Tutorial Tutorial Wowza 4.8.x – Ubuntu 18.04 – Letsencrypt

[Professor]

Tutorial Wowza 4.8.x – Ubuntu 18.04 – Letsencrypt​

Requirements

• Ubuntu 18.04 LTS server installed
• Wowza 4.8.x installed
• Firewall open ports: 8088, 8090, 443, 80, 1935
• a domainname pointing to your wowza server (we need this for SSL activation)

What will show you:

• Installation of letsencrypt on Ubuntu Server
• SSL converter to JKS file
• configuration of frontend (playback) and backend (enginemanager) over SSL
• Testing of playback url’s (vlc, jwplayer)

Keep in mind:

• Your server might have an increase of virtual memory because of the ssl encryption in your stream(s).
• Always test this in your test environment. Don’t keep me responsible for it. This is a guide as is.

Start of installation
Open an ssh connection to your Server and run scripts as root


Code:
# update your server
apt-get update && apt-get upgrade -y apt-get install git

# clone the certbot repository and configure certbot
git clone [URL]https://github.com/certbot/certbot[/URL] /opt/letsencrypt cd /opt/letsencrypt

# create an SSL certificate. change SUB.DOMAIN.EXT to the domain that points to your server
sudo -H ./letsencrypt-auto certonly --standalone -d SUB.DOMAIN.EXT

# Some questions will be asked. Fill them in accordingly
# Answer some of the questions:
```
enter email: set-your-email
agree TOS(Terms of Service): A
Share your email: (up to you): N
Set 2 cronjobs so the ssl certificate will be updated automatically

Code:
# crontab -e
@weekly root cd /opt/letsencrypt && git pull >> /var/log/letsencrypt/letsencrypt-auto-update.log @monthly root /opt/letsencrypt/letsencrypt-auto certonly --quiet --standalone --renew-by-default -d SUB.DOMAIN.EXT >> /var/log/letsencrypt/letsencrypt-auto-update.log

Wowza needs an JKS file. So we need to convert our just created ssl certificate to a JKS file. On the github page of robymus you can find the script. We will use version 0.1
Code:
# Go to the wowza directory cd /usr/local/WowzaStreamingEngine/lib

# Download the jar file in the lib directory
wget https://github.com/robymus/wowza-letsencrypt-converter/releases/download/v0.1/wowza-letsencrypt-converter-0.1.jar

# Create a jks file
java -jar wowza-letsencrypt-converter-0.1.jar -v /usr/local/WowzaStreamingEngine/conf/ /etc/letsencrypt/live/

# This file will be created in the /usr/local/WowzaStreamingEngine/conf/ directory (jksmap.txt and the jks file).
We now need the contents of the jksmap.txt (copy them to a temporary notepad).
Code:
cat /usr/local/WowzaStreamingEngine/conf/jksmap.txt

# This will show you something like this: SUB.DOMAIN.EXT={"keyStorePath":"/usr/local/WowzaStreamingEngine/conf/SUB.DOMAIN.EXT.jks", "keyStorePassword":"secret", "keyStoreType":"JKS"}
Now we need to enable 443 in the VHost.xml file
Code:
cd /usr/local/WowzaStreamingEngine/conf

vi VHost.xml
You will see that the 443 is in comment tags <!– and –> at the end of the HostPort. Remove those tags. Second is that we have to change the KeyStorePath and KeyStorePassword in this part

Before:
Code:

<SSLConfig>

<KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/keystore.jks</KeyStorePath>

<KeyStorePassword>[password]</KeyStorePassword>

<KeyStoreType>JKS</KeyStoreType>

<DomainToKeyStoreMapPath></DomainToKeyStoreMapPath>

<SSLProtocol>TLS</SSLProtocol>

<Algorithm>SunX509</Algorithm>

<CipherSuites></CipherSuites>

<Protocols></Protocols>

<AllowHttp2>false</AllowHttp2>

</SSLConfig>

And after we have changed the settings. Also make sure to change SUB.DOMAIN.EXT to your own domainname.
Code:
vi /usr/local/WowzaStreamingEngine/manager/conf/tomcat.properties

#Change the default values

#httpsPort=8090
#httpsKeyStore=conf/certificate.jks
#httpsKeyStorePassword=[password]
#httpsKeyAlias=[key-alias]

# TO:

httpsPort=8090
httpsKeyStore=/usr/local/WowzaStreamingEngine/conf/SUB.DOMAIN.EXT.jks
httpsKeyStorePassword=secret
#httpsKeyAlias=[key-alias]

Save the file after you have made the changes.

The last thing before restarting is to change the tomcat properties

Code:
vi /usr/local/WowzaStreamingEngine/manager/conf/tomcat.properties

#Change the default values

#httpsPort=8090
#httpsKeyStore=conf/certificate.jks
#httpsKeyStorePassword=[password]
#httpsKeyAlias=[key-alias]

# TO:

httpsPort=8090
httpsKeyStore=/usr/local/WowzaStreamingEngine/conf/SUB.DOMAIN.EXT.jks
httpsKeyStorePassword=secret
#httpsKeyAlias=[key-alias]

Now we will restart Wowza

service WowzaStreamingEngineManager restart service WowzaStreamingEngine restart

The configuration is almost done.

Open your browser and instead of using the http://wowza-server:8088/enginemanager now change this to https://wowza-server:8090/enginemanager

That should give you a valid certificate. Also login in to the enginemanager. We have to do some extra steps there.

Go to Server > Virtual Host Setup and click Edit



If you don’t see port 443 as a Host Port, create it and fill in the fields . Here you have to set the location of the SSL jks file and the password. Change SUB.DOMAIN.EXT to your domainname.


Click Apply to save settings

At this point we are done. To be sure restart wowza or your complete server.

Encoder configuration

Normally via Adobe Media Live or OBS you can stream via RTMP (which is not over ssl). So make sure to stream the http port (1935 by default is http)

If you want to use another port then 1935 add it as an host port and make sure to add the port also to your Firewall (inbound)

Playback url’s

Before:
http://SUB.DOMAIN.EXT:1935/vod/mp4:sample.mp4/playlist.m3u8
In this case i also enabled SSL for port 1935, so these are my new url’s i can use:
#SSL over the default port (443)
http://sub.domain.ext:1935/vod/mp4:sample.mp4/playlist.m3u8

The second stream is the https stream in vlc

Screenshot example.