SRS in secure configuration is not sending the full certificate chain

[neilyoung]

I'm having a fullchain GoDaddy certificate created for SRS. It looks like as if the SRS HTTPS server only sends the FIRST certificate in the chain, which in turn leads to "Unknown CA" on systems, which do not natively have knowledge about GoDaddy's CA.

[neilyoung]

Add on: I first tried to terminate SRS SSL with NGINX, but that didn't work (at least not for the API). I suspect not all clients are able to follow a 302 Redirect.

EDIT: Tried again, I'm now able to terminate the app and the api via NGINX 443. Not sure, what happens first time.

So my problem is maybe no problem anymore, because I can circumvent using SRS 1990 by NGINX 443.

[winlinvip]

SRS's HTTPS server is intended for demonstration purposes. I recommend using NGINX, Caddy, or any other HTTP server for production use. These HTTP servers can be configured to proxy both streaming and API requests to SRS. For guidelines on building an HTTPS proxy server using NGINX or Caddy, refer to the SRS FAQ on the official website.

[neilyoung]

OK, thanks for the quick answer. I'm back on NGINX again, which initially didn't work for me in a combination with DJI CloudAPI, but now I'm sure that - if it still doesn't work - there must be an issue with DJI.

Could you guide me regarding one little quirk I see? Regardless of what configuration I choose, there is still this port 1990 attached to the URL constructed for the WHIP/WHEP access in your app:

The reason is line 132 in objs/nginx/html/players/js/srs.page.js, which ultimately adds port 1990 in case HTTPS is detected.

var api = ':' + (query.api || (window.location.protocol === 'http:' ? '1985' : '1990'));

Would there be a way to suppress this by configuration or would I have to patch this code line (which works btw)?

[neilyoung]

And - out of curiosity - can you confirm that SRS is only able to deal with one entry in the server.crt?

[winlinvip]

You can specifies the HTTPS port in the URL:

For example: http://localhost:8080/players/whep.html?api=3443

[neilyoung]

Well ok, but seriously?

[neilyoung]

Why is my supplementary question considered "off-topic"? The central issue at hand is that my certificate consists of a chain of four certificates, and it appears that only the first one is being transmitted to clients.

TRANS_BY_GPT4

[suzp1984]

I think #4033 can solve this issue.

[neilyoung]

@suzp1984 Thanks, but I replaced SRS by MediaMTX, also for the RTSP support