Wowza 4.8.x – Ubuntu 20.04 LTS – Letsencrypt

I had many questions in my previous topic about the ssl configuration in Ubuntu or CentOS. So i decided to update this, create new installers and see if the configuration of SSL has changed. And indeed it had. I prefer Ubuntu myself, but i use CentOS as well. It’s up to you which OS you want to use. 

This second post will be the configuration of LetsEncrypt on Ubuntu 18.04 LTS

See this page: Wowza 4.8.x CentOS 7 Letsencrypt  for the CentOS version

Feel free to place a comment (comments will be approved first, to avoid spam).

If you need a clean install of Wowza Streaming Engine on Ubuntu 18.04 LTS  then checkout the installer scripts: https://github.com/nlmaca/Wowza_Installers which i have created  Those includes Firewall (CSF), Java 11 and Wowza installation. All you need is a valid license key or developer key. 

The procedure for 20.04 is almost the same except for the creation of the SSL certificate. Everything else is the same as on a Ubuntu 18.04 installation. I still decided to create a new post for this, just in case if specific OS problems occur.

Requirements

  • Ubuntu 20.04 LTS server installed
  • Wowza 4.8.x installed
  • Firewall open ports: 8088, 8090, 443, 80, 1935
  • a domainname pointing to your wowza server (we need this for SSL activation)

What will i show you:

  • Installation of letsencrypt on Ubuntu Server
  • SSL converter to JKS file
  • configuration of frontend (playback) and backend (enginemanager) over SSL
  • Testing  of playback url’s (vlc, jwplayer)

Keep in mind:

  • Your server might have an increase of virtual memory because of the ssl encryption in your stream(s).
  • Always test this in your test environment. Don’t keep me responsible for it. This is a guide as is.

Start of installation

Open an ssh connection to your Server and run scripts as root 

Note: Certbot-auto will not be supported on Ubuntu 20.04 so this command has slightly changed comparing to 18.04

# update your server
apt update && apt upgrade -y
apt install git
apt install certbot

# clone the certbot repository and configure certbot
git clone https://github.com/certbot/certbot /opt/letsencrypt
cd /opt/letsencrypt

# create an SSL certificate. change SUB.DOMAIN.EXT to the domain that points to your server
certbot certonly --standalone -d SUB.DOMAIN.EXT

