Problem creating an Alexa skill - maybe https issue

Hi

I’m trying to create an Alexa skill for Internet radio. I’ve followed a tutorial here - their code/stream works. When I substitute in my stream URL leaving everything else the same, the skill hangs so I think there might be a problem with the stream (and perhaps the cert).

The stream plays in VLC, Winamp, and if you cut and paste it into Firefox/Chrome.

My domain is: ssl.canstream.co.uk

Checking with curl, I ran the following command:

curl -v https://ssl.canstream.co.uk:8201/live.mp3

It produced the following output:

[itcrowd@machine ~]$ curl -v https://ssl.canstream.co.uk:8201/live.mp3

  • About to connect() to ssl.canstream.co.uk port 8201 (#0)

  • Trying 195.10.228.22… connected

  • Connected to ssl.canstream.co.uk (195.10.228.22) port 8201 (#0)

  • Initializing NSS with certpath: sql:/etc/pki/nssdb

  • CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none

  • Peer’s certificate issuer is not recognized: ‘CN=Let’s Encrypt Authority X3,O=Let’s Encrypt,C=US’

  • NSS error -8179

  • Closing connection #0

  • Peer certificate cannot be authenticated with known CA certificates
    curl: (60) Peer certificate cannot be authenticated with known CA certificates
    More details here: http://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

Again checking with curl, I ran the following command which appeared to stream the URL:

curl -vk https://ssl.canstream.co.uk:8201/live.mp3

My web server is: Server version: Apache/2.2.15 (Unix) [Not relevant]

The operating system my server runs is: Centos 6

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: no

The version of my client is: certbot 1.2.0

The cert I am using is made as follows:

cat privkey.pem > icecast.pem
cat cert.pem >> icecast.pem

The file icecast.pem consists of

-----BEGIN RSA PRIVATE KEY-----
[priv ate key stuff]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[certificate stuff]
-----END CERTIFICATE-----

A tutorial here suggests that icecast.pem should be made as follows:

1) Your private key
2) Your SSL cert
3) CA Bundle

It is possible I did not use the above method as I followed a different tutorial which combined only the private key and the certificate - and it appeared to support streaming over SSL.

If I am to also combine CA Bundle what file does that relate to? I have the following files:

cert.pem chain.pem fullchain.pem privkey.pem

What file does CA Bundle relate to: fullchain.pem?

I hope you can help. Many thanks in advance.

1 Like

Instead of cert.pem, try using fullchain.pem (which contains cert.pem & chain.pem).
[You shouldn’t have to provide the underlying/trusted “root CA” bundle]

So that:
1) Your private key = privkey.pem
2) Your SSL cert = fullchain.pem
3) CA Bundle = [not needed]

2 Likes

Thanks @rg305 - I tried that but then the stream didn’t work so I’ll go back to the original for now as follows:

cat privkey.pem > icecast.pem
cat cert.pem >> icecast.pem

Where can I get the CA Bundle from? I’d like to try that method.

1 Like

Hi @ITCrowd

checking your domain via https://check-your-website.server-daten.de/?q=ssl.canstream.co.uk%3A8201%2Flive.mp3

Two problems:

  • You have created some new certificates:
Issuer not before not after Domain names LE-Duplicate next LE
Let’s Encrypt Authority X3 2020-02-05 2020-05-05 ssl.canstream.co.uk
1 entries duplicate nr. 1
Let’s Encrypt Authority X3 2020-01-15 2020-04-14 ssl.canstream.co.uk
1 entries
Let’s Encrypt Authority X3 2019-11-15 2020-02-13 ssl.canstream.co.uk
1 entries
Let’s Encrypt Authority X3 2019-11-15 2020-02-13 ssl.canstream.co.uk
1 entries
Let’s Encrypt Authority X3 2019-10-18 2020-01-17 ssl.canstream.co.uk
1 entries

but you use a very old expired certificate.

  • Your chain is wrong. The answer from @rg305 is your required solution - you have to use fullchain.pem, not cert.pem. But not from your old certificate, use your newest certificate.

Must look like

Use

certbot certificates

to find the newest certificate.

2 Likes

On CentOS 6 with apache 2.2.15 in the configuration file /etc/httpd/conf.d/ssl.conf you must have all the three options enabled:

SSLCertificateFile
SSLCertificateKeyFile
SSLCertificateChainFile

On my systems I tried to minimize the changes from the vanilla configuration, here is the output of the diff:

121c121
< #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
---
> SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

So I have the following (grep ^SSLCertificate /etc/httpd/conf.d/ssl.conf):

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

I replaced the localhost.* files with symbolic links pointing to the real certificate and key file. The server-chain.crt points to the file which contains exclusively the intermediate signing certificate.

I tried to combined the certificates into one file (like full chain), it does not work.

3 Likes

Ah, thanks.

Yep, @ITCrowd - your Apache is too old. Old Apache -> three files are required, not one file with cert and chain.

3 Likes

Thank you @rg305 @JuergenAuer @bruncsak - it works.

My construction of the cert was all wrong and I was using the wrong elements as @JuergenAuer pointed out.

I’ve learned so much - thank you again :beers:

4 Likes