XCALLY Motion is ready to use with HTTPS out of the box, but the certificate is self-signed (it is generated during the installation).
Motion handles HTTPS requests through the nginx service (more info here: http://nginx.org/en/).
In order to install a valid certificate you need to replace the following files with your purchased certificate files:
If you use WebRTC, please do not change the extension of the .key and .crt files.
Let's Encrypt: See here if you want to use Let's Encrypt to generate the HTTPS certificate for your server.
- Create your .csr (Certificate Signing Request) and .key
- Move your .key (e.g. motion.key) inside the proper folder:
mv motion.key /etc/pki/tls/private/motion.key
If you want to use a private key with a different name, you need to update the system configuration:
Nginx configuration
nano /etc/nginx/conf.d/motion.conf
Replace the property ssl_certificate_key with the proper value, for example:
ssl_certificate_key /etc/pki/tls/private/motion.key;
Asterisk configuration
nano /etc/asterisk/http.conf
Replace the property tlsprivatekey with the proper value, for example:
tlsprivatekey=/etc/pki/tls/private/motion.key
WebRTC configuration
If you use WebRTC, you need to properly set the value of the TLS certificate's private key property. See here for more information.
- Send your generated .csr to your preferred Certification Authority (CA)
- When you receive the .crt from the CA, move the .crt (e.g. motion.crt) inside the proper folder:
mv motion.crt /etc/pki/tls/certs/motion.crt
If you want to use a certificate file with a different name, you need to update the system configuration:
Nginx configuration
nano /etc/nginx/conf.d/motion.conf
Replace the property ssl_certificate with the proper value, for example:
ssl_certificate /etc/pki/tls/certs/motion.crt;
Asterisk configuration
nano /etc/asterisk/http.conf
Replace the property tlscertfile with the proper value, for example:
tlscertfile=/etc/pki/tls/certs/motion.crt
WebRTC configuration
If you use WebRTC, you also need to set the matching TLS certificate property. See here for more information.
- You need to restart nginx service to apply your changes.
Please run the following command:
service nginx restart
If you use a private key or .crt file with a different name, please remember to restart the asterisk service as well:
service asterisk restart
Advanced setup
The above procedure is fine for HTTPS access to the Motion GUI from desktop browsers.
Please note that with some mobile browsers (e.g. Chrome or Firefox for Android) you could experience invalid certificate issues. To prevent that, please follow the advanced procedure below.
The .key file and its statement inside the motion.conf file are the same as in the above procedure:
ssl_certificate_key /etc/pki/tls/private/motion.key;
Here is what you need to focus on:
You will probably receive two certificate files from your Certification Authority (e.g. NameCheap or COMODO SSL):
yourdomain_com.ca-bundle and yourdomain_com.crt
Let’s combine the two files with the following command:
cat yourdomain_com.crt yourdomain_com.ca-bundle > motion_combine.crt
Let’s move the combined .crt inside the proper folder:
mv motion_combine.crt /etc/pki/tls/certs/motion.crt
Now make sure the ssl_certificate property inside your motion.conf file points to the combined certificate:
nano /etc/nginx/conf.d/motion.conf
Replace the property ssl_certificate with the proper value:
ssl_certificate <path_of_your_combine_crt>;
For example:
ssl_certificate /etc/pki/tls/certs/motion.crt;
- Finally, please restart nginx service to apply your changes:
service nginx restart
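A pre-restart check for the procedure above, added here as an example and not part of the XCALLY documentation: it confirms that the first certificate in the combined file belongs to the private key (nginx expects the server certificate before the ca-bundle) and counts the certificates in the chain. It assumes the openssl command-line tool is installed; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: checks to run before "service nginx restart".
# Function names are hypothetical; the paths in the usage line are the page's defaults.

# Public key of the FIRST certificate in a PEM file
# (nginx treats the first certificate in ssl_certificate as the server certificate).
first_cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }

# Public key derived from the private key (works for RSA and EC keys).
key_pubkey() { openssl pkey -in "$1" -pubout; }

# Succeeds only if the first certificate in $2 belongs to the private key in $1.
# Returns 2 if either file cannot be parsed.
key_matches_cert() {
    k=$(key_pubkey "$1" 2>/dev/null) || return 2
    c=$(first_cert_pubkey "$2" 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# Number of certificates in a PEM file; 1 means no ca-bundle was appended.
cert_count() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# Run both checks; a non-zero return means nginx should not be restarted yet.
check_motion_tls() {
    key=$1; crt=$2
    if ! key_matches_cert "$key" "$crt"; then
        echo "FAIL: first certificate in $crt does not match $key" >&2
        echo "      (was the ca-bundle placed before the server certificate?)" >&2
        return 1
    fi
    n=$(cert_count "$crt")
    if [ "$n" -lt 2 ]; then
        # The single-file setup still works, but no intermediates are sent.
        echo "WARN: $crt holds only $n certificate, no intermediates" >&2
    fi
    echo "OK: key matches, $n certificate(s) in $crt"
}

# Usage: sh check_motion_tls.sh /etc/pki/tls/private/motion.key /etc/pki/tls/certs/motion.crt
# When both checks pass, nginx -t validates the configuration before the restart.
if [ "$#" -eq 2 ]; then
    check_motion_tls "$1" "$2" && nginx -t
fi
```

If the files were concatenated in the wrong order, the first check fails here instead of nginx failing on restart.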