RTMPS support for Facebook Live API's Upcoming Requirement

[JosueAChavez]

Facebook is planning to deprecate RTMP on May 1st.

Using the SSL option for my RTMP connection changes the Server URL from rtmp://live-api-s.facebook.com:80/rtmp/ to rtmps://live-api-s.facebook.com:443/rtmp/.

When I insert that URL paired with my streaming key in my nginx.conf file, I'm returned with an invalid port message that looks like

nginx: [emerg] invalid port in url "rtmps://live-api-s.facebook.com:443/rtmp/some_secret_key" in C:\nginx 1.7.11.3 Gryphon/conf/nginx.conf:187

I suspect that the port rtmps is unknown.

Are there any workarounds to use this module with RTMPS? This module is very efficient compared to alternatives solutions I found (ffmpeg).

I'm using nginx 1.7.11.3 Gryphon on Windows 10.

[jwainwright87]

I've just seen the same @JosueAChavez and started panicking. I am using nginx on a raspberry pi to push streams to facebook live and wondering how to do this after 1st May 2019.

I understand at this time that nginx does not support RTMPS however from doing some searching, it looks like you can use stunnel somehow. This looks above my level so I am reluctant to try it on my raspberry pi server.

[duoporcoduo]

I'm on the same issue, I use a command today:

push rtmp://live-api-s.facebook.com:80/rtmp/KEY;

push rtmp://x.rtmp.youtube.com/live2/KEY;

When replacing the address with rtmps the server does not rise.

Can someone help?

[ForrestScott]

I have the same issue as I also use the RTMP module to stream to FaceBook live.

[jwainwright87]

I am looking at nimble streamer as an alternative, apparently that supports RTMPS

[ForrestScott]

Nimble appears to require a subscription? If so, that's not for me.

[Lax]

I have a solution to run an stunnel and publish to the rtmps:// address.

I will write a brief into doc in a few days
Here a link to the steps and key config "RTMP/RTMPS relay with stunnel"

---

Yes, you need to choose another port if nginx is listening on :1935

[ForrestScott]

Lax, I had been reading about stunnel but couldn't figure out how to configure it. Thank you so much for the tutorial!!! I'll give it a shot!

One question: Since nginx is listening on port 1935, doesn't stunnel need to be listening to a different port since they are running on the same machine?

[jwainwright87]

I have a solution to run an stunnel and publish to the rtmps:// address.

I will write a brief into doc in a few days
Here a link to the steps and key config "RTMP/RTMPS relay with stunnel"

I have had a look at this article and I don't understand how it works. Does anyone have any idea?

[jwainwright87]

Lax, I had been reading about stunnel but couldn't figure out how to configure it. Thank you so much for the tutorial!!! I'll give it a shot!

One question: Since nginx is listening on port 1935, doesn't stunnel need to be listening to a different port since they are running on the same machine?

I'm assuming it will be 443

[ForrestScott]

jwainwright87, Lax's tutorial has nginx and stunnel running on the same box so they both can't be listening to port 1935. For my testing, right or wrong, I chose port 207 (an unused AppleTalk port) for stunnel to listen on.

Initial testing shows that Lax's example works for me, however I did have to remove the "include = /etc/stunnel/conf.d" line though. It appears to me that right now FB will accept an RTMP or an RTMPS stream regardless of the SLL switch setting.

I use OBS to stream and nginx to relay to FB, YT and a private 3rd party web site. So here is how it works: obs -> nginx (port 1935) -> stunnel (port 207) -> FB. I run nginx and now stunnel on a ubuntu 18.04 server.

[jwainwright87]

@ForrestScott That's ace I'll give that a go. I got a bit confused during one tutorial it was talking about setting up a certificate from the client side. Do you know it stunnel sorts all that out for you. Also, how do you sent the rtmps feed instead of the rtmp address?

