Setting up SSL/HTTPS on the HyperCaster
By default, the HyperCaster comes configured with a self-signed certificate (as of release 6.4) for serving the web application over HTTPS. However, if you wish to securely embed content (such as the external schedule) in another web page on a secure site, that iframe will fail to render unless the browser loading the page has already trusted the self-signed certificate. Obtaining a certificate signed by a Certificate Authority will solve this problem. There are several ways to go about it.
Under Config → Server → SSL Certificate you can upload your own certificate and key, or set the HyperCaster to automatically obtain its own certificate from Let's Encrypt (an internet service that provides free certificate signing).
To use your own certificate and key, be sure Auto Renew SSL Certificate is unchecked, and enter the Fully Qualified Domain Name (FQDN), Key and SSL Certificate information in the form. The certificate will only be valid and work properly if the domain in the certificate matches the FQDN at which the HyperCaster is reachable from the outside.
Certificate authorities handle issuance differently, but what they have in common is a validation challenge in which the authority makes you prove you own the domain you claim to own, whether that's an IP, a fully qualified domain name, or a wildcard domain name. There are two types of challenge. In one, the authority asks you to place a TXT record on the DNS server. In the other, it tells you what web request it will make to your domain and what response it wants back from that request. You then set up your server, or your DNS server, to respond appropriately. You cannot do this from the HyperCaster, so you either need to temporarily point the DNS entry to another machine and process the challenge from there, or use the TXT record approach on the DNS server. Once you have a key and cert in hand, you can cut and paste them into the SSL Certificate form.
To get the Let's Encrypt integration to work, a few prerequisites are necessary.
- A Fully Qualified Domain Name (FQDN) must point to the HyperCaster.
- A DNS entry pointing a fully qualified domain name to the external IP address of the HyperCaster. Under TelVueCare, we’re happy to set this up for you using our <client>.telvuera.com domain. Alternatively, you can use your own DNS service.
- Requests on port 80 to that domain name must reach the HyperCaster for the Let’s Encrypt web request challenge to work. Port forward port 80 from your router to the HyperCaster port 50000. The HyperCaster will be able to respond to the Let’s Encrypt challenge on port 50000.
Once the above are complete, simply enter the FQDN into the Config > SSL Certificate form, check the box labeled Auto Renew SSL Certificate, and click Save.
- For secure access to the embeddable program guide to include as an iframe on your site, requests on port 443 to that domain name must reach port 50001 on the HyperCaster. Use port forwarding to forward port 443 to HyperCaster port 50001. For example, your iframe embed for the program guide on your site could now use https://<domain>/external_schedule/simple_day_schedule?id=1&responsive=true as the src field.
- For secure access to the HyperCaster UI for remote management, requests on an available port to that domain name must reach port 443 on the HyperCaster. Use port forwarding to forward the available port to HyperCaster port 443. For example, if you used port 4443, you could access the HyperCaster UI remotely via https://<domain>:4443. It is strongly suggested that your firewall limit access to the HyperCaster UI to specific known locations.
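To confirm from outside your network that a browser will accept the certificate (the condition the iframe embed depends on), the following added example, which is not TelVue code, connects with the system CA store and reports whether the certificate covers the FQDN, whether it looks self-signed, and how many days remain before expiry. The function names, the hostname hc.example.org and the sample certificates are assumptions constructed for illustration.

```python
import socket
import ssl
import time

def name_matches(pattern, host):
    """Match a certificate DNS name against a host; '*' covers only the leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def evaluate_cert(cert, fqdn, now=None):
    """Assess a certificate dict (ssl.SSLSocket.getpeercert() format) for the given FQDN."""
    now = time.time() if now is None else now
    name_ok = any(
        (kind == "DNS" and name_matches(value, fqdn))
        or (kind == "IP Address" and value == fqdn)
        for kind, value in cert.get("subjectAltName", ())
    )
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "name_ok": name_ok,
        "self_signed": cert.get("issuer") == cert.get("subject"),  # heuristic: issuer equals subject
        "days_left": int((expires - now) // 86400),
    }

def check_endpoint(fqdn, port=443, timeout=5.0):
    """Connect as a browser would: system CA store, hostname verification enabled."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
                return {"trusted": True, **evaluate_cert(tls.getpeercert(), fqdn)}
    except ssl.SSLCertVerificationError as exc:
        return {"trusted": False, "reason": exc.verify_message}

# Constructed sample certificates (not real), in getpeercert() format.
_NAME = ((("commonName", "hc.example.org"),),)
SELF_SIGNED = {"subject": _NAME, "issuer": _NAME,
               "subjectAltName": (("DNS", "hc.example.org"),),
               "notAfter": "Jan  1 00:00:00 2030 GMT"}
CA_SIGNED = {"subject": _NAME, "issuer": ((("commonName", "Example Test CA"),),),
             "subjectAltName": (("DNS", "*.example.org"),),
             "notAfter": "Jan  1 00:00:00 2030 GMT"}

if __name__ == "__main__":
    print(evaluate_cert(SELF_SIGNED, "hc.example.org"))
    print(evaluate_cert(CA_SIGNED, "hc.example.org"))
```

Against a live unit, call check_endpoint with your FQDN for the program guide on port 443, or with port=4443 for the remote UI forwarding used in the example above. A result of "trusted": False with the default self-signed certificate is the same failure that stops the iframe from rendering.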