AirenSoft / OvenMediaEngine

OvenMediaEngine (OME) is a Sub-Second Latency Live Streaming Server with Large-Scale and High-Definition. #WebRTC #LLHLS
https://airensoft.com/ome.html
GNU Affero General Public License v3.0

OME not recognizing self signed certificate #1318

Closed dimiden closed 1 year ago

dimiden commented 1 year ago

Discussed in https://github.com/AirenSoft/OvenMediaEngine/discussions/1317

Originally posted by **Shutoparu** July 18, 2023

I am using a self-signed certificate on OME, but this keeps showing in the log (docker environment):

```
[2023-07-18 03:55:30.568] E [SPAPISvr-t8082:31] OpenSSL | tls.cpp:208 | An error occurred while accept SSL connection: [OpenSSL] error:0A000418:SSL routines::tlsv1 alert unknown ca (167773208)
```

I am using the following Server.xml. I'm not sure how I can get the chained certificate from a self-signed certificate, so for now I simply put the same certificate in there (pretty sure this is where it goes wrong).

```
OvenMediaEngine origin * stun.l.google.com:19302 1935 9999 1 3333 3334 *:3478 *:10000-10005/udp 3333 3334 *:3478 *:10000-10005/udp 3333 3334 1 8081 8082 * /etc/cert/server.crt /etc/cert/server.crt /etc/cert/server.key admin:admin default * /etc/cert/server.crt /etc/cert/server.crt /etc/cert/server.key app live bypass_stream ${OriginStreamName} 1 8 30000 false false 0.5 6 10 *
```

For the certificate, this is the command I ran (on MacOS):

```
openssl req -x509 -new -nodes -sha256 -utf8 -days 3650 -newkey rsa:2048 -keyout server.key -out server.crt -config ssl.conf
```

ssl.conf:

```
[req]
prompt = no
default_md = sha256
default_bits = 2048
distinguished_name = dn
x509_extensions = v3_req

[dn]
C = TW
ST = Taiwan
L = Taipei
O = Shutoparu
OU = Shuto test
emailAddress = my@email.com
CN = localhost

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.localhost
DNS.2 = localhost
IP.1 = 192.XXX.XXX.XXX
```

I'm new to all this stuff, so any help is appreciated. Thanks in advance.
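The post's open question is what belongs in the chain file when the leaf certificate is self-signed. The script below is an added example, not code from the issue or from OvenMediaEngine: it runs the same `openssl req` command with the same ssl.conf (the redacted IP is replaced by the constructed documentation address 192.0.2.10, and files live in a temporary directory), then uses the `openssl` CLI, which it assumes is installed, to show that the certificate's issuer equals its subject (so there is no intermediate for a chain file to carry), that pointing the chain path at server.crt merely repeats the leaf, that the certificate verifies with itself as trust anchor, and that the private key belongs to the certificate.

```shell
#!/bin/sh
# Added example, not code from the issue or from OvenMediaEngine.
# Reproduces the post's certificate generation in a temp directory and
# checks how server.crt and server.key relate, so the ChainCertPath
# question can be answered with openssl rather than by guessing.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# ssl.conf as in the post; the IP is a constructed 192.0.2.0/24 address.
write_ssl_conf() {
  cat > "$WORK/ssl.conf" <<'EOF'
[req]
prompt = no
default_md = sha256
default_bits = 2048
distinguished_name = dn
x509_extensions = v3_req

[dn]
C = TW
ST = Taiwan
L = Taipei
O = Shutoparu
OU = Shuto test
emailAddress = my@email.com
CN = localhost

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.localhost
DNS.2 = localhost
IP.1 = 192.0.2.10
EOF
}

# The post's openssl command, pointed at the temporary directory.
gen_cert() {
  openssl req -x509 -new -nodes -sha256 -utf8 -days 3650 -newkey rsa:2048 \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" \
    -config "$WORK/ssl.conf" 2>/dev/null
}

# 0 when issuer equals subject: the certificate signs itself, so there is
# no intermediate certificate that a chain file could carry.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# 0 when the first certificate in the chain file is the leaf itself, which
# is what putting server.crt in both the cert path and chain path produces.
chain_repeats_leaf() {
  leaf=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
  chain=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
  [ "$leaf" = "$chain" ]
}

# 0 when the leaf validates with itself as the only trust anchor, which is
# what a client checks once it has imported the self-signed certificate.
verify_self_signed() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# 0 when the private key's public half equals the certificate's public key;
# a mismatch fails the handshake before any chain question arises.
key_matches_cert() {
  [ "$(openssl pkey -in "$2" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$1" -noout -pubkey)" ]
}

# 0 when the given SAN entry (e.g. "DNS:localhost") is in the certificate.
has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}

write_ssl_conf
gen_cert
CRT="$WORK/server.crt"; KEY="$WORK/server.key"
is_self_signed "$CRT" && echo "self-signed: nothing to put in a chain file"
chain_repeats_leaf "$CRT" "$CRT" && echo "chain file == leaf: misconfigured"
verify_self_signed "$CRT" && echo "verifies against itself: OK"
key_matches_cert "$CRT" "$KEY" && echo "key matches certificate"
has_san "$CRT" "DNS:localhost" && echo "SAN contains DNS:localhost"
```

A self-signed certificate has no intermediates, so the chain path should be left unset rather than pointed at the leaf again. Note also what the logged alert means: `unknown ca` is sent by the connecting client when it cannot link the certificates the server presented to a trust anchor it holds, so after the server side is fixed the client still has to trust the self-signed certificate (by importing it) or the server needs a certificate issued by a CA the client already trusts.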
dimiden commented 1 year ago

@Shutoparu This issue occurred due to an incorrect certificate set in the `<ChainCertPath>`. As mentioned in #1317, there was an issue with errors occurring when `<ChainCertPath>` is not set, and it seems like you set server.crt due to this issue. I have just fixed this and committed f3cc17ecc097e1c798451eaf07494ab8197a7643.

getroot commented 1 year ago

The fix for this bug is part of the 0.15.14 release.