Thanks in advanced

[franMx]

HI, I'm trying this on a windows machine. Any idea on the configuration to work properly on stunnel?
Tried:
[fb-live]
client = yes
accept = 127.0.0.1:1935
connect = live-api-s.facebook.com:443
verifyChain = no

but got:
Service [fb-live] needs authentication to prevent MITM attacks

[ForrestScott]

@jwainwright87 I didn't have to do anything with security certificates. I think that is what the "verifyChain = no" line is about. But I do wonder about that.

I changed my nginx push to FB to this: "push rtmp://127.0.0.1:207/rtmp/;" Again, I am using port 207 for stunnel.

@franMx I got the same message but in my case I think it can be ignored since nginx and stunnel are communicating on the same machine.

[franMx]

Thanks, @ForrestScott unfortunately got this one.

2019.04.04 09:46:49 LOG5[1]: Service [fb-live] accepted connection from 127.0.0.1:53922
2019.04.04 09:46:49 LOG5[1]: s_connect: connected 31.13.89.1:443
2019.04.04 09:46:49 LOG5[1]: Service [fb-live] connected remote server from 192.168.15.8:53923
2019.04.04 09:46:49 LOG5[1]: Connection closed: 3591 byte(s) sent to TLS, 3480 byte(s) sent to socket

Would you mind sharing your conf?

[ForrestScott]

@franMx , that looks exactly what I see in my log.

Here is my conf:

setuid = stunnel4
setgid = stunnel4
pid = /tmp/stunnel.pid
output = /var/log/stunnel4/stunnel.log
;include = /etc/stunnel/conf.d

[fb-live]
client = yes
accept = 127.0.0.1:207
connect = live-api-s.facebook.com:443
verifyChain = no

[franMx]

Thanks @ForrestScott, it's working now. On windows stunnel didn't modified the first part, just second block.

[JosueAChavez]

Thank you @Lax for the solution! I tried it and it works perfectly and with little to none performance hiccups 🙌

I wrote instructions for those who are using this on Windows. We are all not doomed after all!

[Lax]

Lax, I had been reading about stunnel but couldn't figure out how to configure it. Thank you so much for the tutorial!!! I'll give it a shot!

One question: Since nginx is listening on port 1935, doesn't stunnel need to be listening to a different port since they are running on the same machine?

Yes, you need to choose another port for stunnel if Nginx is already listening on :1935.
(document updated)

[jwainwright87]

Having some issues when I am running the following command
systemctl restart stunnel4 && systemctl status stunnel4

This is my output...

`==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to restart 'stunnel4.service'.
Multiple identities can be used for authentication:

1. ,,, (pi)
2. root
   Choose identity to authenticate as (1-2): 1
   Password:
   ==== AUTHENTICATION COMPLETE ===
   ● stunnel4.service - LSB: Start or stop stunnel 4.x (TLS tunnel for network daemons)
   Loaded: loaded (/etc/init.d/stunnel4; generated; vendor preset: enabled)
   Active: active (exited) since Fri 2019-04-05 17:01:04 BST; 27ms ago
   Docs: man:systemd-sysv-generator(8)
   Process: 1168 ExecStop=/etc/init.d/stunnel4 stop (code=exited, status=0/SUCCESS)
   Process: 1174 ExecStart=/etc/init.d/stunnel4 start (code=exited, status=0/SUCCESS)

Apr 05 17:01:04 NginX systemd[1]: Starting LSB: Start or stop stunnel 4.x (TLS tunnel for network daemons)...
Apr 05 17:01:04 NginX stunnel4[1174]: TLS tunnels disabled, see /etc/default/stunnel4
Apr 05 17:01:04 NginX systemd[1]: Started LSB: Start or stop stunnel 4.x (TLS tunnel for network daemons).`

I did have a issue when installing stunnel4. For some reason it would not let me create the stunnel.conf in bash, so I had to manually create the conf file using nano and input the code in there.

Any help would be much appreciated.

[jwainwright87]

I am also getting this when entering the code for the config file:
sudo cat < /etc/stunnel/stunnel.conf

setuid = stunnel4
setgid = stunnel4
pid=/tmp/stunnel.pid
output = /var/log/stunnel4/stunnel.log
include = /etc/stunnel/conf.d
EOF
-bash: /etc/stunnel/stunnel.conf: Permission denied

[ForrestScott]

@jwainwright87 , are you running your commands as sudo? It's required but not mentioned in Lax's guide.

