Allow option for invalid certificates for RTSPS #82

Open
TomBrien opened this issue Feb 6, 2022 · 25 comments
@TomBrien

TomBrien commented Feb 6, 2022

UniFi Protect serves RTSPS streams for cameras from the controller with a certificate valid for IPv4/6 loopbacks. Trying to connect to these feeds fails with log errors similar to:

time="2022-02-05T11:19:31Z" level=info msg="Run stream" call=Run channel=0 func=StreamServerRunStreamDo module=core stream=camera.g4_doorbell_high
time="2022-02-05T11:19:31Z" level=error msg="Stream error restart stream x509: certificate is valid for 127.0.0.1, fe80::1, not <PROTECT_SERVER_IP>" call=Restart

It would be nice to allow the option to ignore the invalid certificate, in a trusted environment. For a little more context, see the discussions here.

@allenporter
Collaborator

I think this is managed by the vdk library and we'd need to plumb through a server option into the parameters of the WebRTC client along with the URL.

@cibernox

cibernox commented Feb 7, 2022

This is exactly the problem I was facing with my UniFi stuff. I can help with beta testing at most though, I know next to nothing about video streaming.

@deepch
Owner

deepch commented Feb 8, 2022

RTSPS uses the certificate; your cert was created for 127.0.0.1, but you connect to your device using, for example, 192.168.100. Go to the device settings and create a cert for your real host name.

https://github.com/deepch/vdk/blob/13fad59f2c2f07fa24d56f64bdb578d236c23361/format/rtspv2/client.go#L130

@deepch deepch self-assigned this Feb 8, 2022
@TomBrien
Author

TomBrien commented Feb 8, 2022

I believe it is possible to replace the certificate on UniFi, but the system does not make it easy (no UI option etc.). Note that the default 127.0.0.1 certificate is pre-installed by the OS and is likely reinstated upon updates. I will have a play with this when I get a chance, but I still think it would be good to be able to ignore this locally.

@deepch
Owner

deepch commented Feb 8, 2022

Maybe there are TLS options there, but I need to look into this, or you can do it yourself.

@allenporter
Collaborator

I propose we set the flag InsecureSkipVerify and have a command line flag option that sets it. I can do this if nobody else does it first as I think having unifi protect work smoothly is worthwhile.

@deepch
Owner

deepch commented Feb 8, 2022

try

"insecure_skip_verify": true,
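
A narrower alternative to a blanket `insecure_skip_verify`, as an added Go example that is not part of this thread or of the vdk/RTSPtoWeb code: turn off the built-in name check that the 127.0.0.1-only certificate fails, but accept only the certificate whose SHA-256 fingerprint was recorded beforehand. The names `pinnedConfig` and `constructedCert` are hypothetical, and the certificate is a constructed stand-in for the controller's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Added example (not vdk/RTSPtoWeb code; names are hypothetical). pinnedConfig accepts
// only a peer whose leaf certificate has the SHA-256 fingerprint pin.
func pinnedConfig(pin [32]byte) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // built-in chain and name checks off; VerifyConnection replaces them
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 || sha256.Sum256(cs.PeerCertificates[0].Raw) != pin {
				return fmt.Errorf("peer certificate does not match pin")
			}
			return nil
		},
	}
}

// constructedCert makes a throwaway self-signed certificate with the SANs from the
// issue's error (127.0.0.1, fe80::1). Errors are ignored: only an RNG failure causes one.
func constructedCert() *x509.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("fe80::1")},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	controller, other := constructedCert(), constructedCert()
	verify := pinnedConfig(sha256.Sum256(controller.Raw)).VerifyConnection
	fmt.Println("name check: ", controller.VerifyHostname("192.168.1.1"))
	fmt.Println("pinned cert:", verify(tls.ConnectionState{PeerCertificates: []*x509.Certificate{controller}}))
	fmt.Println("other cert: ", verify(tls.ConnectionState{PeerCertificates: []*x509.Certificate{other}}))
}
```

If the controller's certificate is replaced, the recorded fingerprint has to be updated before streams connect again.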

@allenporter
Collaborator

Nice, thanks for adding this. I think we need to "wire up" to test this in the home assistant add-on, unless one of you has a standalone instance of the server to try this out with.

allenporter added a commit to allenporter/rtsp-to-webrtc-client that referenced this issue Feb 9, 2022
allenporter added a commit to allenporter/rtsp-to-webrtc-client that referenced this issue Feb 9, 2022
allenporter added a commit to allenporter/rtsp-to-webrtc-client that referenced this issue Feb 9, 2022
@allenporter
Collaborator

I was looking at adding support to the Home Assistant add-on and I think it would turn out to be simpler if we could set this at the top level of config.json, for all streams, rather than per stream. Would that be alright with you?

@deepch
Owner

deepch commented Feb 10, 2022

It would be great!

But I'm still sick, it's very hard for me to work.

@allenporter
Collaborator

Thanks I'll have a look

@t3therdev

t3therdev commented Feb 11, 2022

Fix worked for our needs as well. Thank you! Agree it should be global. Thanks!

@kerhbal

kerhbal commented Feb 14, 2022

Hi there, it looks like I'm seeing a black screen even though "insecure_skip_verify": true is applied:
[Screenshot: iTerm2- RTSPtoWeb --config config json--2022-02-14 at 10 32 04]
Thanks if anyone knows what is happening.

@t3therdev

Does it work with MSE or HLS? You could be seeing a WebRTC port issue.

@kerhbal

kerhbal commented Feb 14, 2022

@t3therdev Thanks for replying, actually nothing works...
[Screenshot: Safari-RTSPtoWEB--2022-02-14 at 14 03 13]
As I directly copied the URL from UniFi Protect, I'm not sure what went wrong... The RTSPS link looks like this: rtsps://192.168.1.1:7441/xxxxxx?enableSrtp

@deepch
Owner

deepch commented Feb 14, 2022

Share your stream, I need to test it.

@deepch deepch added the enhancement New feature or request label Feb 14, 2022
@kerhbal

kerhbal commented Feb 17, 2022

@deepch Tried again with a modified URL (rtsps => rtsp and the port), and everything works. Probably something is different with my previous UniFi Protect RTSPS stream.

@allenporter
Collaborator

For rtsps (let's keep rtsp out of scope) if anyone is trying with the new flag it would be helpful to confirm with log messages. Are they the same as the original bug filed or different?

@deepch
Owner

deepch commented Feb 17, 2022

> For rtsps (let's keep rtsp out of scope) if anyone is trying with the new flag it would be helpful to confirm with log messages. Are they the same as the original bug filed or different?

Yes, that's a good idea.

@SeraphimSerapis

As promised on #107, here is what I get via the debug log when trying to access my UniFi Protect Integration cameras via the integration:

today at 20:58:00time="2022-02-21T19:58:00Z" level=info msg="Run stream" call=Run channel=0 func=StreamServerRunStreamDo module=core stream=demo1
today at 20:58:002022/02/21 19:58:00 [OPTIONS rtsp://IP:7447/token RTSP/1.0
today at 20:58:00CSeq: 1
today at 20:58:00User-Agent: Lavf58.76.100
today at 20:58:00
today at 20:58:00]
today at 20:58:002022/02/21 19:58:00 [RTSP/1.0 200 OK
today at 20:58:00CSeq: 1
today at 20:58:00Cache-Control: no-store
today at 20:58:00Date: Mon, 21 Feb 2022 19:58:00 UTC
today at 20:58:00Expires: Mon, 21 Feb 2022 19:58:00 UTC
today at 20:58:00Pragma: no-cache
today at 20:58:00Public: DESCRIBE, OPTIONS, PAUSE, PLAY, SETUP, TEARDOWN, ANNOUNCE, RECORD
today at 20:58:00Server: EvoStream Media Server (www.evostream.com)
today at 20:58:00
today at 20:58:00]
today at 20:58:002022/02/21 19:58:00 [DESCRIBE rtsp://IP:7447/token RTSP/1.0
today at 20:58:00CSeq: 2
today at 20:58:00Accept: application/sdp
today at 20:58:00User-Agent: Lavf58.76.100
today at 20:58:00
today at 20:58:00]
today at 20:58:002022/02/21 19:58:00 [RTSP/1.0 200 OK
today at 20:58:00CSeq: 2
today at 20:58:00Cache-Control: no-store
today at 20:58:00Content-Base: rtsp://IP:7447/token/
today at 20:58:00Content-Length: 593
today at 20:58:00Content-Type: application/sdp
today at 20:58:00Date: Mon, 21 Feb 2022 19:58:00 UTC
today at 20:58:00Expires: Mon, 21 Feb 2022 19:58:00 UTC
today at 20:58:00Pragma: no-cache
today at 20:58:00Server: EvoStream Media Server (www.evostream.com)
today at 20:58:00
today at 20:58:00v=0
today at 20:58:00o=- 9172 0 IN IP4 IP
today at 20:58:00s=68D79ADFE9D1_1
today at 20:58:00u=www.evostream.com
today at 20:58:00e=contact@evostream.com
today at 20:58:00c=IN IP4 IP
today at 20:58:00t=0 0
today at 20:58:00a=recvonly
today at 20:58:00a=control:*
today at 20:58:00a=range:npt=now-
today at 20:58:00m=audio 0 RTP/AVP 96
today at 20:58:00a=recvonly
today at 20:58:00a=rtpmap:96 mpeg4-generic/48000/1
today at 20:58:00a=control:trackID=0
today at 20:58:00a=fmtp:96 streamtype=5; profile-level-id=15; mode=AAC-hbr; config=1188; SizeLength=13; IndexLength=3; IndexDeltaLength=3;
today at 20:58:00m=video 0 RTP/AVP 97
today at 20:58:00a=recvonly
today at 20:58:00a=control:trackID=1
today at 20:58:00a=rtpmap:97 H264/90000
today at 20:58:00a=fmtp:97 profile-level-id=4d401f; packetization-mode=1; sprop-parameter-sets=Z01AH42NQHgLf+AtwEBAUAAAPoAAC7gJ2giEag==,aO44gA==
today at 20:58:00]
today at 20:58:002022/02/21 19:58:00 [SETUP rtsp://IP:7447/token/trackID=0 RTSP/1.0
today at 20:58:00CSeq: 3
today at 20:58:00Transport: RTP/AVP/TCP;unicast;interleaved=0-1
today at 20:58:00User-Agent: Lavf58.76.100
today at 20:58:00
today at 20:58:00]
today at 20:58:002022/02/21 19:58:00 [RTSP/1.0 200 OK
today at 20:58:00CSeq: 3
today at 20:58:00Cache-Control: no-store
today at 20:58:00Date: Mon, 21 Feb 2022 19:58:00 UTC
today at 20:58:00Expires: Mon, 21 Feb 2022 19:58:00 UTC
today at 20:58:00Pragma: no-cache
today at 20:58:00Server: EvoStream Media Server (www.evostream.com)
today at 20:58:00Session: YVdIB3iE
today at 20:58:00Transport: RTP/AVP/TCP;unicast;interleaved=0-1
today at 20:58:00
today at 20:58:00]
today at 20:58:002022/02/21 19:58:00 [Audio AAC bad config]
today at 20:58:002022/02/21 19:58:00 [SETUP rtsp://IP:7447/token/trackID=1 RTSP/1.0
today at 20:58:00CSeq: 4
today at 20:58:00Transport: RTP/AVP/TCP;unicast;interleaved=2-3
today at 20:58:00User-Agent: Lavf58.76.100
today at 20:58:00Session: YVdIB3iE
today at 20:58:00
today at 20:58:00]
today at 20:58:002022/02/21 19:58:00 [RTSP/1.0 200 OK
today at 20:58:00CSeq: 4
today at 20:58:00Cache-Control: no-store
today at 20:58:00Date: Mon, 21 Feb 2022 19:58:00 UTC
today at 20:58:00Expires: Mon, 21 Feb 2022 19:58:00 UTC
today at 20:58:00Pragma: no-cache
today at 20:58:00Server: EvoStream Media Server (www.evostream.com)
today at 20:58:00Session: YVdIB3iE
today at 20:58:00Transport: RTP/AVP/TCP;unicast;interleaved=2-3
today at 20:58:00
today at 20:58:00]
today at 20:58:002022/02/21 19:58:00 [PLAY rtsp://IP:7447/token/ RTSP/1.0
today at 20:58:00CSeq: 5
today at 20:58:00User-Agent: Lavf58.76.100
today at 20:58:00Session: YVdIB3iE
today at 20:58:00
today at 20:58:00]
today at 20:58:002022/02/21 19:58:00 [RTSP/1.0 200 OK
today at 20:58:00CSeq: 5
today at 20:58:00Cache-Control: no-store
today at 20:58:00Date: Mon, 21 Feb 2022 19:58:00 UTC
today at 20:58:00Expires: Mon, 21 Feb 2022 19:58:00 UTC
today at 20:58:00Pragma: no-cache
today at 20:58:00RTP-Info: url=rtsp://IP:7447/token/trackID=0;seq=5781;rtptime=0,url=rtsp://IP:7447/token/trackID=1;seq=18157;rtptime=0
today at 20:58:00Range: npt=now-
today at 20:58:00Server: EvoStream Media Server (www.evostream.com)
today at 20:58:00Session: YVdIB3iE
today at 20:58:00
today at 20:58:00]
today at 20:58:00time="2022-02-21T19:58:00Z" level=info msg="Success connection RTSP" call=Start channel=0 func=StreamServerRunStream module=core stream=demo1
today at 20:58:002022/02/21 19:58:00 WebRTC Ignore Audio Track codec not supported WebRTC support only PCM_ALAW or PCM_MULAW
today at 20:58:002022/02/21 19:58:00 [24 Type need add next version report https://github.com/deepch/vdk]
today at 20:58:042022/02/21 19:58:04 [24 Type need add next version report https://github.com/deepch/vdk]
today at 20:58:082022/02/21 19:58:08 [24 Type need add next version report https://github.com/deepch/vdk]
today at 20:58:122022/02/21 19:58:12 [24 Type need add next version report https://github.com/deepch/vdk]
today at 20:58:12time="2022-02-21T19:58:12Z" level=error msg="WebRTC Client Offline" call=WritePacket channel=0 func=HTTPAPIServerStreamWebRTC module=http_webrtc stream=demo1
today at 20:58:162022/02/21 19:58:16 [24 Type need add next version report https://github.com/deepch/vdk]
today at 20:58:202022/02/21 19:58:20 [24 Type need add next version report https://github.com/deepch/vdk]
today at 20:58:242022/02/21 19:58:24 [24 Type need add next version report https://github.com/deepch/vdk]
today at 20:58:262022/02/21 19:58:26 [OPTIONS rtsp://IP:7447/token/ RTSP/1.0
today at 20:58:26CSeq: 6
today at 20:58:26Require: implicit-play
today at 20:58:26User-Agent: Lavf58.76.100
today at 20:58:26Session: YVdIB3iE
today at 20:58:26
today at 20:58:26]
today at 20:58:282022/02/21 19:58:28 [24 Type need add next version report https://github.com/deepch/vdk]
today at 20:58:322022/02/21 19:58:32 [24 Type need add next version report https://github.com/deepch/vdk]
today at 20:58:362022/02/21 19:58:36 [24 Type need add next version report https://github.com/deepch/vdk]
today at 20:58:402022/02/21 19:58:40 [24 Type need add next version report https://github.com/deepch/vdk]
today at 20:58:442022/02/21 19:58:44 [24 Type need add next version report https://github.com/deepch/vdk]
today at 20:58:482022/02/21 19:58:48 [24 Type need add next version report https://github.com/deepch/vdk]
today at 20:58:522022/02/21 19:58:52 [OPTIONS rtsp://IP:7447/token/ RTSP/1.0
today at 20:58:52CSeq: 7
today at 20:58:52Require: implicit-play
today at 20:58:52User-Agent: Lavf58.76.100
today at 20:58:52Session: YVdIB3iE
today at 20:58:52
today at 20:58:52]
today at 20:58:522022/02/21 19:58:52 [24 Type need add next version report https://github.com/deepch/vdk]
today at 20:58:562022/02/21 19:58:56 [24 Type need add next version report https://github.com/deepch/vdk]
today at 20:59:002022/02/21 19:59:00 [TEARDOWN rtsp://IP:7447/token/ RTSP/1.0
today at 20:59:00CSeq: 8
today at 20:59:00User-Agent: Lavf58.76.100
today at 20:59:00Session: YVdIB3iE
today at 20:59:00
today at 20:59:00]
today at 20:59:002022/02/21 19:59:00 [RTSP Client RTP Read Header read tcp IP_SERVER:33416->IP:7447: use of closed network connection]
today at 20:59:002022/02/21 19:59:00 [RTSP Client Close <nil>]
today at 20:59:00time="2022-02-21T19:59:00Z" level=info msg="Stream exit by signal or not client" call=StreamServerRunStream channel=0 func=StreamServerRunStreamDo module=core stream=demo1
today at 21:04:04time="2022-02-21T20:04:04Z" level=info msg="Run stream" call=Run channel=0 func=StreamServerRunStreamDo module=core stream=camera.g4_doorbell_high
today at 21:04:04time="2022-02-21T20:04:04Z" level=info msg="Success connection RTSP" call=Start channel=0 func=StreamServerRunStream module=core stream=camera.g4_doorbell_high

This is what the picture looks like:
[Screenshot: Screen Shot 2022-02-21 at 21 08 22]

I circumvented the certificate issue by setting:


  "channel_defaults": {
    "insecure_skip_verify": true
  }

Please let me know if any of this is useful! Thanks again for your work!

@allenporter
Collaborator

Thanks for the detail, it sounds like this worked to resolve the certificate issue, but the unifi protect cameras still don't work over the RTSPS url, but the RTSP urls do work from what I hear.

@SeraphimSerapis

Can confirm! When I manually add the camera to config.json as described in #107, the cam works great. Sadly the integration only goes with RTSPS since that's the way forward for UniFi, so there may be some additional work required to make this function correctly.

@SeraphimSerapis

Update: now that #107 has been sorted, I can confirm that the cameras are added correctly to the configuration.

As @azbutz pointed out, the issue seems to be isolated to the following query parameter that is added to the URL: rtsps://IP:7441/TOKEN?enableSrtp - when removing ?enableSrtp the stream loads just fine (except that the manual change is overridden every time the camera is opened in Home Assistant).

@wjbridge

wjbridge commented Jul 3, 2022

You can still get the RTSP stream by Web UI: Generate only RTSPS links for better security. (RTSP streams are still available by removing S from RTSPS, changing port 7441 to 7447 and by removing ?enableSrtp from the URL)

Link
I tested this on Unifi Protect v2.0
