Install SSL Letsencrypt on Wowza Server HLS Stream

I am running webserver / domain on HTTPS and Wowza Media Streaming Server on HTTP (Non-SSL) so I am getting Error for LIVE / VOD HLS stream Files “Cannot load M3U8: Unable to fetch HTTP resource over HTTPS”

HTTP stream
http://origin.domain.com:1935/live/myStream/playlist.m3u8

HTTPS stream – Needs to setup
https://origin.domain.com:1443/live/myStream/playlist.m3u8

Install Let’s Encrypt SSL Certificates
Free SSL Certbot

=> As I have installed SSL on NGINX … I am running NGINX webserver on 443 (HTTPS) … but wowza is not configured for SSL still

Try to find SSL key in Let’s Encrypt Certificate Directory

# ls /etc/letsencrypt/live
# ls /etc/letsencrypt/live/origin.domain.com
cert.pem chain.pem fullchain.pem privkey.pem README

cert.pem: Server Certificate
chain.pem: Root and Intermediate Certificates
fullchain.pem: Combination of Server, Root and Intermediate Certificates (replaces cert.pem and chain.pem)
privkey.pem: Private Key (don’t share)

# stat /etc/letsencrypt/live/origin.domain.com/fullchain.pem
File: ‘/etc/letsencrypt/live/origin.domain.com/fullchain.pem’ -> ‘../../archive/origin.domain.com/fullchain3.pem’
Size: 50 Blocks: 0 IO Block: 4096 symbolic link
Device: ca01h/51713d Inode: 2754252 Links: 1

Wowza Configuration

Special Thanks to Robymus who made java converter file “wowza-letsencrypt-converter” to convert SSL to an JKS file.

# cd /usr/local/WowzaStreamingEngine/lib
# wget https://github.com/robymus/wowza-letsencrypt-converter/releases/download/v0.1/wowza-letsencrypt-converter-0.1.jar

– The letsencrypt-live-path parameter defaults to /etc/letsencrypt/live

Make sure you have Java 8 installed

# apt-get install oracle-java8-installer

# cd /usr/local/WowzaStreamingEngine/lib
# java -jar wowza-letsencrypt-converter-0.1.jar -v /usr/local/WowzaStreamingEngine/conf/ /etc/letsencrypt/live/

Make sure you will have below files in /usr/local/WowzaStreamingEngine/conf/

– origin.domain.com.jks
– jksmap.txt

– File jksmap.txt have domain to keystore mapping will be used in the VHost.xml of Wowza Streaming Engine.
– JKS password will be ‘secret’.

Now update Wowza file /usr/local/WowzaStreamingEngine/conf/VHost.xml for Wowza HLS M3U8 file

Open Wowza VHost.xml and search 443 HostPort and comment out the <!– before HostPort and –> at the end of HostPort

I am using port 443 already for NGINX SSL HTTPS … so now I am using port 1443 for Wowza HLS M3U8

<!-- 443 with SSL -->
            <HostPort>
                <Name>Default SSL Streaming</Name>
                <Type>Streaming</Type>
                <ProcessorCount>${com.wowza.wms.TuningAuto}</ProcessorCount>
                <IpAddress>*</IpAddress>
                <Port>1443</Port>
                <HTTPIdent2Response></HTTPIdent2Response>
                <SSLConfig>
                    <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/origin.domain.com.jks</KeyStorePath>
                    <KeyStorePassword>secret</KeyStorePassword>
                    <KeyStoreType>JKS</KeyStoreType>
                    <DomainToKeyStoreMapPath></DomainToKeyStoreMapPath>
                    <SSLProtocol>TLS</SSLProtocol>
                    <Algorithm>SunX509</Algorithm>
                    <CipherSuites></CipherSuites>
                    <Protocols></Protocols>
                </SSLConfig>
                <SocketConfiguration>
                    <ReuseAddress>true</ReuseAddress>
                    <ReceiveBufferSize>65000</ReceiveBufferSize>
                    <ReadBufferSize>65000</ReadBufferSize>
                    <SendBufferSize>65000</SendBufferSize>
                    <KeepAlive>true</KeepAlive>
                    <AcceptorBackLog>100</AcceptorBackLog>
                </SocketConfiguration>
                <HTTPStreamerAdapterIDs>cupertinostreaming,smoothstreaming,sanjosestreaming,dvrchunkstreaming,mpegdashstreaming</HTTPStreamerAdapterIDs>
                <HTTPProviders>
                    <HTTPProvider>
                        <BaseClass>com.wowza.wms.http.HTTPCrossdomain</BaseClass>
                        <RequestFilters>*crossdomain.xml</RequestFilters>
                        <AuthenticationMethod>none</AuthenticationMethod>
                    </HTTPProvider>
                    <HTTPProvider>
                        <BaseClass>com.wowza.wms.http.HTTPClientAccessPolicy</BaseClass>
                        <RequestFilters>*clientaccesspolicy.xml</RequestFilters>
                        <AuthenticationMethod>none</AuthenticationMethod>
                    </HTTPProvider>
                    <HTTPProvider>
                        <BaseClass>com.wowza.wms.http.HTTPProviderMediaList</BaseClass>
                        <RequestFilters>*jwplayer.rss|*jwplayer.smil|*medialist.smil|*manifest-rtmp.f4m</RequestFilters>
                        <AuthenticationMethod>none</AuthenticationMethod>
                    </HTTPProvider>
                    <HTTPProvider>
                        <BaseClass>com.wowza.wms.http.HTTPServerVersion</BaseClass>
                        <RequestFilters>*</RequestFilters>
                        <AuthenticationMethod>none</AuthenticationMethod>
                    </HTTPProvider>
                </HTTPProviders>
            </HostPort>