[jwainwright87]

@ForrestScott Yes, sorry forgot to mention that. I am also running on Debian Stretch

[duoporcoduo]

@Lax, you saved my day, it worked out right here, thank you!

[jwainwright87]

@ForrestScott SOLVED my problem.

Issue I had was I needed to ENABLE=1 stunnel in /etc/default/stunnel4

When I ran the restart, it all worked.

Link to article that helped me https://cindyxiaoxiaoli.wordpress.com/2014/06/04/get-stunnel4-up-and-running-on-ubuntu-14-04/

[lbradio]

Lax, I had been reading about stunnel but couldn't figure out how to configure it. Thank you so much for the tutorial!!! I'll give it a shot!
One question: Since nginx is listening on port 1935, doesn't stunnel need to be listening to a different port since they are running on the same machine?

Yes, you need to choose another port for stunnel if Nginx is already listening on :1935.
(document updated)

Did you actually updated the document? It's still on port 1935 ;-) (and I can't get it to work)

[Akeem1985]

Can someone help me I think I am missing something I was able to install stunnel on my nginx server. However I am a bit confuse of the next steps. Can someone help

[h1rule]

I still get

[!] /etc/stunnel/stunnel.conf:5: "verifyChain = no": Specified option name is not valid here

[nhalstead]

Just a note as well, Facebook is closing the usage of RTMP and only allowing RTMPs starting November 1st 2019. Facebook has reset static/persistent stream keys and in addition the stream defaults for the user to use is RTMPs, you just need to uncheck the box that is "Use a secure connection (SSL)".

(This is related to Facebook Pages, Streaming to User Accounts, "Share on your timeline", I believe are forced)

[nhalstead]

@Yesha052 If you would look at the URL that you have posted, that is a Stream Key to Facebook's RTMP (with SSL) for Streaming TO Facebook.

This feed is ONE WAY. So feeding this into ExoPlayer will not work. Check for a different link in the the OG API. Chances are, Facebook will not give you a direct link to get the video feed FROM Facebook servers, you'll probability get a link to the post or something such as that.

In addition this Issue that you are having is NOT related to this issue, Either create a new Issue and work out of that or if you already have one work from that ticket.

[kkrishnan90]

Is there anyway to pass the Facebook streaming key as a dynamic parameter in push directive ? I have been banging my head for the past 2 days to do it. Any help is much appreciated ! Thanks in advance !

[ssllqq]

I still get

[!] /etc/stunnel/stunnel.conf:5: "verifyChain = no": Specified option name is not valid here

I just removed verifyChain = no and it started working, by default it no

[threehappypenguins]

I tried Lax's instructions, and also tried ForrestScott's changes in the stunnel.conf file, and I still can't get my live stream to show up in Facebook. When I type in nano /var/log/stunnel4/stunnel.log the log is blank.

When I type in systemctl restart stunnel4 && systemctl status stunnel4 I get:

● stunnel4.service - LSB: Start or stop stunnel 4.x (TLS tunnel for network daemons)
   Loaded: loaded (/etc/init.d/stunnel4; generated; vendor preset: enabled)
   Active: active (exited) since Wed 2020-02-12 12:00:44 AST; 21ms ago
     Docs: man:systemd-sysv-generator(8)
  Process: 22516 ExecStop=/etc/init.d/stunnel4 stop (code=exited, status=0/SUCCESS)
  Process: 22521 ExecStart=/etc/init.d/stunnel4 start (code=exited, status=0/SUCCESS)
      CPU: 21ms

Feb 12 12:00:44 CRPC-HC2 systemd[1]: Starting LSB: Start or stop stunnel 4.x (TLS tunnel for network daemons)...
Feb 12 12:00:44 CRPC-HC2 systemd[1]: Started LSB: Start or stop stunnel 4.x (TLS tunnel for network daemons).

Is this normal? How do I even go about figuring out where its going wrong when the log is blank too?

[threehappypenguins]

I'm starting to think that maybe this is a port forwarding issue for me. So when I created my nginx server, I did so on my Odroid HC2. Because I need access to port 80 on it, in the nginx.conf file, I changed the listen address from 80 to 8725 (made up number). So then in port forward, I have external port 1935 forwarded to internal port 8725 (for my Odroid's internal IP address).

So then I thought that I should forward internal port 19350 (for stunnel) to 8725 as well. But I still can't receive the Facebook stream. Thoughts?

[threehappypenguins]

I had to give up on my Odroid. I ended up signing up for Amazon AWS EC2 and installed nginx and stunnel on Ubuntu. I used ForrestScott's setup for stunnel.conf but with port 19350 instead:

setuid = stunnel4
setgid = stunnel4
pid = /tmp/stunnel.pid
output = /var/log/stunnel4/stunnel.log
;include = /etc/stunnel/conf.d

[fb-live]
client = yes
accept = 127.0.0.1:19350
connect = live-api-s.facebook.com:443
verifyChain = no

Apparently, what is supposed to show when I restart stunnel with systemctl restart stunnel4 && systemctl status stunnel4
is

● stunnel4.service - LSB: Start or stop stunnel 4.x (TLS tunnel for network daemons)
   Loaded: loaded (/etc/init.d/stunnel4; generated)
   Active: active (running) since Wed 2020-02-12 18:56:54 UTC; 7ms ago
     Docs: man:systemd-sysv-generator(8)
  Process: 31140 ExecStop=/etc/init.d/stunnel4 stop (code=exited, status=0/SUCCESS)
  Process: 31389 ExecStart=/etc/init.d/stunnel4 start (code=exited, status=0/SUCCESS)
    Tasks: 1 (limit: 1152)
   CGroup: /system.slice/stunnel4.service
           └─31414 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf

Feb 12 18:56:54 ip-172-31-4-177 stunnel[31413]: LOG5[ui]: Running  with OpenSSL 1.1.1  11 Sep 2018
Feb 12 18:56:54 ip-172-31-4-177 stunnel[31413]: LOG5[ui]: Update OpenSSL shared libraries or rebuild stunn
Feb 12 18:56:54 ip-172-31-4-177 stunnel[31413]: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:
Feb 12 18:56:54 ip-172-31-4-177 stunnel[31413]: LOG5[ui]: Reading configuration from file /etc/stunnel/stu
Feb 12 18:56:54 ip-172-31-4-177 stunnel[31413]: LOG5[ui]: UTF-8 byte order mark not detected
Feb 12 18:56:54 ip-172-31-4-177 stunnel[31413]: LOG5[ui]: FIPS mode disabled
Feb 12 18:56:54 ip-172-31-4-177 stunnel[31413]: LOG4[ui]: Service [fb-live] needs authentication to preven
Feb 12 18:56:54 ip-172-31-4-177 stunnel[31413]: LOG5[ui]: Configuration successful
Feb 12 18:56:54 ip-172-31-4-177 stunnel4[31389]: Starting TLS tunnels: /etc/stunnel/stunnel.conf: started
Feb 12 18:56:54 ip-172-31-4-177 systemd[1]: Started LSB: Start or stop stunnel 4.x (TLS tunnel for network

Lastly, I can see errors with stunnel by typing in systemctl status stunnel4.service or journalctl -ex and press ctrl + c to exit out of it (I am using PuTTY in Windows).

[KenSharp]

I really don't know why this bug report is full of so much prattle.

stunnel works fine.

[siniztr]

OK so I have the RTMP server running, and can do live streams to a website. I have set up the stunnel4 as done in the instructions and am not getting any error, however Facebook is not seeing an incoming stream, and checking netstat does not show a connection outbound to facebook. I do see the stream listening but not too sure if the RTMP server is connecting to the tunnel.

[GordonMatthewson]

got this working, thank you!!!

[mathiasseyfert]

I still get
[!] /etc/stunnel/stunnel.conf:5: "verifyChain = no": Specified option name is not valid here

I just removed verifyChain = no and it started working, by default it no

thank you,

that solved my errors in the setup made with these instructions:
https://obsproject.com/forum/threads/facebook-to-deprecate-rtmp-from-live-api-on-5-1-2019.84978/

on Ubuntu 16.04.6:

sudo apt install stunnel4

Edit file stunnel.conf

sudo nano /etc/stunnel/stunnel.conf

setuid = stunnel4
setgid = stunnel4
pid=/tmp/stunnel.pid
output = /var/log/stunnel4/stunnel.log
include = /etc/stunnel/conf.d

Change in stunnel4 ENABLED=0 to ENABLED=1

sudo nano /etc/default/stunnel4

ENABLED=1

Make dir

sudo mkdir /etc/stunnel/conf.d

Edit /create file

sudo nano /etc/stunnel/conf.d/fb.conf

[fb-live]
client = yes
accept = 127.0.0.1:19350
connect = live-api-s.facebook.com:443

restart

sudo systemctl restart stunnel4 && systemctl status stunnel4

Edit file /usr/local/nginx/conf/nginx.conf

from
push rtmp://<the_server_you_want_to_push>/<yout_stream_key>;
to
push rtmp://127.0.0.1:19350/rtmp/<yout_stream_key>;

by the way: this solution (stunnel) is using way less cpu than forwarding via FFMPEG...

[shelomito12]

Hey guys, quick question:

Has anyone tried using 2 different Facebook streams on nginx and stunnel?

I'm a little bit more curious about how the stunnel config would be since both streams would use the same destination domain live-api-s.facebook.com:443

So the following would work?:

[fb-live1]
client = yes
accept = 127.0.0.1:19350
connect = live-api-s.facebook.com:443
verifyChain = no

[fb-live2]
client = yes
accept = 127.0.0.1:19360
connect = live-api-s.facebook.com:443
verifyChain = no

[TheRealMattLear]

It is not necessary because the hostname and port do not change, only the stream name changes. You only need a single point in stunnel.

[shelomito12]

It is not necessary because the hostname and port do not change, only the stream name changes. You only need a single point in stunnel.

Thanks! it worked

[shelomito12]

Hey guys sorry for posting this issue here but today, there was a tragedy during streaming.

A friend (DJ) connected to my nginx server via Virtual Dj and reported the following errors:

• The facebook stream was only live for 20 minutes, and the audio was terrible (breaking out at all times)
• The youtube stream was only live for less than 3 minutes and half of it muted (no audio after a minute or so.
• The ffmpeg command only sent audio to one of my radio stations intead of the 2 of them.

Below is my Nginx config:

# RTMP configuration
rtmp {
    server {
        listen 1935; # Listen on standard RTMP port
        chunk_size 4000;
        play_restart on;

        application live {
            live on;
            allow publish 127.0.0.1;
            allow publish all;
            allow play all;
            # Turn on HLS
            hls on;
            hls_path /nginx/hls/;
            hls_fragment 3;
            hls_playlist_length 60;
            # disable consuming the stream from nginx as rtmp
            #deny play all;
            push rtmp://live.restream.io/live/KEY;
            push rtmp://127.0.0.1:1936/rtmp/FBKEY1;
			push rtmp://127.0.0.1:1936/rtmp/FBKEY2;
            exec /home/ubuntu/encoder/bin/ffmpeg -i rtmp://127.0.0.1:1935/$app/$name -vn -c:a mp3 -ac 2 -b:a 64k -ar 44100 -f tee -map 0 [f=mp3:onfail=ignore]icecast://source:hackme@liquidsoap:8080/live|[f=mp3:onfail=ignore]icecast://source:test456@radio.zeno.fm:8000/stream";
        }
    }
}

I want to know whether the issue was on my friends side (maybe a bad internet connection), or an issue on the Nginx server side (see below)

I saw the following lines in the nginx error log:

2020/05/21 20:29:01 [error] 13859#0: *74 hls: force fragment split: -154.310 sec, , client: 186.10.216.130, server: 0.0.0.0:1935
2020/05/21 20:29:03 [error] 13859#0: *74 hls: force fragment split: 162.543 sec, , client: 186.10.216.130, server: 0.0.0.0:1935
2020/05/21 20:29:10 [error] 13859#0: *74 hls: force fragment split: -155.344 sec, , client: 186.10.216.130, server: 0.0.0.0:1935

[LoganSound]

I would guess since the problem largely affected audio that your DJ friend was copyright struck.

