HTTPS: Support automatic HTTPS with let'sencrypt #2864

Closed
winlinvip opened this issue Jan 10, 2022 · 1 comment
Enhancement Improvement or enhancement. Feature It's a new feature. TransByAI Translated by AI/GPT.

Comments


winlinvip commented Jan 10, 2022

Note: SRS already supports an HTTPS server. You can refer to the HTTPS API (CN / EN) and HTTPS Live Streaming (CN / EN). This issue describes how to automatically obtain SSL certificates.

EN

You could also use the default self-signed SSL certs; search for thisisunsafe in the Wiki.

For HTTPS API or streaming, you must get a domain name from a registrar like GoDaddy or AWS Route 53, and an SSL certificate.

  • API: Get an SSL certificate from an API, like letsencrypt, via a client SDK. This is what this issue describes.
  • File: Buy an SSL certificate from a CA, like ssls.com, download the private key and certificate files, and install them in SRS or Nginx, e.g. as conf/server.key and conf/server.crt.

CaddyServer supports automatic HTTPS via letsencrypt or ZeroSSL; both are free for single-domain (not wildcard) certificates.

Note that a wildcard certificate is much cheaper to buy from ssls.com, about $50/year, but very expensive from ZeroSSL, about $600/year.

It's very important to avoid any proxy for live streaming or WebRTC, because it consumes a lot of bandwidth and resources.

CN

To support HTTPS API or streaming, it is necessary to register a domain. In China, you can purchase a domain from Alibaba Cloud or Tencent Cloud and complete the record filing process. Additionally, you will need an SSL certificate, which can be obtained through the following methods:

  • API: Obtain SSL certificates from an API, such as letsencrypt, and use a client SDK to call the service. This is what this issue describes.
  • Download as files: Usually, you can download a free certificate for a single domain from Alibaba Cloud or Tencent Cloud. Alternatively, you can purchase a wildcard certificate and download it, then configure it in SRS or Nginx using the files conf/server.key and conf/server.crt.

For personal websites, you can consider supporting integration with letsencrypt or ZeroSSL to automatically generate SSL certificates. Single domain certificates are free, while wildcard domain certificates are chargeable.

Note: For wildcard domains, it seems much cheaper to purchase them on ssls.com for only $50 per year, while on ZeroSSL it costs $600 per year. There may be some differences in the certificates they provide.

This must be supported natively by SRS, as using an HTTPS proxy for streaming media would have significant issues and low efficiency.

Solution

There are some solutions:

Note: The reload solution also works for SSL certificate files downloaded from an SSL service provider like ssls.com or ZeroSSL.

SSL File

SRS cloud server now supports setting Nginx SSL key and certificate:

[image]

LEGO

Please refer to LEGO.

Let's Encrypt

SRS cloud server now supports Let's Encrypt for automatic certificate issuance:

[image]

The certificate is valid for 3 months, and a task will be started to automatically renew it after 30 days:

[image]

Automatic SSL certificates can be issued using the certbot webroot method:

First, you need to map your domain name to an IP address, for example, lh.ossrs.net mapped to your server x.x.x.x.

Next, SRS will automatically mount a path /.well-known/acme-challenge/ mapped to the directory /usr/local/lighthouse/softwares/srs-terraform/mgmt/letsencrypt/.well-known/acme-challenge/. This allows the files created by certbot to be accessed.

Then execute the command, referring to here:

certbot certonly --webroot \
  -w /usr/local/lighthouse/softwares/srs-terraform/mgmt/letsencrypt/ -d lh.ossrs.net \
  --register-unsafely-without-email \
  --agree-tos \
  --preferred-challenges http

Note: Be careful not to include the automatically created directory .well-known/acme-challenge/.

Note: --register-unsafely-without-email ignores the email and applies for a certificate without an email. It is not very secure, but it is sufficient for most cases.

Note: --agree-tos agrees to the terms of service.

Note: -q or --quiet enables quiet mode, no interactive input required.

Note: --preferred-challenges http uses HTTP validation instead of DNS validation.

This command will do two things to verify that the domain is ours:

  • Write a temporary file to the webroot directory.
  • Go to letsencrypt to apply for an SSL certificate, which will verify the temporary file under webroot.

For example, the written file is:

[root@VM-0-7-centos mgmt]# tree -a letsencrypt/.well-known/acme-challenge/
letsencrypt/.well-known/acme-challenge/
├── .gitkeep
└── .well-known
    └── acme-challenge
        └── aqUI1_zmhXKaCmMhKKgyAvY-L_MjzZ7G98DK1e6fvFQ


It will verify this HTTP address:

   Domain: lh.ossrs.net
   http://lh.ossrs.net/.well-known/acme-challenge/aqUI1_zmhXKaCmMhKKgyAvY-L_MjzZ7G98DK1e6fvFQ

Note: The directory must not exist; otherwise it will create a subdirectory.

2022-02-02 21:47:30,690:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /usr/local/lighthouse/softwares/srs-terraform/mgmt/letsencrypt/.well-known/acme-challenge/.well-known/acme-challenge/vZcxgngJ6q_vOslFiUkkd3lFPu6dlvQRaEJfIM9CUXs

After successful completion, it will prompt:

[root@VM-0-7-centos mgmt]# certbot certonly --webroot -w /usr/local/lighthouse/softwares/srs-terraform/mgmt/letsencrypt/ -d cvm.ossrs.net --register-unsafely-without-email --agree-tos
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for cvm.ossrs.net
Performing the following challenges:
http-01 challenge for cvm.ossrs.net
Using the webroot path /usr/local/lighthouse/softwares/srs-terraform/mgmt/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cvm.ossrs.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cvm.ossrs.net/privkey.pem
   Your certificate will expire on 2022-05-03. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Certificate files:

  • Private key: /etc/letsencrypt/live/lh.ossrs.net/privkey.pem
  • Certificate: /etc/letsencrypt/live/cvm.ossrs.net/cert.pem

You just need to execute the command regularly to issue the certificate. It will check the expiration time of the certificate and update it within the last 30 days.

certbot renew -q

After updating the certificate, you need to reload nginx.

certbot renew --post-hook 'systemctl reload nginx.service'

Force update the certificate:

certbot renew --post-hook 'systemctl reload nginx.service' --force-renewal

Delete the certificate:

certbot delete --cert-name lh.ossrs.net -q

TRANS_BY_GPT3
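An added pre-flight check for the certbot webroot method described in this issue (example script, not part of SRS or certbot). It refuses a webroot path that already ends in .well-known/acme-challenge (the nesting pitfall noted above), computes the file path certbot will write and the URL Let's Encrypt will fetch, and checks that a throwaway token is actually served over plain HTTP before certbot is run; DOMAIN and WEBROOT are assumed placeholders.

```shell
#!/bin/sh
# Example pre-flight for `certbot certonly --webroot` (added here; not SRS code).
# Assumption: the web server exposes $WEBROOT/.well-known/acme-challenge/ at
# http://$DOMAIN/.well-known/acme-challenge/, which is what http-01 needs.

# Returns 0 if the path is usable as `-w`, 1 if it already ends in the challenge
# subdirectory (certbot would nest a second .well-known/acme-challenge inside it
# and the validation URL would 404).
webroot_path_ok() {
  case "${1%/}" in
    */.well-known/acme-challenge) return 1 ;;
    *) return 0 ;;
  esac
}

# Prints the filesystem path certbot writes for a challenge token.
challenge_file() {
  printf '%s/.well-known/acme-challenge/%s\n' "${1%/}" "$2"
}

# Prints the URL the ACME server fetches for that token (always plain HTTP).
challenge_url() {
  printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Writes a random-looking token into the webroot, fetches it the way the ACME
# server would, and removes it again. Returns 0 only if the body matches.
preflight() {
  domain=$1; webroot=$2
  webroot_path_ok "$webroot" || {
    echo "webroot must not end in .well-known/acme-challenge" >&2; return 1; }
  token="preflight-$(date +%s)-$$"
  f=$(challenge_file "$webroot" "$token")
  mkdir -p "$(dirname "$f")" && printf '%s' "$token" > "$f" || return 1
  got=$(curl -fsS --max-time 10 "$(challenge_url "$domain" "$token")" 2>/dev/null)
  rm -f "$f"
  [ "$got" = "$token" ]
}

# Usage: preflight lh.ossrs.net /usr/local/lighthouse/softwares/srs-terraform/mgmt/letsencrypt/
```

Because the fetch runs from the server itself, a pass does not prove that port 80 is reachable from the public Internet, which is what Let's Encrypt's validator needs.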


winlinvip commented Feb 6, 2022

Use Docker to start certbot: Running with Docker

TRANS_BY_GPT3
