Pages

August 7, 2019

Using Certbot with Nimble Streamer

Certbot is a popular tool for working with Let's Encrypt certificates. Nimble Streamer has full support for SSL-protected streaming so let's see how you can use Certbot with Nimble Streamer for your convenience.

1. Set up Certbot


First go to Certbot website and scroll down to "My HTTP website is running" line. Choose "Other" option in Software field and then your OS in "System" field.

You'll be redirected to this Certbot page with necessary instructions.

Follow steps 1 through 3 to install and setup Certbot.

On step 7, choose "Yes, my web server is not currently running on this machine" option.

If you have Nimble Streamer working on port 80, this will not work because Certbot will try to bring up its own web server. In this case, choose "No, I need to keep my web server running" and read this article for additional setup and then continue with steps below.

2. Set up certificate


On step 8 - "Install your certificate" - you need to use your new certificate in Nimble Streamer configuration.

Add these lines to your /etc/nimble/nimble.conf file:
ssl_port = 443
ssl_certificate = /etc/letsencrypt/live/your.domain.name/fullchain.pem
ssl_certificate_key = /etc/letsencrypt/live/your.domain.name/privkey.pem
and then re-start Nimble Streamer with this command:
sudo service nimble restart
You can find more info about nimble.conf on this page.

If you need more complex setup scenario like multiple domains or encryption methods, you can follow this article to set up SSL certificate properly.

By this step, you'll have Nimble Streamer instance running with valid SSL certificate.

3. Set up certificate renewal


The last step will be to set up the automatic renewal of certificate. Certbot does this perfectly, however we'll need to make it call Nimble Streamer for reload the certificate. This can be done via Nimble Streamer native API.

First, set up management API as described on this page under "Starting point: enable API access" point.
Here's an example you can use:
management_listen_interfaces = 127.0.0.1
management_port = 8083
Then re-start Nimble Streamer instance:
sudo service nimble restart

Second step will be to run the renew command as described in "Test automatic renewal" Certbot page section, with additional post-hook parameter like this:
sudo certbot renew --post-hook 'curl -X POST http://127.0.0.1:8083/manage/reload_ssl_certificates'
You can use the above command (which makes proper API call) to manually renew SSL certificates without Nimble Streamer restart.

To test automatic certificate renewal, run the following command:
sudo certbot renew --dry-run --post-hook 'curl -X POST http://127.0.0.1:8083/manage/reload_ssl_certificates'

The latest version of Certbot provides pre-configured automated renewal for Ubuntu via systemd timers.
To make sure that Certbot’s systemd timer is installed, use the following command:
systemctl list-timers
Its output should contain certbot.timer at UNIT column.

To make Nimble Streamer apply new certificate settings without restart, please use following commands to create post-hook timer:
sudo echo -e '#!/bin/sh\ncurl -s -X POST http://127.0.0.1:8083/manage/reload_ssl_certificates' > /etc/letsencrypt/renewal-hooks/post/nimble-ssl-renew.sh 
sudo chmod 750 /etc/letsencrypt/renewal-hooks/post/nimble-ssl-renew.sh
Now you certificates will be renewed automatically.

Troubleshooting

If Nimble doesn't start after the above steps, and its logs contain the following error
[20ХХ-01-01 00:00:00 P????-T????] [nimble] E: failed to load SSL certificate(s)
please check that user nimble can read folder /etc/letsencrypt, then you need to execute the following commands to grant required permissions:
sudo chgrp -R nimble /etc/letsencrypt/
sudo chmod -R g+rx /etc/letsencrypt/


That's it. If you have any questions or issues, feel free to contact us via helpdesk.

Related documentation


SSL setup for Nimble Streamer, Paywall feature set

No comments:

Post a Comment

If you face any specific issue or want to ask some question to our team,
PLEASE USE OUR HELPDESK

This will give much faster and precise response.
Thank you.

Note: Only a member of this blog may post a comment.