SSL Letsencrypt on Wowza 4.x Server – Frontend + Backend

Update April 18, 2018

I found out that Java 8 had issues installing on Ubuntu 16.04. After that was fixed, I wanted to install Let's Encrypt, but that part has also changed a bit. I will update this tutorial in the coming days, probably within 2 days (April 20). Tests went fine, but I will double-check with a fresh install of Ubuntu, Wowza and Let's Encrypt. The tutorial should work (I adjusted some commands and explanations).

I will also update this tutorial with how to set up a firewall (I use CSF) for my Wowza usage.

Update Oct 20, 2017. I found out the Let's Encrypt certificate is not being renewed automatically. Added the renewal process at the bottom of this page, before Troubleshooting.

Update August 17, 2017 – I had problems getting the backend running on SSL too, but I got that fixed.

How to install Let's Encrypt on a Wowza Streaming Engine server

The problem:
I ran into the problem where I had a web server and a domain running on an SSL certificate. From that point on I got errors that I couldn't connect to my Wowza server (which was non-SSL): a page served over HTTPS is not allowed to load a plain-HTTP stream, browsers block it as mixed content. So I had to figure out at least how to get the frontend of Wowza to serve its streams over an SSL certificate as well. Here you can see the issue I got in my JW Player, which runs on a domain with an SSL certificate:

Analysis:
So I started googling, but couldn't find a real solution for enabling Let's Encrypt on Wowza. You can use StreamLock within Wowza, but I'm just running a developer Wowza server, so I wanted a different solution. The major part was the frontend. It would be nice to also run the backend (Engine Manager) on SSL. At this point I have both working.

So I did some testing and tweaking and got it figured out. This is what I will explain:

  • installation of Let's Encrypt
  • 2 cronjobs to update Let's Encrypt and renew the certificate automatically
  • convert the SSL certificate to JKS format
  • configure the certificate within Wowza

Keep in mind:

  • Your server may see an increase in virtual memory because of SSL
  • Always test this in your test environment. Don't hold me responsible for it. This guide is provided as is.

I decided to make a complete installation guide of a Let's Encrypt setup with the things I have found. Make sure to do this on a test environment first; I won't take responsibility if it breaks your setup. This tutorial is just a guide on how you might get it to work within your environment! Lastly, you need root access to your server and knowledge of your firewall (I can recommend CSF), so knowing how to open ports is a must.

The installation is broken down into 2 parts: installation of Let's Encrypt and the configuration within Wowza.

References/Credits:

Installation of Let's Encrypt SSL

Log in to your Wowza server with PuTTY or another SSH client and go to the tmp directory or your home directory; I always prefer the tmp directory.

Make sure your server is up to date: 

Install Git and add the Let's Encrypt repository to your server

Navigate to your letsencrypt directory

From here you have to change the domain name. My domain name (vps4.vanmarion.nl) points to my Wowza server, so I will use that domain. You have to change it to yours.

Now you have to set a valid email address, which will be the administrative email address. It will be used if the certificate is giving you issues. Also agree to the terms.
The last question is whether you are willing to share your email address. I chose Y. It's up to you.

After the installation you should see a message similar to this:
The expiration date is 90 days from now

Some checks to see whether your certificate has been created

List the /etc/letsencrypt/live directory:

Each domain name you specified when creating the certificate has its own directory. List one of these domain directories:

You should see something like this:

Each .pem file serves a different purpose:

  • cert.pem: server certificate only
  • chain.pem: root and intermediate certificates only
  • fullchain.pem: combination of server, root and intermediate certificates (replaces cert.pem and chain.pem).
  • privkey.pem: private key (do not share this with anyone!).

Let's Encrypt issues certificates from intermediate certificate authorities. The intermediate certificates have been cross-signed by IdenTrust, which ensures compatibility between the end certificate and all major browsers.

For good measure, display the file status of fullchain.pem (change vps1.vanmarion.nl to your domain):


Cronjobs

These are needed to update Let's Encrypt automatically and renew your SSL certificate when needed. Add these 2 lines to the crontab and change vps1.vanmarion.nl to your own domain. I use the vi editor; if you use nano, you know how to edit the crontab file.

So now Let's Encrypt is updated every week, and every month the SSL certificate is checked and renewed.

OK, for now Let's Encrypt is installed. Time to switch to the Wowza setup.

Wowza Configuration

Robymus made a Java converter which converts your SSL certificate to a JKS file. For more information, please visit his GitHub page. For this installation I like to keep my Wowza Java files in one place, so I will download the jar file to the lib directory.

  • The letsencrypt-live-path parameter defaults to /etc/letsencrypt/live, as is common on Linux systems; it might be different on others.
  • The output-path must be an existing and writable directory; a new JKS keystore will be created there for every certificate in the input directory,
  • together with a file jksmap.txt containing the domain-to-keystore mapping to be used in the VHost.xml of Wowza Streaming Engine.
  • The generated JKS password will be 'secret'.

So now we will put the needed files in the conf directory. You are free to do otherwise, as long as you know where you put the files, because you need the paths later in this installation.

So, let's see whether the files have been created:

We now need the content of the jksmap.txt file, so we can use it in the Wowza configuration (VHost.xml).

As you can see, there is the data we need:

  • keyStorePath: /usr/local/WowzaStreamingEngine/conf/vps4.vanmarion.nl.jks
  • keyStorePassword: secret

Those are the only 2 lines you need (copy and save them somewhere local).
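Instead of copying the two values by hand, the following shell helper (an added example, not code from this post or from the converter project) reads the keyStorePath and keyStorePassword for one domain out of jksmap.txt and checks the keystore file it points to. It assumes each jksmap.txt line has the domain-to-keystore map form domain={"keyStorePath":"...","keyStorePassword":"..."}; check your generated file and adjust the sed pattern if yours differs. The sample file it creates is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post or from the converter project.
# Pulls the keyStorePath / keyStorePassword for one domain out of the
# jksmap.txt the converter writes, and checks the keystore file itself.
# ASSUMPTION: each jksmap.txt line has the domain-to-keystore map form
#   domain={"keyStorePath":"/path/domain.jks","keyStorePassword":"secret"}
# Check your generated file; adjust the sed pattern if yours differs.

# jksmap_value FILE DOMAIN KEY -> prints KEY's value from DOMAIN's line
jksmap_value() {
  sed -n '/^'"$2"'=/ s/.*'"$3"'"\{0,1\} *: *"\{0,1\}\([^",}]*\).*/\1/p' "$1" | head -n 1
}

# keystore_check PATH -> 0 if the keystore exists and only its owner can read
# it. The converter always uses the fixed password "secret", so the file's
# permissions are what actually protects the private key inside it.
keystore_check() {
  [ -f "$1" ] || { echo "missing keystore: $1" >&2; return 1; }
  # ls -lL follows symlinks; columns 5-10 are the group and other bits
  mode=$(ls -lLd -- "$1" | cut -c5-10)
  [ "$mode" = "------" ] || { echo "keystore $1 is readable by others ($mode)" >&2; return 2; }
}

# wowza_ssl_settings MAPFILE DOMAIN -> the two values to paste into VHost.xml
wowza_ssl_settings() {
  path=$(jksmap_value "$1" "$2" keyStorePath)
  pass=$(jksmap_value "$1" "$2" keyStorePassword)
  [ -n "$path" ] && [ -n "$pass" ] || { echo "no entry for $2 in $1" >&2; return 1; }
  printf 'KeyStorePath=%s\nKeyStorePassword=%s\n' "$path" "$pass"
}

# Demo on a constructed sample in a temp dir (stands in for the conf directory)
demo=$(mktemp -d)
printf '%s\n' "vps4.vanmarion.nl={\"keyStorePath\":\"$demo/vps4.vanmarion.nl.jks\",\"keyStorePassword\":\"secret\"}" > "$demo/jksmap.txt"
: > "$demo/vps4.vanmarion.nl.jks" && chmod 600 "$demo/vps4.vanmarion.nl.jks"
wowza_ssl_settings "$demo/jksmap.txt" vps4.vanmarion.nl
keystore_check "$(jksmap_value "$demo/jksmap.txt" vps4.vanmarion.nl keyStorePath)" && echo "keystore OK"
rm -rf "$demo"
```

Point it at the real file with wowza_ssl_settings /usr/local/WowzaStreamingEngine/conf/jksmap.txt yourdomain; a keystore that is group- or world-readable is worth fixing before you put it in VHost.xml, because anyone with that read access gets the private key.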

Open the Wowza VHost.xml and search for the 443 HostPort. Remove the <!-- before <HostPort> and the --> after </HostPort>, so that the block is no longer commented out.

In the same block you also have to edit these 2 lines:
<KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/keystore.jks</KeyStorePath>
<KeyStorePassword>[password]</KeyStorePassword>

to the following (change vps1.vanmarion.nl to your domain):

So the new <!-- 443 with SSL --> part should look like this after the change.

OK, done. Save the file and restart the Streaming Engine.

Make sure you have opened port 443 in your firewall.

Backend (Engine Manager) on SSL

To be able to run the Engine Manager on HTTPS too, you have to change the startmgr.sh file. The Engine Manager runs on its own port (normally 8088), but for SSL we are going to use 8090. That port is only for the Engine Manager service, and it is the port you will use from now on.

OK. Open the file startmgr.sh

In this file you will see 2 CMD commands. Because I'm using the Streaming Engine and not the cloud version, I only have to change the second CMD command. We need the location of the JKS file we created above. If you have done that right, it should be like this (my JKS file vps1.vanmarion.nl.jks is located in the conf directory):

Note: it's best to comment out the original line by putting # in front of it. Then copy that same line to Notepad, make your adjustments and paste it below the original. That way, if it doesn't work, you can always roll back easily.

Note: make sure the complete command is on 1 line (my new command):

So what did I do? I added these options after --httpPort=8088 and before --directoryListings=false:

--httpsPort=8090  // the new port on which the Engine Manager will listen for SSL access
--httpsKeyStore="/usr/local/WowzaStreamingEngine/conf/vps1.vanmarion.nl.jks"  // the location of my JKS file
--httpsKeyStorePassword="secret" // the password of the JKS file

Example of my command:


After this you can restart the Wowza Engine and Manager.

So your new URLs would be:
Frontend: https://YOUR_WOWZA_IPADDRESS:443 
Backend: https://YOUR_WOWZA_IPADDRESS:8090/enginemanager/

If all checks (see SSL checks below) are OK, you could disable HTTP and switch the backend completely to HTTPS.

If you only want to run the backend on SSL, you have to edit the startmgr.sh file again and change --httpPort=8088 to --httpPort=-1

and restart the Engine Manager again.
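The two startmgr.sh edits above (adding the --https* options, and later setting --httpPort=-1) can be made with sed instead of by hand. The script below is an added example, not code from this post or from Wowza. It adds the three options right after --httpPort=8088 only if they are not already present, keeps a .bak copy for the rollback the note above recommends, and refuses to switch HTTP off while HTTPS is not configured, since that would leave the manager unreachable. The one-line CMD stand-in it edits is constructed; the real line in startmgr.sh is much longer, and every occurrence of --httpPort=8088 in the file is changed, so if your file has two CMD lines, check both afterwards.

```shell
#!/bin/sh
# Added example, not from the original post or from Wowza. Makes the two
# startmgr.sh edits described in the post with sed: add the three --https*
# options right after --httpPort=8088 (only if they are not already there,
# with a .bak copy for rollback), and later set --httpPort=-1 to switch
# plain HTTP off, refusing to do so while HTTPS is not configured.
# Every occurrence of --httpPort=8088 in the file is changed.

# manager_enable_https FILE JKS PASSWORD [HTTPSPORT] -> 0 on success
manager_enable_https() {
  f="$1"; jks="$2"; pw="$3"; port="${4:-8090}"
  grep -q -- '--httpPort=8088' "$f" || { echo "no --httpPort=8088 in $f" >&2; return 1; }
  if grep -q -- '--httpsPort=' "$f"; then
    echo "$f already has --httpsPort, leaving it alone" >&2
    return 0
  fi
  # sed -i.bak works on both GNU and BSD sed and leaves FILE.bak behind
  sed -i.bak 's|--httpPort=8088|--httpPort=8088 --httpsPort='"$port"' --httpsKeyStore="'"$jks"'" --httpsKeyStorePassword="'"$pw"'"|' "$f"
}

# manager_disable_http FILE -> HTTP off; only allowed once HTTPS is in place
manager_disable_http() {
  grep -q -- '--httpsPort=' "$1" || { echo "enable HTTPS first or the manager becomes unreachable" >&2; return 1; }
  sed -i.bak 's|--httpPort=8088|--httpPort=-1|' "$1"
}

# Demo on a constructed one-line stand-in for the manager CMD line
demo=$(mktemp)
echo 'java -jar manager.jar --httpPort=8088 --directoryListings=false' > "$demo"
manager_enable_https "$demo" /usr/local/WowzaStreamingEngine/conf/vps1.vanmarion.nl.jks secret
cat "$demo"
manager_disable_http "$demo"
cat "$demo"
rm -f "$demo" "$demo.bak"
```

Run manager_enable_https against the real startmgr.sh first, restart the manager, confirm https://YOUR_WOWZA_IPADDRESS:8090/enginemanager/ works, and only then call manager_disable_http.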

SSL Checks

If you want to check your freshly installed SSL certificate, make sure to do a detailed test on it. Go to this URL in your browser (change vps1.vanmarion.nl to your domain):

https://www.ssllabs.com/ssltest/analyze.html?d=vps1.vanmarion.nl

Get some coffee, the complete check can take a while ;).
The SSL check results also show some things I have to fix on my server (it's a freshly installed server, so I haven't fixed them yet). So it will also give you some advice on fixing your server.

Make sure to fix the problems from the report, as far as possible. In my case it is a fresh server and I have some work/fixing to do:


Conclusion

I have SSL installed. I changed my Wowza URL in JW Player from http://vps1.vanmarion.nl:1935/vod/transformers_last_knight_2017.mp4/playlist.m3u8
to: https://vps1.vanmarion.nl:443/vod/transformers_last_knight_2017.mp4/playlist.m3u8

# note the change from http to https and the port change from 1935 to 443

And now it plays again.


Renewing your SSL certificate

I had hoped that with the cronjobs the renewal process would be automatic, but that didn't happen. So this is what I did when renewing the SSL certificate. First stop the Wowza server, otherwise the renewal cannot bind the address/port.


And follow these steps:

I renewed by running the installation script again.

It will ask you what you want. Choose: 2

After that the installation will renew the SSL certificate.

Then rerun the letsencrypt-converter to create a new jksmap.txt and JKS file.

Check that the file has today's date.

And that's all you have to do. Restart Wowza again, do an SSL check again, and check that the streams still play on your current URLs and ports.
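The "check that the file has today's date" step is the one that is easy to get wrong: if the converter was not rerun, Wowza keeps serving the old certificate out of the old .jks until it expires. The script below, an added example that is not part of the original post, turns the post-renewal checks into functions: the keystore must be at least as new as fullchain.pem, privkey.pem must be readable by its owner only, and the certificate must have enough lifetime left (it uses openssl x509 -checkend, so openssl is assumed to be installed). Paths follow the post's layout, /etc/letsencrypt/live/<domain>/ for the certificate and <confdir>/<domain>.jks for the keystore.

```shell
#!/bin/sh
# Added example, not from the original post. Checks to run after a renewal,
# before restarting Wowza: the converted keystore must be at least as new as
# the renewed certificate (a stale .jks means Wowza keeps serving the old,
# soon-expiring certificate), privkey.pem must be owner-only, and the
# certificate must have enough lifetime left. The layout follows the post:
#   /etc/letsencrypt/live/<domain>/{fullchain,privkey}.pem and <confdir>/<domain>.jks
# openssl is assumed to be installed.

# keystore_is_current CERT JKS -> 0 if JKS is as new as CERT, 1 if it is
# stale, 2 if a file is missing. "-nt" compares modification times and
# follows the symlinks that the live/ directory uses.
keystore_is_current() {
  [ -f "$1" ] && [ -f "$2" ] || return 2
  if [ "$1" -nt "$2" ]; then return 1; fi
  return 0
}

# privkey_perms_ok KEY -> 0 unless group or others have any permission bit
# (ls -lL follows symlinks; columns 5-10 are the group and other bits)
privkey_perms_ok() {
  [ "$(ls -lLd -- "$1" | cut -c5-10)" = "------" ]
}

# cert_ok_for_days CERT DAYS -> 0 if CERT is still valid DAYS days from now
# (openssl's -checkend takes seconds); also fails if CERT cannot be read
cert_ok_for_days() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# post_renewal_check DOMAIN LIVEDIR CONFDIR -> 0 if every check passes
post_renewal_check() {
  live="$2/$1"; jks="$3/$1.jks"; rc=0
  keystore_is_current "$live/fullchain.pem" "$jks" ||
    { echo "$jks is missing or older than fullchain.pem: rerun the converter"; rc=1; }
  privkey_perms_ok "$live/privkey.pem" ||
    { echo "$live/privkey.pem is readable by group/others"; rc=1; }
  cert_ok_for_days "$live/fullchain.pem" 30 ||
    { echo "$live/fullchain.pem expires within 30 days (or cannot be read)"; rc=1; }
  return $rc
}

# Usage: sh this_script.sh vps1.vanmarion.nl /etc/letsencrypt/live /usr/local/WowzaStreamingEngine/conf
if [ $# -eq 3 ]; then post_renewal_check "$@"; fi
```

Run it as root (the live/ files are root-only) right after the converter and before restarting Wowza; a non-zero exit with the printed reason tells you which step of the renewal was skipped.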

SSL check (change domain_name to your Wowza server address):

https://www.ssllabs.com/ssltest/analyze.html?d=domain_name

Troubleshooting

If for some reason SSL is not working or your stream is not playing, check these things:

  • Make sure the comment markers are removed from the SSL part of your VHost.xml. Wowza restarts without any complaint, but if there is still an unclosed comment marker (<!-- or -->) in it, SSL isn't working.
  • Check that port 443 is reachable on your server from outside: http://www.yougetsignal.com/tools/open-ports/
  • Check that your firewall has port 443 open
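The first item is the hardest to spot by eye, because Wowza starts normally and simply never listens on 443. The helper below, an added example that is not part of the original post, scans VHost.xml with awk, tracking whether each piece of text is inside a <!-- ... --> comment, and reports success only if <Port>443</Port> appears outside every comment and no comment is left unclosed. The XML fragments in the test are constructed; run it as vhost_port_active /usr/local/WowzaStreamingEngine/conf/VHost.xml 443 on the real file.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies the first troubleshooting
# item: the 443 HostPort in VHost.xml must sit outside any XML comment and the
# file must not contain an unclosed "<!--". Wowza still starts with a leftover
# comment marker; it just never listens on the port.

# vhost_port_active FILE PORT -> 0 if <Port>PORT</Port> occurs outside all
# comments and every comment is closed; 1 otherwise
vhost_port_active() {
  awk -v port="$2" '
    BEGIN { inc = 0; found = 0 }        # inc: currently inside a comment
    {
      line = $0
      while (length(line) > 0) {
        if (inc) {
          i = index(line, "-->")
          if (i == 0) break            # rest of this line is still commented
          inc = 0; line = substr(line, i + 3)
        } else {
          i = index(line, "<!--")
          seg = (i == 0) ? line : substr(line, 1, i - 1)   # uncommented text
          if (seg ~ ("<Port>" port "</Port>")) found = 1
          if (i == 0) break
          inc = 1; line = substr(line, i + 4)
        }
      }
    }
    END { exit ((inc == 0 && found == 1) ? 0 : 1) }
  ' "$1"
}

# Usage: vhost_port_active /usr/local/WowzaStreamingEngine/conf/VHost.xml 443
if [ $# -eq 2 ]; then
  if vhost_port_active "$1" "$2"; then
    echo "port $2 is active (not commented out) in $1"
  else
    echo "port $2 is commented out, or a comment is unclosed, in $1"
  fi
fi
```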


If you have any comments or suggestions, feel free to leave a reply.


7 Responses

  1. Yu Fei says:

    Hello, thank you for your Wowza with SSL instructions. I have one question. Do you face memory consumption after switching to HTTPS streaming? I've faced this problem: with only 100+ viewers, Wowza eats about 48GB of my memory (without HTTPS it eats about 6-8GB).

    • maca says:

      Hi,
      Thanks for the feedback.
      SSL will probably consume more RAM because of the encryption. Is your server using more RAM for caching, or is your server actually running out of memory? I don't have a big Wowza server running like that, but I will do some testing on one of my VPS machines (the biggest one has only 4GB RAM). I assume it will use more RAM. I will do some research on it.

  2. Hey Maca,

    Not sure if you've gone any further with this, but I used some of your suggestions here, so I thought I'd contribute a bit. In terms of automating the Let's Encrypt SSL cert issue (BTW, I use certbot, which is from the EFF and seems to be more stable... just google "certbot linux installation" and pick the eff.org link), I used the DNS challenge. I have a dedicated Wowza server that does not have anything else installed on it, and I do control the DNS zone files for our domain.

    The command I use to initially get the cert is:

    certbot certonly --preferred-challenges=dns --manual -d wowza.server.domain.com

    This process (after the email registration questions) prompts you to create a TXT field in your DNS with a random string value they give you. Once you've done that and updated your DNS server, you continue the certbot process (certbot actually stops and waits for you to do the DNS stuff and come back to it), which then goes on to do the verification. You do not remove the TXT field from DNS; all future renewal challenges are done using this method. You just have to give your DNS server enough time to update and flush its cache before you let certbot continue to "verify" the random value of the TXT field, otherwise it fails and you have to do the whole thing over again with a new random value (which is a bit of a PITA).

    Once you have the cert, you can just use the following in cron to renew and import (thanks for the info about the jar tool to import):

    22 1 * * * /usr/bin/certbot renew
    @weekly /usr/bin/java -jar /usr/local/WowzaStreamingEngine/lib/wowza-letsencrypt-converter-0.1.jar -v /usr/local/WowzaStreamingEngine/conf/ /etc/letsencrypt/live/ > /dev/null 2>&1

    Since your challenge process is not independent of Wowza server (or apache/httpd), the renew process runs without prompts.

    Thanks for the info on robymus’ import tool….

    • maca says:

      Hi Many,
      Thanks for your feedback and commands. Highly appreciated! I will certainly try it. I'm always up for new things to try. I wonder though about the renewal. I was in contact with robymus on this and he said that you might still have to renew the Wowza certificate manually. But there's only one way to find out what works and what doesn't.

      At the moment I'm working on a renewal of my Wowza dashboard. The current code was a good first try, and I still don't see anything else around, so I will redo that part, maybe with extra server support. So... for that I will reinstall my dev Wowza server and give your setup a try. I will let you know. Can I contact you by email if I have any questions?
      Regards,
      Jeroen / Maca

  3. Very nice write-up. I certainly appreciate this site.
    Stick with it!

  4. Arcadio says:

    You are the best!! Works perfectly.
