Question / Help Unable to Live Stream to Facebook Live over rtmps://

evinrude

New Member
Hoping someone can point out that I am doing something wrong. I have not been able to connect to Facebook Live over rtmps using the latest off of master, version 23.0.1-151-g29a1a97-modified (linux), on CentOS 7. I have verified that mbed-tls development libraries are installed and it is being used by OBS.

The issue I am facing is relevant to these lines in the log file.
Code:
Mar 27 18:55:16 fbc-video nautilus-classic.desktop: info: [rtmp stream: 'adv_stream'] Connecting to RTMP URL rtmps://live-api-s.facebook.com:443/rtmp/...
Mar 27 18:55:16 fbc-video nautilus-classic.desktop: info: RTMP_Connect1, TLS_Connect failed: -0x7680
Mar 27 18:55:16 fbc-video nautilus-classic.desktop: info: [rtmp stream: 'adv_stream'] Connection to rtmps://live-api-s.facebook.com:443/rtmp/ failed: -2

OBS is not able to complete the handshake and the error from mbed-tls is 0x7680. That error is found in ssl.h in mbed-tls.
Code:
#define MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED   -0x7680

Has anyone else faced this issue? How did you fix it? Surely you can disable cert verification in mbed-tls. I do not know how to do it without digging into mbed-tls.

Any help is appreciated.
 

evinrude

New Member
Figured it out after some digging into mbed-tls forums. I updated plugins/obs-outputs/librtmp/rtmp_sys.h with MBEDTLS_SSL_VERIFY_OPTIONAL from MBEDTLS_SSL_VERIFY_REQUIRED.

Code:
/* Client side: with MBEDTLS_SSL_VERIFY_OPTIONAL the handshake continues
   even when the peer certificate does not verify. */
#define TLS_client(ctx,s) \
  s = malloc(sizeof(mbedtls_ssl_context));\
  mbedtls_ssl_init(s);\
  mbedtls_ssl_setup(s, &ctx->conf);\
  mbedtls_ssl_config_defaults(&ctx->conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);\
  mbedtls_ssl_conf_authmode(&ctx->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);\
  mbedtls_ssl_conf_rng(&ctx->conf, mbedtls_ctr_drbg_random, &ctx->ctr_drbg)

#define TLS_server(ctx,s)\
  s = malloc(sizeof(mbedtls_ssl_context));\
  mbedtls_ssl_init(s);\
  mbedtls_ssl_setup(s, ctx->conf);\
  mbedtls_ssl_conf_endpoint(ctx->conf, MBEDTLS_SSL_IS_SERVER);\
  mbedtls_ssl_conf_authmode(ctx->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);\
  mbedtls_ssl_conf_rng(ctx->conf, mbedtls_ctr_drbg_random, ctx->ctr_drbg);\
  mbedtls_ssl_conf_own_cert(ctx->conf, &ctx->cert, &ctx->key);\
  mbedtls_ssl_conf_dh_param_bin(ctx->conf,\
    (const unsigned char *)my_dhm_P, strlen(my_dhm_P),\
    (const unsigned char *)my_dhm_G, strlen(my_dhm_G))

I am sure there is a proper way to do this, but for now I just need it to work.
 
I am having the exact same issue, I believe. I have been using RTMP for Facebook Live (I just heard for the first time that it is being deprecated) and I have always been unable to stream with RTMPS/SSL.
I'm on Ubuntu 18.10. I just installed (via apt) OpenSSL and ffmpeg. Obviously I updated the server URL and stream key. I have had no luck...

I suppose an RTMPS module wasn't loaded...?

Code:
08:54:21 AM.214: FFMPEG VAAPI supported
08:54:21 AM.287: VLC found, VLC video source enabled
08:54:21 AM.288: ---------------------------------
08:54:21 AM.288:   Loaded Modules:
08:54:21 AM.288:     vlc-video.so
08:54:21 AM.288:     text-freetype2.so
08:54:21 AM.288:     rtmp-services.so
08:54:21 AM.288:     obs-x264.so
08:54:21 AM.288:     obs-transitions.so
08:54:21 AM.288:     obs-outputs.so
08:54:21 AM.288:     obs-libfdk.so
08:54:21 AM.288:     obs-filters.so
08:54:21 AM.288:     obs-ffmpeg.so
08:54:21 AM.288:     linux-v4l2.so
08:54:21 AM.288:     linux-pulseaudio.so
08:54:21 AM.288:     linux-jack.so
08:54:21 AM.288:     linux-decklink.so
08:54:21 AM.288:     linux-capture.so
08:54:21 AM.288:     linux-alsa.so
08:54:21 AM.288:     image-source.so
08:54:21 AM.288:     frontend-tools.so
08:54:21 AM.288:     decklink-ouput-ui.so
08:54:21 AM.288: ---------------------------------
08:54:21 AM.292: ==== Startup complete ===============================================

And here is the error from trying to start the stream;

Code:
09:03:00 AM.015: libfdk_aac encoder created
09:03:00 AM.015: libfdk_aac bitrate: 192, channels: 2
09:03:00 AM.016: [rtmp stream: 'adv_stream'] Connecting to RTMP URL rtmps://live-api-s.facebook.com:443/rtmp/...
09:03:00 AM.103: RTMP_Connect1, no SSL/TLS support
09:03:00 AM.104: [rtmp stream: 'adv_stream'] Connection to rtmps://live-api-s.facebook.com:443/rtmp/ failed: -2
09:03:00 AM.104: ==== Streaming Stop ================================================

I really need to figure out what I'm doing wrong before May...
 
I'm seeing the exact same error message as evinrude. I suspect it's related to Rpmfusion's packaging, as I'm seeing this in Fedora 29. I've opened a bug at https://bugzilla.rpmfusion.org/show_bug.cgi?id=5237

I suspect mbed-tls is simply not able to find a ca-bundle.

It looks like SparkplugEsquire is seeing an unrelated problem, though the end result is probably the same.

I have Fedora 29 on a personal SSD. I brought it on campus and booted from it, and I have the exact same issue, as far as I can tell.
 

R1CH

Forum Admin
Developer
OBS currently expects CA certs to be in /etc/ssl/certs/. If they are in a different location please let us know, we can add additional CA search paths to the mbed TLS init.

Note that the "RTMP_Connect1, no SSL/TLS support" means the version of OBS you're using was built without RTMPS / mbedTLS.
 

4nrkey

New Member
Hi there,

I'm experiencing the same problem here.

My log : https://obsproject.com/logs/JhIMAfQ-YwCcC80S

06:44:16.988: [rtmp stream: 'simple_stream'] Connecting to RTMP URL rtmps://live-api-s.facebook.com:443/rtmp/...
06:44:17.093: RTMP_Connect1, no SSL/TLS support
06:44:17.093: [rtmp stream: 'simple_stream'] Connection to rtmps://live-api-s.facebook.com:443/rtmp/ failed: -2


Figured it out after some digging into mbed-tls forums. I updated plugins/obs-outputs/librtmp/rtmp_sys.h with MBEDTLS_SSL_VERIFY_OPTIONAL from MBEDTLS_SSL_VERIFY_REQUIRED.

@evinrude : How did you manage to do it? I searched a bit in the forums and can't find an answer. If you have the link to where you found a solution, it would be very appreciated.

OBS currently expects CA certs to be in /etc/ssl/certs/. If they are in a different location please let us know, we can add additional CA search paths to the mbed TLS init.

Note that the "RTMP_Connect1, no SSL/TLS support" means the version of OBS you're using was built without RTMPS / mbedTLS.

@R1CH :
There is a file named ca-certificates.crt in the folder /etc/ssl/certs/ . Should I look for something specific in this folder? And should I update my OBS version to be able to broadcast live on Facebook? I installed OBS a week ago for the first time, and I don't see any update.
 
There are two distinct issues in this thread. The simple problem is OBS compiled without SSL support. That's the issue your log indicates. If you built OBS from source, you will need to re-compile with ssl support.

The other issue is that when connecting to Facebook, the SSL connection fails, complaining that the Facebook SSL certificate won't verify. The CA bundle is symlinked in /etc/ssl/certs as expected, so I'm sorta stumped as to what the root problem is there. It seems fairly reproducible on Fedora/RPMFusion.

I wonder if it would be possible to split this thread into the two separate issues.
 

4nrkey

New Member
If you built OBS from source, you will need to re-compile with ssl support.
I'm running Linux Mint, and everything is user friendly, so I have little idea how to compile OBS with or without SSL support. I just clicked install and it "worked". I wouldn't be able to recompile it, it's out of my capacities unless provided with a good step by step procedure.

On the other forum you posted the bug on, you said "The workaround has been to stream with RTMP-- without ssl." How do I do that? I tried to remove the "s" from the facebook streaming URL in OBS, and of course it doesn't work! ;) I see the code evinrude posted, but I don't know how to apply it. I would be grateful if you could help me with that. So far, I entered the #define line in the terminal and it returned nothing.

Thank you!
 

evinrude

New Member
@4nrkey Sorry for the late response. I was never notified via email that anyone was responding to this thread. All I did was modify the code as I explained in my second post to get around the SSL issues. I did not update the ca certs on the box. I just wanted it to work and I am a Software Developer by trade so this was an easy fix for me to just "get it working".
 
I'm running Linux Mint, and everything is user friendly, so I have little idea how to compile OBS with or without SSL support. I just clicked install and it "worked". I wouldn't be able to recompile it, it's out of my capacities unless provided with a good step by step procedure.

On the other forum you posted the bug on, you said "The workaround has been to stream with RTMP-- without ssl." How do I do that? I tried to remove the "s" from the facebook streaming URL in OBS, and of course it doesn't work! ;) I see the code evinrude posted, but I don't know how to apply it. I would be grateful if you could help me with that. So far, I entered the #define line in the terminal and it returned nothing.

Thank you!
You'll also need to change the "443" in the URL to "80".
 

pedrump

New Member
Figured it out after some digging into mbed-tls forums. I updated plugins/obs-outputs/librtmp/rtmp_sys.h with MBEDTLS_SSL_VERIFY_OPTIONAL from MBEDTLS_SSL_VERIFY_REQUIRED.

I am sure there is a proper way to do this, but for now I just need it to work.
Hey man this works for me! Thank you for posting this workaround!
https://www.youtube.com/watch?v=gOj7j8V7nTg
hope someone else found this helpful ;)
 

muzso

New Member
I had the exact same error as the OP (evinrude), but I was not really comfortable with disabling SSL certificate (chain) verification as a workaround. It took me quite some time, but I've finally found the problem in the code. It reads the root CA certificates from /etc/ssl/certs, that's good so far. But it mistakenly considers any non-zero return value from the mbedtls_x509_crt_parse_path() function (in plugins/obs-outputs/librtmp/rtmp.c) as an error, whereas the return value is merely the number of files in the specified path (/etc/ssl/certs in our case) that were skipped due to some problem, e.g. the file could not be opened or could not be parsed as an X.509 PEM-formatted certificate.

In my case I had a symlink in /etc/ssl/certs that pointed to a file that was only readable by root, thus OBS Studio couldn't open it and this resulted in the discarding of all root CA certificates. Fixing this issue in /etc/ssl/certs fixed Facebook Live streaming in OBS Studio.

You can check whether all entries in /etc/ssl/certs are valid certificates with the following command:
Code:
find /etc/ssl/certs -maxdepth 1 ! -type d | sort | while IFS= read -r f; do openssl x509 -in "$f" -noout > /dev/null 2>&1 || echo "$f"; done

It'll print out the names of the files that it couldn't parse as an X.509 certificate.

P.S.: I'll see if I can submit a pull request for the obs-studio github project to fix the issue in the application. It shouldn't discard all other certificates in the /etc/ssl/certs certificate store if any of the files there is not readable or not a valid certificate.
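
Added example (not part of muzso's post or the OBS code base): a shell function that reports why each entry in a CA directory would be skipped, separating dangling symlinks and unreadable files from files with no PEM certificate block, and a count that corresponds to the "number of skipped files" described above. The function names and the sample directory are constructed for illustration, and the PEM check only looks for the BEGIN CERTIFICATE line; run it as the same user that runs OBS, since root can read files that user cannot.

```shell
#!/bin/sh
# audit_ca_dir DIR: print "reason<TAB>path" for every non-directory entry in
# DIR that the current user could not load as a PEM certificate.
audit_ca_dir() {
    find "$1" -maxdepth 1 ! -type d | sort | while IFS= read -r f; do
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            printf 'dangling-symlink\t%s\n' "$f"      # link target is gone
        elif [ ! -r "$f" ]; then
            printf 'unreadable\t%s\n' "$f"            # e.g. target is root-only
        elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
            printf 'no-pem-certificate\t%s\n' "$f"    # header check only
        fi
    done
}

# count_skipped DIR: number of entries reported by audit_ca_dir.
count_skipped() {
    audit_ca_dir "$1" | wc -l | tr -d ' '
}

# make_sample_dir: build a constructed directory with one PEM-looking file,
# one stray text file and one dangling symlink; prints the directory path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$d/good.pem"   # constructed, not a real cert
    echo 'not a certificate' > "$d/README.txt"
    ln -s "$d/missing-target.pem" "$d/stale.pem"
    echo "$d"
}

# With an argument (e.g. /etc/ssl/certs) audit that directory; with none,
# audit the constructed sample so the script runs offline.
if [ -n "${1:-}" ]; then
    audit_ca_dir "$1"
    echo "skipped: $(count_skipped "$1")"
else
    sample=$(make_sample_dir)
    audit_ca_dir "$sample"
    echo "skipped: $(count_skipped "$sample")"
    rm -rf "$sample"
fi
```
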
 

muzso

New Member
Btw. this issue affects all RTMPS streaming on the Linux builds of OBS Studio, not just Facebook Live.
 

muzso

New Member
It turns out that the issue is already fixed upstream, i.e. in the OBS Studio GH project.
Here's the commit (from 12th January): https://github.com/obsproject/obs-studio/commit/4d89123cdc9c47fdf984980b93a70447c1692183
And the PR to merge it into master: https://github.com/obsproject/obs-studio/pull/2314

It's in the 25.0.0 RC2, so the fix will be in 25.0.0, when it gets released.
(I don't see any bugfix backports to previous major or minor releases on the project's release page, so at this point 25.0.0 will be the next release most probably.)
 

kikobar

New Member
OBS currently expects CA certs to be in /etc/ssl/certs/. If they are in a different location please let us know, we can add additional CA search paths to the mbed TLS init.

Note that the "RTMP_Connect1, no SSL/TLS support" means the version of OBS you're using was built without RTMPS / mbedTLS.
I installed OBS using the ppa on Ubuntu 16.04 LTS and 18.04 LTS. The build for the 18.04 LTS seems to have RTMPS / mbedTLS support because I am able to stream to Facebook. The build for the 16.04 LTS fails.
Any plan for adding TLS support to the 16.04 LTS build any time soon?
 

Squalor

New Member
I tried the SNAP version of OBS on Ubuntu 16.04 and it fails with no SSL/TLS support as well. The SNAP version of OBS on Ubuntu 18.04 fails with no SSL/TLS support as well.
 

Squalor

New Member
I installed OBS using the ppa on Ubuntu 16.04 LTS and 18.04 LTS. The build for the 18.04 LTS seems to have RTMPS / mbedTLS support because I am able to stream to Facebook. The build for the 16.04 LTS fails.
Any plan for adding TLS support to the 16.04 LTS build any time soon?
I built a package for Ubuntu 16.04 with TLS support. Let me know if it works for you.

 

Zorro_Tj

New Member
Hi all, same problem for me. I have installed OBS on Debian Stretch (9) via aptitude; it works fine on YouTube, but on Facebook it says: no SSL/TLS support... My log file is in the attachment. Sorry for my English.
 

Attachments

  • 2020-03-22 15-10-21.txt