SSL Explained in Cablecast 7.1 and Newer
Cablecast 7.1 now makes use of a version of the Nginx proxy server for many back-end features, such as the confidence thumbnails in the main menu and force matrix, as well as digital file uploading in the Cablecast UI. Because of this, the IIS web server no longer handles public-facing traffic. Instead, all public-facing traffic is handled by the Nginx proxy server, which then reverse proxies to IIS for the Cablecast Web API.
Because of these changes, we added support for SSL using Let's Encrypt in Cablecast. To use SSL with the included Let's Encrypt support, you will need the following in place:
- TCP 80 and 443 allowed inbound to your Cablecast Host server (usually a VOD or VIO server).
- DNS address that points to your Cablecast Host server.
This works by means of an HTTP challenge: for Cablecast to request and create a certificate, the Let's Encrypt ACME servers need to access the Cablecast machine over HTTP on port 80. Once the challenge is accepted, Cablecast will automatically enable HTTPS and redirect all HTTP traffic to HTTPS.
If you can allow HTTP access, even if only to http://<server-host>/.well-known/ and its subdirectories (this is where the challenges are placed), this will be easier going forward, as the certificates will be managed for you.
If you cannot make port 80 accessible and wish to provide your own certificate, you will need to export the certificates in the PEM format to make them compatible with the Nginx proxy server. For example, here are instructions from SSL providers DigiCert and GoDaddy on how to create a CSR and the resulting PEM files. See our notes below for installing the certificate file/key pair. Consult with your certificate provider on the necessary steps to get them in PEM format.
https://www.digicert.com/kb/csr-ssl-installation/nginx-openssl.htm
https://www.godaddy.com/help/nginx-generate-csrs-certificate-signing-requests-3601
Note
The CRT PEM file must include the root certificate and any intermediate certificates.
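A structural check you can run on the exported files before installing them, as an added example (not Cablecast or Nginx code): it confirms the certificate file is PEM text holding the server certificate plus its chain, and that the key file holds exactly one private key. The function names and the sample blocks are constructed for illustration; the check does not verify signatures or that the key matches the certificate.

```python
import base64
import re

# One PEM block: matching BEGIN/END labels around a base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_blocks(data: bytes):
    """Return [(label, decoded_bytes)] for each well-formed PEM block."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return []  # binary input such as a DER .cer or a .pfx, not PEM
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        # Drop RFC 1421 header lines ("Proc-Type: ...") found in legacy keys.
        b64 = "".join(ln.strip() for ln in body.splitlines() if ":" not in ln)
        try:
            blocks.append((label, base64.b64decode(b64, validate=True)))
        except ValueError:
            pass  # damaged block: treated as absent
    return blocks

def check_pair(cert_file: bytes, key_file: bytes):
    """Return a list of problems; an empty list means the layout is right."""
    cert_blocks, key_blocks = pem_blocks(cert_file), pem_blocks(key_file)
    certs = [der for label, der in cert_blocks if label == "CERTIFICATE"]
    keys = [label for label, _ in key_blocks if label.endswith("PRIVATE KEY")]
    problems = []
    if not cert_blocks:
        problems.append("certificate file is not PEM (DER or PFX export?)")
    elif len(certs) < 2:
        problems.append(f"{len(certs)} certificate(s) found; chain is missing")
    if any(not der.startswith(b"\x30") for der in certs):
        problems.append("a CERTIFICATE block is not a DER SEQUENCE")
    if any(label.endswith("PRIVATE KEY") for label, _ in cert_blocks):
        problems.append("certificate file contains a private key")
    if len(keys) != 1:
        problems.append(f"key file has {len(keys)} private keys; expected 1")
    return problems

def fake_pem(label: str, payload: bytes) -> bytes:
    """Constructed stand-in for a PEM block; not a real certificate or key."""
    b64 = base64.b64encode(b"\x30" + payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n".encode()

LEAF, CHAIN = fake_pem("CERTIFICATE", b"leaf"), fake_pem("CERTIFICATE", b"ca")
KEY = fake_pem("PRIVATE KEY", b"key")
print(check_pair(LEAF, KEY))  # chain left out of the certificate file
```

To check real files, pass their contents read in binary mode, for example `check_pair(open(cert_path, "rb").read(), open(key_path, "rb").read())`.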
What you'll end up with are two PEM files: one for the certificate and one for the key. The Cablecast interface will tell you the proper naming and location for these files. Note that these are based on your server's domain name. See below for an example: