Wowza 4.8.x – CentOS7 – Letsencrypt

Update june 19, 2023: I have created an update series for Letsencrypt. Please follow the new tutorial. 

https://vanmarion.nl/blog/blog/letsencrypt-ssl-for-wowza-frontend-backend/


I had many questions in my previous topic about the ssl configuration in Ubuntu or CentOS. So i decided to update this, create new installers and see if the configuration of SSL has changed. And indeed it had. I prefer Ubuntu myself, but i use CentOS as well. It’s up to you which OS you want to use. 

This first post will be the configuration of LetsEncrypt on CentOS 7.x 

The ubuntu version i will publish soon after this. I don’t have the time to create video’s, so writing things down is easier for me. Feel free to place a comment (comments will be approved first, to avoid spam).

If you need a clean install of CentOS, checkout the installer scripts: https://github.com/nlmaca/Wowza_Installers which i have created  Those includes Firewall (CSF), Java 11 and Wowza installation. All you need is a valid license key or developer key. 

Requirements

  • CentOS 7.x server installed
  • Wowza 4.8.x installed
  • Firewall open ports: 8088, 8090, 443, 80, 1935
  • a domainname pointing to your wowza server (we need this for SSL activation)

What will i show you:

  • Installation of letsencrypt on CentOS
  • SSL converter to JKS file
  • configuration of frontend (playback) and backend (enginemanager) over SSL
  • Testing  of playback url’s (vlc, jwplayer)

Keep in mind:

  • Your server might will have an increase of virtual memory because of the ssl
  • Always test this in your test environment. Don’t keep me responsible for it. This is a guide as is.

Start of installation

Open an ssh connection to your Server and run scripts as root 

# update your server
yum update
yum install git

# clone the certbot repository and configure certbot
git clone https://github.com/certbot/certbot /opt/letsencrypt
cd /opt/letsencrypt

yum --enablerepo=extras install epel-release
yum install certbot

# create an SSL certificate. change SUB.DOMAIN.EXT to the domain that points to your server
sudo -H ./letsencrypt-auto certonly --standalone -d SUB.DOMAIN.EXT

