AirenSoft / OvenMediaEngine

OvenMediaEngine (OME) is a Sub-Second Latency Live Streaming Server with Large-Scale and High-Definition. #WebRTC #LLHLS
https://OvenMediaEngine.com/ome
GNU Affero General Public License v3.0

"tlsv1 alert unknown ca " #992

Closed gregfr closed 1 year ago

gregfr commented 1 year ago

Greetings

I have an issue that bothers me: I've set up OME with LE certificates, it works with https://demo.ovenplayer.com on my Chrome, but with httpie it gives:

http: error: SSLError: HTTPSConnectionPool(host='...', port=3334): Max retries exceeded with url: /app/live/llhls.m3u8 (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),)) 

and in OME's log:

E [SPRtcSig-T3334:12] OpenSSL | tls.cpp:193  | An error occurred while accept SSL connection: [OpenSSL] error:0A000418:SSL routines::tlsv1 alert unknown ca (167773208)

A check on SSLShopper says: The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. I'm afraid it could lead to some older browsers not working.

My OME config is not fancy:

<CertPath>/cert/cert.pem</CertPath> 
<KeyPath>/cert/key.pem</KeyPath>
<ChainCertPath>/cert/fullchain.pem</ChainCertPath>

Any idea?

Thanks in advance

Regards

getroot commented 1 year ago

Is LE Let's Encrypt? It works fine for OME. Double check that fullchain.pem is correct. And you tried to connect to the domain, right?

Please upload the full Server.xml and ovenmediaengine.log files to analyze the problem.

naanlizard commented 1 year ago

It sounds like they are testing with an out-of-date tester that doesn't recognize Let's Encrypt. I don't think it's a problem with OME

gregfr commented 1 year ago

Thanks for your answers. How would you check that fullchain.pem is correct?

I've tried the services listed here: https://geekflare.com/ssl-test-certificate ; some of these don't want to scan port 3334.

Also Cloudfront gives an error:

CloudFront wasn't able to connect to the origin.
We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.

To generate the cert files, I've used the same procedure which was working for nginx.

getroot commented 1 year ago

I haven't experienced anything wrong with my chain certificate, so I haven't tried to check if it's OK. I don't know about nginx, but they seem to use certificates where the site certificate and chain certificate are integrated. In OME, site certificate and chain certificate are separated. Does your chain certificate contain all the CAs?