Configuring SSL

Centova Cast fully supports both HTTPS (secure SSL) and HTTP (plaintext non-SSL) connections on its web interface.

The web interface automatically detects which protocol (HTTP or HTTPS) the browser is using and responds appropriately; as such, both protocols are supported on a single port. For example, you could access a Centova Cast installation at cast.example.com using either of the following URLs:

http://cast.example.com:2199   (non-SSL)
https://cast.example.com:2199  (SSL)

SSL is enabled by default, so either the http or https URL can be used out-of-the-box.

Self-Signed Certificates

During installation, Centova Cast creates a self-signed SSL certificate for your server's IP address. For example, if your server's IP address is 10.2.3.4, the certificate will allow you to access Centova Cast using the URL: https://10.2.3.4:2199/

Note that because self-signed certificates are not issued by a "trusted" certificate authority, any web server using a self-signed certificate will always cause web browsers to display a security warning.

As such, the first time you (or any of your clients) attempt to access Centova Cast, the web browser will display a security warning explaining that the certificate is not trusted, and prompt you to accept or reject the connection.

This warning can be eliminated by installing your own certificate from a trusted certificate authority.

Customizing Your Self-Signed Certificate

If you wish to regenerate your self-signed certificate (for example, to use your domain name instead of your IP address), you can do so using the following command:

/usr/local/centovacast/sbin/set_ssl_cert self example.com

Replace example.com with the domain name for which you want to generate the certificate. This is a fully-automated process and once it completes, you can simply restart Centova Cast and begin accessing the web interface at https://example.com:2199/ (again, replacing example.com with your actual domain name).

Note that as with any self-signed certificate, all web browsers will display a security warning when accessing Centova Cast because the certificate is not issued by a trusted certificate authority.

Installing Your Own Certificate

To eliminate the web browser security warnings caused by self-signed certificates, you may wish to obtain an SSL certificate from a trusted certificate authority. The steps for doing so are as follows:

  1. Order an SSL certificate from an SSL certificate vendor. Thousands of companies on the Internet sell SSL certificates; if you are not familiar with any, your hosting provider likely sells them or can recommend a good vendor. Otherwise, simply searching the web for "purchase ssl certificate" should give you a place to start.

  2. Your certificate authority may prompt you for the type of SSL certificate to be generated; if so, choose "Apache/mod_ssl" as the type.

  3. The certificate authority will prompt you to provide your CSR for your desired domain name. You can generate one on your Centova Cast server using the following commands:

    /usr/local/centovacast/bin/openssl genrsa -out /root/cc.key 2048
    /usr/local/centovacast/bin/openssl req -new -sha256 -key /root/cc.key -out /root/cc.csr \
        -config /usr/local/centovacast/etc/openssl.cnf
    

    When prompted for your Common Name, enter the fully-qualified domain name (including any subdomain that you might wish to use) for the SSL certificate. Fill out the remaining fields with the appropriate information about your organization.

    This will create a CSR file called /root/cc.csr which you can then provide to the certificate authority.

  4. After you receive your SSL certificate from the certificate authority, you can install it into the Centova Cast web server using the following command:

    /usr/local/centovacast/sbin/set_ssl_cert /root/cc.key /path/to/certificate.pem
    

    Replace /root/cc.key with the path to the private key you used to generate the CSR provided to the certificate authority (possibly generated in step 3 above), and /path/to/certificate.pem with the SSL certificate bundle provided by the certificate authority.

  5. Finally, restart Centova Cast using the following command:

    systemctl restart centovacast
    

    You should now be able to access Centova Cast using your new SSL certificate at https://example.com:2199, where example.com is your actual domain name. Your browser should not issue any security warnings now that you are using a certificate from a trusted certificate authority.
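
A pre-install check for step 4, as an added example that is not part of the Centova Cast documentation: it confirms that the certificate returned by the certificate authority was issued for your private key, has not expired, and covers the host name you will use. The function name check_cert is hypothetical, and the -checkhost option assumes OpenSSL 1.0.2 or later.

```shell
#!/bin/sh
# Added example: verify a CA-issued certificate before passing it to set_ssl_cert.
# Prefer the openssl binary named on this page; fall back to the system one.
OPENSSL=/usr/local/centovacast/bin/openssl
[ -x "$OPENSSL" ] || OPENSSL=openssl

# check_cert KEY CERT HOST  (hypothetical helper name)
# Returns 0 when CERT was issued for KEY, is still valid, and covers HOST.
check_cert() {
    key=$1; cert=$2; host=$3

    # Extract the public key from both files. openssl reads the first
    # certificate in a PEM bundle, so the server certificate must come first.
    key_pub=$("$OPENSSL" pkey -in "$key" -pubout 2>/dev/null)
    cert_pub=$("$OPENSSL" x509 -in "$cert" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ -z "$cert_pub" ]; then
        echo "FAIL: cannot parse key or certificate" >&2
        return 2
    fi

    # A certificate issued for a CSR made with a different key will not work.
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "FAIL: certificate was not issued for this private key" >&2
        return 3
    fi

    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! "$OPENSSL" x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: certificate has expired" >&2
        return 4
    fi

    # -checkhost reports whether the name in the URL is covered.
    if ! "$OPENSSL" x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null \
            | grep -q "does match certificate"; then
        echo "FAIL: certificate does not cover $host" >&2
        return 5
    fi

    echo "OK: $cert matches $key and covers $host"
}

# Run only when called as: script KEY CERT HOST
if [ $# -eq 3 ]; then
    check_cert "$@"
fi
```

Run it with the same key and certificate paths you intend to give set_ssl_cert, plus the host name from your URL; any FAIL line means the browser warning would remain or the web server would reject the pair.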

Using a Free SSL Certificate from "Let's Encrypt"

"Let's Encrypt" is a certificate authority that provides completely free SSL certificates that are trusted by all major browsers. Unlike self-signed certificates, they do not generate security warnings when visitors access your web site.

Centova Cast fully supports the use of SSL certificates from "Let's Encrypt", and can automatically generate and renew such certificates once configured to do so.

Refer to the knowledge base article about Let's Encrypt for details about configuring Centova Cast with certificates from Let's Encrypt.

Forcing Users to Use SSL

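Centova Cast does not, by default, force users to use SSL; they can switch at will between SSL and non-SSL simply by changing http:// to https:// and vice-versa in the URL. Until SSL is enforced, a user who opens the http:// URL is using the plaintext, non-SSL connection.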

If you wish to force all users to use SSL when accessing authenticated areas of Centova Cast (i.e., areas which are restricted to logged-in users) you can edit /usr/local/centovacast/etc/centovacast.conf and change REQUIRE_SSL=false to REQUIRE_SSL=true.

Save your changes and restart Centova Cast to enforce the new SSL policy.