeepAlive>true</KeepAlive>
                    <AcceptorBackLog>100</AcceptorBackLog>
                </SocketConfiguration>
                <HTTPStreamerAdapterIDs>cupertinostreaming,smoothstreaming,sanjosestreaming,dvrchunkstreaming,mpegdashstreaming</HTTPStreamerAdapterIDs>
                <HTTPProviders>
                    <HTTPProvider>
                        <BaseClass>com.wowza.wms.http.HTTPCrossdomain</BaseClass>
                        <RequestFilters>*crossdomain.xml</RequestFilters>
                        <AuthenticationMethod>none</AuthenticationMethod>
                    </HTTPProvider>
                    <HTTPProvider>
                        <BaseClass>com.wowza.wms.http.HTTPClientAccessPolicy</BaseClass>
                        <RequestFilters>*clientaccesspolicy.xml</RequestFilters>
                        <AuthenticationMethod>none</AuthenticationMethod>
                    </HTTPProvider>
                    <HTTPProvider>
                        <BaseClass>com.wowza.wms.http.HTTPProviderMediaList</BaseClass>
                        <RequestFilters>*jwplayer.rss|*jwplayer.smil|*medialist.smil|*manifest-rtmp.f4m</RequestFilters>
                        <AuthenticationMethod>none</AuthenticationMethod>
                    </HTTPProvider>
                    <HTTPProvider>
                        <BaseClass>com.wowza.wms.http.HTTPServerVersion</BaseClass>
                        <RequestFilters>*</RequestFilters>
                        <AuthenticationMethod>none</AuthenticationMethod>
                    </HTTPProvider>
                </HTTPProviders>
            </HostPort>

Ok. Done, save the file and restart the Streaming Engine.

service WowzaStreamingEngine restart

Make sure you have opened port 443 on your firewall. 

Backend (EngineManager) on SSL

To be able to run the Engine Manager on https too, you have to change the startmgr.sh file. The Engine Manager runs on its own port (normally 8088); for SSL we are going to use 8090. From then on you will use port 8090 to reach the Engine Manager.

Ok. Open the file startmgr.sh

vi /usr/local/WowzaStreamingEngine/manager/bin/startmgr.sh

In this file you will see 2 CMD commands. Because I'm using the Streaming Engine and not the cloud, I only have to change the second CMD command. We need the location of the jks file we created above. So if you have done that right it should look like this (my jks file vps1.vanmarion.nl.jks is located in the conf directory):

Note: it's best to comment out the original line by putting # in front of it. Then copy that same line to Notepad, make your adjustments and paste it below the original. That way you can always roll back easily if it doesn't work.

Note: Make sure the complete command is on 1 line (my new command):

CMD="$_EXECJAVA -Dcom.wowza.wms.ConfigURL=\"\" -Dcom.wowza.wms.ConfigHome=$WMSMGR_HOME -Djava.io.tmpdir=$WMSMGR_HOME/temp -Dlog4j.configuration=file://$WMSMGR_HOME/conf/winstone.properties -Djava.net.preferIPv4Stack=true -jar $WMSMGR_HOME/lib/wms-winstone-1.0.5-boot.jar --prefix=/enginemanager --defaultWebApp=/enginemanager --tempDirectory=$WMSMGR_HOME/temp --webroot=$WMSMGR_HOME/temp --warfile=$WMSMGR_HOME/lib/WMSManager.war --httpPort=8088 --httpsPort=8090 --httpsKeyStore="/usr/local/WowzaStreamingEngine/conf/vps1.vanmarion.nl.jks" --httpsKeyStorePassword="secret" --directoryListings=false"

So what did I do? I added these options after --httpPort=8088 and before --directoryListings=false:

--httpsPort=8090 --httpsKeyStore="/usr/local/WowzaStreamingEngine/conf/vps4.vanmarion.nl.jks" --httpsKeyStorePassword="secret"

--httpsPort=8090  // the new port where the Engine Manager will listen for SSL access
--httpsKeyStore="/usr/local/WowzaStreamingEngine/conf/vps1.vanmarion.nl.jks"  // the location of my jks file
--httpsKeyStorePassword="secret"  // the password needed for the jks file

Example of my code


After this you can restart the Wowza Engine and the Manager.

service WowzaStreamingEngine restart
service WowzaStreamingEngineManager restart

#make sure to check if both are started
ps aux

So your new urls would be:
Frontend: https://YOUR_WOWZA_IPADDRESS:443 
Backend: https://YOUR_WOWZA_IPADDRESS:8090/enginemanager/

If all checks (see SSL checks below) are ok, you can disable http and switch the backend completely to https.

If you only want to run the backend on SSL, edit the startmgr.sh file again and change --httpPort=8088 to --httpPort=-1,

and restart the Engine Manager again.

SSL Checks

If you want to check your freshly installed SSL certificate, make sure to run a detailed test on it. Go to this url in your browser (change vps1.vanmarion.nl to your domain):

https://www.ssllabs.com/ssltest/analyze.html?d=vps1.vanmarion.nl

Get some coffee, the complete check can take a while ;).
The SSL check results also show some things I have to fix on my server (it's a freshly installed server, so I haven't fixed them yet). So it will also give some advice on fixing your server.

Make sure to fix the problems from the report, or as many as possible. In my case it is a fresh server and I have some work/fixing to do:


Conclusion

I have the SSL installed. I changed my wowza url in jwplayer from http://vps1.vanmarion.nl:1935/vod/transformers_last_knight_2017.mp4/playlist.m3u8
to: https://vps1.vanmarion.nl:443/vod/transformers_last_knight_2017.mp4/playlist.m3u8

# mind the http to https and the port change 1935 to 443

And now it starts playing again. 


Renewing your SSL certificate

I hoped that with the cronjobs the renewal process would run automatically, but that didn't happen. So this is what I did to renew the SSL certificate. First stop the Wowza server, otherwise certbot cannot bind the address/port.

service WowzaStreamingEngine stop
service WowzaStreamingEngineManager stop

Then follow these steps.

I renewed the certificate by running certbot again.

cd /opt/letsencrypt
sudo certbot certonly --standalone --preferred-challenges http -d vps4.vanmarion.nl

It will ask you what you want to do; choose 2.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/vps4.vanmarion.nl.conf)

What would you like to do?
-------------------------------------------------------------------------------
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

After that certbot will renew the certificate.

Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for vps1.vanmarion.nl
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/vps1.vanmarion.nl/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/vps4.vanmarion.nl/privkey.pem
   Your cert will expire on 2018-07-18. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Then rerun the letsencrypt converter to create a new .jks file and jksmap.txt.

cd /usr/local/WowzaStreamingEngine/lib
java -jar wowza-letsencrypt-converter-0.1.jar -v /usr/local/WowzaStreamingEngine/conf/ /etc/letsencrypt/live/

Check that the .jks file now has today's date.

cd /usr/local/WowzaStreamingEngine/conf; ls -la
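A small check script, added here as an example (it is not part of this tutorial or of robymus' converter), that covers two of the steps above: it parses jksmap.txt into the values VHost.xml needs (the jksmap step in the Wowza configuration) and flags a keystore that is older than the renewed fullchain.pem, which is exactly what "check that the .jks file has today's date" guards against, as well as a keystore readable by other users (its password is always 'secret'). It assumes the /etc/letsencrypt/live and /usr/local/WowzaStreamingEngine/conf paths used on this page; the sample jksmap line is constructed from the page's own output.

```python
"""Post-conversion checks for the Let's Encrypt -> Wowza JKS setup.

Added example, not part of the tutorial or of wowza-letsencrypt-converter.
Reads the jksmap.txt the converter writes (one `domain=JSON` line per
certificate), prints the <SSLConfig> values for VHost.xml and warns when
the keystore is older than the renewed fullchain.pem (certbot renewed,
converter not rerun) or readable by other local users.
"""
import json
import os
import stat
import sys

# Constructed sample in the converter's output format (see `cat jksmap.txt`
# on the page); domain and paths are the page's own examples.
SAMPLE_JKSMAP = (
    'vps1.vanmarion.nl={"keyStorePath":"/usr/local/WowzaStreamingEngine/conf/'
    'vps1.vanmarion.nl.jks", "keyStorePassword":"secret", "keyStoreType":"JKS"}\n'
)


def parse_jksmap(text):
    """Parse jksmap.txt text into {domain: {keyStorePath, keyStorePassword, keyStoreType}}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first '=' only; the JSON value (a path) could contain '='.
        domain, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed jksmap line: %r" % raw)
        entry = json.loads(value)
        for key in ("keyStorePath", "keyStorePassword", "keyStoreType"):
            if key not in entry:
                raise ValueError("%s is missing %s" % (domain, key))
        entries[domain.strip()] = entry
    return entries


def sslconfig_lines(entry):
    """Return the three <SSLConfig> child elements VHost.xml needs for one keystore."""
    return [
        "<KeyStorePath>%s</KeyStorePath>" % entry["keyStorePath"],
        "<KeyStorePassword>%s</KeyStorePassword>" % entry["keyStorePassword"],
        "<KeyStoreType>%s</KeyStoreType>" % entry["keyStoreType"],
    ]


def keystore_is_stale(jks_mtime, fullchain_mtime):
    """True when certbot wrote a newer fullchain.pem than the keystore Wowza serves from."""
    return fullchain_mtime > jks_mtime


def keystore_mode_ok(mode):
    """True when the keystore is not readable by group or others (its password is fixed)."""
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def check_domain(domain, entry, live_dir="/etc/letsencrypt/live"):
    """Run the file-based checks for one domain; returns a list of problem strings."""
    problems = []
    jks = entry["keyStorePath"]
    pem = os.path.join(live_dir, domain, "fullchain.pem")
    if not os.path.exists(jks):
        return ["%s: keystore %s does not exist" % (domain, jks)]
    # getmtime follows the live/ symlink, so this is the time of the last renewal.
    if os.path.exists(pem) and keystore_is_stale(os.path.getmtime(jks), os.path.getmtime(pem)):
        problems.append("%s: %s is older than %s, rerun the converter" % (domain, jks, pem))
    if not keystore_mode_ok(os.stat(jks).st_mode):
        problems.append("%s: %s is readable by other users, chmod 600 it" % (domain, jks))
    return problems


def main(argv):
    """Usage: python check_jks.py [/path/to/jksmap.txt]; exit status 1 when a problem is found."""
    path = argv[1] if len(argv) > 1 else "/usr/local/WowzaStreamingEngine/conf/jksmap.txt"
    with open(path) as fh:
        entries = parse_jksmap(fh.read())
    rc = 0
    for domain, entry in entries.items():
        print("# %s" % domain)
        for line in sslconfig_lines(entry):
            print("    " + line)
        for problem in check_domain(domain, entry):
            print("WARNING: " + problem)
            rc = 1
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```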

And that's all you have to do. Start Wowza again, run an SSL check again, and check that the streams still play on your current urls and ports.

service WowzaStreamingEngine start
service WowzaStreamingEngineManager start

SSL check (change domain_name to your Wowza server address):

https://www.ssllabs.com/ssltest/analyze.html?d=domain_name

Troubleshooting

If for some reason your SSL is not working or your stream is not being played, check these things:

  • Make sure the comment tags in the SSL part of your VHost.xml are deleted. Wowza restarts without any problems, but if there is still an unclosed comment tag (<!-- or -->) in it, your SSL won't work.
  • Check if port 443 is reachable on your server: http://www.yougetsignal.com/tools/open-ports/
  • Check if your firewall has port 443 open

If you have any comments or suggestions, feel free to leave a reply.

25 Responses

  1. Yu Fei says:

    Hello, thank you for your Wowza with SSL instructions. I have one question. Do you see high memory consumption after switching to https streaming? I've faced this problem: with only 100+ viewers, Wowza eats about 48GB of my memory (without https it eats about 6-8GB).

    • maca says:

      Hi,
      Thx for the feedback.
      SSL probably will consume more RAM because of the encryption. Is your server using more RAM for caching or is your server actually running out of memory? I don't have a big Wowza server running like that, but I will do some testing on one of my VPS machines (only have 4GB RAM on the biggest one). I assume it will use more RAM. Will do some research on it.

  2. Hey Maca,

    Not sure if you’ve gone any further in this, but I used some of your suggestions in here, so I thought I contribute a bit. In terms of automating letsencrypt (BTW, I use certbot which is from eff and seems to be more stable….just google “certbot linux installation” and pick the eff.org link) SSL cert issue, I used the DNS challenge. I have a dedicated Wowza server that does not have anything else installed on it and I do control the DNS zone files for our domain.

    The command I use to initially get the cert is :

    certbot certonly --preferred-challenges=dns --manual -d wowza.server.domain.com

    This process (after the email registration questions) prompts you to create a TXT record in your DNS with a random string value they give you. Once you've done that and updated your DNS server, you continue the process for certbot (certbot actually stops and waits for you to do the DNS stuff and come back to it), which then goes on to do the verification. You do not remove the TXT record from DNS; all future renewal challenges are done using this method. You just have to give your DNS server enough time to update and flush its cache before you let certbot continue to "verify" the random value for the TXT record, otherwise it fails and you have to do the whole thing over again with a new random value (which is a bit of a PITA).

    Once you have the cert you can just use the following in cron to renew and import (thanks for the info about the jar tool to import):

    22 1 * * * /usr/bin/certbot renew
    @weekly /usr/bin/java -jar /usr/local/WowzaStreamingEngine/lib/wowza-letsencrypt-converter-0.1.jar -v \
    /usr/local/WowzaStreamingEngine/conf/ /etc/letsencrypt/live/ > /dev/null 2>&1

    Since your challenge process is not independent of Wowza server (or apache/httpd), the renew process runs without prompts.

    Thanks for the info on robymus’ import tool….

    • maca says:

      Hi Many,
      Thx for your feedback and commands. Highly appreciated! Will certainly try it. I'm always in for new things to try. I wonder though about the renewal. I was in contact with robymus on this and he said that you might still have to renew the Wowza certificate manually. But there's only one way to find out what works and what doesn't.

      At the moment I'm working on a new Wowza dashboard renewal. The current code was a good first try. And still I don't see anything else around, so I will renew that part, maybe with extra server support. So... for that I will reinstall my dev Wowza server and give your setup a try. Will let you know. Can I contact you by email if I have any questions?
      Regards,
      Jeroen / Maca

  3. Very nice write-up. I certainly appreciate this site.
    Stick with it!

  4. Arcadio says:

    You are the best!! Works perfectly.

  5. Manoj Kumar says:

    I renewed a certificate but the number of days still hasn't increased. Why? I want to know.

    • maca says:

      Hi,
      What are the exact steps you did for renewal? The tutorial is over 2 years old and I haven't checked it lately, so can you point out what is going wrong?

  6. Alencar says:

    Hi, it doesn't work on my CentOS 7 with Wowza 4.8.0.... various errors.....

    • maca says:

      I can’t help you if you don’t tell me what the errors are.

      • maca says:

        Ok. Did a test with CentOS 7 and there is a slightly different approach now (since 4.7.3).
        Will do an update on the Wowza with SSL frontend and backend for CentOS 7 and for Ubuntu 18.04 and 20.4 and the latest Wowza and Java. I think that will cover it all then.

        I also found out that when I updated the site a couple of days ago, the code tag wasn't working anymore, so the tutorial has become a bit messy now.

  7. Alencar says:

    Do you think I'd better try to install Ubuntu server and Wowza 4.8.0?

    Do you think that your tutorial will work for me?

    • maca says:

      From what I see the situation for Ubuntu has also changed. Will run a test on that one too. It's up to you what to use for OS. If you are comfortable with CentOS feel free to use that.

  8. Alencar says:

    But I didn't get it working on CentOS 7.
    I do everything right, but when I modify the Wowza panel to use port 8090 in https, the Wowza page doesn't open anymore, nor the page in http.

    The step to modify the file that manages the page in http and https is very confusing when placing the CMD code.

    • maca says:

      Hi Alencar,
      According to my (old) tutorial you are doing it correctly, but the method has changed. The startmgr.sh doesn't need to be changed anymore; now you have to change the Tomcat properties. I will write a new tutorial this weekend.

  9. Alencar says:

    Hello, your new tutorial was wonderful.
    I managed to follow it perfectly.

    However, streaming on port 1935 does not work either over http or https.

    Was something missing?

    When I put the URL in Player Wowza it doesn’t play.

  10. Alencar says:

    I took the test now.

    I'm using CentOS 7 with Wowza 4.8.0

    If I go to https://player.wowza.com and assemble the player with my streaming, the Wowza player does not play.

    But if I take my URL and open it on VLC then it will play.

    However it only accepts if it is http, if I put https in my url then it does not work at all.

    Is this method only for the Wowza SSL panel?

    You can't stream https on port 1935, right?

    MY URL WORKING ONLY VLC:
    http://IP-ADDRESS:1935/XXXXXX/XXXXXX/playlist.m3u8

    I NEED THIS URL:, AND I NEED WORKING IN PLAYER WOWZA:
    https://IP-ADDRESS:1935/XXXXXX/XXXXXX/playlist.m3u8

    edit(maca): I removed your IP address and stream name. I would advise not to use them in comments.

  11. Alencar says:

    I didn’t understand why you deleted my last question …

  12. Alencar says:

    I just asked whether this tutorial only works for the Wowza management panel?

    I really wanted to be able to stream on port 1935 in SSL.

    But in the Wowza player, video streaming does not work on either http or https.

    I can only see my streaming at http on port 1935 with VLC.

    • maca says:

      Ok, let me recap some things:
      Q: “Is this method only for the Wowza SSL panel?”
      A: At the time I wrote this tutorial (3 years ago) it was for frontend (in jwplayer, vlc) and for backend (enginemanager).
      – I don't support Wowza Player, because for some parts of Wowza you need a subscription (which I don't have), and the player is buggy. I mostly use jwplayer or vlc for testing/playback. So for extra information regarding Wowza Player I refer to: https://www.wowza.com/docs/getting-started-with-wowza-player
      A note on that page: Effective April 2, 2020, new Wowza Player licenses are no longer available. So I don't know if Wowza will keep supporting the player.

      Q: "You can't stream https on port 1935, right?"
      A: It shouldn’t be a problem.

      If you really are in a hurry I would advise you to use StreamLock from Wowza. It used to be a paid subscription, but it is free now. So if letsencrypt is not for you and you don't feel like debugging, please feel free to use StreamLock.

      I have to test what the problem is with this version, whether it is SSL related or OS related. I have very limited free time to test this. I have sent you a quick fix (by email), but that didn't work for you. So at this point I don't have a solution for you.

  13. Alencar says:

    Hello, yes I did your step by step and Wowza 4.8 worked on https with Let's Encrypt perfectly.

    The only thing that doesn't work is streaming over https on port 1935.

    So the only thing that works on SSL is the Wowza control panel; the streaming has to be done only on http on port 1935.

    I wanted to make Wowza work entirely in SSL, both the panel and the streaming on port 1935.

    The Wowza player will be discontinued, I’m still kind of desperate for another solution, as I can’t use any other player to distribute my streaming.

    Wowza Player will stop working in January 2021.

    • maca says:

      Hi Alencar,
      I just finished a clean setup on CentOS 7 with Wowza 4.8.0 and 4.8.5.
      It allows me to stream over SSL over port 443 or over port 1935.

      In case you want to use port 1935:
      In the Engine Manager go to Virtual Host setup > Edit the Host ports.
      Add port 443 > enable SSL and enter the jks location including the password there.
      Port 1935 is present by default; also enable SSL there and enter the location of the jks file.

      I will start creating a new page for this. This page is getting viewed many times and I'm getting more questions about current setups.
