Install Let’s Encrypt SSL on Wowza Server for HLS Streams

I am running a web server / domain on HTTPS and Wowza Media Streaming Server on HTTP (non-SSL), so I am getting this error for LIVE / VOD HLS stream files: “Cannot load M3U8: Unable to fetch HTTP resource over HTTPS”

HTTP stream
http://origin.domain.com:1935/live/myStream/playlist.m3u8

HTTPS stream – needs to be set up
https://origin.domain.com:1443/live/myStream/playlist.m3u8

Install Let’s Encrypt SSL Certificates
Free SSL Certbot

=> I have already installed SSL on NGINX and am running the NGINX web server on 443 (HTTPS), but Wowza is still not configured for SSL.

Find the SSL key in the Let’s Encrypt certificate directory

# ls /etc/letsencrypt/live
# ls /etc/letsencrypt/live/origin.domain.com
cert.pem chain.pem fullchain.pem privkey.pem README

cert.pem: Server Certificate
chain.pem: Root and Intermediate Certificates
fullchain.pem: Combination of Server, Root and Intermediate Certificates (replaces cert.pem and chain.pem)
privkey.pem: Private Key (don’t share)

# stat /etc/letsencrypt/live/origin.domain.com/fullchain.pem
File: ‘/etc/letsencrypt/live/origin.domain.com/fullchain.pem’ -> ‘../../archive/origin.domain.com/fullchain3.pem’
Size: 50 Blocks: 0 IO Block: 4096 symbolic link
Device: ca01h/51713d Inode: 2754252 Links: 1

Wowza Configuration

Special thanks to Robymus, who made the Java converter “wowza-letsencrypt-converter” to convert the Let’s Encrypt SSL files to a JKS file.

# cd /usr/local/WowzaStreamingEngine/lib
# wget https://github.com/robymus/wowza-letsencrypt-converter/releases/download/v0.1/wowza-letsencrypt-converter-0.1.jar

– The letsencrypt-live-path parameter defaults to /etc/letsencrypt/live

Make sure you have Java 8 installed

# apt-get install oracle-java8-installer

# cd /usr/local/WowzaStreamingEngine/lib
# java -jar wowza-letsencrypt-converter-0.1.jar -v /usr/local/WowzaStreamingEngine/conf/ /etc/letsencrypt/live/

Make sure you now have the files below in /usr/local/WowzaStreamingEngine/conf/

– origin.domain.com.jks
– jksmap.txt

– The file jksmap.txt holds the domain-to-keystore mapping that will be used in the VHost.xml of Wowza Streaming Engine.
– The JKS password will be ‘secret’.

Now update the Wowza file /usr/local/WowzaStreamingEngine/conf/VHost.xml for the Wowza HLS M3U8 file

Open Wowza VHost.xml, search for the 443 HostPort, and uncomment it by removing the <!-- before HostPort and the --> at the end of HostPort

I am already using port 443 for NGINX SSL HTTPS, so I am now using port 1443 for Wowza HLS M3U8

<!-- 443 with SSL -->
            <HostPort>
                <Name>Default SSL Streaming</Name>
                <Type>Streaming</Type>
                <ProcessorCount>${com.wowza.wms.TuningAuto}</ProcessorCount>
                <IpAddress>*</IpAddress>
                <Port>1443</Port>
                <HTTPIdent2Response></HTTPIdent2Response>
                <SSLConfig>
                    <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/origin.domain.com.jks</KeyStorePath>
                    <KeyStorePassword>secret</KeyStorePassword>
                    <KeyStoreType>JKS</KeyStoreType>
                    <DomainToKeyStoreMapPath></DomainToKeyStoreMapPath>
                    <SSLProtocol>TLS</SSLProtocol>
                    <Algorithm>SunX509</Algorithm>
                    <CipherSuites></CipherSuites>
                    <Protocols></Protocols>
                </SSLConfig>
                <SocketConfiguration>
                    <ReuseAddress>true</ReuseAddress>
                    <ReceiveBufferSize>65000</ReceiveBufferSize>
                    <ReadBufferSize>65000</ReadBufferSize>
                    <SendBufferSize>65000</SendBufferSize>
                    <KeepAlive>true</KeepAlive>
                    <AcceptorBackLog>100</AcceptorBackLog>
                </SocketConfiguration>
                <HTTPStreamerAdapterIDs>cupertinostreaming,smoothstreaming,sanjosestreaming,dvrchunkstreaming,mpegdashstreaming</HTTPStreamerAdapterIDs>
                <HTTPProviders>
                    <HTTPProvider>
                        <BaseClass>com.wowza.wms.http.HTTPCrossdomain</BaseClass>
                        <RequestFilters>*crossdomain.xml</RequestFilters>
                        <AuthenticationMethod>none</AuthenticationMethod>
                    </HTTPProvider>
                    <HTTPProvider>
                        <BaseClass>com.wowza.wms.http.HTTPClientAccessPolicy</BaseClass>
                        <RequestFilters>*clientaccesspolicy.xml</RequestFilters>
                        <AuthenticationMethod>none</AuthenticationMethod>
                    </HTTPProvider>
                    <HTTPProvider>
                        <BaseClass>com.wowza.wms.http.HTTPProviderMediaList</BaseClass>
                        <RequestFilters>*jwplayer.rss|*jwplayer.smil|*medialist.smil|*manifest-rtmp.f4m</RequestFilters>
                        <AuthenticationMethod>none</AuthenticationMethod>
                    </HTTPProvider>
                    <HTTPProvider>
                        <BaseClass>com.wowza.wms.http.HTTPServerVersion</BaseClass>
                        <RequestFilters>*</RequestFilters>
                        <AuthenticationMethod>none</AuthenticationMethod>
                    </HTTPProvider>
                </HTTPProviders>
            </HostPort>

Now restart the Wowza server

# service WowzaStreamingEngine restart

Make sure you have also opened port 1443 on your firewall.

Now the Wowza HLS M3U8 will work as an HTTPS stream
https://origin.domain.com:1443/live/myStream/playlist.m3u8
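
The .jks is a one-time copy of the PEM files, so it goes stale when certbot renews the certificate. This added example (not part of the original post) is a certbot deploy hook that reruns the post's converter command, restricts the keystore file, restarts Wowza and checks that port 1443 serves the certificate on disk; the hook path, the 600 mode and the 15-second wait are assumptions.

```bash
#!/bin/bash
# Added example, not part of the original post. Assumed install path:
#   /etc/letsencrypt/renewal-hooks/deploy/wowza-jks.sh
# certbot runs deploy hooks after a successful renewal and exports
# RENEWED_LINEAGE, e.g. /etc/letsencrypt/live/origin.domain.com
WOWZA_HOME=/usr/local/WowzaStreamingEngine
LE_LIVE=/etc/letsencrypt/live
DOMAIN=origin.domain.com
PORT=1443

# Succeeds when the keystore is missing or older than the PEM it was built
# from. -nt follows the live/ symlink into archive/, so a renewal counts.
jks_is_stale() {            # $1 = fullchain.pem   $2 = keystore
    [ ! -f "$2" ] || [ "$1" -nt "$2" ]
}

# The keystore password used in the post is the well-known string 'secret',
# so file permissions are what actually guard the private key inside it.
# Assumption: Wowza runs as the user that owns the file.
lock_down() { chmod 600 "$1"; }

# SHA-256 fingerprint of the certificate on disk / presented on the port.
disk_fp() { openssl x509 -in "$LE_LIVE/$DOMAIN/cert.pem" -noout -fingerprint -sha256; }
served_fp() {
    openssl s_client -connect "$DOMAIN:$PORT" -servername "$DOMAIN" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

main() {
    pem="$LE_LIVE/$DOMAIN/fullchain.pem"
    jks="$WOWZA_HOME/conf/$DOMAIN.jks"
    jks_is_stale "$pem" "$jks" || return 0
    # Same converter invocation as in the post.
    java -jar "$WOWZA_HOME/lib/wowza-letsencrypt-converter-0.1.jar" \
        -v "$WOWZA_HOME/conf/" "$LE_LIVE/" || return 1
    lock_down "$jks" || return 1
    service WowzaStreamingEngine restart || return 1
    sleep 15    # assumed start-up time before the listener is back
    want=$(disk_fp)
    [ -n "$want" ] && [ "$want" = "$(served_fp)" ] && return 0
    echo "port $PORT is not serving the certificate on disk" >&2
    return 1
}

# Act only when certbot reports that this domain's lineage was renewed.
if [ "${RENEWED_LINEAGE:-}" = "$LE_LIVE/$DOMAIN" ]; then main; fi
```
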