Skip to content

HTTPS (SSL) Configuration Issues

HTTPS Not Working / Browser Cannot Connect

Problem

After enabling HTTPS in Studio, MediaHub, or CreativeHub, the browser shows connection errors or the application does not load over HTTPS.

Causes

  • Certificate and private key files do not match (not generated as a pair)
  • Private key is encrypted but no passphrase was provided
  • Incorrect passphrase entered for encrypted key
  • Certificate files are not accessible or paths are incorrect
  • Self-signed certificate blocked by browser

Solution

Follow the diagnostic steps below to identify and resolve the issue.

Step 1: Verify Certificate and Key Files

  1. Locate your cert.pem (or .crt) and key.pem (or .key) files
  2. Ensure both files exist and are readable
  3. Check that the file paths are correct in the application settings

Step 2: Check if Private Key is Encrypted

  1. Open key.pem in a text editor (Notepad++)
  2. Check the first line:
  3. If it says -----BEGIN ENCRYPTED PRIVATE KEY----- → the key is encrypted and requires a passphrase
  4. If it says -----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY----- → the key is not encrypted

Step 3: Configure HTTPS Settings

For Studio: 1. Open Erizos Studio 2. Go to Settings → General 3. Scroll to the HTTPS section 4. Enable the HTTPS toggle 5. Select the certificate file (cert.pem) 6. Select the key file (key.pem) 7. If the key is encrypted, enter the passphrase in the Passphrase field 8. Click Save Settings

For MediaHub: 1. Open MediaHub 2. Go to Settings → Settings 3. Repeat steps 3-8 from Studio instructions

For CreativeHub: 1. Open CreativeHub 2. Go to Admin → Settings 3. Repeat steps 3-8 from Studio instructions

Step 4: Restart the Application

After saving HTTPS settings, completely close and restart the application (not just restart the server service).

Step 5: Test Browser Connection

Try accessing the application: - Use https://hostname:port (not https://localhost:port) - Example: https://staging-server:5550

Common Browser Errors:

Error Meaning Solution
NET::ERR_CERT_AUTHORITY_INVALID Self-signed certificate Click "Advanced" → "Proceed anyway" (expected for staging/internal servers)
SSL protocol error Certificate/key mismatch or passphrase issue Verify files match and passphrase is correct
Connection refused Application did not start with HTTPS Check logs for errors

Browser Compatibility Note:

  • Works best with Firefox and Chrome
  • Microsoft Edge on Windows Server 2022 may have compatibility issues with certain certificate types
  • If Edge does not work, use Firefox or Chrome instead

Encrypted Private Key - Bad Decrypt Error

Problem

Studio, MediaHub, or CreativeHub fails to start after enabling HTTPS, or logs show "bad decrypt" or "unable to load private key" errors.

Cause

The private key file is encrypted, but either: - No passphrase was provided - Wrong passphrase was entered

Solution

  1. Verify you have the correct passphrase for the private key
  2. Go to application settings (Studio → Settings → General, MediaHub → Settings → Settings, or CreativeHub → Admin → Settings)
  3. Enter the passphrase in the Passphrase field
  4. Click Save Settings
  5. Restart the application

If you don't have the passphrase, you will need to: - Contact your IT/security team for the passphrase, OR - Generate a new unencrypted private key and certificate pair

Certificate and Key Do Not Match

Problem

HTTPS is enabled but browser shows SSL protocol errors, or the application does not start properly.

Cause

The certificate file and private key file are not a matching pair (generated separately or from different sources).

Solution

Verify that the certificate and key are a matching pair.

Verification Method (requires OpenSSL)

  1. Open Command Prompt or PowerShell in the folder containing the certificate files

  2. Run the following commands: 

    # Check certificate modulus
openssl x509 -noout -modulus -in cert.pem | openssl md5

# Check key modulus (for unencrypted key)
openssl rsa -noout -modulus -in key.pem | openssl md5

# Check key modulus (for encrypted key)
openssl rsa -noout -modulus -in key.pem -passin pass:YOUR_PASSPHRASE | openssl md5

  3. Compare the MD5 hash outputs - they must match exactly

  4. If they do not match, contact your IT/security team to provide the correct matching certificate and key pair

Note: If OpenSSL is not installed on the system, skip this verification and proceed directly to requesting a new matching certificate/key pair from your security team.

Application Works on Hostname but Not on Localhost

Problem

HTTPS works when accessing via https://hostname:port but fails when using https://localhost:port.

Cause

The SSL certificate was issued for a specific hostname or IP address and does not include "localhost" as a valid name.

Solution

This is expected behavior. Always use the actual hostname instead of localhost: - ✓ Use: https://staging-server:8080 - ✗ Avoid: https://localhost:8080

If you need to access via localhost for testing purposes, you would need to generate a new certificate that includes "localhost" as a Subject Alternative Name (SAN). Contact your IT/security team for this.

Self-Signed Certificate Warning in Browser

Problem

Browser shows "Your connection is not private" or "NET::ERR_CERT_AUTHORITY_INVALID" warning when accessing the application over HTTPS.

Cause

You are using a self-signed certificate (not issued by a trusted Certificate Authority). This is common and expected for staging/development/internal servers.

Solution

This warning is normal for self-signed certificates. You have two options:

Option 1: Bypass Warning (Quick)

  1. Click "Advanced" or "Details" in the browser warning
  2. Click "Proceed to [hostname]" or "Accept the risk and continue"
  3. The application will load normally

Option 2: Import Certificate (Permanent)

  1. Download the certificate file
  2. Import it into your operating system's trusted certificate store
  3. The browser will then trust the certificate automatically

Note: For production servers accessible from the internet, it is recommended to use certificates from a trusted Certificate Authority (e.g., Let's Encrypt, DigiCert, etc.) instead of self-signed certificates.

Logs and Debugging

Where to Find Logs

Check the following locations for HTTPS-related errors:

Windows Event Viewer: 1. Press Win + R → type eventvwr → Enter 2. Go to Windows Logs → Application 3. Look for errors from Erizos Studio or MediaHub

Log Files (possible locations): - C:\ProgramData\Erizos\Studio\logs - C:\ProgramData\Erizos\MediaHub\logs - C:\Users\[username]\AppData\Local\Erizos\logs - Installation directory logs folder

What to Look For in Logs:

Search for keywords: - "SSL", "TLS", "HTTPS" - "certificate", "cert", "key" - "unable to load private key" - "bad decrypt" - "wrong passphrase" - "handshake failed"

These error messages will help identify the specific issue with your HTTPS configuration.