Troubleshoot SSL/TLS certificate configuration for Wowza Streaming Engine

This article explains how to troubleshoot a Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificate and the configuration of Wowza Streaming Engine™ media server software to use an SSL/TLS certificate.

Troubleshoot StreamLock certificates


Hostname substitution

When you configure player applications to establish a secure connection to Wowza Streaming Engine, and you substitute the hostname for your domain in place of the StreamLock hostname that's associated with the StreamLock certificate in the call to NetConnection.connect([url]), clients that connect to your secure stream may receive the following security alert:

The certificate you are viewing does not match the name of the site you are trying to view.

StreamLock certificates are bound to the StreamLock.net domain; therefore, you must use the StreamLock hostname that's associated with the StreamLock certificate in the call to NetConnection.connect([url]).

If you must use your own domain name in [ssl-certificate-domain-name], then you must create your own SSL/TLS certificate. For more information about how to do this, see Create a self-signed SSL certificate for Wowza Streaming Engine.

Unable to connect to streamlock.net

If one or more clients report that they can't connect using a StreamLock certificate configuration, while the majority of clients don't have this problem, this is more than likely a problem with the DNS server on the client side.

For a StreamLock certificate to function properly, the client must be able to resolve the streamlock.net domain. In some cases, the DNS configuration associated with the client doesn't provide a record for streamlock.net, which prevents a successful connection. You can confirm this by issuing an nslookup command from the client computer at a command line:

nslookup [ssl-certificate-domain-name]

If the nslookup command doesn't return a response that includes the Wowza Streaming Engine server's IP address, this is evidence of a DNS problem.
 
Note: Depending on your firewall settings, you might also be able to test this by issuing a ping command from the client computer by entering the command ping streamlock.net on the command line. If the ping command doesn't return a response, this is evidence of a DNS problem.

Wowza makes every effort to ensure that streamlock.net records are available to all public DNS servers. Unfortunately, Wowza has no control over DNS propagation in the public domain, especially when it comes to privately managed DNS servers. As a test and workaround, we suggest using an alternative DNS configuration if a client can't connect.
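The DNS check above can be scripted so that a client-side support tool reports the same evidence the nslookup test gives: whether the StreamLock hostname resolves at all, and whether it resolves to the Wowza server's address. The following is an added example written for this article, not code shipped by Wowza. The hostname example-host.streamlock.net and the addresses 203.0.113.10 and 198.51.100.7 are constructed placeholders, and the resolver argument lets you substitute a stub (as nxdomain_resolver does) to exercise the failure path without a network.

```python
import socket
from typing import Callable, Iterable, List


def default_resolver(hostname: str) -> List[str]:
    """Resolve hostname through the system resolver, the same lookup path
    that nslookup on the client exercises. Returns the addresses in order,
    without duplicates."""
    addresses: List[str] = []
    for info in socket.getaddrinfo(hostname, None):
        ip = info[4][0]          # sockaddr tuple; first element is the address
        if ip not in addresses:
            addresses.append(ip)
    return addresses


def nxdomain_resolver(hostname: str) -> List[str]:
    """Constructed stand-in for a client resolver that has no record for the
    name, which is the streamlock.net failure case described in the article."""
    raise socket.gaierror(-2, "Name or service not known")


def check_dns(hostname: str, expected_ips: Iterable[str],
              resolver: Callable[[str], List[str]] = default_resolver) -> dict:
    """Report whether the client's DNS view of hostname points at one of the
    Wowza server's addresses. expected_ips may be empty, in which case only
    resolvability is checked."""
    expected = set(expected_ips)
    try:
        resolved = resolver(hostname)
    except socket.gaierror as exc:
        # No record returned: the client's DNS cannot see the name at all.
        return {"ok": False, "resolved": [], "reason": f"lookup failed: {exc}"}
    if not resolved:
        return {"ok": False, "resolved": [], "reason": "no addresses returned"}
    if expected and not expected.intersection(resolved):
        # The name resolves, but not to the server: stale or hijacked record.
        return {"ok": False, "resolved": resolved,
                "reason": "resolved addresses do not include the Wowza server IP"}
    return {"ok": True, "resolved": resolved,
            "reason": "hostname resolves to the Wowza server"}


if __name__ == "__main__":
    # Constructed demonstration values; replace with your StreamLock hostname
    # and your server's public IP address.
    for label, resolver in (("good", lambda h: ["203.0.113.10"]),
                            ("wrong address", lambda h: ["198.51.100.7"]),
                            ("no record", nxdomain_resolver)):
        print(label, check_dns("example-host.streamlock.net", ["203.0.113.10"], resolver))
```

Run it with the default resolver on the affected client and compare the verdict with a client that connects normally; a lookup failure or a wrong address on only the affected machine confirms the client-side DNS diagnosis.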

Test the SSL/TLS connection


Run an OpenSSL command to quickly confirm that you configured your SSL/TLS connection with Wowza Streaming Engine correctly.

  1. Open a Terminal window and execute one of the following OpenSSL commands, where [ssl-certificate-domain-name] is the domain name of the certificate.
    • Test the SSL/TLS connection to the server:
      openssl s_client -connect [ssl-certificate-domain-name]:443
    • Test the SSL/TLS connection to the server and display the certificate contents:
      openssl s_client -showcerts -connect [ssl-certificate-domain-name]:443
  2. Verify that you get a response that begins with CONNECTED and references the certificate.
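When you run the openssl s_client test repeatedly (for example after every configuration change), it helps to reduce its output to the two facts that matter: did it begin with CONNECTED, and what was the verify return code. The following is an added example written for this article, not Wowza's own tooling. It parses s_client output into those fields and, separately, performs the same handshake with Python's ssl module so you can see the negotiated protocol and cipher without OpenSSL installed. The sample outputs are constructed; wowza.example.com is a placeholder for your certificate's domain.

```python
import re
import socket
import ssl
import subprocess

# Constructed sample of a successful openssl s_client run (abridged).
SAMPLE_S_CLIENT_OK = """\
CONNECTED(00000003)
depth=1 C = US, O = Example Intermediate CA
verify return:1
depth=0 CN = wowza.example.com
verify return:1
---
Server certificate
subject=CN = wowza.example.com
issuer=C = US, O = Example Intermediate CA
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
---
Verify return code: 0 (ok)
---
"""

# Constructed sample where the server sent only the leaf certificate, so the
# chain cannot be built (the keystore is missing its certificate bundle).
SAMPLE_S_CLIENT_BAD_CHAIN = """\
CONNECTED(00000003)
depth=0 CN = wowza.example.com
verify error:num=21:unable to verify the first certificate
---
Server certificate
subject=CN = wowza.example.com
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
---
Verify return code: 21 (unable to verify the first certificate)
---
"""


def parse_s_client_output(text: str) -> dict:
    """Extract the CONNECTED marker, verify return code, negotiated protocol
    and cipher, and the server certificate subject from s_client output."""
    result = {"connected": text.lstrip().startswith("CONNECTED("),
              "verify_code": None, "verify_message": None,
              "protocol": None, "cipher": None, "subject": None}
    m = re.search(r"^Verify return code:\s*(\d+)\s*\((.*?)\)", text, re.M)
    if m:
        result["verify_code"] = int(m.group(1))
        result["verify_message"] = m.group(2)
    m = re.search(r"^New, (\S+), Cipher is (\S+)", text, re.M)
    if m and m.group(1) != "(NONE)":      # "(NONE)" means no handshake completed
        result["protocol"], result["cipher"] = m.group(1), m.group(2)
    m = re.search(r"^subject=(.*)$", text, re.M)
    if m:
        result["subject"] = m.group(1).strip()
    return result


def run_s_client(host: str, port: int = 443, timeout: float = 20.0) -> dict:
    """Run the article's openssl s_client command and parse its output.
    s_client reads stdin, so an empty input makes it exit after the handshake."""
    proc = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}",
                           "-servername", host],
                          input=b"", capture_output=True, timeout=timeout)
    return parse_s_client_output(proc.stdout.decode(errors="replace")
                                 + proc.stderr.decode(errors="replace"))


def tls_handshake(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Perform a verified TLS handshake with the standard library and report
    what a browser or player would see: protocol, cipher and verification result."""
    ctx = ssl.create_default_context()   # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"connected": True, "verified": True, "protocol": tls.version(),
                        "cipher": tls.cipher()[0], "subject": cert.get("subject"),
                        "reason": "ok"}
    except ssl.SSLCertVerificationError as exc:
        # Connected, but the certificate or its chain failed verification.
        return {"connected": True, "verified": False, "reason": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        return {"connected": False, "verified": False, "reason": str(exc)}


if __name__ == "__main__":
    print(parse_s_client_output(SAMPLE_S_CLIENT_OK))
    print(parse_s_client_output(SAMPLE_S_CLIENT_BAD_CHAIN))
```

A verify return code other than 0 with CONNECTED present means the port and listener are fine and the problem is in the certificate or chain; code 21 in particular points at a keystore that lacks the intermediate (bundle) certificates.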

We recommend also testing your complete workflow with playback of a stream with a secure playback URL and the player of your choice. In the playback URL, your SSL/TLS certificate domain is used as the address.

Verify Wowza Streaming Engine is configured correctly to use an SSL certificate


If you're having trouble getting your SSL certificate working with Wowza Streaming Engine, we recommend using a StreamLock certificate. Wowza StreamLock™ AddOn is a security option for network encryption that provides near-instant provisioning of free 256-bit Secure Sockets Layer (SSL) certificates to verified Wowza customers for use with Wowza media servers. For more information, see Get SSL certificates from the Wowza Streaming Engine StreamLock service.

If the StreamLock certificate works, Wowza Streaming Engine is correctly configured to use an SSL certificate and you've determined that the problem is in the certificate that you're trying to use. You can create a new SSL certificate and try again, use a StreamLock certificate, or try using a PKCS 12 certificate. See Import an existing SSL certificate and private key for Wowza Streaming Engine.

Enable SSL logging


To log additional information for debugging purposes, you can enable the two advanced properties in Wowza Streaming Engine:
 
  • sslLogProtocolInfo – Instructs Wowza Streaming Engine to log SSL cipher and protocol information on startup. This helps build a list of ciphers and protocols for the HostPort SSLConfig/CipherSuites and SSLConfig/Protocols filters in the virtual host.
     
  • sslLogConnectionInfo – Can be used to debug SSL connection filtering by instructing Wowza Streaming Engine to log SSL connection information (protocol and cipher suite) for each SSL/HTTPS connection.

For more information, see Improve SSL configuration for Wowza Streaming Engine.

Verify contents of the keystore


Your keystore must contain a certificate, a private key, and certificate bundle information. Use the following command to display the contents of the keystore:

keytool -list -v -keystore [filename-keystore]
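The keytool listing is verbose, and the three things the article says the keystore must hold (a private key, its certificate, and the bundle of issuing certificates) appear as a PrivateKeyEntry whose certificate chain length is greater than one. The following added example, written for this article rather than taken from Wowza, parses keytool -list -v output into entries and flags the two common defects. The sample listings are constructed; the aliases, organisation names and the -storepass usage are assumptions you should adapt to your keystore.

```python
import re
import subprocess
from typing import Dict, List

# Constructed keytool -list -v output for a correctly built keystore (abridged).
SAMPLE_KEYTOOL_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: wowza
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=wowza.example.com, O=Example Org
Issuer: CN=Example Intermediate CA, O=Example CA
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA
Certificate[3]:
Owner: CN=Example Root CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA

*******************************************

Alias name: intermediate-ca
Creation date: Jan 1, 2024
Entry type: trustedCertEntry

Owner: CN=Example Intermediate CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA
"""

# Constructed listing where only the leaf certificate was imported with the key.
SAMPLE_KEYTOOL_LEAF_ONLY = """\
Your keystore contains 1 entry

Alias name: wowza
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=wowza.example.com, O=Example Org
Issuer: CN=Example Intermediate CA, O=Example CA
"""


def parse_keytool_listing(text: str) -> List[Dict]:
    """Turn keytool -list -v output into one dict per alias: entry type,
    chain length (0 for trusted-certificate entries) and the first Owner DN."""
    entries: List[Dict] = []
    current = None
    for line in text.splitlines():
        m = re.match(r"Alias name:\s*(.+)", line)
        if m:
            current = {"alias": m.group(1).strip(), "type": None,
                       "chain_length": 0, "owner": None}
            entries.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"Entry type:\s*(\S+)", line)
        if m:
            current["type"] = m.group(1)
            continue
        m = re.match(r"Certificate chain length:\s*(\d+)", line)
        if m:
            current["chain_length"] = int(m.group(1))
            continue
        m = re.match(r"Owner:\s*(.+)", line)
        if m and current["owner"] is None:
            current["owner"] = m.group(1).strip()
    return entries


def keystore_problems(entries: List[Dict]) -> List[str]:
    """Return human-readable findings: no private key at all, or a key whose
    chain holds only the leaf certificate (no CA bundle)."""
    problems: List[str] = []
    keys = [e for e in entries if e["type"] == "PrivateKeyEntry"]
    if not keys:
        problems.append("no PrivateKeyEntry: the keystore holds no private key")
    for e in keys:
        if e["chain_length"] < 2:
            problems.append(f"alias {e['alias']!r}: chain length {e['chain_length']}, "
                            "no CA bundle (intermediate certificates) present; "
                            "expected for self-signed certificates only")
    return problems


def inspect_keystore(path: str, password: str) -> List[str]:
    """Run the article's keytool command (password passed with -storepass,
    an assumption about your invocation) and report problems."""
    proc = subprocess.run(["keytool", "-list", "-v", "-keystore", path,
                           "-storepass", password], capture_output=True, text=True)
    if proc.returncode != 0:
        return [f"keytool failed: {proc.stderr.strip()}"]
    return keystore_problems(parse_keytool_listing(proc.stdout))


if __name__ == "__main__":
    print(keystore_problems(parse_keytool_listing(SAMPLE_KEYTOOL_LISTING)))
    print(keystore_problems(parse_keytool_listing(SAMPLE_KEYTOOL_LEAF_ONLY)))
```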

Verify the certificate's CN value


With the exception of wildcard certificate names, the CN name value on your certificate must match the host.domain information on the Wowza Streaming Engine server. Use the following command to verify the certificate's CN value:

keytool -printcert -v -file [filename-certificate]
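The name check that produces the "does not match the name of the site" alert in the StreamLock hostname-substitution case above, and the CN rule stated here with its wildcard exception, are the same comparison a client performs against the certificate. The following added example, written for this article and not taken from Wowza or any TLS library, implements that comparison on a certificate in the dict form Python's ssl.SSLSocket.getpeercert() returns, so you can reproduce the mismatch for a given hostname before pointing a player at it. The certificates and hostnames below are constructed placeholders (example-host.streamlock.net stands in for your real StreamLock hostname).

```python
from typing import List, Tuple

# Constructed certificate in getpeercert() form, shaped like a StreamLock
# certificate: the name is under the streamlock.net domain, not your own.
STREAMLOCK_STYLE_CERT = {
    "subject": ((("commonName", "example-host.streamlock.net"),),),
    "subjectAltName": (("DNS", "example-host.streamlock.net"),),
}

# Constructed wildcard certificate for your own domain.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}

# Constructed legacy certificate with a CN and no subjectAltName extension.
CN_ONLY_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "wowza.example.com"),)),
}


def hostname_matches_pattern(hostname: str, pattern: str) -> bool:
    """Case-insensitive exact match, or a wildcard that is the entire leftmost
    label and matches exactly one label (RFC 6125 style). A wildcard never
    matches the bare parent domain or more than one label, and a pattern of
    fewer than three labels (such as *.com) is rejected as too broad."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return hostname == pattern
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]) or len(plabels) < 3:
        return False
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def certificate_names(cert: dict) -> List[str]:
    """Names the certificate is valid for. When a subjectAltName extension is
    present, modern clients use only its DNS entries and ignore the CN."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def certificate_matches_hostname(cert: dict, hostname: str) -> Tuple[bool, List[str]]:
    """Return (matches, names_checked) for the hostname a player connects to."""
    names = certificate_names(cert)
    return any(hostname_matches_pattern(hostname, n) for n in names), names


if __name__ == "__main__":
    # Substituting your own hostname for the StreamLock hostname: mismatch.
    print(certificate_matches_hostname(STREAMLOCK_STYLE_CERT, "stream.example.org"))
    # Using the StreamLock hostname the certificate was issued for: match.
    print(certificate_matches_hostname(STREAMLOCK_STYLE_CERT, "example-host.streamlock.net"))
    print(certificate_matches_hostname(WILDCARD_CERT, "wowza.example.com"))
```

If the function returns False for the hostname in your playback URL, the client alert is expected behaviour; the fix is to use the name the certificate was issued for, or to obtain a certificate for the name you want to use.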

Convert the certificate and private key to PKCS 12 if X509 isn't working


If you're having trouble using an X509 certificate, you might have more success with the PKCS 12 (.p12) format. You can use this process to convert and import an existing certificate or a newly generated certificate. For more information, see Import an existing SSL certificate and private key for Wowza Streaming Engine.

Fix intermittent HTTP/SSL padding exceptions


A bug in older versions of the Oracle Java Development Kit (JDK) affected connections that use SSL certificates. If you experience an intermittent HTTP/SSL padding exception, update to Java 8 update 20 (JDK 8u20) or greater.

Invalid certificate password error


After starting Wowza Streaming Engine, if you receive the following message in the access.log file, it likely means that the KeyStorePassword value in [install-dir]/conf/VHost.xml is incorrect:

SSLConfiguration problem: java.io.IOException: Keystore was tampered with, or password was incorrect

More resources