
SSL Setup

Ahmet Oğuz Mermerkaya edited this page Oct 16, 2021 · 15 revisions

SSL is not mandatory in all cases. It is mandatory when requesting access to the microphone and camera, and it is not mandatory for playing streams. HTTPS and WSS (WebSocket Secure) are mandatory for Google Chrome to run WebRTC and WebSocket applications.

In addition, developers want to serve their content over a secure connection as well. The script in this document installs a Let's Encrypt SSL certificate.

Enabling SSL in Linux(Ubuntu)

  • Create an A record for your domain name in your DNS records, so that your domain name resolves to your server's public IP address.
  • Go to the folder where Ant-Media-Server is installed. The default directory is /usr/local/antmedia
cd /usr/local/antmedia

If there is a service that uses port 80, you need to disable it. If your system has Apache Web Server, you need to stop it first with a command such as the one below

sudo service apache2 stop

There are several options to get the SSL certificate. Please choose the one appropriate for you.

Option 1: Create Let's Encrypt Certificate with HTTP-01 Challenge

Call the enable_ssl.sh with your domain name.

sudo ./enable_ssl.sh -d example.com

Option 2: Import Your Custom Certificate

The enable_ssl.sh script supports external fullchain.pem, chain.pem and privkey.pem files, in the following format

sudo ./enable_ssl.sh -f {FULL_CHAIN_FILE} -p {PRIVATE_KEY_FILE} -c {CHAIN_FILE} -d {DOMAIN_NAME} 

Ex:

sudo ./enable_ssl.sh -f yourdomain.crt -p yourdomain.key -c yourdomainchain.crt -d yourdomain.com
sudo ./enable_ssl.sh -f yourdomain.pem -p yourdomain.key -c yourdomainchain.pem -d yourdomain.com

Option 3: Create Let's Encrypt Certificate with DNS-01 Challenge

In this method, there is no HTTP request back to your server, which makes it useful for creating an SSL certificate in restricted environments. This feature is available in versions later than 2.4.0.2.

  • Run enable_ssl.sh with -v custom as follows
    sudo ./enable_ssl.sh -d {DOMAIN_NAME}  -v custom
    
  • Script will ask you to create a TXT record for your domain name.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please deploy a DNS TXT record under the name
    _acme-challenge.subdomain.yourdomain.com with the following value:
    
    ziB3UjMMSSO-La7jgqPXXXXeK-r2Ja80HluNJVvkg
    
    Before continuing, verify the record is deployed.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    
  • Create a TXT record in your DNS records as instructed above. For the sample above, we've created a TXT record _acme-challenge.subdomain.yourdomain.com with the value ziB3UjMMSSO-La7jgqPXXXXeK-r2Ja80HluNJVvkg
  • After you create the TXT record, press Enter to continue

The process should be completed successfully if you set everything correctly.

Create Let's Encrypt Certificate with DNS-01 Challenge through Route 53

Let's Encrypt has some plugins to simplify the authorization. The Route 53 plugin creates the TXT records and deletes them after authorization is done. It is very useful when creating instances in AWS Wavelength Zones, because the HTTP-01 challenge does not work in an AWS Wavelength Zone due to its nature.

  • Go to IAM Users in your AWS Console and create a user with programmatic access. The IAM user needs the route53:ListHostedZones, route53:GetChange and route53:ChangeResourceRecordSets permissions. If you import the following policy file while creating the user, the permissions are granted easily. Check this doc to create IAM users in AWS
{
  "Version": "2012-10-17",
  "Id": "certbot-dns-route53 sample policy",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "route53:ListHostedZones",
              "route53:GetChange"
          ],
          "Resource": [
              "*"
          ]
      },
      {
          "Effect" : "Allow",
          "Action" : [
              "route53:ChangeResourceRecordSets"
          ],
          "Resource" : [
              "arn:aws:route53:::hostedzone/*"
          ]
      }
  ]
}
  • After you create the IAM user, AWS provides an AWS_ACCESS_KEY and an AWS_SECRET_ACCESS_KEY. Create ~/.aws/config with your keys as follows
[default]
aws_access_key_id=WRITE_YOUR_ACCESS_KEY
aws_secret_access_key=WRITE_YOUR_SECRET_ACCESS_KEY
  • Create A record for your domain name in Route 53 that resolves to your IP address.
  • Run the enable_ssl.sh as follows
sudo ./enable_ssl.sh -d {DOMAIN_NAME}  -v route53
  • If everything is set properly, you can access the server via https://{DOMAIN_NAME}:5443

Conclusion

If you disabled any service that binds to port 80, such as Apache Web Server, enable it again

sudo service apache2 start

If the above scripts return successfully, SSL is installed on your server and you can use HTTPS through port 5443, as below

https://example.com:5443

ATTENTION: If port 80 is used by some other process or is forwarded to another port, enable_ssl.sh will not succeed. Disable the process or delete the port forwarding temporarily before running the enable_ssl.sh script above.
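The checks below cover the prerequisites this page lists (A record pointing at the server, nothing on port 80, the _acme-challenge TXT record for DNS-01, and the certificate served on 5443 afterwards). It is an added example, not part of Ant Media Server or enable_ssl.sh, and it assumes dig (dnsutils), ss (iproute2) and openssl are installed; the domain, IP and TXT values are placeholders.

```shell
#!/bin/sh
# Pre- and post-flight checks around enable_ssl.sh (added example, not part of
# Ant Media Server). Assumes dig (dnsutils), ss (iproute2) and openssl.

# Drop the quotes dig prints around TXT strings and join multi-string records,
# one record per line, so the output compares cleanly with the ACME value.
normalize_txt() {
  printf '%s\n' "$1" | sed 's/"//g; s/ //g'
}

# The next three helpers take resolver/ss output as text, so they run offline.
# True if any TXT record in $1 equals the value enable_ssl.sh asked for ($2).
txt_has_value() {
  normalize_txt "$1" | grep -qxF -- "$2"
}

# True if any line of `dig +short A` output ($1) equals the public IP ($2);
# a CNAME chain prints extra lines first, which is fine.
a_record_matches() {
  printf '%s\n' "$1" | grep -qxF -- "$2"
}

# True if `ss -ltn` output ($1) shows a listener on port 80 (column 4 is the
# local address, e.g. 0.0.0.0:80 or *:80); :8080 does not match.
port80_in_use() {
  printf '%s\n' "$1" | awk 'NR > 1 && $4 ~ /:80$/ { found = 1 } END { exit !found }'
}

# HTTP-01 prerequisites. Usage: preflight example.com 203.0.113.10
preflight() {
  if ! a_record_matches "$(dig +short A "$1")" "$2"; then
    echo "FAIL: A record for $1 does not point to $2"; return 1
  fi
  if port80_in_use "$(ss -ltn)"; then
    echo "FAIL: a process listens on port 80; stop it (e.g. apache2) first"; return 1
  fi
  echo "ok: $1 resolves to $2 and port 80 is free"
}

# DNS-01: confirm the TXT record is visible before pressing Enter.
# Usage: dns01_ready subdomain.yourdomain.com ziB3...
dns01_ready() {
  txt_has_value "$(dig +short TXT "_acme-challenge.$1")" "$2"
}

# After enable_ssl.sh: show the certificate that port 5443 now presents.
check_cert() {
  openssl s_client -connect "$1:5443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -enddate
}
```

Run dns01_ready in a second terminal while enable_ssl.sh waits for Enter; DNS propagation can take a few minutes, so retry until it succeeds rather than continuing early.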
