OK, SSL with RTMPS works, but Screen Share is broken. They are working on it; 3.1.2 is waiting for a resolution. Thanks to Maxim for helping resolve the proxyType issue. That was the one thing all docs missed; the other was ports. I don’t think one document had a working config example for Openmeetings 3.1.1. Even the doc on RTMPS at the official website doesn’t work. This works! So enjoy a stress-free install using SSL.
To get SSL working with RTMPS you need to do the following:

If you want to use the free LetsEncrypt SSL, use the following; otherwise skip this and add your own valid cert from any location to the keystore. I add the LetsEncrypt part because I couldn’t find a single source that had this correct either. It took a bit to resolve.

Install LetsEncrypt; there are plenty of places that show you how to install it. Then do a cert-only install. You need to convert the cert to work with the keystore.

    cd /etc/letsencrypt/live/yourdomain

    # Java cacerts: you can add the x3-cross-sign.pem to it like this.
    # You have to download the x3-cross-sign.pem from the letsencrypt website.
    # The default Java password is: changeit
    keytool -importcert -file /etc/letsencrypt/live/yourdomain/x3-cross-sign.pem -keystore cacerts

    # Make new keystore
    #keytool -keysize 2048 -genkey -alias key -keyalg RSA -keystore keystore.jks

    # Make sure you append the x3-cross-sign.pem to the chain.pem or it will not work.
    openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out cert_and_key.p12 -name red5 -CAfile chain.pem -caname root

    # Import keys
    # -srcstorepass is the export password entered in the openssl step above;
    # -deststorepass and -destkeypass must match rtmps.keystorepass in red5.properties.
    keytool -importkeystore -deststorepass password -destkeypass password -destkeystore keystore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -srcstorepass d4h3j9nq1 -alias red5

    cp keystore.jks /opt/yourinstall/conf/keystore.jks
    cp keystore.jks /opt/yourinstall/conf/keystore.screen
    cp keystore.jks /opt/yourinstall/conf/truststore.jks

vi conf/red5.properties

    https.port=443
    rtmps.port=443
    rtmps.keystorepass=yourpass
    rtmps.keystorefile=conf/keystore.jks
    rtmps.truststorepass=yourpass
    rtmps.truststorefile=conf/truststore.jks

Make sure you set proxyType to none or it will not work.

vi webapps/openmeetings/public/config.xml

    <rtmpport>1935</rtmpport>
    <rtmpsslport>443</rtmpsslport>
    <useSSL>yes</useSSL>
    <protocol>https</protocol>
    <!-- NOTE: don’t use best like other docs say. It doesn’t work!! -->
    <proxyType>none</proxyType>

Now enable SSL in the jee-container.xml.
I copy the file appending .ssl and .html to allow quick changes.

vi conf/jee-container.xml

    <!-- Tomcat without SSL enabled
    <bean id="tomcat.server" class="org.red5.server.tomcat.TomcatLoader" depends-on="context.loader" init-method="start" lazy-init="true">
        <property name="webappFolder" value="${red5.root}/webapps" />
        <property name="connectors">
            <list>
                <bean name="httpConnector" class="org.red5.server.tomcat.TomcatConnector">
                    <property name="protocol" value="org.apache.coyote.http11.Http11NioProtocol" />
                    <property name="address" value="${http.host}:${http.port}" />
                    <property name="redirectPort" value="${https.port}" />
                </bean>
            </list>
        </property>
        <property name="baseHost">
            <bean class="org.apache.catalina.core.StandardHost">
                <property name="name" value="${http.host}" />
            </bean>
        </property>
        <property name="valves">
            <list>
                <bean id="valve.access" class="org.apache.catalina.valves.AccessLogValve">
                    <property name="directory" value="log" />
                    <property name="prefix" value="${http.host}_access." />
                    <property name="suffix" value=".log" />
                    <property name="pattern" value="common" />
                    <property name="rotatable" value="true" />
                </bean>
            </list>
        </property>
    </bean>
    -->

    <!-- Tomcat with SSL enabled -->
    <bean id="tomcat.server" class="org.red5.server.tomcat.TomcatLoader" depends-on="context.loader" init-method="start" lazy-init="true">
        <property name="webappFolder" value="${red5.root}/webapps" />
        <property name="connectors">
            <list>
                <bean name="httpConnector" class="org.red5.server.tomcat.TomcatConnector">
                    <property name="protocol" value="org.apache.coyote.http11.Http11NioProtocol" />
                    <property name="address" value="${http.host}:${http.port}" />
                    <property name="redirectPort" value="${https.port}" />
                </bean>
                <bean name="httpsConnector" class="org.red5.server.tomcat.TomcatConnector">
                    <property name="secure" value="true" />
                    <property name="protocol" value="org.apache.coyote.http11.Http11NioProtocol" />
                    <property name="address" value="${http.host}:${https.port}" />
                    <property name="redirectPort" value="${http.port}" />
                    <property name="connectionProperties">
                        <map>
                            <entry key="port" value="${https.port}" />
                            <entry key="redirectPort" value="${http.port}" />
                            <entry key="SSLEnabled" value="true" />
                            <entry key="sslProtocol" value="TLS" />
                            <entry key="keystoreFile" value="${rtmps.keystorefile}" />
                            <entry key="keystorePass" value="${rtmps.keystorepass}" />
                            <entry key="keystoreType" value="JKS" />
                            <entry key="truststoreFile" value="${rtmps.truststorefile}" />
                            <entry key="truststorePass" value="${rtmps.truststorepass}" />
                            <entry key="clientAuth" value="false" />
                            <!-- allowUnsafeLegacyRenegotiation=true permits unsafe legacy TLS renegotiation; Tomcat's default is false -->
                            <entry key="allowUnsafeLegacyRenegotiation" value="true" />
                            <entry key="maxKeepAliveRequests" value="${http.max_keep_alive_requests}"/>
                            <entry key="useExecutor" value="true"/>
                            <entry key="maxThreads" value="${http.max_threads}"/>
                            <entry key="acceptorThreadCount" value="${http.acceptor_thread_count}"/>
                            <entry key="processorCache" value="${http.processor_cache}"/>
                        </map>
                    </property>
                </bean>
            </list>
        </property>
        <property name="baseHost">
            <bean class="org.apache.catalina.core.StandardHost">
                <property name="name" value="${http.host}" />
            </bean>
        </property>
    </bean>

You can now start up red5 from init if you followed the install instructions. You should be able to connect to https://yourdomain.com. If it complains the cert is not valid then you missed something in the keystore process. This is the script I use to build my keystore from a cron job just before it expires automatically so it should work.

Good luck,
Jason