ant-media / Ant-Media-Server

Ant Media Server is a live streaming engine software that provides adaptive, ultra low latency streaming by using WebRTC technology with ~0.5 seconds latency. Ant Media Server is auto-scalable and it can run on-premise or on-cloud.
https://antmedia.io

Add password field for protected private certificate use-case #3526

Closed SelimEmre closed 2 years ago

SelimEmre commented 3 years ago

Add password field for protected private certificate use-case

mekya commented 3 years ago

Could you please give some more info about this issue?

SelimEmre commented 3 years ago

The current solution doesn't work with a private certificate key with password protection. Does it make sense to you?

mekya commented 3 years ago

Yes, it makes sense.

kylecauston commented 3 years ago

Hey guys,

To establish SSL connectivity between AntMedia and our product, we used to use a private key (generated by us) with a passphrase to create the required certificates to establish a secure connection. When we used to use this private key with the AntMedia enable_ssl.sh script in AMS 2.1, the script used to ‘succeed’ and tell us to use https to access the AntMedia web portal. In AMS 2.3, the enable_ssl.sh script succeeds in the same way, but we cannot access the web portal anymore.

Digging into the logs, we found the following error message:

INFO: The certificate [conf/fullchain.pem] or its private key [conf/privkey.pem] could not be processed using a JSSE key manager and will be given directly to OpenSSL
 Some of your private key files are encrypted for security reasons.
 In order to read them you have to provide the pass phrases.
 Enter password :
 Some of your private key files are encrypted for security reasons.
 In order to read them you have to provide the pass phrases.
 Enter password :
 Some of your private key files are encrypted for security reasons.
 In order to read them you have to provide the pass phrases.
 Enter password :

This message indicated to us that the passphrase that we were passing to the enable_ssl script does not get sent to OpenSSL correctly. Following this, we created a key with a blank passphrase, and that fixed the issue. This means that when we are commissioning our solution at a customer site, we would have to ask them to ensure that the private key that they provide us with has no pass phrase. We are currently investigating on our end if this is an acceptable solution too.
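
A pre-flight check for the failure described in the comment above, as an added example that is not part of the original thread or of Ant Media Server's code: it classifies a PEM private key as encrypted or not from its armor lines, so an encrypted key is caught before the SSL setup script is run. The function names and the sample files (real PEM armor, placeholder bodies, not real keys) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a PEM private key file without needing its passphrase.
# Only the PEM armor and headers are read; the key is never decrypted.

# Prints encrypted-pkcs8 | encrypted-legacy | unencrypted | no-key | unreadable.
# Returns 0 only when an unencrypted TLS private key is found.
pem_key_state() {
    file="$1"
    [ -r "$file" ] || { echo "unreadable"; return 2; }
    # PKCS#8 encrypted keys announce encryption in the BEGIN line itself.
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$file"; then
        echo "encrypted-pkcs8"; return 1
    fi
    # Traditional OpenSSL keys keep a normal BEGIN line and flag encryption
    # in a "Proc-Type" header placed before the base64 body.
    if grep -q -e '^Proc-Type: 4,ENCRYPTED' "$file"; then
        echo "encrypted-legacy"; return 1
    fi
    if grep -Eq -e '-----BEGIN ((RSA|EC|DSA) )?PRIVATE KEY-----' "$file"; then
        echo "unencrypted"; return 0
    fi
    echo "no-key"; return 2   # e.g. a certificate was passed instead of a key
}

# Constructed sample files: valid armor lines, placeholder base64 bodies.
write_samples() {
    dir="$1"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$dir/pkcs8-enc.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00000000000000000000000000000000' '' \
        'Q09OU1RSVUNURUQ=' '-----END RSA PRIVATE KEY-----' > "$dir/legacy-enc.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END PRIVATE KEY-----' > "$dir/plain.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$dir/cert.pem"
}

# Demo: classify each constructed sample, then clean up.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir"/*.pem; do
    printf '%s: %s\n' "${f##*/}" "$(pem_key_state "$f" || true)"
done
rm -rf "$demo_dir"
```
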

mekya commented 3 years ago

Hi @kylecauston,

Thank you for making this clear for us.

I understand your problem.

As a quick workaround solution, I can recommend changing the pass phrase in /usr/local/antmedia/conf/red5.properties file.

Check if it's working for you and please let me know.

mekya commented 2 years ago

Please also take a look at this solution -> https://github.com/ant-media/Ant-Media-Server/issues/4076#issuecomment-1141735170