TLS certificate with Let's Encrypt
The Let's Encrypt service automatically issues certificates for setting up HTTPS.
Flussonic Media Server has built-in support for Let's Encrypt; you do not need to install extra packages or manually configure a web server.
Just open the administrator's interface and click the Issue by Let's Encrypt button.
After that, Flussonic Media Server will automatically retrieve and install the certificate, and you can specify the HTTPS port number.
You do not have to worry about the certificate expiration date or manually editing text config files.
HTTPS is useful for:
- preventing theft of server control: nobody will be able to intercept your password or streaming links;
- protecting video from security cameras;
- inserting a link to another site running on HTTPS (otherwise, browsers will start warning about unprotected content).
Below is a more detailed description of the setup process and of how Let's Encrypt works.
Let's Encrypt: How it works
A detailed description can be found on the official site: https://letsencrypt.org/how-it-works/.
For the Let's Encrypt service to issue a valid certificate for you, you must prove that you own the domain.
Click Issue by Let's Encrypt in the admin panel. Flussonic Media Server will provide the Let's Encrypt service with the domain name for which a certificate is required.
In response, it receives a key that must be returned when the validating bot connects to your server via HTTP (exactly on port 80) at the address http://your-domain.com/.well-known.
The validating bot tries to connect to your domain. The domain must be delegated, and DNS records must be set up for the IP address where Flussonic Media Server is operating. The bot verifies your ownership of the domain, and Flussonic Media Server saves the certificate.
To extend the certificate, the verification process must be repeated, which means that Flussonic Media Server should always be listening on HTTP port 80.
Verification cannot be done on some other port — this is the rule of Let's Encrypt.
The certificate extension occurs automatically when the certificate expires; the certificate can also be updated manually through the admin panel of Flussonic Media Server.
Setting up a Let's Encrypt certificate
- Open the admin panel of Flussonic Media Server using a domain name instead of an IP address (e.g., http://your-domain.com/admin).
- Proceed to the Config tab.
- In the TLS-tunneled protocols section, click the Issue by LetsEncrypt button. This button launches the process of obtaining a certificate.
- Wait for the certificate expiry date to appear (it usually takes up to 10 seconds).
- In the Listeners, add the port number 443 to the HTTPS ports list. You may refer here for details on configuring the listeners.
Save the settings by clicking Save. Flussonic Media Server will redirect your browser to https:// — now you can provide services over HTTPS.
Obtaining a multidomain Let's Encrypt certificate
The procedure described above allows you to issue an SSL certificate for only one domain. But what if you run multiple instances of Flussonic (e.g., for delivering streams to multiple TV channels) and need to secure multiple domains with SSL certificates?
In this case you can use our Let's Encrypt CLI tool, which allows you to obtain a multidomain certificate. For example, if you have the domains domain1.example.com and domain2.example.com with Flussonic installed, run the following command:
/opt/flussonic/contrib/control.erl letsencrypt -d domain1.example.com -d domain2.example.com
The Let's Encrypt certificate will be issued for both domains.
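To confirm that the issued certificate really lists every domain, and to notice when the automatic extension has stalled (for example, because port 80 is no longer reachable by the validating bot), a check like the following can be run from a monitoring host. This is an added example, not part of Flussonic or its documentation; the function names and the 14-day warning threshold are assumptions.

```python
import socket
import ssl
import sys
import time

WARN_DAYS = 14  # assumed alert threshold, not a Flussonic setting


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the certificate served for `host`; chain and name are validated."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def audit_cert(cert, expected_hosts, now=None):
    """Audit a getpeercert() dict; returns (missing, days_left, problems)."""
    now = time.time() if now is None else now
    # Port-80 (HTTP) validation cannot issue wildcards, so match names exactly.
    sans = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    missing = sorted(h for h in expected_hosts if h.lower() not in sans)
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    problems = [f"{h}: not listed in the certificate" for h in missing]
    if days_left < 0:
        problems.append("certificate has expired")
    elif days_left < WARN_DAYS:
        problems.append(f"{days_left} days left: is port 80 still reachable?")
    return missing, days_left, problems


# Constructed sample in the format getpeercert() returns (not real data).
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "domain1.example.com"),),
    "notAfter": "Jan  5 09:34:43 2018 GMT",
}

if __name__ == "__main__":
    hosts = sys.argv[1:]
    if hosts:   # live check: certificate served for the first domain
        cert, now = fetch_cert(hosts[0]), None
    else:       # offline demo: sample cert, 10 days before its expiry
        hosts = ["domain1.example.com", "domain2.example.com"]
        cert = SAMPLE_CERT
        now = ssl.cert_time_to_seconds(cert["notAfter"]) - 10 * 86400
    missing, days_left, problems = audit_cert(cert, hosts, now)
    print(f"days left: {days_left}")
    for p in problems:
        print("PROBLEM:", p)
```

Run it with the domain names as arguments to check a live server; with no arguments it audits the constructed sample and reports the missing second domain.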