My domain is secured with a cert, however, I am running an RTMP video streaming server in parallel to IIS 10 on port 8080. So to access this stream, the URL is my domain:8080/viewer.html. This URL however, is showing as unsecure on browsers.
Specifics: main web server is on port 80. nginx is on port 8080 and is the rtmp stream server.
Is there a simple way to add that port/server to the domain cert without having to get another separate cert?
When I hit the “+” in the certificate page, it won’t add it to the list.
Hi, so the domains list is only the list of domains that will be added to the certificate and it’s not anything to do with bindings (associating the cert with a specific port).
To use this certificate with your stream server you’ll need a deployment task (under Tasks) and you will need to decide how best to automate the deployment - either a script or exporting the file to a particular location. It will depend what your streaming software is and what format it expects the certificate file to be in. Some software (like IIS) can read certs from the computer certificate store, others need a particular file format.
Thanks, we have a project under way to improve our documentation for deployment tasks but in this case:
The path you set for each file should be the full destination path and filename of your choice e.g. for the fullchain.pem you might enter: C\certs\basspig\fullchain.pem
You need to click the Play button next to your task to run it, this will create the output files from your latest certificate.
The nginx, apache and Generic server deployment tasks only write the files out in the required format, they do not configure nginx etc for you, so you need to do that yourself. So you will need to investigate how to do that. For nginx this typically involves modifying your nginx.conf file server listen block. Future versions will have support for more automated deployment to nginx.
So if I understand correctly, I need to make a certs folder (does it have to be under C: root? or can it be under nginx\ ?) and then run the task to create the cert… but then I have to find out how to make nginx listen for the connection? Is that port 443/444 I need to set to listen?
Nah, you’re skim reading my reply you need to set the full filename to tell it where to write the files and what each should be called. You set a file name for each file you want to output, usually that would be the full chain file and the key file. You also need to create any folder you need e.g. if you want to use C:\nginx\certs then you need to create those folders.
Neither Certify nor nginx care which drive (or folder) you write the files to also long as they can both see that drive and have permission to write/read the files.
Then you need to configure nginx to point to those files in it’s configuration - so next time the renewal happens those files will have been automatically updated with the same name in the same location.
So for instance if you want your stream server on port 8080 to use a certificate (i.e. you don’t want to change the port) then you need to update the config to add the ssl stuff. So in your nginx.conf you perhaps have something a bit like:
server {
listen 8080;
server_name www.example.com;
}
and you need to add the ssl bits to turn that into https instead of http, then restart nginx:
Is the syntax correct? Did I make a mistake anywhere here?
I made the changes, restarted nginx and tried running the task and got the following error:
UPDATE: I found out that path does not mean folder. It means the full path including the certificate and key filenames. Made those changes and Certify the Web completed with no errors. I don’t know how long it takes to deploy. My stream is still not secure.
Hi, after you make a change to nginx configuration or to the certificate you need to restart or reload nginx. You can do this using the nginx reload command or just restart your machine.
Looking at your example config above you have two server listen blocks, one for www.basspig.com on port 8080 (with no ssl) and one for www.basspig.com on port 443, with ssl (which looks correct, although I assume you don’t have the ... in there as that just means “some other config you might have” and isn’t part of the config itself.
I also assume the port 443 site isn’t doing anything or is on a different machine to your normal website, because your normal website is using IIS and if they were on the same machine they would clash?
I don’t understand how your port 8080 site becomes related to the rtmp service. Is the port 8080 site just a web page or is it supposed to be the actual rtmp stream?
It might help if you post your entire nginx.confg contents (assuming there’s no passwords etc in there). Perhaps also describe how you have this setup in general - how many machines are there, if there is just one is it running both nginx and IIS? Could you just use IIS?
I’m running IIS 10 for the HTTP/S webserver and nginx per Doug Johnson’s setup for RTMP streaming. Therefore it has to be on port 8080 so not to clash with IIS on 80.
