Install SSL Letsencrypt on Wowza Server HLS Stream

I am running the web server / domain on HTTPS and Wowza Media Streaming Server on HTTP (non-SSL), so I am getting this error for LIVE / VOD HLS stream files: “Cannot load M3U8: Unable to fetch HTTP resource over HTTPS”

HTTP stream

HTTPS stream – needs to be set up

Install Let’s Encrypt SSL Certificates
Free SSL Certbot

=> As I have installed SSL on NGINX … I am running the NGINX web server on 443 (HTTPS) … but Wowza is still not configured for SSL

Try to find SSL key in Let’s Encrypt Certificate Directory

# ls /etc/letsencrypt/live
# ls /etc/letsencrypt/live/
cert.pem chain.pem fullchain.pem privkey.pem README

cert.pem: Server Certificate
chain.pem: Root and Intermediate Certificates
fullchain.pem: Combination of Server, Root and Intermediate Certificates (replaces cert.pem and chain.pem)
privkey.pem: Private Key (don’t share)

# stat /etc/letsencrypt/live/
File: ‘/etc/letsencrypt/live/’ -> ‘../../archive/’
Size: 50 Blocks: 0 IO Block: 4096 symbolic link
Device: ca01h/51713d Inode: 2754252 Links: 1

Wowza Configuration

Special thanks to Robymus, who made the Java converter “wowza-letsencrypt-converter” to convert the SSL certificates to a JKS file.

# cd /usr/local/WowzaStreamingEngine/lib
# wget

– The letsencrypt-live-path parameter defaults to /etc/letsencrypt/live

Make sure you have Java 8 installed

# apt-get install oracle-java8-installer

# cd /usr/local/WowzaStreamingEngine/lib
# java -jar wowza-letsencrypt-converter-0.1.jar -v /usr/local/WowzaStreamingEngine/conf/ /etc/letsencrypt/live/

Make sure the files below exist in /usr/local/WowzaStreamingEngine/conf/

– jksmap.txt

– The file jksmap.txt holds the domain-to-keystore mapping that will be used in the VHost.xml of Wowza Streaming Engine.
– JKS password will be ‘secret’.
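
Because the keystore password is the fixed value 'secret', file permissions are what actually protect the private key inside each JKS file. The script below is an added example, not part of the original post or of the converter project: it audits jksmap.txt and the keystores it references. It assumes the map uses one `domain={"keyStorePath":..., "keyStorePassword":..., "keyStoreType":"JKS"}` entry per line; the function names and the example.com domains are made up for the illustration.

```shell
#!/bin/sh
# Added example: audit the keystores referenced by Wowza's jksmap.txt.
# ASSUMPTION (format not shown on the page): one entry per line, in the form
#   domain={"keyStorePath":"...", "keyStorePassword":"...", "keyStoreType":"JKS"}

# True when group or other have any permission bit set on the file.
exposed() { [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; }

# Pull one quoted JSON-style value out of a map line: field LINE KEY
field() { printf '%s\n' "$1" | sed -n 's/.*"'"$2"'" *: *"\([^"]*\)".*/\1/p'; }

# audit_jksmap MAPFILE [WOWZA_HOME]: prints findings, returns 1 if there are any.
audit_jksmap() (
    map=$1 home=${2:-/usr/local/WowzaStreamingEngine} bad=0
    report() { printf '%s\n' "$*"; bad=1; }
    if exposed "$map"; then report "PERMS $map"; fi   # the map holds passwords
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        domain=${line%%=*}
        pw=$(field "$line" keyStorePassword)
        # Expand the Wowza config variable if the path uses it.
        path=$(field "$line" keyStorePath |
            sed 's|\${com\.wowza\.wms\.context\.VHostConfigHome}|'"$home"'|')
        if [ ! -f "$path" ]; then report "MISSING $domain $path"; continue; fi
        if exposed "$path"; then report "PERMS $path"; fi
        # 'secret' is the converter's password, so it protects nothing by itself.
        if [ "$pw" = "secret" ]; then report "DEFAULTPW $domain"; fi
    done < "$map"
    return "$bad"
)

# Constructed sample: a.example.com has a world-readable keystore,
# b.example.com points at a keystore that does not exist.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/conf"
    : > "$d/conf/a.example.com.jks" && chmod 644 "$d/conf/a.example.com.jks"
    for h in a b; do
        printf '%s={"keyStorePath":"%s/conf/%s.jks", "keyStorePassword":"secret", "keyStoreType":"JKS"}\n' \
            "$h.example.com" '${com.wowza.wms.context.VHostConfigHome}' "$h.example.com"
    done > "$d/conf/jksmap.txt"
    chmod 600 "$d/conf/jksmap.txt"
    printf '%s\n' "$d"
}

sample=$(make_sample)
audit_jksmap "$sample/conf/jksmap.txt" "$sample" || echo "findings above need fixing"
```

On a real server, call `audit_jksmap /usr/local/WowzaStreamingEngine/conf/jksmap.txt` and restrict any file reported under PERMS to mode 600, owned by the account Wowza runs as.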

Now update Wowza file /usr/local/WowzaStreamingEngine/conf/VHost.xml for Wowza HLS M3U8 file

Open Wowza's VHost.xml, search for the 443 HostPort, and uncomment it by removing the <!-- before the HostPort and the --> at the end of the HostPort

I am using port 443 already for NGINX SSL HTTPS … so now I am using port 1443 for Wowza HLS M3U8

<!-- 443 with SSL -->
                <Name>Default SSL Streaming</Name>

Now Restart Wowza Server

# service WowzaStreamingEngine restart

Make sure you have also opened port 1443 on your firewall.

Now the Wowza HLS M3U8 will work as an HTTPS stream

Free SSL Certbot

Certbot was previously known as the Let’s Encrypt client. It automatically enables HTTPS on your website by deploying Let’s Encrypt certificates with EFF’s Certbot.

Server Support

– Apache
– Nginx
– Haproxy
– Plesk

OS Support

– Web Hosting Service
– Debian 7 (wheezy)
– Debian 8 (jessie)
– Debian 9 (stretch)
– Debian testing/unstable
– Debian (other)
– Ubuntu 17.04 (zesty)
– Ubuntu 16.10 (yakkety)
– Ubuntu 16.04 (xenial)
– Ubuntu 14.04 (trusty)
– Ubuntu (other)
– Gentoo
– Arch Linux
– Fedora 24+
– CentOS 6
– RHEL 6
– CentOS/RHEL 7
– FreeBSD
– OpenBSD 5.9
– OpenBSD 6.0+
– OpenBSD (other)
– macOS
– Devuan Jessie 1.0
– Devuan (other)
– Other UNIX
– Non-UNIX

Install on Ubuntu 17.04 (zesty) Apache

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache

Get Started

$ sudo certbot --apache

$ sudo certbot --apache certonly

Automating renewal

$ sudo certbot renew --dry-run

$ sudo crontab -e

30 1 * * * /usr/bin/certbot renew --quiet

This runs the renewal command at 1:30 am every day.

Solution: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

$ sudo certbot --authenticator standalone --installer apache -d --pre-hook "service apache2 stop" --post-hook "service apache2 start"


Congratulations! You have successfully enabled

You should test your configuration at: