Closed Bug 1124373 Opened 9 years ago Closed 9 years ago

SSL Cert for Wowza Streaming Engine

Categories

(Infrastructure & Operations :: SSL Certificates, task)

x86
macOS
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: richard, Assigned: gozer)

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/325] )

Attachments

(1 file)

We need to enable SSL on wowza1.corpdmz.scl3.mozilla.com.  According to the Wowza documentation StreamLock certs are the preferred method.  Described here:

http://www.wowza.com/forums/content.php?454-How-to-get-SSL-certificates-from-the-StreamLock-service#prerequisites

This, however, will require NAT so we have an accessible IP address for this machine. This process also results in a cert for this machine in streamlock.net rather than mozilla.com.

There are also notes on using self-signed certs at: http://www.wowza.com/forums/content.php?435-How-to-create-a-self-signed-SSL-certificate

That process requires installation of a JDK rather than using native RedHat utilities to generate the cert.

Please advise the best way to proceed.
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/325]
Correction:   This machine already has NAT (wowza1.scl3.mozilla.com - 63.245.214.154).

So now I just need advice on whether the Streamlock cert is as bad an idea as it seems.

...and if so,  how we create a more mozilla-standard cert for this box.
Assignee: server-ops-webops → gozer
Here you go, done, deployed, installed and all. (With a self-signed certificate)

https://wowza1.corpdmz.scl3.mozilla.com/

You'll get a SSL warning when doing that, as the cert uses the public name wowza1.scl3.mozilla.com, but the NAT isn't allowing HTTPS through yet.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Gozer:

Thanks!  Looks like I need to file a bug to get the ports opened on the NAT.
There's something fishy about this cert. When I load it in Firefox I get one of those "I understand the risks" dialogs.

I stupidly allowed the exemption on this and don't know how to reset that in Firefox. 

However the warning is clear when using Chrome.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(In reply to Peter Bengtsson [:peterbe] from comment #4)
> Created attachment 8559481 [details]
> Screenshot 2015-02-04 15.50.34.png
> 
> There's something fishy about this cert. When I load it in Firefox I get one
> of those "I understand the risks" dialogs.

It's not fishy, it's just a standard warning about a self-signed certificate, not issued
by a trusted CA.

I figured since this is an internal service, it would be good enough. If there is a need for a real
CA signed certificate later on, this can be accommodated as well.

Just needs to be requested. My understanding of this bug was just that *a* SSL cert was needed to unblock things.
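
Added example (not part of the bug or any commenter's work): the two separate causes of the browser warning discussed in this thread, a certificate name that does not match the URL and a self-signed issuer, reproduced with openssl alone. The hostnames are the two quoted in the bug; the file names and helper function names are assumptions, and OpenSSL 1.1.1 or later is assumed for `-addext`.

```shell
#!/bin/sh
# Added example, not from the bug: self-signed certs built with openssl only.
# Hostnames are the two quoted in the bug; file names are assumptions.
set -eu

PUBLIC_NAME="wowza1.scl3.mozilla.com"            # name reached through the NAT
INTERNAL_NAME="wowza1.corpdmz.scl3.mozilla.com"  # name used inside the DMZ

# make_cert <basename> <hostname>...  writes <basename>.key and <basename>.crt
# First hostname becomes the CN; every hostname goes into subjectAltName.
make_cert() {
    base="$1"; shift
    san=""
    for name in "$@"; do san="${san:+$san,}DNS:$name"; done
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" -addext "subjectAltName=$san" \
        -keyout "$base.key" -out "$base.crt" 2>/dev/null
    chmod 600 "$base.key"   # private key readable by owner only
}

# covers_host <cert> <hostname>: succeeds if the cert is valid for that name.
covers_host() {
    out=$(openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null || true)
    case "$out" in
        *"does match"*) return 0 ;;
        *)              return 1 ;;
    esac
}

# is_self_signed <cert>: succeeds if subject and issuer are the same name,
# so no trusted CA vouches for it and browsers warn regardless of hostname.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

WORK=$(mktemp -d)
make_cert "$WORK/public-only" "$PUBLIC_NAME"
make_cert "$WORK/both-names"  "$PUBLIC_NAME" "$INTERNAL_NAME"
for c in public-only both-names; do
    for h in "$PUBLIC_NAME" "$INTERNAL_NAME"; do
        covers_host "$WORK/$c.crt" "$h" && r=match || r=MISMATCH
        echo "$c.crt  $h  $r"
    done
done
```

Listing both names in subjectAltName removes the name mismatch, but the certificate stays self-signed, so clients still need an explicit trust exception until a CA-issued certificate replaces it.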
Ah! Sorry, I jumped in quickly to try to help Richard. 
Basically Richard, if we're going to use this URL for production we're going to need to get a proper signed cert. If it's self-signed one has to manually open one of its URLs (e.g. https://wowza1.corpdmz.scl3.mozilla.com/) and add an exception to your browser. 

So, the question is, do we want to use this for realz?
This instance is mostly for testing.  In the later stages of testing we'll be using it to stream an alternate version of the Monday Meeting to stage.   I think we're OK with a self signed cert for now.

Is Roku choking on it?  Can Roku do SSL at all?
Flags: needinfo?(peterbe)
(In reply to Richard A Milewski[:richard] from comment #7)
> This instance is mostly for testing.  In the later stages of testing we'll
> be using it to stream an alternate version of the Monday Meeting to stage.  
> I think we're OK with a self signed cert for now.
> 
> Is Roku choking on it?  Can Roku do SSL at all?

A) I can't get it to play anything on HTTPS
B) I bet the answer is to do a bunch of Roku Developer forum research and reading pages of documentation.

We do set the cert [0] as per their instructions but that doesn't seem to work. I think all that does is the ability to be able to open httpS://air.mozilla.org/roku/categories.xml but it doesn't seem to help us be able to play httpS://d3fenhwk93s16g.cloudfront.net/xxxxxxxx/mp4.mp4 :(

[0] https://gist.github.com/peterbe/9a92f0a631b875d460c6
Flags: needinfo?(peterbe)
Since the SSL certificate work itself was done successfully, could this bug be cleared out of our queue? And the continuing conversation moved to a more appropriate bug?

Thanks!
Done!
Status: REOPENED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED