ant-media / Ant-Media-Server

Ant Media Server is a live streaming engine software that provides adaptive, ultra low latency streaming by using WebRTC technology with ~0.5 seconds latency. Ant Media Server is auto-scalable and it can run on-premise or on-cloud.
https://antmedia.io

RTMP not serving full SSL Cert Chain #3899

Open GregBlaha opened 2 years ago

GregBlaha commented 2 years ago

Short description

RTMPS is enabled in my Ant Media Server install. I have SSL enabled using a custom certificate purchased through a third-party CA. It is working properly for HTTPS for the web interface.

When I go to stream using RTMPS over port 8443, I receive an error message on my streaming client stating "The RTMP server sent an invalid SSL certificate".

Environment

Steps to reproduce

  1. Enable SSL using the ./enable_ssl.sh script with a third-party cert
  2. Enable RTMPS via config files
  3. Attempt to stream to RTMPS ingest address
  4. Only the first part of the cert chain is served out, causing the client to distrust the cert

Expected behavior

The server should serve out the cert with the full chain allowing the streaming client to trust the cert and connect.

Actual behavior

The command openssl s_client -connect :8443 returns "verify error:num=20:unable to get local issuer certificate" after sending the server certificate (depth 0). None of the rest of the chain is sent.

The same command pointing at the HTTPS web interface, "openssl s_client -connect :443", returns the full four part certificate chain and the certificate is trusted.

Are they pulling from different keystores? I have tried rebuilding the keystore in every imaginable way, but cannot get it to serve out the full certificate chain (with intermediates and roots) over RTMPS.

Logs

Here is the log of the openssl connection to port 8443 and 443 for comparison:

https://pastebin.com/KwieW2Ed

muratugureminoglu commented 2 years ago

Hi @GregBlaha

The “unable to get local issuer certificate” error is an indication that the root certificates on the system are not working correctly. Is there any port forwarding or a load balancer/reverse proxy for port 443? Also, can you verify that you are using the same certificates for WWW and RTMPS? By the way, if you share your domain name, I can check it for you.

Regards.
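A shell helper, added here and not part of the original issue or of Ant Media Server, that turns the openssl s_client comparison from the report into a repeatable check and also answers the follow-up question of whether port 443 and port 8443 serve the same leaf certificate: it counts the certificates each endpoint sends, reads the verify return code, and compares the first PEM block byte for byte. The host name stream.example.test, the CA names and the PEM bodies are constructed placeholders.

```shell
# Parse `openssl s_client -showcerts` output: how many certificates did the server send?
count_chain_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true   # grep -c exits 1 on zero matches
}
# Extract the numeric "Verify return code" (0 = chain verified, 20 = issuer cert missing).
verify_return_code() {
    sed -n 's/^ *Verify return code: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}
# Keep only the first (leaf) PEM block so two endpoints can be compared byte for byte.
leaf_pem() {
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{exit}'
}
# Compare two captured s_client outputs. "leaf=same https_certs=4 rtmps_certs=1" means
# both listeners use the same keystore entry, but the RTMPS one omits the intermediates.
diagnose() {
    https_out=$1; rtmps_out=$2
    if [ "$(printf '%s\n' "$https_out" | leaf_pem)" = "$(printf '%s\n' "$rtmps_out" | leaf_pem)" ]
    then leaf=same; else leaf=different; fi
    printf 'leaf=%s https_certs=%s rtmps_certs=%s\n' "$leaf" \
        "$(printf '%s\n' "$https_out" | count_chain_certs)" \
        "$(printf '%s\n' "$rtmps_out" | count_chain_certs)"
}
# Live capture of one endpoint (hypothetical host). -servername sets SNI, which a reverse
# proxy in front of 443 may use to pick a different certificate than 8443 serves directly.
capture() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null
}
# Constructed samples mirroring the issue (fake PEM bodies, not real certificates).
SAMPLE_HTTPS='Certificate chain
 0 s:CN = stream.example.test
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-LEAF-CERT-BODY
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-INTERMEDIATE-CERT-BODY
-----END CERTIFICATE-----
---
Verify return code: 0 (ok)'
SAMPLE_RTMPS='Certificate chain
 0 s:CN = stream.example.test
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-LEAF-CERT-BODY
-----END CERTIFICATE-----
---
Verify return code: 20 (unable to get local issuer certificate)'
```

Against a live server run `diagnose "$(capture stream.example.test 443)" "$(capture stream.example.test 8443)"`; a verify return code of 20 on one port only, with `leaf=same`, points at a truncated chain on that listener rather than at the system's root store.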