AirenSoft / OvenSpace

OvenSpace is a Sub-Second Latency Streaming Demo Service using OvenMediaEngine, OvenPlayer, and OvenLiveKit.
https://space.ovenplayer.com/
MIT License

Launch OvenSpace (Advanced) #3

Open LydiaTM opened 2 years ago

LydiaTM commented 2 years ago

Hi!

I am trying to run OvenSpace with TLS certificates and Nginx, but the OvenMediaEngine server returns the following error:

[2022-03-09 17:20:30.157] E [SPAPIServer-T80:1916] OpenSSL | tls.cpp:193 | An error occurred while accept SSL connection: [OpenSSL] error:0A000418:SSL routines::tlsv1 alert unknown ca (167773208)
[2022-03-09 17:20:30.158] E [SPAPIServer-T80:1916] OpenSSL | tls_server_data.cpp:108 | An error occurred while accept TLS connection: error code: 1

I detail below the steps followed and the configuration set up.

NGINX CONFIGURATION

First I set up the recommended NGINX configuration and restart NGINX.

server {
    listen       443 ssl;
    server_name  my_domain;

    ssl_certificate /your/path/to/my_cert_file.crt;
    ssl_certificate_key /your/path/to/my_key_file.key;
    # TLSv1 and TLSv1.1 are deprecated; current browsers only need TLSv1.2 (and TLSv1.3)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers   on;

    # nginx terminates TLS and forwards plain HTTP to the OvenSpace Python app on port 5000
    location / {
        proxy_pass http://127.0.0.1:5000;
    }

    # Socket.IO needs the WebSocket upgrade headers passed through
    location /socket.io {
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_pass http://127.0.0.1:5000/socket.io;
    }
}

# Redirect plain HTTP to HTTPS
server {
    listen       80;
    server_name  my_domain;

    rewrite ^(.*) https://my_domain$1 permanent;
}

I generated the self-signed certificates with openssl for the machine, where server_name is the name of the machine.

OVENMEDIAENGINE CONFIGURATION

After that I make OvenMediaEngine's REST API Server, WebRTC Provider, and WebRTC Publisher work with TLS and restart OvenMediaEngine.

<Managers>
    <Host>
        <Names>
            <Name>*</Name>
        </Names>

        <TLS>
            <CertPath>path/to/my_cert_file.crt</CertPath>
            <!-- KeyPath must point at the private key file, not the certificate -->
            <KeyPath>path/to/my_key_file.key</KeyPath>
            <!-- <ChainCertPath>airensoft_com_chain.crt</ChainCertPath> -->
        </TLS>
    </Host>
    <API>
        <AccessToken>my_access_token</AccessToken>
    </API>
</Managers>

<Domain>
    <Names>
        <Name>*</Name>
    </Names>
    <TLS>
        <CertPath>path/to/my_cert_file.crt</CertPath>
        <KeyPath>path/to/my_key_file.key</KeyPath>
        <!-- <ChainCertPath>path/to/file.crt</ChainCertPath> -->
    </TLS>
</Domain>

OVENSPACE CONFIGURATION

Finally, I set up the OvenSpace configuration and run the .py file.

# Host name OvenSpace uses to reach OME; must match the name in the certificate
OME_HOST = 'machine_name'

# OME REST API (port 8082) over TLS
OME_API_ENABLE_TLS = 'true'
OME_API_PORT = '8082'
OME_API_ACCESS_TOKEN = 'access-token'

OME_VHOST_NAME = 'default'
OME_APP_NAME = 'app'
OME_STREAM_NAME = 'stream'

# WebRTC signalling (port 8333) over TLS for both ingest and playback
OME_WEBRTC_PROVIDER_ENABLE_TLS = 'true'
OME_WEBRTC_PROVIDER_PORT = '8333'

OME_WEBRTC_PUBLISHER_ENABLE_TLS = 'true'
OME_WEBRTC_PUBLISHER_PORT = '8333'

BROWSER CONSOLE

When I access the address 'https://machine_name' from the browser, it returns the following error in the browser console:

/getStreams:1 Failed to load resource: the server responded with a status of 500 (INTERNAL SERVER ERROR)
ovenspace.js:486 Could not get streams from OME.

OVENSPACE LOGS

The OvenSpace logs are as follows:

OVENMEDIAENGINE LOGS

Furthermore, in the OvenMediaEngine logs, I get the error mentioned at the beginning of this message:

[2022-03-09 17:20:30.157] E [SPAPIServer-T80:1916] OpenSSL | tls.cpp:193 | An error occurred while accept SSL connection: [OpenSSL] error:0A000418:SSL routines::tlsv1 alert unknown ca (167773208)
[2022-03-09 17:20:30.158] E [SPAPIServer-T80:1916] OpenSSL | tls_server_data.cpp:108 | An error occurred while accept TLS connection: error code: 1

SangwonOh commented 2 years ago

@LydiaTM Hi. Thank you for using OvenSpace.

You need to set up a chain cert in OME. Although it is not possible to confirm the structure of the certificate you have set, please set the ROOT CA and Intermediate CA separately as the chain cert. If you have any problems, detailed support is available in the OvenMediaEngine repository.

<Managers>
    <Host>
        <Names>
            <Name>*</Name>
        </Names>

        <TLS>
            <CertPath>path/to/my_cert_file.crt</CertPath>
            <!-- KeyPath must point at the private key file, not the certificate -->
            <KeyPath>path/to/my_key_file.key</KeyPath>
            <!-- enable this line and point it at the chain cert file -->
            <!-- <ChainCertPath>airensoft_com_chain.crt</ChainCertPath> -->
        </TLS>
    </Host>
    <API>
        <AccessToken>my_access_token</AccessToken>
    </API>
</Managers>

<Domain>
    <Names>
        <Name>*</Name>
    </Names>
    <TLS>
        <CertPath>path/to/my_cert_file.crt</CertPath>
        <KeyPath>path/to/my_key_file.key</KeyPath>
        <!-- enable this line and point it at the chain cert file -->
        <!-- <ChainCertPath>path/to/file.crt</ChainCertPath> -->
    </TLS>
</Domain>

LydiaTM commented 2 years ago

Thanks for your help!

I am new to the certificates issue and I don't know how to generate the intermediate certificate. Could you help me, please?

Thanks in advance.

SangwonOh commented 2 years ago

@LydiaTM Hi. It will depend on the type of certificate issued, but this may be your case.

The certificate you set in nginx may have the following structure. (ssl_certificate /your/path/to/my_cert_file.crt;)

-----BEGIN CERTIFICATE-----
Your Domain CA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate CA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOT CA
-----END CERTIFICATE-----

This is the chain cert. You can set this cert to <ChainCertPath>path/to/file.crt</ChainCertPath>.

And you can make a new file, something like my-cert.crt, and paste the first section of the chain cert into it.

-----BEGIN CERTIFICATE-----
Your Domain CA
-----END CERTIFICATE-----

And set this cert file to <CertPath>path/to/my_cert_file.crt</CertPath>.

I hope this helps. As mentioned earlier, there are various methods depending on the type of certificate issued. I can only help up to the point above.
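The file split described in the reply above, carried out in code. This is an added example, not code from OvenSpace or from the reply: it takes a combined PEM bundle (domain certificate first, then intermediate and root CA), writes the first block to the file for <CertPath> and the remaining blocks to the file for <ChainCertPath>, and rejects a bundle with an unterminated or empty block such as a label pasted outside the BEGIN/END markers. The sample bundle is constructed from base64 labels and is not a real certificate chain.

```python
# Added example, not part of OvenSpace or the reply above: split a combined
# PEM bundle (domain cert first, then intermediate and root CA) into the
# file for <CertPath> and the file for <ChainCertPath>. Stdlib only.
import base64
import re
import ssl
from pathlib import Path

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(BEGIN) + r".*?" + re.escape(END), re.DOTALL)


def split_pem_bundle(bundle_text):
    """Return (leaf_pem, chain_pem); the first block is taken as the domain cert.

    Each block is decoded with ssl.PEM_cert_to_DER_cert, so a body that is not
    base64 (binascii.Error is a ValueError) or is empty (a label pasted outside
    the markers) fails here instead of ending up in OME's config paths.
    """
    blocks = PEM_BLOCK.findall(bundle_text)
    if not blocks or bundle_text.count(BEGIN) != len(blocks):
        raise ValueError("missing or unterminated CERTIFICATE block in bundle")
    for block in blocks:
        if not ssl.PEM_cert_to_DER_cert(block):
            raise ValueError("empty CERTIFICATE block in bundle")
    leaf = blocks[0] + "\n"
    chain = "".join(block + "\n" for block in blocks[1:])
    return leaf, chain


def write_ome_cert_files(bundle_path, cert_out, chain_out):
    """Write the <CertPath> and <ChainCertPath> files; return the chain length."""
    leaf, chain = split_pem_bundle(Path(bundle_path).read_text())
    Path(cert_out).write_text(leaf)
    Path(chain_out).write_text(chain)
    return chain.count(BEGIN)


def _pem(payload):
    """Constructed stand-in for a certificate: base64 of a label, not real X.509."""
    return BEGIN + "\n" + base64.encodebytes(payload).decode("ascii") + END


# Constructed sample bundle in the layout shown in the reply (not a real chain).
SAMPLE_LEAF = _pem(b"constructed domain certificate")
SAMPLE_INTERMEDIATE = _pem(b"constructed intermediate CA")
SAMPLE_ROOT = _pem(b"constructed root CA")
SAMPLE_BUNDLE = "\n".join([SAMPLE_LEAF, SAMPLE_INTERMEDIATE, SAMPLE_ROOT])
```

After splitting a real bundle, the leaf goes to <CertPath>, the chain file to <ChainCertPath>, and the private key stays in <KeyPath>; the chain file never contains the key.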