wss not connecting Server version 8

[AndyObeng]

I have ovenmediaengine 0.16.5 running in docker on Centos. I am able to stream without SSL but when I modified my server.xml with the details from letsencrypt, the browser hangs for a while and then returns a code: 501 ​ message: "Connection with low-latency(OME) server failed." ​ reason: "WebSocket connection failed."

To Reproduce
Steps to reproduce the behavior:

1. Set Server.xml as follows '
   
   default
   
   ovenmediaengine.com

    	<!-- Settings for multi ip/domain and TLS -->
    	<Host>
    		<Names>
    			<!-- Host names
    				<Name>stream1.airensoft.com</Name>
   
    				<Name>stream2.airensoft.com</Name>
    				<Name>*.sub.airensoft.com</Name>
    					-->
    				<Name>2schooldirect.net</Name>
   
    			<Name>*</Name>
    		</Names>
    		<TLS>
    			<CertPath>/etc/letsencrypt/live/2schooldirect.net/cert.pem</CertPath>
    			<KeyPath>/etc/letsencrypt/live/2schooldirect.net/privkey.pem</KeyPath>
    			<ChainCertPath>/etc/letsencrypt/live/2schooldirect.net/fullchain.pem</ChainCertPath>
    		</TLS>
    	</Host>'
   

2. With Encoder 'OBS 27.2.4 on Mac Sonoma 14.2'

3. See error

Expected behavior
I should receive the playback via wss://2schooldirect.net:3334/app/{streamname}

Logs
code: 501 ​ message: "Connection with low-latency(OME) server failed." ​ reason: "WebSocket connection failed.".

Server (please complete the following information):

• OS: Centos
• OvenMediaEngine Version:0.16.5
• Branch: Not sure

Player (please complete the following information):

• Device: Laptop/Phones
• OS: Mac OS/ Android/IOS
• Browser All browsers
• Version [e.g. 22]

Additional context
Add any other context about the problem here.

[naanlizard]

Please share your full server.xml. I suspect you're not defining the TLS port

…

On Tue, Jun 18, 2024 at 14:32 AndyObeng ***@***.***> wrote: I have ovenmediaengine 0.16.5 running in docker on Centos. I am able to stream without SSL but when I modified my server.xml with the details from letsencrypt, the browser hangs for a while and then returns a code: 501 ​ message: "Connection with low-latency(OME) server failed." ​ reason: "WebSocket connection failed." *To Reproduce* Steps to reproduce the behavior: 1. Set Server.xml as follows ' default ovenmediaengine.com <!-- Settings for multi ip/domain and TLS --> <Host> <Names> <!-- Host names <Name>stream1.airensoft.com</Name> <Name>stream2.airensoft.com</Name> <Name>*.sub.airensoft.com</Name> --> <Name>2schooldirect.net</Name> <Name>*</Name> </Names> <TLS> <CertPath>/etc/letsencrypt/live/2schooldirect.net/cert.pem</CertPath> <KeyPath>/etc/letsencrypt/live/2schooldirect.net/privkey.pem</KeyPath> <ChainCertPath>/etc/letsencrypt/live/2schooldirect.net/fullchain.pem</ChainCertPath> </TLS> </Host>' 2. With Encoder 'OBS 27.2.4 on Mac Sonoma 14.2' 3. See error *Expected behavior* I should receive the playback via wss:// 2schooldirect.net:3334/app/{streamname} <http://2schooldirect.net:3334/app/%7Bstreamname%7D> *Logs* code: 501 ​ message: "Connection with low-latency(OME) server failed." ​ reason: "WebSocket connection failed.". *Server (please complete the following information):* - OS: Centos - OvenMediaEngine Version:0.16.5 - Branch: Not sure *Player (please complete the following information):* - Device: Laptop/Phones - OS: Mac OS/ Android/IOS - Browser All browsers - Version [e.g. 22] *Additional context* Add any other context about the problem here. — Reply to this email directly, view it on GitHub <#1650>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABV4BWNCZURHBOX2D72VNALZIAZHDAVCNFSM6AAAAABJQBWNI2VHI2DSMVQWIX3LMV43ASLTON2WKOZSGM2TSOBXHE4TQNQ> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[AndyObeng]

Server.xml.zip
Find attached my Server.xml.
Thanks

[naanlizard]

I'm not sure that llhls and webRTC can be served on the same port. Can you post your log files? Have you verified your ports are opened and exposed in docker?

