Configuring SSL For Wowza Streaming Engine Using Letsencrypt On Windows 10

When it comes to SSL, self-signed certificates are not an option for anything beyond development-level testing. For real-world use you need a certificate issued by a trusted CA, either through Wowza's StreamLock service or from a third-party provider. Let's Encrypt is the most popular open certificate authority (CA) in the world today. In this article we will configure Wowza Streaming Engine with a Let's Encrypt SSL certificate on the Windows 10 operating system.

PREREQUISITES

  1. Certbot client for Windows
  2. Licensed & working copy of the latest Wowza Streaming Engine (4.8.x)
  3. Basic administrative rights on, and knowledge of, Windows
  4. A valid domain name & access to a domain management system to create a DNS record
  5. Webcam with microphone to publish a WebRTC stream

STEPS


REQUEST SSL CERTIFICATE


  • Install the Certbot client for Windows using the instructions and installer provided here.
  • Test the certbot client to ensure that it is working as expected.
    • Open a command prompt and type: certbot --help
    • The output will begin with:
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.

ENSURE ADMINISTRATIVE PRIVILEGES


Ensure that you have sufficient administrative privileges. This is needed to run shell commands with administrative permissions and also start/stop the Wowza streaming engine as needed.

  1. Make sure you have a licensed & working copy of Wowza Streaming Engine for Windows. In case you don't, you can get it here.
  2. Once you have obtained the software, follow these instructions to install it properly on your Windows system.
  3. Make sure all the necessary ports are open and that WSE & WSE Manager work normally over HTTP.

CREATE DNS A RECORD


  • Access your domain management system/control panel and go to the zone editor or DNS record management section.
  • Create a DNS A record for the domain or subdomain that you wish to use with Wowza Streaming Engine. The A record maps the FQDN to the public IP address of your WSE host.
  • Once the record is created you might have to wait from a few minutes to a few hours for propagation to complete, although nowadays it is usually quite fast.
  • If your ports are open and WSE is running, you should be able to reach the manager/engine via the FQDN over plain HTTP. This confirms that the DNS A record is working.

REQUEST SSL CERTIFICATE VIA LETSENCRYPT


  1. Start a shell session with administrative rights.
  2. Enter the following command to request an SSL certificate:
    PS C:\Windows\system32> certbot certonly --standalone --preferred-challenges http -d example.domain.com
    NOTE: There should be no process listening on port 80/443, because in standalone mode certbot binds the port itself to answer the HTTP challenge.
  3. Follow the on-screen instructions to get your SSL certificate.
  4. Your certificates and other relevant information are stored under the C:\Certbot directory.

GENERATE A JKS FILE FROM SSL CERTIFICATE PARTS


Although we now have the certificate files from Let's Encrypt, the job is not yet done! Wowza needs a JKS keystore, not the PEM files. We therefore need to convert the Let's Encrypt certificate to a JKS file. To do so we will be using a handy converter utility by robymus. Head over to the Releases section and download the latest jar file (wowza-letsencrypt-converter-0.2.jar).

  1. Ensure that your system has Java 8 (JDK). If not, go over to the Oracle downloads section and get it.
  2. Start a command prompt with administrative rights.
  3. Change directory to Wowza’s conf home (WOWZA_ROOT/conf).
  4. Move the downloaded jar file to this location (WOWZA_ROOT/conf).
  5. Execute the following command to generate the JKS file :
    java -jar wowza-letsencrypt-converter-0.2.jar -v ./ C:\Certbot\live
  6. The above command will output two files in your conf directory: jksmap.txt and example.domain.jks.
  7. You can edit the jksmap.txt file in a notepad and inspect the contents. We will be using some of these elements in our Wowza configuration files to enable SSL.

    example.domain.com={"keyStorePath":"C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.8.17+1\conf\.\example.domain.com.jks", "keyStorePassword":"secret", "keyStoreType":"JKS"}
  8. Personally, because of the Windows "Program Files" naming convention, I would move the JKS file to a shorter path such as C:\Certbot\wowza\example.domain.com.jks. (The spaces and parentheses in the Program Files path almost always cause issues.)

CONFIGURE WOWZA TO USE THE JKS FILE


  1. Navigate to wowza engine manager in the browser using the IP address or just 127.0.0.1.
  2. Login & proceed to Server settings => Virtual Host Setup.
  3. Under Basic click Edit


  4. Edit Default SSL Streaming & specify the following:
    1. Tick the Enable SSL/StreamLock option (even though we are using Let's Encrypt) to enable SSL.
    2. Specify the path to the JKS file under Keystore Path.
    3. Specify the keystore password (the "secret" value from jksmap.txt).
    4. Specify the port(s) to use for SSL streaming (I have used 1443). Whatever port you select, make sure it is allowed in your network firewall settings.
    5. Tick the Use WebRTC option if you want to use WebRTC.
    6. Once you are done, hit Apply.


    7. Make sure to save all the settings and restart the service/server.

      The other way to do this is to manually edit the WOWZA_HOME/conf/VHost.xml file, enable SSL and configure the values we saw in jksmap.txt. The Default SSL Streaming configuration section will look something like this:


    8. Finally, make sure all changes are saved and then restart the server or the service (if Wowza is installed as a service).

HLS PLAYBACK


You should now be able to play back HLS using the following URL format: https://example.domain.com:1443/live/test/playlist.m3u8
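To confirm that the SSL port is actually serving the Let's Encrypt certificate (and not a self-signed one), the following check performs a browser-style handshake against it. This is an added example written for this article, not code from the Wowza project or the converter utility; it assumes the host example.domain.com and port 1443 used above, and the 30-day renewal threshold is certbot's own default.

```python
import socket
import ssl
import sys
import time

RENEW_THRESHOLD_DAYS = 30  # certbot renews when fewer days than this remain


def summarize_cert(cert, now=None):
    """Reduce the dict returned by SSLSocket.getpeercert() to the fields that matter here."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
    days_left = int((not_after - now) // 86400)
    return {
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "issuer_org": issuer.get("organizationName"),
        "not_after": cert["notAfter"],
        "days_left": days_left,
        # Let's Encrypt certificates are valid for 90 days; after each renewal
        # the JKS converter has to be run again and Wowza restarted.
        "renew_due": days_left < RENEW_THRESHOLD_DAYS,
    }


def check_wowza_tls(host, port=1443, timeout=5.0):
    """Handshake with the Wowza SSL port the way a browser would: chain validation
    against the OS trust store plus hostname check. A self-signed or mis-mapped
    certificate is reported as a failure instead of being silently accepted."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result = summarize_cert(tls.getpeercert())
                result.update(ok=True, protocol=tls.version(), cipher=tls.cipher()[0])
                return result
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    # Placeholder host from the article; pass your own FQDN as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.domain.com"
    print(check_wowza_tls(target))
```

If the handshake fails with a verification error while the HLS URL still works in a browser that has a locally trusted root, the keystore most likely contains the self-signed or StreamLock certificate rather than the converted Let's Encrypt one.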

WebRTC Publish & Playback


For WebRTC publish and playback, first make sure you have allowed the application to publish & play back WebRTC streams under Applications -> {app name} -> WebRTC.


PUBLISHING WEBRTC


  1. Make sure your webcam + microphone setup is properly connected to your PC.
  2. Click on the Open WebRTC Publish Page option.
  3. Fill in all the required fields in the page displayed:
    • Signalling URL: wss://example.domain.com:1443/webrtc-session.json
    • Application Name: [app name] (e.g. live)
    • Stream Name: test
  4. Now click on the Publish button to start publishing.
  5. If everything is set up correctly, you will see the Publish button label change to Stop.

The signalling URL for Wowza is always wss://{SSL-ENABLED-DOMAIN-NAME}:1443/webrtc-session.json (substitute your own SSL port if you chose a port other than 1443).

Congratulations, you have enabled SSL on Wowza using Let's Encrypt!