ossrs / srs

SRS is a simple, high-efficiency, real-time video server supporting RTMP, WebRTC, HLS, HTTP-FLV, SRT, MPEG-DASH, and GB28181.

Home Page: https://ossrs.io

SRS in secure configuration is not sending the full certificate chain

neilyoung opened this issue · comments

I'm having a fullchain GoDaddy certificate created for SRS. It looks as if the SRS HTTPS server only sends the FIRST certificate in the chain, which in turn leads to "Unknown CA" on systems which do not natively have knowledge about GoDaddy's CA.

Add on: I first tried to terminate SRS SSL with NGINX, but that didn't work (at least not for the API). I suspect not all clients are able to follow a 302 Redirect.

EDIT: Tried again, I'm now able to terminate the app and the api via NGINX 443. Not sure what happened the first time.

So my problem is maybe no problem anymore, because I can circumvent using SRS 1990 by using NGINX 443.

SRS's HTTPS server is intended for demonstration purposes. I recommend using NGINX, Caddy, or any other HTTP server for production use. These HTTP servers can be configured to proxy both streaming and API requests to SRS. For guidelines on building an HTTPS proxy server using NGINX or Caddy, refer to the SRS FAQ on the official website.
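As an added example (not SRS project code, and not the configuration from the SRS FAQ), here is the kind of termination setup the recommendation above describes: assemble a fullchain file (leaf certificate followed by the CA bundle) and let NGINX serve it while proxying to SRS. It assumes SRS is on the same host with its default ports 1985 (HTTP API, including WHIP/WHEP under /rtc/) and 8080 (HTTP server with the players); the certificate paths and the domain are placeholders. The `count_pem_certs` check is the quick way to tell a leaf-only `server.crt` from a real chain before pointing any server at it.

```shell
#!/bin/sh
# Added example: build fullchain.pem and render an NGINX TLS terminator for SRS.
# Assumptions: SRS API on 127.0.0.1:1985, SRS HTTP server on 127.0.0.1:8080,
# certificate files under /etc/nginx/certs/<domain>/ (placeholder paths).

# Count PEM certificate blocks in a file. A leaf-only certificate file holds 1;
# a fullchain file (leaf + intermediates) holds 2 or more.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Concatenate the leaf certificate and the CA bundle, leaf first, into $3.
# Fails if the result is a single certificate, i.e. no intermediates were added.
build_fullchain() {
    leaf=$1; bundle=$2; out=$3
    cat "$leaf" "$bundle" > "$out"
    [ "$(count_pem_certs "$out")" -ge 2 ]
}

# Print an NGINX server block that terminates TLS with the full chain and
# forwards API/WebRTC signalling to port 1985 and everything else to 8080.
render_nginx_conf() {
    domain=$1
    cat <<EOF
server {
    listen 443 ssl;
    server_name $domain;

    # Serve the whole chain, not only the leaf, so clients that do not ship
    # the issuing CA can still build a trust path.
    ssl_certificate     /etc/nginx/certs/$domain/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/$domain/privkey.pem;

    # SRS HTTP API and WHIP/WHEP signalling (assumed on port 1985)
    location /api/ {
        proxy_pass http://127.0.0.1:1985;
        proxy_set_header Host \$host;
    }
    location /rtc/ {
        proxy_pass http://127.0.0.1:1985;
        proxy_set_header Host \$host;
    }

    # SRS HTTP server: players, HTTP-FLV, HLS (assumed on port 8080)
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host \$host;
    }
}
EOF
}

# Usage: sh terminate.sh leaf.pem gd_bundle.pem srs.example.test > srs.conf
if [ "$#" -eq 3 ]; then
    build_fullchain "$1" "$2" fullchain.pem && render_nginx_conf "$3"
fi
```

The order inside fullchain.pem matters: the leaf must come first, followed by the intermediate(s) that signed it. With this in place, the players and the WHIP/WHEP API are reached through 443 only, so the SRS HTTPS listener on 1990 does not need to be exposed at all.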

OK, thanks for the quick answer. I'm back on NGINX again, which initially didn't work for me in combination with DJI CloudAPI, but now I'm sure that - if it still doesn't work - there must be an issue with DJI.

Could you guide me regarding one little quirk I see? Regardless of what configuration I choose, there is still this port 1990 attached to the URL constructed for the WHIP/WHEP access in your app:

[image omitted]

The reason is line 132 in objs/nginx/html/players/js/srs.page.js, which ultimately adds port 1990 in case HTTPS is detected.

```js
var api = ':' + (query.api || (window.location.protocol === 'http:' ? '1985' : '1990'));
```

Would there be a way to suppress this by configuration or would I have to patch this code line (which works btw)?

And - out of curiosity - can you confirm that SRS is only able to deal with one entry in the server.crt?

You can specify the HTTPS port in the URL:

[image omitted]

For example: http://localhost:8080/players/whep.html?api=3443

Well ok, but seriously?

Why is my supplementary question considered "off-topic"? The central issue at hand is that my certificate consists of a chain of four certificates, and it appears that only the first one is being transmitted to clients.

TRANS_BY_GPT4
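The question of which certificates a listener actually hands out can be settled from the client side rather than by reading server code. The following is an added example (not SRS project code) that pulls the presented chain from any TLS endpoint, such as SRS on 1990 or an NGINX terminator on 443, splits it into one PEM file per certificate, and checks that each certificate is issued by the next one in the list. It assumes `openssl` is installed; the host and port are placeholders.

```shell
#!/bin/sh
# Added example: dump and sanity-check the certificate chain a TLS endpoint presents.
# Assumes openssl is available. Host and port are placeholders supplied by the caller.

# Split `openssl s_client -showcerts` output into $3/cert-0.pem (leaf), cert-1.pem, ...
split_presented_chain() {
    host=$1; port=$2; outdir=$3
    mkdir -p "$outdir"
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | awk -v d="$outdir" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { f = d "/cert-" n ".pem"; n++ }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }'
}

# Print "subject|issuer" for one PEM certificate file.
subject_issuer() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//')
    printf '%s|%s\n' "$s" "$i"
}

# Given "subject|issuer" pairs in presentation order (leaf first), verify that
# the issuer of each certificate equals the subject of the next one.
# Returns 0 when every link holds, 1 on a broken link or empty input, and 2
# when only a single non-self-signed certificate was presented (the case this
# issue is about: the server relies on every client already trusting the issuer).
chain_links_ok() {
    prev_issuer=""
    count=0
    for pair in "$@"; do
        subject=${pair%%|*}
        issuer=${pair#*|}
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "broken link: expected subject '$prev_issuer', got '$subject'" >&2
            return 1
        fi
        prev_issuer=$issuer
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] || return 1
    if [ "$count" -eq 1 ]; then
        first=$1
        # A lone self-signed certificate is a complete (if untrusted) chain.
        [ "${first%%|*}" = "${first#*|}" ] && return 0
        echo "only one certificate presented; intermediates are missing" >&2
        return 2
    fi
    return 0
}

# Probe an endpoint, print each presented certificate as subject|issuer,
# and return the chain_links_ok status.
check_endpoint() {
    host=$1; port=$2
    dir=$(mktemp -d)
    split_presented_chain "$host" "$port" "$dir"
    set --
    for f in "$dir"/cert-*.pem; do
        [ -e "$f" ] || { echo "no certificate received from $host:$port" >&2; return 1; }
        pair=$(subject_issuer "$f")
        echo "$pair"
        set -- "$@" "$pair"
    done
    chain_links_ok "$@"
}

# Usage: sh chaincheck.sh srs.example.test 1990
if [ "$#" -eq 2 ]; then
    check_endpoint "$1" "$2"
fi
```

A return code of 2 against port 1990 and 0 against the NGINX terminator on 443 is exactly the symptom described above: the leaf alone is presented by one listener, the full chain by the other. The check deliberately stops at the last presented certificate and does not require the root to be sent, since clients are expected to hold the root in their own trust store.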