Now Restart Wowza Server

# service WowzaStreamingEngine restart

Make sure you have also opened port 1443 on your firewall.

Now Wowza HLS M3U8 will work like HTTPS stream
https://origin.domain.com:1443/live/myStream/playlist.m3u8

Free SSL Certbot

Certbot, It was Let’s Encrypt Client previously. Automatically enable HTTPS on your website with EFF’s Certbot, deploying Let’s Encrypt certificates.

Server Support

– Apache
– Nginx
– Haproxy
– Plesk

OS Support

– Web Hosting Service
– Debian 7 (wheezy)
– Debian 8 (jessie)
– Debian 9 (stretch)
– Debian testing/unstable
– Debian (other)
– Ubuntu 17.04 (zesty)
– Ubuntu 16.10 (yakkety)
– Ubuntu 16.04 (xenial)
– Ubuntu 14.04 (trusty)
– Ubuntu (other)
– Gentoo
– Arch Linux
– Fedora 24+
– CentOS 6
– RHEL 6
– CentOS/RHEL 7
– FreeBSD
– OpenBSD 5.9
– OpenBSD 6.0+
– OpenBSD (other)
– macOS
– Devuan Jessie 1.0
– Devuan (other)
– Other UNIX
– Non-UNIX

Install on Ubuntu 17.04 (zesty) Apache

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache

Get Started https://certbot.eff.org/#ubuntutzesty-apache

$ sudo certbot --apache

$ sudo certbot --apache certonly

Automating renewal

$ sudo certbot renew --dry-run

$ sudo crontab -e

30 1 * * * /usr/bin/certbot renew --quiet

It will run renewal command at 1:30 am, every day.

Solution: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

$ sudo certbot --authenticator standalone --installer apache -d stream.domain.com --pre-hook "service apache2 stop" --post-hook "service apache2 start"

.
.
.

Congratulations! You have successfully enabled https://stream.domain.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=stream.domain.com

Activate Free SSL Certificate for Website – Cloudflare

Google will soon shame all websites that are unencrypted also Google count HTTPS for ranking factor. Cloudflare provide Free SSL Certificate in your website DNS system. You just need to edit your DNS records / Name-servers

Cloudflare HTTPS protects website from Security Vulnerabilities and DDoS attacks.

Origin Server (Your Domain) ===== HTTP =====> CloudFlare ===== HTTPS =====> Visitors

Setting up your free Cloudflare Flexible SSL

1. Sign up to Cloudflare.com

2. Enter your domain name and Begin Scan

3. Verify all Your DNS Records for your domain

4. Select Free Cloudflare Plan then follow all steps

5. Change Your Nameservers in your domain control panel

6. Goto Crypto tab then activate free SSL. Choose Flexible Type.
Cloudflare will take approx 24 hours to activate new SSL certificate.

7. Other Cloudflare settings for caching

8. For wordpress websites add Page Rules in CloudFlare

You can use WordPress Plugins

CloudFlare Flexible SSL

Cloudflare

WordPress Force HTTPS

Really Simple SSL

SSL Insecure Content Fixer

OR

1. http://www.svnlabs.in/wp-admin/*
Always Online: On, Cache Level: Bypass

2. http://www.svnlabs.in/wp-login.php*
Always Online: On, Cache Level: Bypass

3. http://svnlabs.in/*
Forwarding URL: (Status Code: 301 – Permanent Redirect, Url: https://www.svnlabs.in/$1)

Free SSL