How to troubleshoot SSL certificate configuration

This article explains how to troubleshoot a Secure Sockets Layer (SSL) certificate and the configuration of Wowza Streaming Engine™ media server software to use an SSL certificate.

Contents


Verify Wowza Streaming Engine is configured correctly to use an SSL certificate
Enable SSL logging
Verify contents of the keystore
Verify the certificate's CN value
How to convert the certificate and private key to PKCS 12 if X509 isn't working
Intermittent HTTP/SSL padding exception
Invalid certificate password error
More resources

Verify Wowza Streaming Engine is configured correctly to use an SSL certificate


If you're having trouble getting your SSL certificate working with Wowza Streaming Engine, we recommend using a StreamLock certificate. Wowza StreamLock™ AddOn is a security option for network encryption that provides near-instant provisioning of free 256-bit Secure Sockets Layer (SSL) certificates to verified Wowza customers for use with Wowza media servers. For more information, see How to get SSL certificates from the StreamLock service.

If the StreamLock certificate works, Wowza Streaming Engine is correctly configured to use an SSL certificate, and the problem is in the certificate that you're trying to use. You can create a new SSL certificate and try again, use a StreamLock certificate, or try using a PKCS 12 certificate (see How to import an existing SSL certificate and private key).

Enable SSL logging


To log additional information for debugging purposes, you can add the following properties:
 
  • sslLogProtocolInfo - The sslLogProtocolInfo property instructs the media server to log SSL cipher and protocol information on startup. This information helps build a list of ciphers and protocols for the HostPort SSLConfig/CipherSuites and SSLConfig/Protocols filters in the Virtual Host. For more information, see Logging SSL cipher and protocol information.
     
  • sslLogConnectionInfo - The sslLogConnectionInfo property can be used to debug SSL connection filtering by instructing the media server to log SSL connection information (protocol and cipher suite) for each SSL/HTTPS connection. For more information, see Debugging SSL connection filtering.

Verify contents of the keystore


Your keystore must contain a certificate, a private key, and certificate bundle information. Use the following command to display the contents of the keystore:
keytool -list -v -keystore [filename-keystore]

Verify the certificate's CN value


With the exception of wildcard certificate names, the CN (Common Name) value on your certificate must match the host.domain information on the Wowza Streaming Engine server. Use the following command to verify the certificate's CN value:
keytool -printcert -v -file [filename-certificate]
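
The following shell functions are an added example, not part of the original article or of Wowza's tooling. They pull the CN from the Owner line of keytool -printcert output and compare it with the server's host.domain name. The function names and the sample output are constructed for illustration, and the wildcard handling (a leading "*." covers exactly one label) goes slightly beyond the one-line rule stated above.

```shell
#!/bin/sh
# Constructed sample of `keytool -printcert -v -file ...` output (not a real certificate).
sample_printcert() {
cat <<'EOF'
Owner: CN=*.example.com, OU=Streaming, O=Example Corp, L=Denver, ST=Colorado, C=US
Issuer: CN=Example Issuing CA, O=Example Corp, C=US
Serial number: 1a2b3c
Valid from: Mon Aug 01 00:00:00 UTC 2016 until: Tue Aug 01 00:00:00 UTC 2017
EOF
}

# Print the CN found on the "Owner:" line of keytool output read from stdin.
owner_cn() {
    sed -n 's/^Owner:.*CN=\([^,]*\).*/\1/p' | head -n 1
}

# Return 0 if certificate name $1 covers host $2 (case-insensitive).
name_matches_host() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$name" in
        \*.*)
            suffix=${name#\*}          # e.g. ".example.com"
            label=${host%"$suffix"}    # what the wildcard would have to cover
            case "$label" in
                "$host"|""|*.*) return 1 ;;  # suffix absent, empty label, or several labels
                *) return 0 ;;
            esac ;;
        *) [ "$name" = "$host" ] ;;
    esac
}

# Read keytool output on stdin and report whether its CN covers host $1.
check_cert_host() {
    cn=$(owner_cn)
    if name_matches_host "$cn" "$1"; then
        echo "OK: CN=$cn covers $1"
    else
        echo "MISMATCH: CN=$cn does not cover $1"
        return 1
    fi
}

# Real use: keytool -printcert -v -file [filename-certificate] | check_cert_host host.domain
sample_printcert | check_cert_host media.example.com
sample_printcert | check_cert_host example.com || true
```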

How to convert the certificate and private key to PKCS 12 if X509 isn't working


If you're having trouble using an X509 certificate, you might have more success with the PKCS 12 (.p12) format. You can use this process to convert and import an existing certificate or a newly generated certificate. For more information, see How to import an existing SSL certificate and private key.
 
Note: The command line tool keytool doesn't support the direct importation of private key information to a keystore (.JKS). Instead, you must convert the certificate and private key into a PKCS 12 (.p12) file, which can then be imported into your keystore.

Intermittent HTTP/SSL padding exception


Note: This issue has been fixed in Java 7 update 67 (JDK 7u67) or greater and Java 8 update 20 (JDK 8u20) or greater.
A bug in the Oracle Java Development Kit (JDK) affects connections that use SSL certificates. Occasionally the SSL handshake fails during Diffie-Hellman key exchange and the connection hangs. For more information, see How to fix intermittent HTTP/SSL failure (padding exception).

Invalid certificate password error


After starting the Wowza media server, if you receive the following message in the access.log file, it likely means that the KeyStorePassword value in [install-dir]/conf/VHost.xml is incorrect:
 
SSLConfiguration problem: java.io.IOException: Keystore was tampered with, or password was incorrect

More resources


How to get SSL certificates from the StreamLock service
How to create a self-signed SSL certificate
How to request an SSL certificate from a certificate authority
How to import an existing SSL certificate and private key
Originally Published: 08-17-2016.
 