…

On Tue, Jun 18, 2024 at 14:56 AndyObeng ***@***.***> wrote: Server.xml.zip <https://github.com/user-attachments/files/15887655/Server.xml.zip> Find attached my Server.xml. Thanks — Reply to this email directly, view it on GitHub <#1650 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABV4BWLA4AS2DGULLHYNJ73ZIA4BLAVCNFSM6AAAAABJQBWNI2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNZWGE3TCMZRGE> . You are receiving this because you commented.Message ID: ***@***.***>

[AndyObeng]

I have changed the port of the llhs to prevent conflicts and restarted OME. I have also confirmed that 3334 port is open through 'netstat -nlp'. The browser hangs for a while and then returns the same result. Please help

[bchah]

I see you have TcpForce=True in your ICE candidate config, in that case is port 3478 TCP open? If we could see the output logs from OME those may have more clues.

[naanlizard]

The netstat command shows what processes are listening on ports on your server, but it won't tell you if the network is allowing connections to that port

…

On Tue, Jun 18, 2024 at 15:22 AndyObeng ***@***.***> wrote: I have changed the port of the llhs to prevent conflicts and restarted OME. I have also confirmed that 3334 port is open through 'netstat -nlp'. The browser hangs for a while and then returns the same result. Please help — Reply to this email directly, view it on GitHub <#1650 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABV4BWPCN4YENS7YIZHK5FTZIA7EBAVCNFSM6AAAAABJQBWNI2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNZWGIZTEMZQGI> . You are receiving this because you commented.Message ID: ***@***.***>

[AndyObeng]

I see you have TcpForce=True in your ICE candidate config, in that case is port 3478 TCP open? If we could see the output logs from OME those may have more clues.

OME doesnt produce any logs. I thought by the documentation, the logs should appear in /var/log/ovenmediaengine but there is nothing there. This issue doesnt exist if I had installed without docker. I have verified that port 3478 TCP and 3334 TCP is open. I will keep trying till close of day. If nothing changes, I will install OME directly without docker. Please share if available a live chat support you may have. Thanks

[naanlizard]

If installed via docker you can get logs with the "docker logs" command We're not official ome support, we're just other users offering our help

…

On Wed, Jun 19, 2024 at 11:44 AndyObeng ***@***.***> wrote: I see you have TcpForce=True in your ICE candidate config, in that case is port 3478 TCP open? If we could see the output logs from OME those may have more clues. OME doesnt produce any logs. I thought by the documentation, the logs should appear in /var/log/ovenmediaengine but there is nothing there. This issue doesnt exist if I had installed without docker. I have verified that port 3478 TCP and 3334 TCP is open. I will keep trying till close of day. If nothing changes, I will install OME directly without docker. Please share if available a live chat support you may have. Thanks — Reply to this email directly, view it on GitHub <#1650 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABV4BWLZ4LAVRZLFVGOIXJDZIFOHTAVCNFSM6AAAAABJQBWNI2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNZYGM2TOMBVHE> . You are receiving this because you commented.Message ID: ***@***.***>

[AndyObeng]

Thanks so much. I have the logs now It says
'[2024-06-19 10:50:56.476] E [SPRtcSig-t3334:12] HTTP.Server | https_server.cpp:100 | Could not handle connection event: there is no certificate
[2024-06-19 10:51:02.045] E [SPRtcSig-t3334:12] HTTP.Server | https_server.cpp:100 | Could not handle connection event: there is no certificate' .
I guess there is something wrong with my letsencrpt installation. I will check and give update. Thanks again

[getroot]

This issue is not a bug so it is moved to discussion.

[getroot]

<CertPath>/etc/letsencrypt/live/2schooldirect.net/cert.pem</CertPath>
 <KeyPath>/etc/letsencrypt/live/2schooldirect.net/privkey.pem</KeyPath>
 <ChainCertPath>/etc/letsencrypt/live/2schooldirect.net/fullchain.pem</ChainCertPath>

This path refers to the path inside Docker. The Docker container does not access the corresponding path on the host.

Check the document below.

https://airensoft.gitbook.io/ovenmediaengine/getting-started/getting-started-with-docker#getting-started-with-complex-configuration

When running Docker, you can mount the path on the host inside Docker with the -v option.

