
SRS in secure configuration is not sending the full certificate chain #3967

Closed
neilyoung opened this issue Mar 2, 2024 · 9 comments · Fixed by #4033

neilyoung commented Mar 2, 2024

I have had a fullchain GoDaddy certificate created for SRS. It looks as if the SRS HTTPS server only sends the FIRST certificate in the chain, which in turn leads to "Unknown CA" on systems which do not natively have knowledge of GoDaddy's CA.
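A way to confirm the symptom described above, added here as an example (not part of the issue and not SRS project code): count the certificate blocks in the fullchain PEM file and compare that with what the server actually presents during the TLS handshake, using `openssl s_client -showcerts`. Background from the OpenSSL documentation: `SSL_CTX_use_certificate_file()` loads only the first certificate stored in the file, while `SSL_CTX_use_certificate_chain_file()` loads the leaf followed by the intermediates, which is exactly the difference between a server that sends the leaf alone and one that sends the chain. The host, port and file path in the example are placeholders (assumed, not taken from the issue).

```shell
#!/bin/sh
# Added example, not SRS project code: check whether a TLS server presents the
# full certificate chain contained in its fullchain PEM file.
# Host, port and file path are placeholders (assumptions), e.g.
#   check_chain fullchain.pem srs.example.com 1990

# Number of PEM certificate blocks in a file. A fullchain file holds the leaf
# first, then the intermediates; some issuers also append the root.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Number of certificates the server sends in its Certificate message.
# -servername sends SNI so a name-based virtual host picks the right certificate.
server_cert_count() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# OpenSSL's own verdict on the chain it received, e.g. "0 (ok)", or
# "21 (unable to verify the first certificate)" when the intermediate is missing
# and the local trust store does not contain it.
server_verify_result() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | sed -n 's/^ *Verify return code: //p'
}

# Subject and issuer of every certificate in a PEM bundle, in file order.
# For a well-formed chain each certificate's issuer equals the subject of the
# certificate that follows it.
describe_chain() {
    dir=$(mktemp -d)
    awk -v dir="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > (dir "/" n ".pem") }' "$1"
    for f in "$dir"/*.pem; do
        openssl x509 -in "$f" -noout -subject -issuer
        echo
    done
    rm -rf "$dir"
}

# Exit 0 when the server sends at least as many certificates as the file holds,
# 1 when it truncates the chain (the symptom reported in this issue).
check_chain() {
    file=$1 host=$2 port=$3
    expected=$(pem_cert_count "$file")
    got=$(server_cert_count "$host" "$port")
    printf '%s: file has %s certificate(s), server sent %s, verify: %s\n' \
        "$host:$port" "$expected" "$got" "$(server_verify_result "$host" "$port")"
    [ "$got" -ge "$expected" ]
}

# Run as: sh check_chain.sh fullchain.pem srs.example.com 1990
if [ $# -eq 3 ]; then
    check_chain "$@"
fi
```

If `pem_cert_count` reports more certificates than `server_cert_count`, the server is loading only the leaf; `server_verify_result` then typically prints `21 (unable to verify the first certificate)` on a machine whose trust store lacks the issuing intermediate, which is the "Unknown CA" failure the report describes. Running `describe_chain fullchain.pem` before deploying also catches a bundle whose certificates are in the wrong order.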

@winlinvip winlinvip added the EnglishNative This issue is conveyed exclusively in English. label Mar 2, 2024
neilyoung commented Mar 2, 2024

Add on: I first tried to terminate SRS SSL with NGINX, but that didn't work (at least not for the API). I suspect not all clients are able to follow a 302 Redirect.

EDIT: Tried again, I'm now able to terminate the app and the api via NGINX 443. Not sure what happened the first time.

So my problem is maybe no problem anymore, because I can circumvent SRS on port 1990 by using NGINX on 443.

winlinvip commented Mar 3, 2024

SRS's HTTPS server is intended for demonstration purposes. I recommend using NGINX, Caddy, or any other HTTP server for production use. These HTTP servers can be configured to proxy both streaming and API requests to SRS. For guidelines on building an HTTPS proxy server using NGINX or Caddy, refer to the SRS FAQ on the official website.

@winlinvip winlinvip closed this as not planned Mar 3, 2024
@winlinvip winlinvip self-assigned this Mar 3, 2024
@winlinvip winlinvip added the API HTTP-API, HTTP-Callback, etc. label Mar 3, 2024
neilyoung commented

OK, thanks for the quick answer. I'm back on NGINX again, which initially didn't work for me in combination with DJI CloudAPI, but now I'm sure that - if it still doesn't work - there must be an issue with DJI.

Could you guide me regarding one little quirk I see? Regardless of what configuration I choose, there is still this port 1990 attached to the URL constructed for the WHIP/WHEP access in your app:

[screenshot omitted]

The reason is line 132 in objs/nginx/html/players/js/srs.page.js, which ultimately adds port 1990 in case HTTPS is detected.

var api = ':' + (query.api || (window.location.protocol === 'http:' ? '1985' : '1990'));

Would there be a way to suppress this by configuration or would I have to patch this code line (which works btw)?

neilyoung commented (this comment was marked as off-topic)

winlinvip commented

You can specify the HTTPS port in the URL:

[screenshot omitted]

For example: http://localhost:8080/players/whep.html?api=3443

neilyoung commented

Well ok, but seriously?

neilyoung commented Mar 4, 2024

Why is my supplementary question considered "off-topic"? The central issue at hand is that my certificate consists of a chain of four certificates, and it appears that only the first one is being transmitted to clients.


suzp1984 (contributor) commented

I think #4033 can solve this issue.

neilyoung commented Apr 21, 2024

@suzp1984 Thanks, but I replaced SRS with MediaMTX, also for the RTSP support.

winlinvip added a commit that referenced this issue Apr 22, 2024
…22 (#4033)

Fix #3967 There is an API `SSL_use_certificate_chain_file`, which can load the
certification chain and also single certificate.

---------

Co-authored-by: winlin <winlinvip@gmail.com>