Wowza 4.8.x – CentOS7 – Letsencrypt

I had many questions on my previous topic about the SSL configuration in Ubuntu and CentOS, so I decided to update it, create new installers and check whether the SSL configuration had changed. It had. I prefer Ubuntu myself, but I use CentOS as well; which OS you use is up to you.

This first post covers the configuration of LetsEncrypt on CentOS 7.x.

The Ubuntu version will follow soon after this one. I don't have time to create videos, so writing things down is easier for me. Feel free to leave a comment (comments are approved first, to avoid spam).

If you need a clean install of CentOS, check out the installer scripts I created: https://github.com/nlmaca/Wowza_Installers. They include the firewall (CSF), Java 11 and the Wowza installation. All you need is a valid license key or developer key.

Requirements

  • CentOS 7.x server installed
  • Wowza 4.8.x installed
  • Firewall open ports: 8088, 8090, 443, 80, 1935
  • a domain name pointing to your Wowza server (we need this for SSL activation)

What I will show you:

  • Installation of letsencrypt on CentOS
  • Converting the SSL certificate to a JKS file
  • Configuration of the frontend (playback) and backend (Engine Manager) over SSL
  • Testing the playback URLs (VLC, JWPlayer)

Keep in mind:

  • Your server will probably use more memory because of SSL
  • Always test this in a test environment first. I am not responsible for the result; this guide is provided as is.

Start of installation

Open an SSH connection to your server and run the following commands as root.

```
# update your server
yum update
yum install git

# clone the certbot repository and configure certbot
git clone https://github.com/certbot/certbot /opt/letsencrypt
cd /opt/letsencrypt

yum --enablerepo=extras install epel-release
yum install certbot

# create an SSL certificate. change SUB.DOMAIN.EXT to the domain that points to your server
# (--standalone binds port 80 itself, so nothing else may be listening there while it runs)
sudo -H ./letsencrypt-auto certonly --standalone -d SUB.DOMAIN.EXT
# letsencrypt-auto has since been removed from the certbot repository; the packaged
# certbot installed above accepts the same options:
# certbot certonly --standalone -d SUB.DOMAIN.EXT
```

Some questions will be asked. Fill them in accordingly:

```
enter email: set-your-email
agree TOS (Terms of Service): A
Share your email (up to you): N
```

Set 2 cron jobs so the SSL certificate is renewed automatically. Note that entries made with crontab -e have no user column; the "root" field belongs only in /etc/crontab or files under /etc/cron.d.

```
# crontab -e
@weekly cd /opt/letsencrypt && git pull >> /var/log/letsencrypt/letsencrypt-auto-update.log
@monthly /opt/letsencrypt/letsencrypt-auto certonly --quiet --standalone --renew-by-default -d SUB.DOMAIN.EXT >> /var/log/letsencrypt/letsencrypt-auto-update.log
```

Renewal only replaces the files under /etc/letsencrypt/live. The JKS file created in the next step is a copy of the certificate, so it has to be regenerated (and Wowza restarted) after each renewal, otherwise Wowza keeps serving the old certificate until it expires.

Wowza needs a JKS file, so we have to convert the certificate we just created into a JKS file. You can find the converter on the GitHub page of robymus. We will use version 0.1.

```
# Go to the wowza directory
cd /usr/local/WowzaStreamingEngine/lib

# Download the jar file in the lib directory
wget https://github.com/robymus/wowza-letsencrypt-converter/releases/download/v0.1/wowza-letsencrypt-converter-0.1.jar

# Create a jks file
java -jar wowza-letsencrypt-converter-0.1.jar -v /usr/local/WowzaStreamingEngine/conf/ /etc/letsencrypt/live/

# The files will be created in the /usr/local/WowzaStreamingEngine/conf/ directory (jksmap.txt and the jks file).
```

We now need the contents of the jksmap.txt (copy them to a temporary notepad). 

```
cat /usr/local/WowzaStreamingEngine/conf/jksmap.txt

# This will show you something like this:
# SUB.DOMAIN.EXT={"keyStorePath":"/usr/local/WowzaStreamingEngine/conf/SUB.DOMAIN.EXT.jks", "keyStorePassword":"secret", "keyStoreType":"JKS"}
```
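The converter output is a snapshot of the certificate, so a renewal from the cron jobs does not reach Wowza until the converter runs again. The following certbot deploy hook is an added example, not from the post or the converter project; it assumes the paths and service names used in this post, the converter jar downloaded above, and that renewals run through the packaged certbot (certbot renew), which executes scripts in /etc/letsencrypt/renewal-hooks/deploy/ and exports RENEWED_DOMAINS.

```shell
#!/bin/bash
# Certbot deploy hook (assumed path: /etc/letsencrypt/renewal-hooks/deploy/wowza-jks.sh).
# Certbot runs it after a successful renewal with RENEWED_DOMAINS set; it rebuilds the
# Wowza keystore with the converter from the post, locks down the files that hold the
# keystore password and private key, and restarts Wowza so the new certificate is served.
set -eu

WOWZA_HOME="${WOWZA_HOME:-/usr/local/WowzaStreamingEngine}"
CONVERTER="${CONVERTER:-$WOWZA_HOME/lib/wowza-letsencrypt-converter-0.1.jar}"
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live/}"

# Print the keyStorePath for a domain from a jksmap.txt line of the form
# SUB.DOMAIN.EXT={"keyStorePath":"/path/x.jks", "keyStorePassword":"secret", "keyStoreType":"JKS"}
jks_path_for() {            # $1 = domain, $2 = path to jksmap.txt; prints nothing if absent
    sed -n "/^$1=/ s/.*\"keyStorePath\":\"\([^\"]*\)\".*/\1/p" "$2"
}

# The keystore must exist, be non-empty and be readable by its owner only:
# it contains the private key, and jksmap.txt next to it holds the password.
check_keystore() {          # $1 = path to .jks; prints the reason and returns 1 on failure
    local f="$1" mode
    [ -s "$f" ] || { echo "missing or empty keystore: $f"; return 1; }
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "keystore $f has mode $mode, expected 600"; return 1 ;;
    esac
}

rebuild_and_restart() {     # $1 = renewed domain
    local domain="$1" map="$WOWZA_HOME/conf/jksmap.txt" jks
    java -jar "$CONVERTER" -v "$WOWZA_HOME/conf/" "$LE_LIVE"
    jks=$(jks_path_for "$domain" "$map")
    [ -n "$jks" ] || { echo "no jksmap.txt entry for $domain"; return 1; }
    chmod 600 "$jks" "$map"
    check_keystore "$jks"
    # same restart order as in the post
    service WowzaStreamingEngineManager restart
    service WowzaStreamingEngine restart
}

# Only act when invoked by certbot (RENEWED_DOMAINS is set); sourcing the file just defines the functions.
if [ -n "${RENEWED_DOMAINS:-}" ]; then
    for d in $RENEWED_DOMAINS; do rebuild_and_restart "$d"; done
fi
```

If you keep the letsencrypt-auto cron line instead of certbot renew, call this script from that cron line after certonly with RENEWED_DOMAINS=SUB.DOMAIN.EXT set.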

Now we need to enable port 443 in the VHost.xml file.

You will see that the 443 HostPort is wrapped in comment tags (<!-- at the start and --> at the end of the HostPort). Remove those tags. Second, we have to change the KeyStorePath and KeyStorePassword in this part.

Before:

```
<SSLConfig>
    <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/keystore.jks</KeyStorePath>
    <KeyStorePassword>[password]</KeyStorePassword>
    <KeyStoreType>JKS</KeyStoreType>
    <DomainToKeyStoreMapPath></DomainToKeyStoreMapPath>
    <SSLProtocol>TLS</SSLProtocol>
    <Algorithm>SunX509</Algorithm>
    <CipherSuites></CipherSuites>
    <Protocols></Protocols>
    <AllowHttp2>false</AllowHttp2>
</SSLConfig>
```

After the changes (make sure to change SUB.DOMAIN.EXT to your own domain name):

```
<SSLConfig>
    <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/SUB.DOMAIN.EXT.jks</KeyStorePath>
    <KeyStorePassword>secret</KeyStorePassword>
    <KeyStoreType>JKS</KeyStoreType>
    <DomainToKeyStoreMapPath></DomainToKeyStoreMapPath>
    <SSLProtocol>TLS</SSLProtocol>
    <Algorithm>SunX509</Algorithm>
    <CipherSuites></CipherSuites>
    <Protocols></Protocols>
    <AllowHttp2>false</AllowHttp2>
</SSLConfig>
```

Save the file after you have made the changes. 

The last thing before restarting is to change the Tomcat properties of the Engine Manager:

```
vi /usr/local/WowzaStreamingEngine/manager/conf/tomcat.properties
```

Change the default values from:

```
#httpsPort=8090
#httpsKeyStore=conf/certificate.jks
#httpsKeyStorePassword=[password]
#httpsKeyAlias=[key-alias]
```

to:

```
httpsPort=8090
httpsKeyStore=/usr/local/WowzaStreamingEngine/conf/SUB.DOMAIN.EXT.jks
httpsKeyStorePassword=secret
#httpsKeyAlias=[key-alias]
```

Now we will restart Wowza:

```
service WowzaStreamingEngineManager restart
service WowzaStreamingEngine restart
```

The configuration is almost done. 

Open your browser and, instead of http://wowza-server:8088/enginemanager, go to https://wowza-server:8090/enginemanager

That should give you a valid certificate. Also log in to the Engine Manager; we have to do some extra steps there.

Go to Server > Virtual Host Setup and click Edit


If you don't see port 443 as a Host Port, create it and fill in the fields. Here you have to set the location of the SSL JKS file and the password. Change SUB.DOMAIN.EXT to your domain name.


Click Apply to save the settings.

If you want to stream over SSL on port 1935, also enable SSL there and set the same jks location and password. 

At this point we are done. To be sure, restart Wowza or the whole server.
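To confirm that Wowza really serves the certificate from /etc/letsencrypt/live on each SSL port (and not an older copy from a stale JKS), here is an added check script, not part of the post; it assumes the domain and port numbers used above and that openssl is installed on the server.

```shell
#!/bin/bash
# Post-restart check: for each TLS HostPort, fetch the served certificate, compare its
# SHA-256 fingerprint with the Let's Encrypt leaf certificate on disk and report the
# days left until expiry. A mismatch means the JKS was not rebuilt after a renewal.
set -eu

DOMAIN="${1:-SUB.DOMAIN.EXT}"             # the name the certificate was issued for
PORTS="${2:-443 8090 1935}"               # HostPorts with SSL enabled (1935 only if you enabled it)
LIVE_CERT="/etc/letsencrypt/live/$DOMAIN/cert.pem"

# Days until a notAfter value such as "notAfter=Jun  1 12:00:00 2030 GMT" (openssl's
# -enddate output) is reached; negative means the certificate has already expired.
days_left() {
    local end="${1#notAfter=}"
    echo $(( ( $(date -u -d "$end" +%s) - $(date -u +%s) ) / 86400 ))
}

# Leaf certificate served on host:port (SNI set, as a browser or player would do).
served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | openssl x509 2>/dev/null
}

check_port() {               # $1 = host, $2 = port; returns 1 on any problem
    local pem served_fp live_fp days
    pem=$(served_cert "$1" "$2") || { echo "$1:$2 no TLS handshake (SSL not enabled on this HostPort?)"; return 1; }
    served_fp=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256)
    live_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$LIVE_CERT")
    days=$(days_left "$(printf '%s\n' "$pem" | openssl x509 -noout -enddate)")
    if [ "$served_fp" != "$live_fp" ]; then
        echo "$1:$2 serves a different certificate than $LIVE_CERT (stale JKS?)"; return 1
    fi
    if [ "$days" -lt 14 ]; then
        echo "$1:$2 certificate expires in $days days; check the renewal cron job"; return 1
    fi
    echo "$1:$2 OK, matches the live certificate, $days days left"
}

# Without a live certificate there is nothing to compare against, so only run the checks when it exists.
if [ -f "$LIVE_CERT" ]; then
    rc=0
    for p in $PORTS; do check_port "$DOMAIN" "$p" || rc=1; done
    exit $rc
fi
```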

Playback URLs

Before:

```
http://SUB.DOMAIN.EXT:1935/vod/mp4:sample.mp4/playlist.m3u8
```

In this case I also enabled SSL on port 1935, so these are the new URLs I can use:

```
# SSL over port 1935
https://SUB.DOMAIN.EXT:1935/vod/mp4:sample.mp4/playlist.m3u8

# SSL over the default port (443)
https://SUB.DOMAIN.EXT/vod/mp4:sample.mp4/playlist.m3u8
```

Screenshot example. 

I use the free edition of JWPlayer. I added the livestream URL (https) to the player and run the player via JavaScript on my website.

The second stream is the https stream in vlc.


Please feel free to give it a try. If you have any questions, just leave a comment. 

If it doesn't work for you, give as much detail as possible ("it doesn't work" isn't enough).

14 Responses

  1. Alencar says:

    Hello Friend.

    I followed the step by step.
    But I can’t send my video.

    On my Adobe Live Encoder, the URL rtmp cannot connect to the server.

    • maca says:

      Did you enable SSL for port 1935? If yes, disable SSL in the virtualHost for port 1935 and you can connect again with your encoder. You can output your stream over port 443 then.

      • maca says:

        The other possibility is to add an extra Hostport which you will only use in your rtmp encoder
        Example: Add Hostport 1900 (no ssl).
        In csf add the TCP port to inbound
        vi /etc/csf/csf.conf (search for your ssh port and you will find the line to be changed)
        Example:
        I added port 1900 as a hostport and added the port to the firewall
        TCP_IN = "22,53,80,443,554,1935,1900,8084:8088,8090"

        restart csf
        csf -x
        csf -e

        And you should be able to connect on port 1900 from your encoder.
        FMS Url: rtmp://YOUR-WOWZA-DOMAIN:1900/live

        There are many ways to do a setup like this. Always check to what you connect. RTMP is NOT over SSL. So if your hostport is set to SSL, you will sure know where your problem is.

      • Alencar says:

        It worked friend, really perfect your tutorial.

        After many years, I can now send my streaming video using LetsEncrypt’s SSL.

        I really have no words to thank you.

        You helped me a lot, my congratulations for sharing your knowledge.

        I am very grateful to you, may God protect you friend !!!!!

        • maca says:

          You’re welcome.
          Maybe you also want to try OBS. I prefer it over the old Adobe Encoder, https://obsproject.com/ It is freeware and pretty easy to set up. You can use almost the same settings for that. I think I have to write a separate tutorial for that haha

  2. Alencar says:

    VLC Works 100%

  3. Alencar says:

    “this live event has ended” message

    In Wowza Player…

    Helpme ?

  4. Alencar says:

    I discovered the error.

    My live video streaming works using the SMIL Files feature.

    However, when I activate the feature, which is already configured with these settings:

    alencar> ALENCAR.smil
    Live Single Server or Origin
    Return to SMIL Files

    Title
    adaptive streaming
    Streams in this SMIL file

    Source (src) Language Type Actions
    alencar_source eng video
    alencar_h263 eng video
    alencar_720p eng video
    alencar_360p eng video
    alencar_240p eng video
    alencar_160p eng video

    But then the Wowza Player gives the error: “this live event has ended”

    But if I put my URL in Wowza Player without SMIL Files, Wowza PLayer works as normal.

    • maca says:

      I can’t help you with the wowza player. I never use it. It’s best to get in contact with Wowza on this.

      • Alencar says:

        can you help me to use jwplayer?

        • Alencar says:

          I’m on the jwplayer website but it looks like it’s no longer free.

          can’t you do a tutorial teaching how to use this player?

          • maca says:

            Hi Alencar,
            Will see what I can do. JWPlayer can be used with the cloud player, but adjusting the player or running a self-hosted one is not possible anymore on the free account. I found another player which is free up to 10K impressions per month. Have to do some testing on that first.
            If however you have a large audience I still would consider getting a paid subscription for JWPlayer.
            edit: https://www.wowza.com/docs/use-theoplayer-with-wowza-streaming-engine should give you a good start on how to connect it to Wowza

  1. July 4, 2020

    […] this page: Wowza 4.8.x CentOS 7 Letsencrypt  for the CentOS […]
