Facebook RTMP incorrect SSL certificate (OBS 28.1.2 / Windows 10 22H2)

T

TK777

New Member
Hello all,

I have been using obs for a while, I wanted to test the last version (Test it on a virtual machine).

Fresh and new install :
- Windows 10 22H2 + Last updates
- OBS Studio 28.1.2 (last version)

Streaming config for " Facebook Live " : rtmps://live-api-s.facebook.com:443/rtmp/
The following error is displayed: The RTMP server provided an incorrect SSL certificate (Le serveur RTMP a fourni un certificat SSL incorrect).

Thank you in advance for your help and suggestions ;)

Is it possible to force "not checking the SSL certificate" ?


With another virtual machine (in same time), windows 7 + OBS v27.2.4, virtual machine installed and configured a while ago, everything works.

Others infos :
- The time on the computer is OK.
- SSL Certificate seem fine (tested with openssl under linux) openssl s_client -showcerts -connect live-api-s.facebook.com:443
- Same result with Windows Defender/Firewall disabled

Logs:
Code: 
12:30:09.211: [rtmp stream: 'simple_stream'] Connecting to RTMP URL rtmps://live-api-s.facebook.com:443/rtmp/...
12:30:09.224: [rtmp stream: 'simple_stream'] Interface: Intel(R) 82574L Gigabit Network Connection (ethernet, 1000 mbps)
12:30:09.462: RTMP_Connect1, Cert verify failed: 8 (The certificate is not correctly signed by the trusted CA)
12:30:09.462: [rtmp stream: 'simple_stream'] Connection to rtmps://live-api-s.facebook.com:443/rtmp/ failed: -2
12:30:09.463: ==== Streaming Stop ================================================
12:30:25.103: [rtmp stream: 'simple_stream'] Connecting to RTMP URL rtmps://live-api-s.facebook.com:443/rtmp/...
12:30:25.107: [rtmp stream: 'simple_stream'] Interface: Intel(R) 82574L Gigabit Network Connection (ethernet, 1000 mbps)
12:30:25.339: RTMP_Connect1, Cert verify failed: 8 (The certificate is not correctly signed by the trusted CA)
12:30:25.340: [rtmp stream: 'simple_stream'] Connection to rtmps://live-api-s.facebook.com:443/rtmp/ failed: -2
12:30:25.340: ==== Streaming Stop ================================================

Full log attached to this post.
 

Attachments

  • OBS-Logs-2023-01-05 12-29-50.txt
    13.6 KB · Views: 238
  • Screenshots 001 OBS Error SSL Facebook.png
    Screenshots 001 OBS Error SSL Facebook.png
    118.4 KB · Views: 432
  • Screenshots 002 Win.png
    Screenshots 002 Win.png
    375 KB · Views: 427
  • Screenshots 003 Win.png
    Screenshots 003 Win.png
    384.8 KB · Views: 393
  • Screenshots 004 Win.png
    Screenshots 004 Win.png
    231.7 KB · Views: 417
Last edited:
R

R1CH

Forum Admin
Developer
OBS uses the OS certificate store on Windows, so make sure all windows updates are installed in case you need an updated root.
 
T

TK777

New Member
I did a fairly long research and I ended up finding the cause of the problem.
(By the way, many posts on various sites give bad solution).

Knowing the operation of SSL, the creation of certificate, I had the idea of looking at the root certificates and their installation under Windows.

Problems, Bugs, Infos :
- After Windows Fresh Install, there is only few CA Root Certificate Installed ( I don't know why... )
- If you launch the default Windows browser (Edge) on a site, some root certificates will be added automatically.

In my case :
- The browser was not launched on the machine (facebook was open in another computer)
- After fresh install there is only 22 CA Root Certificate Installed

Solution #1
- Open facebook.com in Edge, it's will download and install 2 new CA Root.
( And with luck the same CA used for the RTMP server of Facebook )

Solution #2 (Most effective)
- Download last " Trusted Root Certificates " from Windows Update
- Install Root Certificates

Run PowerShell Script (as Administrator) and use this commands :
Code: 
certutil.exe -generateSSTFromWU C:\ca-roots.sst
$sstStore = ( Get-ChildItem -Path C:\ca-roots.sst )
$sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root


RTMP Serveurs :
rtmps://live-api-s.facebook.com:443/rtmp/
rtmps://rtmp-api.facebook.com:443/rtmp/

Some links :
https://woshub.com/updating-trusted-root-certificates-in-windows-10/
https://www.reddit.com/r/sysadmin/comments/u6fqxf/does_windows_automatically_update_root/
https://www.stigviewer.com/stig/windows_7/2012-07-02/finding/V-15671
 

Attachments

  • Ca Root 01 Before.png
    Ca Root 01 Before.png
    146 KB · Views: 256
  • Ca Root 02 After.png
    Ca Root 02 After.png
    161.9 KB · Views: 250
Last edited:
R

R1CH

Forum Admin
Developer
Unfortunately I think you may have messed up your root certificate store considerably. The certutil command downloads a bundle of both root certificates and revoked certificates. By importing revoked certificates into the root store you may be implicitly trusting them. My up to date Windows 10 only has ~ 80 trusted root certificates.

1672943147756.png


Check to see if this one is untrusted on your system, or you may need to wipe and re-import a legitimate set of root certs.
 
T

TK777

New Member
R1CH said:
Unfortunately I think you may have messed up your root certificate store considerably (....)
Click to expand...
+1 (ツ)_/¯

Clean CA Root :
If i check the CA Root "A-Trust Root-05" i have same message...
There must be command to remove "expired" or "revoked" certificates. I did not look/tests in the present.

Tests :
All my tests are done in a virtual machine (for security)...

OBS Studio in " Virtual machine "
I use OBS Studio in a VMWare virtual machine (it's works fine for testing and also for production)...
VM because I have some complementary apps to OBS which unfortunately does not work under Linux :'(
Regarding all the optimizations that I made on physical machine or the Windows virtual machine (to have a light windows) for OBS, if necessary I will share my research/work ( thanks to NTLite v2.3 ).
My OBS VM works as well with " VMware Workstation " or " VMware ESX / ESXI "
 
T

Tomasz Góral

Active Member
Check your time is correct, yeah i see on screenshot but you say is VM, maybe is something wrong with time.
Second, use ffmpeg to send stream.
Ffmpeg is command line utility don't use ssl from Windows.
 
T

TK777

New Member
Tomasz Góral said:
Check your time is correct, yeah i see on screenshot but you say is VM, maybe is something wrong with time.
Click to expand...
Time is OK.
Time synchronizes perfectly with the NTP mechanisms for having tested it (One of the first things I checked).
Tomasz Góral said:
Second, use ffmpeg to send stream.
Ffmpeg is command line utility don't use ssl from Windows.
Click to expand...
Thank you for the suggestion.
I don't know how to change this option, I have to look/search.
Tests would be useful (especially if it is more efficient) ;-)
NB : I have not benchmark yet comparison of : vGPU / vCPU / CPU...
VM increases the CPU load, but the new processors integrate functions to improve video encoding (i7 , Xeon, etc).


For this error: The RTMP server provided an incorrect SSL certificate (Le serveur RTMP a fourni un certificat SSL incorrect).
I confirm problem of " CA Root Certificate Installed " and the "way Windows manages the update" (I have redone multiple tests).

- The execution of Windows Update does not seem to change Root CA (Root Certificate Authority)
- Opening a website (domain) with Edge (HTTPS protocol) will download/update new CA root automatically.
- The direct connect to an RMTP connection with SSL/TLS does not seem to update/donwload or try to add new root certificates (while with the browser, the process is executed).
Maybe only for HTTPS protocols ?

For comparison of the mechanism with other OS (Linux, Android, etc) or browsers integrating mechanisms (ex: Firefox).
There is a management of root certificates (more options) that can be updated with the update of some packages (ex: OpenSSL under Linux). Configuration possibilities under OS (Min/Max Protocol, allow self signed, etc) or the management of the OSCP Stapling for monitoring revocations.

After seeing many messages on forums, see even videos that talk about the subject, I think people have had the same problem without knowing it...

In any case, thank you all for your messages and suggestions ;)
I hope this post on this forum will help other people.
 
bleros

bleros

New Member
I had same problem with my fresh install of my windows 10 server enterprise edition. you dont had to do anything you just must login to microsoft edge first time if required login to profile
Because now edge is part of windows like IE
Once u login start streaming
 
P

PiuX

New Member
Hi

Same problem....

Stream to YouTube RTMPS is okay, but when I start a stream to Facebook this message appears:

"Failed to connect to Server "
"the RTMP Server sent an invalid SSL Certificate"

This on the last 3 computers with the latest version of OBS. I have used OBS on many PCs so far and am familiar with the setup and program.

- Fresh install
- Windows updated
- OBS latest version
- N.1 PC with NVidia GPU and N. 2 PC with Intel GPU

I also have 2 other PCs in the same network and they work fine (same Windows 10 and OBS settings identical !! )

I'm trying in a thousand ways, but no results!!

Any news, help or suggestion?

Thank you very much
 
superlinux

superlinux

New Member
This is my first writing in this post. I have the same issue on FreeBSD 14. I hope someone here help me. Thanks.
 
You must log in or register to reply here.
Top