# Some questions will be asked. Fill them in accordingly
# Answer some of the questions:
```
enter email: set-your-email
agree TOS(Terms of Service): A
Share your email: (up to you): N

Set 2 cronjobs so the ssl certificate will be updated automaticly

# crontab -e
@weekly root cd /opt/letsencrypt && git pull >> /var/log/letsencrypt/letsencrypt-auto-update.log
@monthly root /opt/letsencrypt/ certbot certonly --quiet --standalone --renew-by-default -d SUB.DOMAIN.EXT >> /var/log/letsencrypt/letsencrypt-auto-update.log

Wowza needs an JKS file. So we need to convert our just created ssl certificate to a JKS file. On the github page of robymus you can find the script. We will use version 0.1

# Go to the wowza directory
cd /usr/local/WowzaStreamingEngine/lib 

# Download the jar file in the lib directory
wget https://github.com/robymus/wowza-letsencrypt-converter/releases/download/v0.1/wowza-letsencrypt-converter-0.1.jar

# Create a jks file
java -jar wowza-letsencrypt-converter-0.1.jar -v /usr/local/WowzaStreamingEngine/conf/ /etc/letsencrypt/live/

# This file will be created in the /usr/local/WowzaStreamingEngine/conf/ directory (jksmap.txt and the jks file).

We now need the contents of the jksmap.txt (copy them to a temporary notepad). 

cat /usr/local/WowzaStreamingEngine/conf/jksmap.txt

# This will show you something like this: SUB.DOMAIN.EXT={"keyStorePath":"/usr/local/WowzaStreamingEngine/conf/SUB.DOMAIN.EXT.jks", "keyStorePassword":"secret", "keyStoreType":"JKS"}

Now we need to enable 443 in the VHost.xml file

cd /usr/local/WowzaStreamingEngine/conf

vi VHost.xml

You will see that the 443 is in comment tags <!–  and –> at the end of the HostPort. Remove those tags.  Second is that we have to change the KeyStorePath and KeyStorePassword in this part

Before: 

<SSLConfig>
    <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/keystore.jks</KeyStorePath>
    <KeyStorePassword>[password]</KeyStorePassword>
    <KeyStoreType>JKS</KeyStoreType>
    <DomainToKeyStoreMapPath></DomainToKeyStoreMapPath>
    <SSLProtocol>TLS</SSLProtocol>
    <Algorithm>SunX509</Algorithm>
    <CipherSuites></CipherSuites>
    <Protocols></Protocols>
    <AllowHttp2>false</AllowHttp2>
</SSLConfig>

And after we have changed the settings. Also make sure to change SUB.DOMAIN.EXT to your own domainname.

<SSLConfig>
    <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/SUB.DOMAIN.EXT.jks</KeyStorePath>
    <KeyStorePassword>secret</KeyStorePassword>
    <KeyStoreType>JKS</KeyStoreType>
    <DomainToKeyStoreMapPath></DomainToKeyStoreMapPath>
    <SSLProtocol>TLS</SSLProtocol>
    <Algorithm>SunX509</Algorithm>
    <CipherSuites></CipherSuites>
    <Protocols></Protocols>
    <AllowHttp2>false</AllowHttp2>
</SSLConfig>

Save the file after you have made the changes. 

The last thing before restarting is to change the tomcat properties

vi /usr/local/WowzaStreamingEngine/manager/conf/tomcat.properties

#Change the default values

#httpsPort=8090
#httpsKeyStore=conf/certificate.jks
#httpsKeyStorePassword=[password]
#httpsKeyAlias=[key-alias]

# TO:

httpsPort=8090
httpsKeyStore=/usr/local/WowzaStreamingEngine/conf/SUB.DOMAIN.EXT.jks
httpsKeyStorePassword=secret
#httpsKeyAlias=[key-alias]

Now we will restart Wowza

systemctl restart WowzaStreamingEngineManager
systemctl restart WowzaStreamingEngine

The configuration is almost done. 

Open your browser and instead of using the http://wowza-server:8088/enginemanager now change this to https://wowza-server:8090/enginemanager

That should give you a valid certificate. Also login in to the enginemanager. We have to do some extra steps there. 

Go to Server > Virtual Host Setup and click Edit

 

 

 

 

 

Fig. 

If you don’t see port 443 as a Host Port, create it and fill in the fields . Here you have to set the location of the SSL jks file and the password. Change SUB.DOMAIN.EXT to your domainname. 

 

 

 

 

 

 

 

 

 

Click Apply to save settings

At this point we are done. To be sure restart wowza or your complete server. 

Encoder configuration

Normally via Adobe Media Live or OBS you can stream via RTMP (which is not over ssl). So make sure to stream the http port (1935  by default is http)

If you want to use another port then 1935 add it as an host port and make sure to add the port also to your Firewall (inbound)

Playback url’s

Before:

http://SUB.DOMAIN.EXT:1935/vod/mp4:sample.mp4/playlist.m3u8

In this case i also enabled SSL for port 1935, so these are my new url’s i can use:

#SSL over the default port (443)
https://SUB.DOMAIN.EXT/vod/mp4:sample.mp4/playlist.m3u8

Screenshot example. 

I make use of a free edition of JWPlayer. I added the livestream url (https) in the player and run the player via a javascript on my website. 

The second stream is the https stream in vlc.

Click on the image for a larger view

 

 

 

 

 

Please feel free to give it a try. If you have any questions, just leave a comment. 

Troubleshooting

The ssl certificate can’t authenticate on port 80 ?

First check if the ports are open on your server: 

lsof -i -P -n | grep LISTEN

# it should return the open ports on your server.
sshd        2028            root    3u  IPv4  28753      0t0  TCP *:22 (LISTEN)
sshd        2028            root    4u  IPv6  28764      0t0  TCP *:22 (LISTEN)
systemd-r   4703 systemd-resolve   13u  IPv4  37166      0t0  TCP 127.0.0.53:53 (LISTEN)
java      658615            root   57u  IPv4 434159      0t0  TCP *:8088 (LISTEN)
java      658615            root   62u  IPv4 434163      0t0  TCP *:8090 (LISTEN)
java      658737            root   10u  IPv4 434357      0t0  TCP *:35501 (LISTEN)
java      658737            root  108u  IPv4 435335      0t0  TCP *:8087 (LISTEN)
java      658737            root  117u  IPv4 434496      0t0  TCP *:8083 (LISTEN)
java      658737            root  120u  IPv4 434511      0t0  TCP *:1935 (LISTEN)
java      658737            root  124u  IPv4 434515      0t0  TCP *:443 (LISTEN)
java      658737            root  128u  IPv4 434519      0t0  TCP *:8086 (LISTEN)

If it doesn’t show port 80,443,8090, 1935 you have to check your firewall to open these ports. 

Questions

Of course i’m willing to help, but i need information for that.  Which steps did you do, what is the error you get,  Then feel free to leave a comment. 

If the installation works for you i would also like to hear.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *