Note: SRS already supports an HTTPS server. You can refer to the HTTPS API (CN / EN) and HTTPS Live Streaming (CN / EN). This issue describes how to obtain SSL certificates automatically.
You can also use the default self-signed SSL certificates; search the wiki for thisisunsafe.
For the HTTPS API or HTTPS streaming, you must have a domain name (from a registrar such as GoDaddy or AWS Route 53) and an SSL certificate, obtained in one of two ways:
API: obtain the SSL certificate from a CA's API, such as letsencrypt, using a client SDK. This is what this issue describes.
File: buy an SSL certificate from a CA such as ssls.com, download the private key and certificate files, and install them in SRS or Nginx, e.g. as conf/server.key and conf/server.crt.
CaddyServer supports automatic HTTPS via letsencrypt or ZeroSSL; both are free for single-domain certificates (not free for wildcard certificates).
Note that a wildcard certificate is much cheaper to buy from ssls.com, about $50/year, whereas ZeroSSL charges about $600/year.
It is very important to avoid any proxy in front of live streaming or WebRTC, because proxying consumes a lot of bandwidth and resources.
To support HTTPS API or streaming, it is necessary to register a domain. In China, you can purchase a domain from Alibaba Cloud or Tencent Cloud and complete the record filing process. Additionally, you will need an SSL certificate, which can be obtained through the following methods:
API: Obtain SSL certificates from an API, such as letsencrypt, and use a client SDK to call the service. This is what this issue describes.
Download as files: Usually, you can download a free certificate for a single domain from Alibaba Cloud or Tencent Cloud. Alternatively, you can purchase a wildcard certificate and download it, then configure it in SRS or Nginx using the files conf/server.key and conf/server.crt.
For personal websites, you can consider supporting integration with letsencrypt or ZeroSSL to automatically generate SSL certificates. Single domain certificates are free, while wildcard domain certificates are chargeable.
Note: For wildcard domains, it seems much cheaper to purchase them on ssls.com for only $50 per year, while on ZeroSSL it costs $600 per year. There may be some differences in the certificates they provide.
This must be supported natively by SRS, as using an HTTPS proxy for streaming media would have significant issues and low efficiency.
SRS cloud server now supports Let's Encrypt for automatic certificate issuance:
The certificate is valid for 3 months and a task will be initiated to automatically renew it after 30 days:
Automatic SSL certificates can be issued using the certbot webroot method:
First, you need to map your domain name to an IP address, for example, lh.ossrs.net mapped to your server x.x.x.x.
Next, SRS will automatically mount the path /.well-known/acme-challenge/ to the directory /usr/local/lighthouse/softwares/srs-terraform/mgmt/letsencrypt/.well-known/acme-challenge/, so that the files created by certbot can be fetched over HTTP.
Note: Be careful not to include the automatically created directory .well-known/acme-challenge/ in the webroot path.
Note: --register-unsafely-without-email skips the email address and applies for a certificate without one. It is less safe, but sufficient for most cases.
Note: --agree-tos agrees to the terms of service.
Note: -q or --quiet enables quiet mode; no interactive input is required.
Note: --preferred-challenges http uses HTTP validation instead of DNS validation.
This command does two things to verify that the domain is ours:
1. Write a temporary file to the webroot directory.
2. Request an SSL certificate from letsencrypt, which verifies the temporary file under the webroot.
For example, the written file is:
```
[root@VM-0-7-centos mgmt]# tree -a letsencrypt/.well-known/acme-challenge/
letsencrypt/.well-known/acme-challenge/
├── .gitkeep
└── .well-known
    └── acme-challenge
        └── aqUI1_zmhXKaCmMhKKgyAvY-L_MjzZ7G98DK1e6fvFQ
```
Note: The directory must not exist; otherwise certbot creates a subdirectory, as in this debug log:
```
2022-02-02 21:47:30,690:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /usr/local/lighthouse/softwares/srs-terraform/mgmt/letsencrypt/.well-known/acme-challenge/.well-known/acme-challenge/vZcxgngJ6q_vOslFiUkkd3lFPu6dlvQRaEJfIM9CUXs
```
After successful completion, it will prompt:
```
[root@VM-0-7-centos mgmt]# certbot certonly --webroot -w /usr/local/lighthouse/softwares/srs-terraform/mgmt/letsencrypt/ -d cvm.ossrs.net --register-unsafely-without-email --agree-tos
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for cvm.ossrs.net
Performing the following challenges:
http-01 challenge for cvm.ossrs.net
Using the webroot path /usr/local/lighthouse/softwares/srs-terraform/mgmt/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cvm.ossrs.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cvm.ossrs.net/privkey.pem
   Your certificate will expire on 2022-05-03. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```
You only need to run the following command periodically; it checks the certificate's expiry time and renews it within the last 30 days of validity:
```
certbot renew -q
```
After the certificate is renewed, you need to reload nginx.
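Putting the webroot procedure above together, here is an added shell example (not SRS's or certbot's own code): it issues the certificate with the same certbot flags, refuses a webroot path that already ends in .well-known/acme-challenge/ (the mistake that produces the doubled path in the debug log), includes a check for that symptom in a log line, and uses certbot's --deploy-hook so that later renewals reload nginx without a manual step. The domain, the webroot and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not SRS or certbot project code): certbot webroot issuance
# with guards for the pitfalls described above. Function names are mine.

# Validate the webroot passed to certbot -w. It must be the webroot itself;
# certbot appends .well-known/acme-challenge/ on its own, so a path that
# already ends there produces the doubled path seen in the debug log.
# Prints the path without its trailing slash; returns 1 on misuse.
check_webroot() {
  root="${1%/}"
  case "$root" in
    */.well-known/acme-challenge|*/.well-known)
      echo "refusing '$1': do not include .well-known/acme-challenge/" >&2
      return 1 ;;
    "") echo "empty webroot" >&2; return 1 ;;
  esac
  printf '%s\n' "$root"
}

# Where certbot writes the http-01 token for a given webroot and token name.
challenge_path() {
  printf '%s/.well-known/acme-challenge/%s\n' "${1%/}" "$2"
}

# Detection for the symptom in /var/log/letsencrypt/letsencrypt.log:
# returns 0 if a log line shows the doubled challenge directory.
is_doubled_path() {
  case "$1" in
    */.well-known/acme-challenge/.well-known/acme-challenge/*) return 0 ;;
  esac
  return 1
}

# Issue the certificate for DOMAIN with the flags from the procedure above.
# --deploy-hook is stored in the renewal config, so later "certbot renew -q"
# runs also reload nginx automatically after a successful renewal.
issue_cert() {
  domain="$1"
  webroot="$(check_webroot "$2")" || return 1
  certbot certonly --webroot -w "$webroot" -d "$domain" \
    --register-unsafely-without-email --agree-tos -q \
    --preferred-challenges http \
    --deploy-hook 'nginx -s reload'
}

# Usage (not run here):
# issue_cert cvm.ossrs.net /usr/local/lighthouse/softwares/srs-terraform/mgmt/letsencrypt/
```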
Solution
There are some solutions:
Reload Solution: use an external tool to generate an SSL certificate, then reload SRS, similar to Using Free Let's Encrypt SSL/TLS Certificates with NGINX.
Native Solution: implement the ACME protocol with a client SDK, as CaddyServer does.
SSL File
SRS cloud server now supports setting the Nginx SSL key and certificate:
LEGO
Please refer to LEGO.
Let's Encrypt
Certificate files:
```
/etc/letsencrypt/live/lh.ossrs.net/privkey.pem
/etc/letsencrypt/live/cvm.ossrs.net/cert.pem
```
Force update the certificate.
Delete the certificate.