[bchah]

Adding to this, make sure that once the directory is mapped, the user you are running OME as has permission to read the cert files. You will see in the startup logs if there was an issue initializing the certificate (or if it was not found).

[AndyObeng]

Hello @getroot I still think this is a small bug. The reason is that I have tried everything possible: I ensured that the OME image user had sufficient priviledges to see the cert files. I converted the cert files from pem format to crt. I opened the TLS port. I even changed the name of the conf folder to origin_conf since that is where the OME server wanted to read the cert files. When I abandoned docker and installed manually to system, IT WORKED with no issues. Please view the screenshot below as it seems to suggest where the docker image expects the cert files to be but those folders dont exist. Aside this OME is awesome. Thanks

[getroot]

Where are your certificate files and what did you do to make the ome docker container read them? Please also let us know your docker command. We will definitely find your mistake there.

[AndyObeng]

Where are your certificate files and what did you do to make the ome docker container read them? Please also let us know your docker command. We will definitely find your mistake there.
I use letsencrypt. My files are located at /etc/letsencrypt/live/2schooldirect.net/ folder. I ensured that the user of the OME container had read/write access to this directory. Thanks

[getroot]

As others have explained below, the Docker container and the Linux host are completely independent systems. The docker container cannot access the host's filesystem.

The /etc/letsencrypt/live/2schooldirect.net/ folder is probably a folder on the host. Either mount this folder inside docker, or copy the certificate to the folder you mounted -v $OME_DOCKER_HOME/conf: and modify the certificate path in Server.xml to point to /opt/ovenmediaengine/bin/origin_conf.

I think it would be a good idea to learn a little bit about how docker works.

[naanlizard]

You need to share exactly what you are running with docker, you are just making it more difficult to assist you by drip feeding information

…

On Sun, Jun 23, 2024 at 13:50 AndyObeng ***@***.***> wrote: Where are your certificate files and what did you do to make the ome docker container read them? Please also let us know your docker command. We will definitely find your mistake there. I use letsencrypt. My files are located at /etc/letsencrypt/live/ 2schooldirect.net/ folder. I ensured that the user of the OME container had read/write access to this directory. Thanks — Reply to this email directly, view it on GitHub <#1652 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABV4BWPDHDBTDBVYNTCPJELZI3ABTAVCNFSM6AAAAABJUECKTCVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4TQNJRHAZTC> . You are receiving this because you commented.Message ID: ***@***.*** com>

[AndyObeng]

@naanlizard I run the following with root priviledges: 1. docker run -d -it --name ome -e OME_HOST_IP=Your.HOST.IP.Address
-v $OME_DOCKER_HOME/conf:/opt/ovenmediaengine/bin/origin_conf
-v $OME_DOCKER_HOME/logs:/var/log/ovenmediaengine
-p 1935:1935 -p 9999:9999/udp -p 9000:9000 -p 3333:3333 -p 3478:3478
-p 10000-10009:10000-10009/udp
airensoft/ovenmediaengine:latest
2. I edited my server.xml to add the paths to my SSL files.
3. When TLS didnt work, I used openssl to generate the crt versions of my pem files and replaced them in the server.xml. This too didnt work
4. Meanwhile I had already ensured that port 3334 was open.
5. By contrast when I did a manual installation to system, all I had to do was to edit the xml files and put the path to my pem format SSL files and it worked

[AndyObeng]

Of course I replaced our.HOST.IP.Address with my IP

[naanlizard]

You need to mount the ssl certificates in the docker container. The container does not have access to your host filesystem

…

On Sun, Jun 23, 2024 at 14:18 AndyObeng ***@***.***> wrote: Of course I replaced OME_HOST_IP with my IP — Reply to this email directly, view it on GitHub <#1652 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABV4BWJPQY4NJGZO2252IQ3ZI3DLHAVCNFSM6AAAAABJUECKTCVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4TQNJRHE2DK> . You are receiving this because you were mentioned.Message ID: ***@***.*** com>

[bchah]

PEM-encoded works fine. It's likely what people have been saying, that your OME instance running in Docker does not have permission to read those files which seem to be sitting outside of the docker container. Are you issuing the certificate inside the docker container? If not, your Docker run command is not sufficient.

Add something like this:

-v /path/to/etc/letsencrypt/on/host:/etc/letsencrypt

And as a sanity check, try running chmod -R 777 /etc/letsencrypt inside the container. What does that do?