Here’s my nginx configuration:
#user nobody;
# multiple workers works !
worker_processes 2;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 8192;
# max value 32768, nginx recycling connections+registry optimization =
# this.value * 20 = max concurrent connections currently tested with one worker
# C1000K should be possible depending there is enough ram/cpu power
# multi_accept on;
}
server {
listen 8080;
server_name www.basspig.com;
}
server {
listen 443 ssl;
server_name www.basspig.com;
ssl_certificate C:/nginx/certs/www.basspig.com.crt;
ssl_certificate_key C:/nginx/certs/www.basspig.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
...
}
rtmp {
server {
listen 1935;
chunk_size 4096;
application live365 {
live on;
record off;
# record all;
# record_path /recordings;
# push rtmp://c:/nginx/srv/hls/stream1;
# push rtmp://a.rtmp.youtube.com/live2/0123-4567-89ab-cdef;
hls on;
hls_path /nginx/srv/hls/;
hls_fragment 3;
hls_playlist_length 60;
# uncomment the line below to prevent people from playing using RTMP
# deny play all;
}
}
}
http {
include mime.types;
server {
listen 8080;
location / {
root /nginx/srv/;
index index.html;
add_header Cache-Control no-cache; # Disable cache
}
}
}
Should I be adding the certificate lines under the port 8080 basspig section of the config?
If I recall, I did shut down nginx and restart it to read the modified conf file.
So the main thing is specifying ssl on the same line where you set the listening port, then also supplying the ssl_certificate and ssl_certificate_key files. There are lots of other options for things like ssl_ciphers, I have no idea if the example you are using for that is right or not though.
You would then access that service using https instead of http (to tell the browser to try an https connection instead of plain http).
I don’t think your port 443 listen block is going to do anything (or it may conflict with IIS) because IIS is already using port 443.
I changed the block of code and verified that those two cert files exist in the folder referenced by Certify and tried https but still getting “this site can’t provide a secure connection”. ERR_SSL_PROTOCOL_ERROR
I just realised the example config you pasted above has two sections which setup a listen for port 8080 (one at the top of the file and one at the bottom). I’d expect you only need one of those, perhaps get rid of the top one and configure the bottom one?
I don’t think your port 443 block is doing anything (IIS will be serving the real https on the default port 443, so nginx can’t be doing it as well on the same port).
Some folks are reporting they can not view my stream because their browser says my site is not safe and they click “back to safety”. So it would behoove me to get this certificate problem solved and get the :8080 server under the cert.
Sorry, while I can provide some general guidance I’m afraid I can’t actually configure your system for you, you’re going to have to dig deep and solve it or hire someone to solve it for you.
As the system administrator you need to really take the lead on working this out - there’s nothing technically wrong with anything Certify The Web has done, you just haven’t yet configured your system to use the certificate you have.
I don’t know anything about your RTMP service or what it’s supposed to do so I can’t really solve this on your behalf. I’ve pointed out that your config has multiple listen blocks for port 8080 and suggested that you get rid of the top one but you’re going to have to do the work to figure out the rest, I’d suggest jumping on a support forum for the RTMP server as perhaps someone with more specific experience there could help. You have your certificate files, so that part is taken care of, you just need to figure out how to use them.
I have had to pull that code from the nginx conf file tonight because for some reason, nginx terminated and when I tried to restart it it would not start.
2022/09/14 01:08:57 [emerg] 3168#5036: "server" directive is not allowed here in C:\nginx/conf/nginx.conf:22
2022/09/14 01:08:58 [emerg] 9224#10564: "server" directive is not allowed here in C:\nginx/conf/nginx.conf:22
you need to set the full filename to tell it where to write the files and what each should be called. You set a file name for each file you want to output, usually that would be the full chain file and the key file. You also need to create any folder you need e.g. if you want to use C:\nginx\certs then you need to create those folders.
