
Kurento - WebSocket Connection failed

I am trying to run the Javascript recording example of Kurento WebRTC as seen in:

http://doc-kurento.readthedocs.org/en/stable/tutorials/js/tutorial-recorder.html

I have set up Kurento on an Ubuntu machine and it is running OK. The service has started as well. Furthermore, I tested the Java-based example and it ran without any issues.

The js recording example failed with the following error:

Mixed Content: The page at 'https://ABCDEF' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://XYZ:8433/'. This request has been blocked; this endpoint must be available over WSS

I changed the ws_uri variable to point to a secure web socket:

ws_uri: 'wss://XYZ:8433',

However, I get the following error now:

WebSocket connection to 'wss://XYZ:8433/' failed: Error in connection establishment: net::ERR_CONNECTION_REFUSED

The Kurento server is secured to run over HTTPS using letsencrypt. I used the following instructions to secure the server:

https://doc-kurento.readthedocs.org/en/latest/mastering/securing-kurento-applications.html

However, the above example asks to concatenate the following crt files:

cat signing-ca.crt subordinate-ca.crt server.crt > server.pem

I am confused here though, since I could not find the above files. Letsencrypt generates the following .pem files for me:

cert.pem, chain.pem, fullchain.pem, privkey.pem

Should one of the above files be used in the kurento.json.conf file?

user496607 asked Feb 03 '16 21:02


2 Answers

You already have the certificate chain files, and as the documentation mentions:

If this PEM certificate is a signed certificate (by a Certificate Authority such as Verisign), then you are done.

Kurento needs both the private key and the full chain, but these files are generated separately when using letsencrypt. You can concatenate the fullchain.pem and your privkey.pem with:

cat privkey.pem fullchain.pem > server.pem

Configure Kurento to use your new file server.pem as its certificate:

"secure": {
  "port": 8433,
  "certificate": "server.pem",
  "password": ""
}

For the record, if you were to sign your own certificate, you would have used cat in order to create a certificate chain as follows:

root-ca ==> signing-ca ==> subordinate-ca ==> server

imriqwe answered Oct 17 '22 19:10
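
Added example, not part of the answer above or of Kurento's own tooling: a shell version of the privkey.pem + fullchain.pem concatenation that keeps the resulting server.pem owner-only, since it contains the private key, and checks the bundle before Kurento is pointed at it. The function names and the directory arguments are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: assemble the key+chain bundle from Let's Encrypt output.
# Function names and the paths passed in are assumptions of this example.

count_blocks() {  # $1 = file, $2 = extended regex for the PEM label
    grep -cE -- "^-----BEGIN ${2}-----" "$1" 2>/dev/null || true
}

build_server_pem() {  # $1 = dir holding privkey.pem + fullchain.pem, $2 = output
    local dir=$1 out=$2 tmp f
    for f in "$dir/privkey.pem" "$dir/fullchain.pem"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    [ "$(count_blocks "$dir/privkey.pem" '([A-Z]+ )?PRIVATE KEY')" -eq 1 ] ||
        { echo "privkey.pem must hold exactly one private key" >&2; return 1; }
    [ "$(count_blocks "$dir/fullchain.pem" 'CERTIFICATE')" -ge 1 ] ||
        { echo "fullchain.pem holds no certificate" >&2; return 1; }
    # mktemp creates the file with mode 0600, so the key is never exposed
    # through a default umask the way a plain 'cat ... > server.pem' is.
    tmp=$(mktemp "$out.XXXXXX") || return 1
    cat "$dir/privkey.pem" "$dir/fullchain.pem" > "$tmp" && mv -f "$tmp" "$out" ||
        { rm -f "$tmp"; return 1; }
}

check_server_pem() {  # structural and permission checks on the finished bundle
    local f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    [ "$(count_blocks "$f" '([A-Z]+ )?PRIVATE KEY')" -eq 1 ] ||
        { echo "$f: expected exactly one private key" >&2; return 1; }
    [ "$(count_blocks "$f" 'CERTIFICATE')" -ge 1 ] ||
        { echo "$f: no certificate found" >&2; return 1; }
    # No permission bits for group or other: the file contains the key.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        { echo "$f: readable beyond its owner" >&2; return 1; }
}

key_matches_cert() {  # needs the openssl CLI; compares the two public keys
    local f=$1 from_key from_cert
    from_key=$(openssl pkey -in "$f" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}
```

server.pem is a copy, so it has to be rebuilt whenever the certificate is renewed, and it must stay readable by the account the Kurento service runs as.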


Your kurento.json.conf file is probably fine.

I ran into this issue a while back. The problem is that Java is blocking websocket tunneling for security purposes. You need to add setAllowedOrigins(*) within the registerWebSocketHandlers method. Note: this is not secure and should not be used in a production environment.

@Override
public void registerWebSocketHandlers(WebSocketHandlerRegistry registry) {
    registry.addHandler(handler(), "/helloworld").setAllowedOrigins("*");
}

Here's the response from the Kurento team as to why it is coded this way ... https://groups.google.com/d/msg/kurento/Q5ODV7hkuOc/RnsZKBaXDQAJ

Michael Gorham answered Oct 17 '22 19:10