Configuring SSL
Centova Cast fully supports both HTTPS (secure SSL) and HTTP (plaintext non-SSL) connections on its web interface.The web interface automatically detects which protocol (HTTP or HTTPS) the browser is using and responds appropriately; as such, both protocols are supported on a single port. For example, you could access a Centova Cast installation at
cast.example.com
using either of
the following URLs:http://cast.example.com:2199 (non-SSL)
https://cast.example.com:2199 (SSL)
SSL is enabled by default, so either the http
or https
URL can be used out-of-the-box.Self-Signed Certificates
During installation, Centova Cast creates a self-signed SSL certificate for your server's IP address. For example, if your server's IP address is10.2.3.4
, the certificate will allow
you to access Centova Cast using the URL: https://10.2.3.4:2199/
Note that because self-signed certificates have not been generated by a "trusted" certificate authority, any web server using a self-signed certificates will always cause web browsers to display a security warning.
As such, the first time you (or any of your clients) attempt to access to Centova Cast, the web browser will display a security warning explaining that the certificate is not trusted, and prompt to accept or reject the connection.
This warning can be eliminated by installing your own certificate from a trusted certificate authority.
Customizing Your Self-Signed Certificate
If you wish to regenerate your self-signed certificate (for example, to use your domain name instead of your IP address), you can do so using the following command:/usr/local/centovacast/sbin/setssl self example.com
Replace example.com
with the domain name for which you want to generate the certificate.
This is a fully-automated process and once it completes, you can simply restart Centova Cast
and begin accessing the web interface at https://example.com:2199/
(again, replacing
example.com
with your actual domain name).Note that as with any self-signed certificate, all web browsers will display a security warning when accessing Centova Cast because the certificate is not issued by a trusted certificate authority.
Installing Your Own Certificate
To eliminate the web browser security warnings caused by self-signed certificates, you may wish to obtain an SSL certificate from a trusted certificate authority. The steps for doing so are as follows:- Order an SSL certificate from an SSL certificate vendor. Thousands of companies on the
Internet sell SSL certificates; if you are not familiar with any, your hosting provider
likely sells them or can recommend a good vendor. Otherwise, simply searching the web
for
purchase ssl certificate
should give you a place to start. - Your certificate authority may prompt you for the type of SSL certificate to be generated; if so, choose "Apache/mod_ssl" as the type.
- The certificate authority will prompt you to provide your CSR for your desired domain
name. You can generate one on your Centova Cast server using
the following commands:
When prompted for your Common Name, enter the fully-qualified domain name (including any subdomain that you might wish to use) for the SSL certificate. Fill out the remaining fields with the appropriate information about your organization./usr/local/centovacast/bin/openssl genrsa -out /root/cc.key 2048 /usr/local/centovacast/bin/openssl req -sha256 -key /root/cc.key -out /root/cc.csr \ -config /usr/local/centovacast/etc/openssl.cnf
This will create a CSR file called/root/cc.csr
which you can then provide to the certificate authority. - After you receive your SSL certificate from the certificate authority, you can install it
into the Centova Cast web server using the following command:
Replace/usr/local/centovacast/sbin/setssl /root/cc.key /path/to/certificate.pem
/root/cc.key
with the path to the private key you used to generate the CSR provided to the certificate authority (possibly generated in step 3 above), and/path/to/certificate.pem
with the SSL certificate bundle provided by the certificate authority. - Finally, restart Centova Cast using the following command:
You should now be able to access Centova Cast using your new SSL certificate at/etc/init.d/centovacast restart
https://example.com:2199
, whereexample.com
is your actual domain name. Your browser should not issue any security warnings now that you are using a certificate from a trusted certificate authority.
Using a Free SSL Certificate from "Let's Encrypt"
"Let's Encrypt" is a certificate authority that provides completely free SSL certificates that are trusted by all major browsers. Unlike self-signed certificates, they do not generate security warnings when visitors access your web site.Centova Cast fully supports the use of SSL certificates from "Let's Encrypt", and can automatically generate and renew such certificates once configured to do so.
Refer to the knowledge base article about Let's Encrypt for details about configuring Centova Cast with certificates from Let's Encrypt.
Forcing Users to Use SSL
Centova Cast does not, by default, force users to use SSL; they can switch at will between SSL and non-SSL simply by changinghttp://
to https://
and vice-versa in the URL.If you wish to force all users to use SSL when accessing authenticated areas of Centova Cast (i.e., areas which are restricted to logged-in users) you can edit
/usr/local/centovacast/etc/centovacast.conf
and change REQUIRE_SSL=false
to
REQUIRE_SSL=true
.Save your changes and restart Centova Cast to enforce the new SSL policy.