[istvanmate]

OK so I have the RTMP server running, and can do live streams to a website. I have set up the stunnel4 as done in the instructions and am not getting any error, however Facebook is not seeing an incoming stream, and checking netstat does not show a connection outbound to facebook. I do see the stream listening but not too sure if the RTMP server is connecting to the tunnel.

Same here. Happened at least 3 times in the last 3 months, soo quite annoying... stream was pushed to YouTube without any problem, so nginx worked fine, stunnel showed connection from nginx, but Facebook did not get ANY data. I suspect stunnel not connecting correctly to FB, but cannot prove it yet...

[ForrestScott]

I may have the same problem. Once in a great while, as in perhaps once every 3 months or so, my FB feed won't start but YT is fine. We start streaming 10 min early before the event so we catch this situation and fix it by restarting the stream.

[istvanmate]

I may have the same problem. Once in a great while, as in perhaps once every 3 months or so, my FB feed won't start but YT is fine. We start streaming 10 min early before the event so we catch this situation and fix it by restarting the stream.

@ForrestScott you restart the stream only or the tools too?

[ForrestScott]

We just restart the stream from within OBS.

[SteveMitto]

How can i fix this error

LOG4[ui]: Service [fb-live] needs authentication to prevent MITM attacks

[vnfreezone]

How can i fix this error

LOG4[ui]: Service [fb-live] needs authentication to prevent MITM attacks

Having the same error :(

[ChristofferSthlm]

I'm getting two issues when trying to set this up and work:

1) My current stunnel.conf looks like this:
;setuid = stunnel4
;setgid = stunnel4
pid=/tmp/stunnel.pid
output = /usr/local/var/log/stunnel4/stunnel.log
include = /usr/local/etc/stunnel/conf.d

If I activate setuid and setgid, I'm getting error messages like this:
/usr/local/etc/stunnel/stunnel.conf:1: "setuid = stunnel4": Illegal UID

2) The connection with facebook does not work. I'm getting this error message:
Error resolving "live-api-s.facebook.com": Neither nodename nor servname known (EAI_NONAME)

I'm doing this on a mac. Any suggestions?

[egbertn]

MITM

I got this message when configuring stunnel4 on Raspberry PI 4 B (arm). My conclusion now, is that 32 bit support for raspberry pi is quickly going down. stunnel4 for arm, lacks features, and recompiling the latest stunnel4 on raspi no longer possible.

To skip the lah-di dah, what I did is following the instructions for Bash on Ubuntu on Windows (WSL 2) and now it works by pointing the RTMP server to rtmp://172.28.165.42/live

[jack-fdrv]

I used centos, but was unable to run stunel, so i switched to Ubuntu 18 with this guid, and it works for me!

[DanielFrankDK]

MITM

I got this message when configuring stunnel4 on Raspberry PI 4 B (arm). My conclusion now, is that 32 bit support for raspberry pi is quickly going down. stunnel4 for arm, lacks features, and recompiling the latest stunnel4 on raspi no longer possible.

To skip the lah-di dah, what I did is following the instructions for Bash on Ubuntu on Windows (WSL 2) and now it works by pointing the RTMP server to rtmp://172.28.165.42/live

That did not explain what you did, at all.

[egbertn]

To skip the lah-di dah, what I did is following the instructions for Bash on Ubuntu on Windows (WSL 2) and now it works by pointing the RTMP server to rtmp://172.28.165.42/live

You should install and configure it using WSL 2, -if you have windows-.