SSL Cert for Wowza Streaming Engine

Status: RESOLVED FIXED
Component: Infrastructure & Operations :: WebOps: SSL and Domain Names
Reported: 3 years ago
Last modified: 3 years ago

People: Reporter: richard, Assigned: gozer

Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/325]

Attachments: 1 attachment

Description (Reporter, 3 years ago)

We need to enable SSL on wowza1.corpdmz.scl3.mozilla.com.  According to the Wowza documentation, StreamLock certs are the preferred method, described here:

http://www.wowza.com/forums/content.php?454-How-to-get-SSL-certificates-from-the-StreamLock-service#prerequisites

This, however, will require NAT so we have an accessible IP address for this machine.  This process also results in a cert for this machine in streamlock.net rather than mozilla.com.

There are also notes on using self-signed certs at: http://www.wowza.com/forums/content.php?435-How-to-create-a-self-signed-SSL-certificate

That process requires installation of a JDK rather than using native RedHat utilities to generate the cert.

Please advise the best way to proceed.

Updated (3 years ago): Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/325]

Comment 1 (Reporter, 3 years ago)

Correction:   This machine already has NAT (wowza1.scl3.mozilla.com - 63.245.214.154).

So now I just need advice on whether the Streamlock cert is as bad an idea as it seems.

...and if so,  how we create a more mozilla-standard cert for this box.

Updated by Assignee (3 years ago): Assignee: server-ops-webops → gozer
Updated by Reporter (3 years ago): Blocks: 1110526

Comment 2 (Assignee, 3 years ago)

Here you go, done, deployed, installed and all. (With a self-signed certificate)

https://wowza1.corpdmz.scl3.mozilla.com/

You'll get an SSL warning when doing that, as the cert uses the public name wowza1.scl3.mozilla.com, but the NAT isn't allowing HTTPS through yet.

Updated by Assignee (3 years ago):
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED

Comment 3 (Reporter, 3 years ago)

Gozer:

Thanks!  Looks like I need to file a bug to get the ports opened on the NAT.

Comment 4 (Peter Bengtsson [:peterbe])

Created attachment 8559481 [details]
Screenshot 2015-02-04 15.50.34.png

There's something fishy about this cert. When I load it in Firefox I get one of those "I understand the risks" dialogs.

I stupidly allowed the exemption on this and don't know how to reset that in Firefox. 

However the warning is clear when using Chrome.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

Comment 5 (Assignee, 3 years ago)

(In reply to Peter Bengtsson [:peterbe] from comment #4)
> Created attachment 8559481 [details]
> Screenshot 2015-02-04 15.50.34.png
> 
> There's something fishy about this cert. When I load it in Firefox I get one
> of those "I understand the risks" dialogs.

It's not fishy, it's just a standard warning about a self-signed certificate, not issued
by a trusted CA.

I figured since this is an internal service, it would be good enough. If there is a need for a real
CA-signed certificate later on, this can be accommodated as well.

Just needs to be requested. My understanding of this bug was just that *an* SSL cert was needed to unblock things.

Comment 6 (Peter Bengtsson [:peterbe])

Ah! Sorry, I jumped in quickly to try to help Richard.
Basically, Richard, if we're going to use this URL for production we're going to need to get a proper signed cert. If it's self-signed, one has to manually open one of its URLs (e.g. https://wowza1.corpdmz.scl3.mozilla.com/) and add an exception to your browser.

So, the question is, do we want to use this for realz?
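As an added example (not code from this bug, from Wowza's documentation, or from any of the commenters), the following POSIX shell script uses openssl, the native utility the description contrasts with the JDK route, to generate a self-signed certificate and then inspect it for the two separate things behind the browser warnings discussed in comments 2 to 6: the issuer being the subject itself (no trusted CA vouches for it) and the hostname in the URL not matching the name in the certificate. The hostnames are the ones from this bug reused as sample values; the key size, validity period and temporary file locations are my own choices, and an openssl 1.0.2 or newer binary is assumed.

```shell
#!/bin/sh
# Added example, not code from this bug or from Wowza. Assumes openssl 1.0.2+.

# make_self_signed CN SAN_HOST PREFIX
# Writes PREFIX.key and PREFIX.crt: a self-signed cert whose subject is CN and
# whose subjectAltName covers SAN_HOST. Browsers match the URL's hostname
# against the SAN, so a cert carrying only a CN is already one step short.
make_self_signed() {
  cn=$1; san=$2; out=$3
  cat > "$out.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $cn
[ext]
subjectAltName = DNS:$san
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$out.cnf" -keyout "$out.key" -out "$out.crt" 2>/dev/null
}

# cert_is_self_signed CRT: succeeds when issuer equals subject, i.e. nothing in
# the browser's trust store vouches for it and an "I understand the risks"
# dialog is the expected outcome until the cert is imported or replaced.
cert_is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# cert_matches_host CRT HOST: succeeds when HOST is covered by the cert's
# names, the same check a browser performs against the URL's hostname.
# "does match" never occurs in the negative output ("does NOT match").
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Constructed scenario mirroring comment 2: the cert carries the public name,
# but the service is reached through the corpdmz name, so even a CA-signed
# cert with this subject would still produce a name-mismatch warning.
demo() {
  work=$(mktemp -d)
  make_self_signed wowza1.scl3.mozilla.com wowza1.scl3.mozilla.com "$work/wowza1"
  crt=$work/wowza1.crt
  if cert_is_self_signed "$crt"; then
    echo "self-signed: expect a trust warning until the cert is imported or a CA-signed one replaces it"
  fi
  for host in wowza1.scl3.mozilla.com wowza1.corpdmz.scl3.mozilla.com; do
    if cert_matches_host "$crt" "$host"; then
      echo "$host: name matches"
    else
      echo "$host: name mismatch, a second warning independent of trust"
    fi
  done
  rm -rf "$work"
}

demo
```

The two checks are deliberately separate: adding a browser exception or importing the self-signed cert only addresses the trust check, while the name check depends on which hostname the URL uses, so a cert issued for the public name keeps warning on the corpdmz URL no matter who signed it.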

Comment 7 (Reporter, 3 years ago)

This instance is mostly for testing.  In the later stages of testing we'll be using it to stream an alternate version of the Monday Meeting to stage.   I think we're OK with a self-signed cert for now.

Is Roku choking on it?  Can Roku do SSL at all?
Flags: needinfo?(peterbe)

Comment 8 (Peter Bengtsson [:peterbe])

(In reply to Richard A Milewski[:richard] from comment #7)
> This instance is mostly for testing.  In the later stages of testing we'll
> be using it to stream an alternate version of the Monday Meeting to stage.  
> I think we're OK with a self signed cert for now.
> 
> Is Roku choking on it?  Can Roku do SSL at all?

A) I can't get it to play anything on HTTPS
B) I bet the answer is to do a bunch of Roku Developer forum research and reading pages of documentation.

We do set the cert [0] as per their instructions but that doesn't seem to work. I think all that does is the ability to be able to open httpS://air.mozilla.org/roku/categories.xml but it doesn't seem to help us be able to play httpS://d3fenhwk93s16g.cloudfront.net/xxxxxxxx/mp4.mp4 :(

[0] https://gist.github.com/peterbe/9a92f0a631b875d460c6
Flags: needinfo?(peterbe)

Comment 9 (Assignee, 3 years ago)

Since the SSL certificate work itself was done successfully, could this bug be cleared out of our queue, and the continuing conversation moved to a more appropriate bug?

Thanks!

Comment 10 (Reporter, 3 years ago)

Done!
Status: REOPENED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED