Wowza 4.8.x – Ubuntu 18.04 – Letsencrypt

I had many questions in my previous topic about the ssl configuration in Ubuntu or CentOS. So i decided to update this, create new installers and see if the configuration of SSL has changed. And indeed it had. I prefer Ubuntu myself, but i use CentOS as well. It’s up to you which OS you want to use. 

This second post will be the configuration of LetsEncrypt on Ubuntu 18.04 LTS

See this page: Wowza 4.8.x CentOS 7 Letsencrypt  for the CentOS version

Feel free to place a comment (comments will be approved first, to avoid spam).

If you need a clean install of Wowza Streaming Engine on Ubuntu 18.04 LTS  then checkout the installer scripts: https://github.com/nlmaca/Wowza_Installers which i have created  Those includes Firewall (CSF), Java 11 and Wowza installation. All you need is a valid license key or developer key. 

Requirements

  • Ubuntu 18.04 LTS server installed
  • Wowza 4.8.x installed
  • Firewall open ports: 8088, 8090, 443, 80, 1935
  • a domainname pointing to your wowza server (we need this for SSL activation)

What will i show you:

  • Installation of letsencrypt on Ubuntu Server
  • SSL converter to JKS file
  • configuration of frontend (playback) and backend (enginemanager) over SSL
  • Testing  of playback url’s (vlc, jwplayer)

Keep in mind:

  • Your server might have an increase of virtual memory because of the ssl encryption in your stream(s).
  • Always test this in your test environment. Don’t keep me responsible for it. This is a guide as is.

Start of installation

Open an ssh connection to your Server and run scripts as root 

# update your server
apt-get update && apt-get upgrade -y
apt-get install git

# clone the certbot repository and configure certbot
git clone https://github.com/certbot/certbot /opt/letsencrypt
cd /opt/letsencrypt

# create an SSL certificate. change SUB.DOMAIN.EXT to the domain that points to your server
sudo -H ./letsencrypt-auto certonly --standalone -d SUB.DOMAIN.EXT

# Some questions will be asked. Fill them in accordingly
# Answer some of the questions:
```
enter email: set-your-email
agree TOS(Terms of Service): A
Share your email: (up to you): N

Set 2 cronjobs so the ssl certificate will be updated automaticly

# crontab -e
@weekly root cd /opt/letsencrypt && git pull >> /var/log/letsencrypt/letsencrypt-auto-update.log
@monthly root /opt/letsencrypt/letsencrypt-auto certonly --quiet --standalone --renew-by-default -d SUB.DOMAIN.EXT >> /var/log/letsencrypt/letsencrypt-auto-update.log

Wowza needs an JKS file. So we need to convert our just created ssl certificate to a JKS file. On the github page of robymus you can find the script. We will use version 0.1

# Go to the wowza directory
cd /usr/local/WowzaStreamingEngine/lib 

# Download the jar file in the lib directory
wget https://github.com/robymus/wowza-letsencrypt-converter/releases/download/v0.1/wowza-letsencrypt-converter-0.1.jar

# Create a jks file
java -jar wowza-letsencrypt-converter-0.1.jar -v /usr/local/WowzaStreamingEngine/conf/ /etc/letsencrypt/live/

# This file will be created in the /usr/local/WowzaStreamingEngine/conf/ directory (jksmap.txt and the jks file).

We now need the contents of the jksmap.txt (copy them to a temporary notepad). 

cat /usr/local/WowzaStreamingEngine/conf/jksmap.txt

# This will show you something like this: SUB.DOMAIN.EXT={"keyStorePath":"/usr/local/WowzaStreamingEngine/conf/SUB.DOMAIN.EXT.jks", "keyStorePassword":"secret", "keyStoreType":"JKS"}

Now we need to enable 443 in the VHost.xml file

cd /usr/local/WowzaStreamingEngine/conf

vi VHost.xml

You will see that the 443 is in comment tags <!–  and –> at the end of the HostPort. Remove those tags.  Second is that we have to change the KeyStorePath and KeyStorePassword in this part

Before: 

<SSLConfig>
    <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/keystore.jks</KeyStorePath>
    <KeyStorePassword>[password]</KeyStorePassword>
    <KeyStoreType>JKS</KeyStoreType>
    <DomainToKeyStoreMapPath></DomainToKeyStoreMapPath>
    <SSLProtocol>TLS</SSLProtocol>
    <Algorithm>SunX509</Algorithm>
    <CipherSuites></CipherSuites>
    <Protocols></Protocols>
    <AllowHttp2>false</AllowHttp2>
</SSLConfig>

And after we have changed the settings. Also make sure to change SUB.DOMAIN.EXT to your own domainname.

<SSLConfig>
    <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/SUB.DOMAIN.EXT.jks</KeyStorePath>
    <KeyStorePassword>secret</KeyStorePassword>
    <KeyStoreType>JKS</KeyStoreType>
    <DomainToKeyStoreMapPath></DomainToKeyStoreMapPath>
    <SSLProtocol>TLS</SSLProtocol>
    <Algorithm>SunX509</Algorithm>
    <CipherSuites></CipherSuites>
    <Protocols></Protocols>
    <AllowHttp2>false</AllowHttp2>
</SSLConfig>

Save the file after you have made the changes. 

The last thing before restarting is to change the tomcat properties

vi /usr/local/WowzaStreamingEngine/manager/conf/tomcat.properties

#Change the default values

#httpsPort=8090
#httpsKeyStore=conf/certificate.jks
#httpsKeyStorePassword=[password]
#httpsKeyAlias=[key-alias]

# TO:

httpsPort=8090
httpsKeyStore=/usr/local/WowzaStreamingEngine/conf/SUB.DOMAIN.EXT.jks
httpsKeyStorePassword=secret
#httpsKeyAlias=[key-alias]

Now we will restart Wowza

service WowzaStreamingEngineManager restart
service WowzaStreamingEngine restart

The configuration is almost done. 

Open your browser and instead of using the http://wowza-server:8088/enginemanager now change this to https://wowza-server:8090/enginemanager

That should give you a valid certificate. Also login in to the enginemanager. We have to do some extra steps there. 

Go to Server > Virtual Host Setup and click Edit

 

 

 

 

 

Fig. 

If you don’t see port 443 as a Host Port, create it and fill in the fields . Here you have to set the location of the SSL jks file and the password. Change SUB.DOMAIN.EXT to your domainname. 

 

 

 

 

 

 

 

 

 

Click Apply to save settings

At this point we are done. To be sure restart wowza or your complete server. 

Encoder configuration

Normally via Adobe Media Live or OBS you can stream via RTMP (which is not over ssl). So make sure to stream the http port (1935  by default is http)

If you want to use another port then 1935 add it as an host port and make sure to add the port also to your Firewall (inbound)

Playback url’s

Before:

http://SUB.DOMAIN.EXT:1935/vod/mp4:sample.mp4/playlist.m3u8

In this case i also enabled SSL for port 1935, so these are my new url’s i can use:

#SSL over the default port (443)
https://SUB.DOMAIN.EXT/vod/mp4:sample.mp4/playlist.m3u8

Screenshot example. 

I make use of a free edition of JWPlayer. I added the livestream url (https) in the player and run the player via a javascript on my website. 

The second stream is the https stream in vlc.

Click on the image for a larger view

 

 

 

 

 

Please feel free to give it a try. If you have any questions, just leave a comment. 

If it doesn’t work for you, try to give as much detail as possible. (It doesn’t work isn’t enough).

You may also like...

4 Responses

  1. Ian Liuzzi-Fedun says:

    While creating the cert I’m being told that it can’t bind to port 80. Would I have to stop any Wowza services while doing this?

    • maca says:

      Hi,
      you don’t have to stop wowza services, but did you open port 80 in your firewall? Otherwise letsencrypt can’t verify.

      • Ian Liuzzi-Fedun says:

        I’d say 80 is forwarded. Check it out: 96.56.138.34

        • maca says:

          When i check your ip, port 80 is closed. Port 443 and 1935 are open. Did you add port 80 to your firewall on your server? Forwarding is nog enough, that will only route port 80 to your server, but your server still blocks it.
          edit: or do you have something else running on port 80? That could also give you that notice
          update: problems were solved by Email.

Leave a Reply

Your email address will not be published. Required fields are marked *