Troubleshoot SSL certificate configuration for Wowza Streaming Engine

This article explains how to troubleshoot a Secure Sockets Layer (SSL) certificate and the configuration of Wowza Streaming Engine™ media server software to use an SSL certificate.

Verify Wowza Streaming Engine is configured correctly to use an SSL certificate

If you're having trouble getting your SSL certificate working with Wowza Streaming Engine, we recommend using a StreamLock certificate. Wowza StreamLock™ AddOn is a security option for network encryption that provides near-instant provisioning of free 256-bit Secure Sockets Layer (SSL) certificates to verified Wowza customers for use with Wowza media servers. For more information, see Get SSL certificates from the Wowza Streaming Engine StreamLock service.

If the StreamLock certificate works, Wowza Streaming Engine is correctly configured to use an SSL certificate and you've determined that the problem is in the certificate that you're trying to use. You can create a new SSL certificate and try again, use a StreamLock certificate, or try using a PKCS 12 certificate. See Import an existing SSL certificate and private key for Wowza Streaming Engine.

Enable SSL logging

To log additional information for debugging purposes, you can enable two advanced properties in Wowza Streaming Engine:
  • sslLogProtocolInfo – Instructs Wowza Streaming Engine to log SSL cipher and protocol information on startup. This helps build a list of ciphers and protocols for the HostPort SSLConfig/CipherSuites and SSLConfig/Protocols filters in the virtual host.
  • sslLogConnectionInfo – Can be used to debug SSL connection filtering by instructing Wowza Streaming Engine to log SSL connection information (protocol and cipher suite) for each SSL/HTTPS connection.

For more information, see Improve SSL configuration for Wowza Streaming Engine.

Verify contents of the keystore

Your keystore must contain a certificate, a private key, and certificate bundle information. Use the following command to display the contents of the keystore:

keytool -list -v -keystore [filename-keystore]

Verify the certificate's CN value

With the exception of wildcard certificate names, the CN (Common Name) value on your certificate must match the host.domain information on the Wowza Streaming Engine server. Use the following command to verify the certificate's CN value:

keytool -printcert -v -file [filename-certificate]
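
The following Python example is added here and is not part of Wowza's documentation or tooling. It reads the text printed by keytool -list -v and reports a missing private key entry, a missing certificate bundle, or a CN that does not match the server name, covering both the keystore check and the CN check above. It assumes English-locale keytool output and a keystore with a single entry; the function names, alias, and host names are hypothetical.

```python
import re

# Constructed sample of `keytool -list -v` output (English locale), trimmed to
# the fields the checks read. Alias and names are placeholders.
SAMPLE = """\
Keystore type: PKCS12

Alias name: wowza
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=*.example.com, OU=Streaming, O=Example Corp, C=US
Issuer: CN=Example Intermediate CA, O=Example CA, C=US
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
"""

def cn_matches(cn, host):
    """Compare a certificate CN with the server's host.domain name.
    A wildcard counts only as the whole leftmost label (this example's rule)."""
    cn_labels, host_labels = cn.lower().split("."), host.lower().rstrip(".").split(".")
    if len(cn_labels) != len(host_labels):
        return False
    if cn_labels[0] == "*":
        return len(cn_labels) > 2 and cn_labels[1:] == host_labels[1:]
    return cn_labels == host_labels

def check_keystore_listing(text, host):
    """Return a list of problems found in `keytool -list -v` output."""
    problems = []
    if not re.search(r"^Entry type: PrivateKeyEntry\s*$", text, re.M):
        problems.append("no private key entry")
    chain = re.search(r"^Certificate chain length: (\d+)", text, re.M)
    if not chain:
        problems.append("no certificate chain")
    elif int(chain.group(1)) < 2:  # assumption: a chain of 1 means no bundle
        problems.append("certificate bundle (intermediate CA) missing")
    owner = re.search(r"^Owner: (.+)$", text, re.M)  # first Owner = Certificate[1]
    cn = re.search(r"(?:^|,\s*)CN=([^,]+)", owner.group(1)) if owner else None
    if not cn:
        problems.append("no certificate with a CN")
    elif not cn_matches(cn.group(1).strip(), host):  # CN only; SANs are not read
        problems.append(f"CN {cn.group(1).strip()} does not match {host}")
    return problems

if __name__ == "__main__":
    print(check_keystore_listing(SAMPLE, "stream.example.com") or "keystore looks complete")
```

To check a real keystore, pass the captured output of the keytool -list -v command shown earlier as the first argument and the server's host.domain name as the second.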

Convert the certificate and private key to PKCS 12 if X509 isn't working

If you're having trouble using an X509 certificate, you might have more success with the PKCS 12 (.p12) format. You can use this process to convert and import an existing certificate or a newly generated certificate. For more information, see Import an existing SSL certificate and private key for Wowza Streaming Engine.

Fix intermittent HTTP/SSL padding exceptions

A bug in older versions of the Oracle Java Development Kit (JDK) affected connections that use SSL certificates. If you experience an intermittent HTTP/SSL padding exception, update to Java 8 update 20 (JDK 8u20) or greater.

Invalid certificate password error

After starting Wowza Streaming Engine, if you receive the following message in the access.log file, it likely means that the KeyStorePassword value in [install-dir]/conf/VHost.xml is incorrect:

SSLConfiguration problem: Keystore was tampered with, or password was incorrect