# Some questions will be asked. Fill them in accordingly
# Answer some of the questions:
```
enter email: set-your-email
agree TOS(Terms of Service): A
Share your email: (up to you): N

Set 2 cronjobs so the ssl certificate will be updated automaticly

# crontab -e
@weekly root cd /opt/letsencrypt && git pull >> /var/log/letsencrypt/letsencrypt-auto-update.log
@monthly root /opt/letsencrypt/letsencrypt-auto certonly --quiet --standalone --renew-by-default -d SUB.DOMAIN.EXT >> /var/log/letsencrypt/letsencrypt-auto-update.log

Wowza needs an JKS file. So we need to convert our just created ssl certificate to a JKS file. On the github page of robymus you can find the script. We will use version 0.1

# Go to the wowza directory
cd /usr/local/WowzaStreamingEngine/lib 

# Download the jar file in the lib directory
wget https://github.com/robymus/wowza-letsencrypt-converter/releases/download/v0.1/wowza-letsencrypt-converter-0.1.jar

# Create a jks file
java -jar wowza-letsencrypt-converter-0.1.jar -v /usr/local/WowzaStreamingEngine/conf/ /etc/letsencrypt/live/

# This file will be created in the /usr/local/WowzaStreamingEngine/conf/ directory (jksmap.txt and the jks file).

We now need the contents of the jksmap.txt (copy them to a temporary notepad). 

cat /usr/local/WowzaStreamingEngine/conf/jksmap.txt

# This will show you something like this: SUB.DOMAIN.EXT={"keyStorePath":"/usr/local/WowzaStreamingEngine/conf/SUB.DOMAIN.EXT.jks", "keyStorePassword":"secret", "keyStoreType":"JKS"}

Now we need to enable 443 in the VHost.xml file

You will see that the 443 is in comment tags <!–  and –> at the end of the HostPort. Remove those tags.  Second is that we have to change the KeyStorePath and KeyStorePassword in this part

Before: 

<SSLConfig>
    <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/keystore.jks</KeyStorePath>
    <KeyStorePassword>[password]</KeyStorePassword>
    <KeyStoreType>JKS</KeyStoreType>
    <DomainToKeyStoreMapPath></DomainToKeyStoreMapPath>
    <SSLProtocol>TLS</SSLProtocol>
    <Algorithm>SunX509</Algorithm>
    <CipherSuites></CipherSuites>
    <Protocols></Protocols>
    <AllowHttp2>false</AllowHttp2>
</SSLConfig>

And after we have changed the settings. Also make sure to change SUB.DOMAIN.EXT to your own domainname.

<SSLConfig>
    <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/SUB.DOMAIN.EXT.jks</KeyStorePath>
    <KeyStorePassword>secret</KeyStorePassword>
    <KeyStoreType>JKS</KeyStoreType>
    <DomainToKeyStoreMapPath></DomainToKeyStoreMapPath>
    <SSLProtocol>TLS</SSLProtocol>
    <Algorithm>SunX509</Algorithm>
    <CipherSuites></CipherSuites>
    <Protocols></Protocols>
    <AllowHttp2>false</AllowHttp2>
</SSLConfig>

Save the file after you have made the changes. 

The last thing before restarting is to change the tomcat properties

vi /usr/local/WowzaStreamingEngine/manager/conf/tomcat.properties

#Change the default values

#httpsPort=8090
#httpsKeyStore=conf/certificate.jks
#httpsKeyStorePassword=[password]
#httpsKeyAlias=[key-alias]

# TO:

httpsPort=8090
httpsKeyStore=/usr/local/WowzaStreamingEngine/conf/SUB.DOMAIN.EXT.jks
httpsKeyStorePassword=secret
#httpsKeyAlias=[key-alias]

Now we will restart Wowza

service WowzaStreamingEngineManager restart
service WowzaStreamingEngine restart

The configuration is almost done. 

Open your browser and instead of using the http://wowza-server:8088/enginemanager now change this to https://wowza-server:8090/enginemanager

That should give you a valid certificate. Also login in to the enginemanager. We have to do some extra steps there. 

Go to Server > Virtual Host Setup and click Edit

 

 

 

 

 

Fig. 

If you don’t see port 443 as a Host Port, create it and fill in the fields . Here you have to set the location of the SSL jks file and the password. Change SUB.DOMAIN.EXT to your domainname. 

 

 

 

 

 

 

 

 

 

Click Apply to save settings

If you want to stream over SSL on port 1935, also enable SSL there and set the same jks location and password. 

At this point we are done. To be sure restart wowza or your complete server. 

Playback url’s

Before:

http://SUB.DOMAIN.EXT:1935/vod/mp4:sample.mp4/playlist.m3u8

In this case i also enabled SSL for port 1935, so these are my new url’s i can use:

# SSL over port 1935
https://SUB.DOMAIN.EXT:1935/vod/mp4:sample.mp4/playlist.m3u8

#SSL over the default port (443)
https://SUB.DOMAIN.EXT/vod/mp4:sample.mp4/playlist.m3u8

Screenshot example. 

I make use of a free edition of JWPlayer. I added the livestream url (https) in the player and run the player via a javascript on my website. 

The second stream is the https stream in vlc.

Click on the image for a larger view

 

 

 

 

 

Please feel free to give it a try. If you have any questions, just leave a comment. 

If it doesn’t work for you, try to give as much detail as possible. (It doesn’t work isn’t enough).

You may also like...

0 0 votes
Article Rating
Subscribe
Notify of
guest

21 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Alencar
Alencar
3 years ago

Hello Friend.

I followed the step by step.
But I can’t send my video.

On my Adobe Live Encoder, the URL rtmp cannot connect to the server.

Alencar
Alencar
Reply to  maca
3 years ago

It worked friend, really perfect your tutorial.

After many years, I can now send my streaming video using LetsEncrypt’s SSL.

I really have no words to thank you.

You helped me a lot, my congratulations for sharing your knowledge.

I am very grateful to you, may God protect you friend !!!!!

A
A
3 years ago
Alencar
Alencar
3 years ago

VLC Works 100%

Alencar
Alencar
3 years ago

“this live event has ended” message

In Wowza Player…

Helpme ?

Alencar
Alencar
3 years ago

I discovered the error.

My live video streaming works using the SMIL Files feature.

However, when I activate the feature, which is already configured with these settings:

alencar> ALENCAR.smil
Live Single Server or Origin
Return to SMIL Files

Title
adaptive streaming
Streams in this SMIL file

Source (src) Language Type Actions
alencar_source eng video
alencar_h263 eng video
alencar_720p eng video
alencar_360p eng video
alencar_240p eng video
alencar_160p eng video

But then the Wowza Player gives the error: “this live event has ended”

But if I put my URL in Wowza Player without SMIL Files, Wowza PLayer works as normal.

Alencar
Alencar
Reply to  maca
3 years ago

can you help me to use jwplayer?

Alencar
Alencar
Reply to  Alencar
3 years ago

I’m on the jwplayer website but it looks like it’s no longer free.

can’t you do a tutorial teaching how to use this player?

Alencar Well
Alencar Well
3 years ago

Hello Friend,

Can you help me?

I’m trying to follow your step by step again.

In a Centos 7 with Wowza 4.8.5

However, in this step, this error happens:

[root@video letsencrypt]# sudo -H ./letsencrypt-auto certonly –standalone -d domain.com
Skipping bootstrap because certbot-auto is deprecated on this system.
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
Please visit https://certbot.eff.org/ to check for other alternatives.
[root@video letsencrypt]#

Andres
3 years ago

Hi, Excelent manual, but I think need to be updated. I got this error:

[root@wowza-base-15-01-21-c-32-64gib-sfo2-01 letsencrypt]# sudo -H ./letsencrypt-auto certonly –standalone -d gnodecws.com
Skipping bootstrap because certbot-auto is deprecated on this system.
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
Please visit https://certbot.eff.org/ to check for other alternatives.

Boldbat
Boldbat
Reply to  maca
1 year ago

Need help on this sudo: ./letsencrypt-auto: command not found

Andres
3 years ago

Hi

One question, do I need to set record A of my domain pointing to the IP of wowza server??