
Certbot (Linux)

Hello everyone! In this post we wanted to highlight a feature added in MistServer version 2.17. This version added an integration with Certbot for Let’s Encrypt SSL certificates, as well as adding all SSL functionality to the Open Source edition of MistServer. For those less familiar with internet jargon, this means that we have added an easier way to stream your videos over HTTPS.

Are you running MistServer and a web server on the same server?

Before we start: if you're using MistServer together with a web server (as in running MistServer on the same server that is hosting your website) we recommend using a reverse proxy. This way, you can get by with just a single SSL certificate. This will also allow you to run MistServer on the same port as your website, which looks more professional. This guide is therefore aimed at setups that run MistServer “standalone”, without a web server on the same machine. That said, let's dig into it!

Requirements

  • A Linux server
  • MistServer
  • Browser to verify it is working

Steps in this guide

  1. What is MistUtilCertbot
  2. Installing Certbot
  3. Running MistUtilCertbot
  4. Checking whether it works

1. What is MistUtilCertbot

Starting with version 2.17 of MistServer we added a new tool in your MistServer install called MistUtilCertbot. This tool takes care of Certbot integration, meaning the entire setup can now be done with just a single command! (After both MistServer and Certbot are installed, of course.) Using this tool you will be able to easily create an automatically renewing valid SSL certificate to handle HTTPS requests.

2. Install Certbot

Certbot is a *nix-only tool meant for easy SSL certificate management. It's a package in most distributions of Linux, so we recommend using your distribution’s package manager to install it. More information on Certbot can be found here, and distribution-specific instructions can be found here.

3. Run MistUtilCertbot through Certbot

Once installed you can have Certbot set up your MistServer HTTPS certificate by running the following command (run this command as the same user you would usually run certbot as; it does not matter what user MistServer is running as):

certbot certonly \
--manual \
--preferred-challenges=http \
--manual-auth-hook MistUtilCertbot \
--deploy-hook MistUtilCertbot \
-d DOMAIN01 \
-d DOMAIN02 \
-d ETC

You'll have to change the DOMAIN01, DOMAIN02, ETC part into your own domain(s). Other than that there’s no need to make changes.

Set up auto-renewing of Certbot certificates

This differs per distribution, so we recommend following the “Set up automatic renewal” step on Certbot’s instructions page. There is no need to follow any of the other steps, as the rest is taken care of by our integration.

Done! That's it! Your MistServer now has SSL enabled and it will be auto-renewing monthly!

4. Check whether it works

The only thing left now is to check whether HTTPS works. This can be done simply by previewing a stream over the newly set up HTTPS connection. Go to any video you have set up and check the embed page. It will give you an option to use HTTPS; tick that box and visit the HTML page using the HTTPS address. If the video plays without problems, you’ve done it right!

Additional information

A bug can appear where the last step does not activate certbot correctly and no HTTPS protocol appears within MistServer. If you're experiencing this you can solve it by running the following command:

RENEWED_LINEAGE=/etc/letsencrypt/live/DOMAIN01/ MistUtilCertbot -g 10

Replace DOMAIN01 with the first given domain from your original certbot command.

This bug used to appear in older versions of MistServer, but should no longer be an issue in current versions of MistServer. We are keeping this information here to make sure users of older versions of MistServer know what to do if it shows up.
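
Before running the workaround command above, or after a renewal, you can confirm that the lineage directory passed in RENEWED_LINEAGE holds a usable certificate. This is an added example, not part of MistServer or Certbot: the function names and the 14-day threshold are assumptions, and it relies on the fullchain.pem and privkey.pem files Certbot keeps in a lineage directory.

```shell
#!/bin/sh
# Added example, not MistServer or Certbot code. Function names and the
# day threshold are hypothetical; only the openssl CLI is required.

# check_lineage DIR MIN_DAYS DOMAIN...
# Prints every problem found; returns 0 only if the lineage is usable.
check_lineage() {
    dir=${1%/}; min_days=$2; shift 2
    cert="$dir/fullchain.pem"; key="$dir/privkey.pem"; rc=0
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
    done
    # -checkend exits non-zero when the leaf expires within N seconds,
    # which is how a silently failing renewal job shows up.
    openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null ||
        { echo "expires in under $min_days days"; rc=1; }
    # Every -d name from the certbot command must be a SAN entry.
    sans=$(openssl x509 -in "$cert" -noout -text | tr -d ' ' | tr ',' '\n')
    for d in "$@"; do
        printf '%s\n' "$sans" | grep -Fqx "DNS:$d" ||
            { echo "certificate does not cover $d"; rc=1; }
    done
    # The private key must belong to the certificate ...
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "privkey.pem does not match fullchain.pem"; rc=1; }
    # ... and must not be readable by group or other (-L follows the
    # symlinks Certbot places in live/).
    [ -z "$(find -L "$key" \( -perm -040 -o -perm -004 \))" ] ||
        { echo "privkey.pem is group/world readable"; rc=1; }
    return "$rc"
}

# Constructed sample: a self-signed stand-in for a real lineage, so the
# check can be tried without touching /etc/letsencrypt.
make_sample_lineage() {   # DIR DAYS DOMAIN
    mkdir -p "$1" && openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=$3" -addext "subjectAltName=DNS:$3" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null &&
        chmod 600 "$1/privkey.pem"
}

# Real use: check_lineage /etc/letsencrypt/live/DOMAIN01 14 DOMAIN01 DOMAIN02
```

Run it as a user that can read the lineage directory. A non-zero exit means the certificate should be fixed or re-issued before it is handed to MistUtilCertbot.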

Troubleshooting

If HTTPS isn’t working it’s usually because a setting is wrong. The easiest way to check what the problem might be is to activate the developer console of the browser (usually it’s “F12”) and see what the error messages are. Of course you can always contact us if you run into issues you can’t figure out!

Conclusion

As you can see, setting up SSL/HTTPS through MistUtilCertbot makes the process quite easy. If you got the commands right you could be done in a few minutes. That is quite important, as your viewers expect SSL connections; you can’t be doing everything over HTTP anymore.