[naanlizard]

I wouldn't run that chmod command, a regular ls command would be plenty. Either way yeah you need to make sure the container can see the files

…

On Sun, Jun 23, 2024 at 14:39 bchah ***@***.***> wrote: PEM-encoded works fine. It's likely what people have been saying, that your OME instance running in Docker does not have permission to read those files which seem to be sitting *outside* of the docker container. Are you issuing the certificate *inside* the docker container? If not, your Docker run command is not sufficient. Add something like this: -v /path/to/etc/letsencrypt/on/host:/etc/letsencrypt And as a sanity check, try running chmod -R 777 /etc/letsencrypt inside the container. What does that do? — Reply to this email directly, view it on GitHub <#1652 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABV4BWLPMPUXCGO2PWEHXJLZI3F2VAVCNFSM6AAAAABJUECKTCVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4TQNJSGA2TQ> . You are receiving this because you were mentioned.Message ID: ***@***.*** com>

[vollhorn]

Hi,
I jump in because I seem to have the same problem. i follwed above advises, mounted the certificate path and I can list the letsencrypt *.pem files from within the docker container. I also did the chmod command. However I am not abe to do a wss or a https connection to the server OME with the demo player, whereas http and ws work fine (3333 port, llhls and WebRTC).
I am using the default server.xml except the path for the TLS are set to the path I see when I do ls in the container.
I did not enable the API server.
I use the original letsencrypt *.pem files and changed the setup.xml accordingly
I checked validity of the certificates.

Any advise? or maybe a solution to above discussion?

[naanlizard]

What do the logs say?

…

On Thu, Jul 11, 2024 at 20:45 vollhorn ***@***.***> wrote: Hi, I jump in because I seem to have the same problem. i follwed above advises, mounted the certificate path and I can list the letsencrypt *.pem files from within the docker container. I also did the chmod command. However I am not abe to do a wss or a https connection to the server OME with the demo player, whereas http and ws work fine. I am using the default server.xml except the path for the TLS are set to the path I see when I do ls in the container. I did not enable API server. I use the original letsencrypt *.pem files and changed te setup.xml accordingly I checked validity of the certificates. Any advise? or maybe a solution to above discussion? — Reply to this email directly, view it on GitHub <#1652 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABV4BWNIAFMOJ67YLT2HU2LZLZV4RAVCNFSM6AAAAABJUECKTCVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTAMBSGAZTENQ> . You are receiving this because you were mentioned.Message ID: ***@***.*** com>

[vollhorn]

Thanks for answering!
I downloaded the log, but what should I look for?

[vollhorn]

Ok, sorry, I found this:

[2024-07-11 10:43:45.787] E [OvenMediaEngine:1] Certificate | certificate.cpp:47 | Failed to create a certificate for VirtualHost [default]:
Reason: [default] Could not create a certificate from file - [OpenSSL] error:16000069:STORE routines::unregistered scheme (369098857)
Cert file path: /opt/ovenmediaengine/bin/letsencrypt/cert.pem
Chain cert file path: /opt/ovenmediaengine/bin/letsencrypt/fullchain.pem
Private key file path: /opt/ovenmediaengine/bin/letsencrypt/privkey.pem

Does this mean the *.pem files are not readable for openssl or OME?

[vollhorn]

Update:
when inside the docker container, I can list the cert files inside the mounted /opt/ovenmediaengine/bin/letsencrypt/ directory. There is also a README from letsencrypt inside the directory. With cat README I can read the file. All *.pem files howver can be listed with ls, but are not accessible, neiter with cat nor with i.e. "openssl ec -in privkey.pem pubout". says not such file or directory.
When doing the same outside the docker this works fine.
I dont understand this - how can that be? So imo it must be a docker issue, not an OME issue. But when we are suggested to use docker, this should not be a non-documented issue.
Any ideas how to solve this?
Thanks very much in advance for any hint...

[vollhorn]

Update:
at least for my problem I found the solution:
For some reason the mounted files in the directory were only relative links. Since i am not a linux expert, I did not recognize this.
Solution:
I removed the mount -v.
I copied the actual *.pem files into the actual server directory /usr/share/ovenmediaengine/conf/
This directory is already mounted for the Server configruation xml.
I verified I see the *.pem files (and not only links) in this directory from inside the container with ls -l.
I changed the server.xml TLS section according to the new path.
restart of the container -> now it works fine!

Thanks to all for the comments and discussion above.