Wowza 4.8.x – CentOS7 – Letsencrypt
Update june 19, 2023: I have created an update series for Letsencrypt. Please follow the new tutorial.
https://vanmarion.nl/blog/blog/letsencrypt-ssl-for-wowza-frontend-backend/
I had many questions in my previous topic about the SSL configuration in Ubuntu or CentOS. So I decided to update this, create new installers and see if the configuration of SSL has changed. And indeed it had. I prefer Ubuntu myself, but I use CentOS as well. It's up to you which OS you want to use.
This first post covers the configuration of LetsEncrypt on CentOS 7.x.
The Ubuntu version I will publish soon after this. I don't have the time to create videos, so writing things down is easier for me. Feel free to place a comment (comments will be approved first, to avoid spam).
If you need a clean install of CentOS, check out the installer scripts I have created: https://github.com/nlmaca/Wowza_Installers These include the firewall (CSF), Java 11 and the Wowza installation. All you need is a valid license key or developer key.
Requirements
- CentOS 7.x server installed
- Wowza 4.8.x installed
- Firewall open ports: 8088, 8090, 443, 80, 1935
- a domain name pointing to your Wowza server (we need this for SSL activation)
What I will show you:
- Installation of letsencrypt on CentOS
- SSL converter to JKS file
- configuration of frontend (playback) and backend (enginemanager) over SSL
- Testing of playback URLs (VLC, JWPlayer)
Keep in mind:
- Your server may see an increase in virtual memory usage because of the SSL handling
- Always test this in your test environment first. Don't hold me responsible for it. This guide is provided as is.
Start of installation
Open an SSH connection to your server and run the scripts as root.
# update your server
yum update
yum install git
# clone the certbot repository and configure certbot
git clone https://github.com/certbot/certbot /opt/letsencrypt
cd /opt/letsencrypt
yum --enablerepo=extras install epel-release
yum install certbot
# create an SSL certificate. Change SUB.DOMAIN.EXT to the domain that points to your server
sudo -H ./letsencrypt-auto certonly --standalone -d SUB.DOMAIN.EXT
# Some questions will be asked. Fill them in accordingly.
# Answers to some of the questions:
enter email: set-your-email
agree TOS (Terms of Service): A
Share your email (up to you): N
Set two cron jobs so the SSL certificate will be renewed automatically.
# crontab -e (this edits root's own crontab, which has no user column)
@weekly cd /opt/letsencrypt && git pull >> /var/log/letsencrypt/letsencrypt-auto-update.log
@monthly /opt/letsencrypt/letsencrypt-auto certonly --quiet --standalone --renew-by-default -d SUB.DOMAIN.EXT >> /var/log/letsencrypt/letsencrypt-auto-update.log
# If you put these lines in /etc/crontab instead, add the user field "root" between the schedule and the command.
Wowza needs a JKS file, so we need to convert the SSL certificate we just created into one. On the GitHub page of robymus you can find the script. We will use version 0.1.
# Go to the wowza directory
cd /usr/local/WowzaStreamingEngine/lib
# Download the jar file in the lib directory
wget https://github.com/robymus/wowza-letsencrypt-converter/releases/download/v0.1/wowza-letsencrypt-converter-0.1.jar
# Create a jks file
java -jar wowza-letsencrypt-converter-0.1.jar -v /usr/local/WowzaStreamingEngine/conf/ /etc/letsencrypt/live/
# The jks file and jksmap.txt will be created in the /usr/local/WowzaStreamingEngine/conf/ directory.
We now need the contents of the jksmap.txt (copy them to a temporary notepad).
cat /usr/local/WowzaStreamingEngine/conf/jksmap.txt
# This will show you something like this:
SUB.DOMAIN.EXT={"keyStorePath":"/usr/local/WowzaStreamingEngine/conf/SUB.DOMAIN.EXT.jks", "keyStorePassword":"secret", "keyStoreType":"JKS"}
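The cron jobs above renew the certificate under /etc/letsencrypt/live, but nothing re-runs the converter, so Wowza keeps serving the old JKS (and eventually an expired one) until someone regenerates it by hand. The script below is an added example, not part of this tutorial or of the converter project: a certbot deploy hook that parses jksmap.txt, checks whether each keystore is older than the renewed cert.pem, and only then re-runs the converter and restarts Wowza. The paths are the ones used in this tutorial; the hook file name and the use of certbot's --deploy-hook option are my assumptions.

```python
"""Certbot deploy hook that refreshes the Wowza JKS after a renewal.

Added example (not from the tutorial or the converter project). Install it as
/usr/local/sbin/wowza-jks-refresh.py (assumed name) and run renewals with
  certbot renew --deploy-hook /usr/local/sbin/wowza-jks-refresh.py
or place it in /etc/letsencrypt/renewal-hooks/deploy/ so certbot runs it itself.
"""
import json
import os
import subprocess
import sys

WOWZA_HOME = "/usr/local/WowzaStreamingEngine"          # install path from the tutorial
CONVERTER = os.path.join(WOWZA_HOME, "lib", "wowza-letsencrypt-converter-0.1.jar")
LIVE_DIR = "/etc/letsencrypt/live"
JKSMAP = os.path.join(WOWZA_HOME, "conf", "jksmap.txt")


def parse_jksmap(text):
    """Parse jksmap.txt lines of the form DOMAIN={json} into {domain: settings}."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        domain, sep, body = line.partition("=")
        if not sep:
            continue                      # not a mapping line, skip it
        mapping[domain.strip()] = json.loads(body)
    return mapping


def keystore_is_stale(cert_pem, keystore):
    """True when the keystore is missing or older than the renewed cert.pem."""
    if not os.path.exists(keystore):
        return True
    return os.path.getmtime(cert_pem) > os.path.getmtime(keystore)


def domains_needing_refresh(mapping, live_dir=LIVE_DIR):
    """Return the domains whose JKS no longer matches the certificate on disk."""
    stale = []
    for domain, cfg in mapping.items():
        cert_pem = os.path.join(live_dir, domain, "cert.pem")
        if os.path.exists(cert_pem) and keystore_is_stale(cert_pem, cfg["keyStorePath"]):
            stale.append(domain)
    return stale


def refresh(domains):
    """Re-run the converter once and restart Wowza so the new JKS is loaded.

    Returns False when there was nothing to do, True after a refresh.
    """
    if not domains:
        return False
    # Same converter invocation as in the tutorial; it rewrites every JKS it finds.
    subprocess.check_call(["java", "-jar", CONVERTER, "-v",
                           os.path.join(WOWZA_HOME, "conf") + "/", LIVE_DIR + "/"])
    for svc in ("WowzaStreamingEngineManager", "WowzaStreamingEngine"):
        subprocess.check_call(["service", svc, "restart"])
    return True


if __name__ == "__main__":
    with open(JKSMAP) as fh:
        stale = domains_needing_refresh(parse_jksmap(fh.read()))
    if refresh(stale):
        print("refreshed keystore for: %s" % ", ".join(stale))
    else:
        print("keystore up to date, nothing to do")
    sys.exit(0)
```

The mtime comparison is deliberate: certbot only rewrites cert.pem when a renewal actually happened, so a daily `certbot renew` with this hook is harmless on the days nothing changes, and the Wowza restart only occurs when a new certificate is really there.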
Now we need to enable port 443 in the VHost.xml file.
You will see that the 443 HostPort is wrapped in comment tags, <!-- at the beginning and --> at the end. Remove those tags. Second, we have to change the KeyStorePath and KeyStorePassword in this part:
Before:
<SSLConfig>
    <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/keystore.jks</KeyStorePath>
    <KeyStorePassword>[password]</KeyStorePassword>
    <KeyStoreType>JKS</KeyStoreType>
    <DomainToKeyStoreMapPath></DomainToKeyStoreMapPath>
    <SSLProtocol>TLS</SSLProtocol>
    <Algorithm>SunX509</Algorithm>
    <CipherSuites></CipherSuites>
    <Protocols></Protocols>
    <AllowHttp2>false</AllowHttp2>
</SSLConfig>
And this is how it looks after we have changed the settings. Also make sure to change SUB.DOMAIN.EXT to your own domain name.
<SSLConfig>
    <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/SUB.DOMAIN.EXT.jks</KeyStorePath>
    <KeyStorePassword>secret</KeyStorePassword>
    <KeyStoreType>JKS</KeyStoreType>
    <DomainToKeyStoreMapPath></DomainToKeyStoreMapPath>
    <SSLProtocol>TLS</SSLProtocol>
    <Algorithm>SunX509</Algorithm>
    <CipherSuites></CipherSuites>
    <Protocols></Protocols>
    <AllowHttp2>false</AllowHttp2>
</SSLConfig>
Save the file after you have made the changes.
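Two mistakes are easy to make in this step: leaving the 443 HostPort inside the comment tags, and leaving the stock keystore.jks path or the [password] placeholder in place (Wowza then fails the TLS handshake on 443, or silently never listens there). The audit script below is an added example, not part of this tutorial or of Wowza. It parses a VHost.xml and reports, for each expected SSL port, whether an active HostPort exists and whether its SSLConfig still carries the defaults. The parser drops XML comments, so a HostPort that is still commented out simply does not show up, which is exactly the condition being checked. The sample VHost.xml fragments are constructed here and contain only the elements the checks need.

```python
"""Audit a Wowza VHost.xml for the SSL settings changed in this tutorial.

Added example (not from the tutorial or from Wowza). Usage:
  python audit_vhost.py /usr/local/WowzaStreamingEngine/conf/VHost.xml
Pass ssl_ports=(443, 1935) to audit_vhost() if you also enabled SSL on 1935.
"""
import sys
import xml.etree.ElementTree as ET

DEFAULT_KEYSTORE = "keystore.jks"        # stock path Wowza ships in VHost.xml
PLACEHOLDER_PASSWORD = "[password]"      # stock placeholder password


def audit_vhost(xml_text, ssl_ports=(443,)):
    """Return {port: [findings]} for every port in ssl_ports; an empty list is a pass."""
    root = ET.fromstring(xml_text)       # ElementTree skips <!-- --> comments
    findings = {port: [] for port in ssl_ports}
    seen = set()
    for hp in root.iter("HostPort"):
        port_text = (hp.findtext("Port") or "").strip()
        if not port_text.isdigit() or int(port_text) not in ssl_ports:
            continue
        port = int(port_text)
        seen.add(port)
        ssl = hp.find("SSLConfig")
        if ssl is None:
            findings[port].append("no SSLConfig block")
            continue
        path = (ssl.findtext("KeyStorePath") or "").strip()
        pwd = (ssl.findtext("KeyStorePassword") or "").strip()
        if path.endswith(DEFAULT_KEYSTORE):
            findings[port].append("KeyStorePath still points at the stock keystore.jks")
        if pwd in ("", PLACEHOLDER_PASSWORD):
            findings[port].append("KeyStorePassword is empty or still the [password] placeholder")
    for port in ssl_ports:
        if port not in seen:
            findings[port].append("no active HostPort for this port (still commented out?)")
    return findings


# Constructed sample: the shipped state, with the 443 HostPort still commented out.
SAMPLE_BEFORE = """<Root version="1">
  <VHost>
    <HostPortList>
      <HostPort>
        <Name>Default Streaming</Name>
        <Port>1935</Port>
      </HostPort>
      <!--
      <HostPort>
        <Name>Default SSL Streaming</Name>
        <Port>443</Port>
        <SSLConfig>
          <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/keystore.jks</KeyStorePath>
          <KeyStorePassword>[password]</KeyStorePassword>
          <KeyStoreType>JKS</KeyStoreType>
        </SSLConfig>
      </HostPort>
      -->
    </HostPortList>
  </VHost>
</Root>"""

# Constructed sample: the state after following the tutorial.
SAMPLE_AFTER = """<Root version="1">
  <VHost>
    <HostPortList>
      <HostPort>
        <Name>Default Streaming</Name>
        <Port>1935</Port>
      </HostPort>
      <HostPort>
        <Name>Default SSL Streaming</Name>
        <Port>443</Port>
        <SSLConfig>
          <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/SUB.DOMAIN.EXT.jks</KeyStorePath>
          <KeyStorePassword>secret</KeyStorePassword>
          <KeyStoreType>JKS</KeyStoreType>
        </SSLConfig>
      </HostPort>
    </HostPortList>
  </VHost>
</Root>"""


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BEFORE
    for port, problems in sorted(audit_vhost(text).items()):
        print("port %d: %s" % (port, "; ".join(problems) if problems else "ok"))
```

Run it against the real VHost.xml after editing and again after a Wowza upgrade: package updates can drop a fresh VHost.xml next to yours, and this check is quicker than noticing a dead 443 listener from the player side.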
The last thing before restarting is to change the Tomcat properties.
vi /usr/local/WowzaStreamingEngine/manager/conf/tomcat.properties
# Change the default values
#httpsPort=8090
#httpsKeyStore=conf/certificate.jks
#httpsKeyStorePassword=[password]
#httpsKeyAlias=[key-alias]
# TO:
httpsPort=8090
httpsKeyStore=/usr/local/WowzaStreamingEngine/conf/SUB.DOMAIN.EXT.jks
httpsKeyStorePassword=secret
#httpsKeyAlias=[key-alias]
Now we will restart Wowza.
service WowzaStreamingEngineManager restart
service WowzaStreamingEngine restart
The configuration is almost done.
Open your browser and, instead of http://wowza-server:8088/enginemanager, go to https://wowza-server:8090/enginemanager
That should give you a valid certificate. Also log in to the Engine Manager; we have to do some extra steps there.
Go to Server > Virtual Host Setup and click Edit
[Figure: Server > Virtual Host Setup, Edit]
If you don't see port 443 as a Host Port, create it and fill in the fields. Here you have to set the location of the SSL JKS file and the password. Change SUB.DOMAIN.EXT to your domain name.
Click Apply to save settings
If you want to stream over SSL on port 1935, also enable SSL there and set the same jks location and password.
At this point we are done. To be sure, restart Wowza or your complete server.
Playback URLs
Before:
http://SUB.DOMAIN.EXT:1935/vod/mp4:sample.mp4/playlist.m3u8
In this case I also enabled SSL for port 1935, so these are the new URLs I can use:
# SSL over port 1935
https://SUB.DOMAIN.EXT:1935/vod/mp4:sample.mp4/playlist.m3u8
# SSL over the default port (443)
https://SUB.DOMAIN.EXT/vod/mp4:sample.mp4/playlist.m3u8
Screenshot example.
I make use of the free edition of JWPlayer. I added the livestream URL (https) to the player and run the player via JavaScript on my website.
The second stream is the https stream in vlc.
Please feel free to give it a try. If you have any questions, just leave a comment.
If it doesn't work for you, give as much detail as possible ("It doesn't work" isn't enough).
Hello Friend.
I followed the step by step.
But I can’t send my video.
On my Adobe Live Encoder, the URL rtmp cannot connect to the server.
Did you enable SSL for port 1935? If yes, disable SSL in the virtualHost for port 1935 and you can connect again with your encoder. You can output your stream over port 443 then.
The other possibility is to add an extra Hostport which you will only use in your rtmp encoder
Example: Add Hostport 1900 (no ssl).
In csf add the TCP port to inbound
vi /etc/csf/csf.conf (search for your SSH port and you will find the line to be changed)
Example:
I added port 1900 as a hostport and added the port to the firewall
TCP_IN = "22,53,80,443,554,1935,1900,8084:8088,8090"
restart csf
csf -x
csf -e
And you should be able to connect on port 1900 from your encoder.
FMS Url: rtmp://YOUR-WOWZA-DOMAIN:1900/live
There are many ways to do a setup like this. Always check to what you connect. RTMP is NOT over SSL. So if your hostport is set to SSL, you will sure know where your problem is.
It worked friend, really perfect your tutorial.
After many years, I can now send my streaming video using LetsEncrypt’s SSL.
I really have no words to thank you.
You helped me a lot, my congratulations for sharing your knowledge.
I am very grateful to you, may God protect you friend !!!!!
You’re welcome.
Maybe you also want to try OBS. I prefer that above the old Adobe Encoder, https://obsproject.com/ It is freeware and pretty easy to set up. You can use almost the same settings for that. I think I have to write a separate tutorial for that haha
The Wowza Player gives this error:
https://www.wowza.com/community/questions/52011/this-live-event-has-ended-message.html
Can you help me?
VLC Works 100%
“this live event has ended” message
In Wowza Player…
Help me?
I discovered the error.
My live video streaming works using the SMIL Files feature.
However, when I activate the feature, which is already configured with these settings:
alencar > ALENCAR.smil
Live Single Server or Origin
Return to SMIL Files
Title: adaptive streaming
Streams in this SMIL file:
Source (src)     Language   Type
alencar_source   eng        video
alencar_h263     eng        video
alencar_720p     eng        video
alencar_360p     eng        video
alencar_240p     eng        video
alencar_160p     eng        video
But then the Wowza Player gives the error: “this live event has ended”
But if I put my URL in Wowza Player without SMIL Files, Wowza Player works as normal.
I can’t help you with the wowza player. I never use it. It’s best to get in contact with Wowza on this.
can you help me to use jwplayer?
I’m on the jwplayer website but it looks like it’s no longer free.
can’t you do a tutorial teaching how to use this player?
Hi Alencar,
Will see what I can do. JWPlayer can be used with the cloud player, but adjusting the player or running a self-hosted one is not possible anymore on the free account. I found another player which is free up until 10K impressions per month. Have to do some testing on that first.
If however you have a large audience I still would consider getting a paid subscription for JWPlayer.
edit: https://www.wowza.com/docs/use-theoplayer-with-wowza-streaming-engine should give you a good start on how to connect it to Wowza
Hello Friend,
Can you help me?
I’m trying to follow your step by step again.
In a Centos 7 with Wowza 4.8.5
However, in this step, this error happens:
[root@video letsencrypt]# sudo -H ./letsencrypt-auto certonly --standalone -d domain.com
Skipping bootstrap because certbot-auto is deprecated on this system.
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
Please visit https://certbot.eff.org/ to check for other alternatives.
[root@video letsencrypt]#
Hi Alencar, I already replied to you by email, but didn't see this comment until now. Will update the site when I have some time. In the meantime you can check the GitHub page for (most of the time) up to date installers.
https://github.com/nlmaca/Wowza_Installers
Hi, Excellent manual, but I think it needs to be updated. I got this error:
[root@wowza-base-15-01-21-c-32-64gib-sfo2-01 letsencrypt]# sudo -H ./letsencrypt-auto certonly --standalone -d gnodecws.com
Skipping bootstrap because certbot-auto is deprecated on this system.
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
Please visit https://certbot.eff.org/ to check for other alternatives.
Hi Andres,
My website indeed needs an update on this. Will do when I have some time. In the meantime check this page for updates. Sometimes updating a script is easier than updating my site.
https://github.com/nlmaca/Wowza_Installers
Need help on this sudo: ./letsencrypt-auto: command not found
Hi Boldbat,
have you checked this page? : https://github.com/nlmaca/Wowza_Installers/blob/master/CentOS/CentOS7_SSL.md
I do not support CentOS anymore, so you might have to find a solution yourself on updating/installing letsencrypt
Hi
One question, do I need to set record A of my domain pointing to the IP of wowza server??
Hi Andres,
When using an SSL certificate you need a domain name for it. If you don't use SSL a domain name is not needed. So with SSL an A record is fine.