Blue Iris, Stunnel HTTPS, Media Tiles: Step-By-Step Guide

Note to Future Me: “When I can’t remember how I worked this out, or where I stored the spreadwheet, I’ll hopefully find this in a Search” :slight_smile:

For anyone else struggling as I was to overcome the problem of getting Media Tiles to work in Chrome v111 and newer from an EXTERNAL INTERNET CONNECTION, here’s a Step-By-Step Guide on how I was able to resolve it.

The Main Things You’ll Need:

  1. Blue Iris Software running on a Local Server
  2. Stunnel running on the same Server
  3. A Domain Name
  4. SSL Security Certificates

Now, as @josh has indicated, this isn’t for the faint of heart!

I dropped in Line Item Numbers for reference. If you see a mistake or something I can improve on, please reference the Line Item Number in your reply and I’ll make the edits in the original post.

Good Luck should you need to implement this :slight_smile:

Note: if at some time I’m able to upload a file, I’ll gladly attached the table below in PDF.

Reference/Background 1 Comments
Bread Crumbs in This Link 2 The information in the Bread Crumbs Link helped me figure out what do in my situation
3 The Bread Crumbs Link assumes you do NOT already have a website
4 In my situation, I already had a Domain to use which already had SSL Certificates to use: So I did NOT need to create new Certificates
5
IMPORTANT NOTE 6 If you don’t need HTTPS access from OUTSIDE of your own Local Network, you MIGHT be able to use Stunnel’s Self-Signed Certificates
7
Step-By-Step 8 Device or Software Tab Within Details
9
10 Blue Iris Of course, your Blue Iris Software needs to be set up and running
11 WebServer Enable the HTTP Port: Choose a port that does not conflict with an existing device. Example 81
12 Enable the HTTP Port (Stunnel/NGROK). Choose a port that does not conflict. Example 443
13 Click Advanced
14 Un-select Use secure session keys and login page (this will allow SharpTools to pass the Username & Password in the Media Tile
15 Should click the HELP File in Blue Iris and read up a bit on HTTPS and Stunnel for a general understanding.
16 Each Camera General Tab: Assure Name and Short Name are filled in meaningfully for you. Example: Driveway Camera; DriveCam
17 You’ll need this later in SharpTools to build the URL
18 User Name Create a User Name and Password: example: MyUserName; MyPassword (of course use something more secure than that :wink:
19
20 Router DHCP Reservations Reserve the IP of your Blue Iris Server to assure it gets the same IP every time it boots up.
21 Port Forwarding Forward the HTTP Port you chose in Blue Iris to the Mac Address (or IP) of your Blue Iris Server: Port Start/End=81; WAN Ports=81/81
22 Forward the HTTPS Port you chose in Blue Iris to the Mac Address (or IP) of your Blue Iris Server: Port Start/End=443; WAN Ports=443/443
23
24 Stunnel www.stunnel.org Download the version of Stunnel that is suitable for your OS
25 Install Stunnel: Upon Install, it will prompt you for some basic information
26 In my case, it’s Windows 10
27
28 Domain Host Manage DNS Records This is located in different places on different Domain Hosts. In SiteGround, it’s under Domain/DNS Zone Editor
29 This is where you’re going to create the reference from your WEBSITE back to the Blue Iris Server
30 Create an A Record named: BlueIris.YOURDOMAIN.com
31 IPv4 Address: Will be the IP Address of your Internet Service (see Blue Iris Settings/WebServer: It shows you the EXTERNAL IP Address)
32
33 Security/SSL Manager Select your Domain and View the Certificates
34 If you DO NOT have Certificates, you’ll need to create them within your Domain Host
35 In my case, SiteGround already created and maintains Let’s Encrypt Certificates
36 Select your Certificate and click View. You should have THREE. Be ready to copy/paste these into new files on your computer below.
37 1) Certificate (CRT)
38 2) Private Key (KEY)
39 3) Certificate Authority Bundle (CABUNDLE)
40
41 Windows Explorer C:\Program Files (x86)\Stunnel\config Copy the default Stunnel.PEM file to a new file named: MyDomain.pem (of course MyDomain=Your actual domain name :wink:
42 Copy the default Stunnel.PEM file to a new file named: MyDomain.cafile.pem (of course MyDomain=Your actual domain name :wink:
43 Open your new MyDomain.pem file; select all; Delete everything; Copy/Paste your PRIVATE KEY, followed by your CERTIFICATE into this file
44 Open your new MyDomain.cafile.pem file; select all; Delete everything; Copy/Paste your Certificate Authority Bundle into this file
45 Of course, save both new files above (you might have to deal with some Windows Security to edit these files).
46 Make a copy of the default Stunnel.CONF file for your reference if needed in the future
47 Open stunnel.conf, select all, Delete Everything; Create the following text; save (of course use whatever ports you chose instead of 443 and 81)
48 ; TLS front-end to a web server
[BlueIris]
accept = 443
connect = 81
cert =mydomain.com.pem
CAFile = mydomain.com.cafile.pem
49
50 Stunnel Top Menu Pull Down: Configuration; Reload Configuration
51 You should perhaps 7 lines of text ending in Configuration successful. If not, confirm ALL of the steps above have been completed
52 You might need to Pull Down File; Terminate; Then restart Stunnel
53
54 Web Browser Preliminary Test of URL for SharpTools In CHROME v111 and newer: Type in the following URL: https://blueiris.mydomain.com:443/mjpg/BlueIrisShortCamName/?user=XXX&pw=XXX
55 Example would look like: https://blueiris.mydomain.com:443/mjpg/DriveCam/?user=MyUserName&pw=MyPassword
56 IF THIS WORKS: You’ll be taken DIRECTLY to the Video Stream (without pausing to sign into Blue Iris or the Camera)
57
58 SharpTools Account/ManageResources/Media Create New
59 Media Name: Driveway Camera
60 Media URL: Use the SUCCESSFUL URL that you tested above in Chrome
61 You SHOULD see a LIVE Thumbnail at the bottom.
62 Click Update; Might have to click Update again
63 Click anywhere OFF of the Create Media Dialog to exit
64
65 Pull Down Dashboard Select an Existing Dashboard OR Create a New One depending upon your needs.
66 Click 3 Dots; Edit; +; Media; Select your Media Tile(s); Click Done; Click Save
67 You should see a LIVE view of your Camera
Edit the Tile to your liking and needs
2 Likes

… adding on a few more tips…

Another Bread Crumb Link This Link has a guide about installing Stunnel with Inventu, which is a WEB TERMINAL EMULATION program
Run Stunnel as a Service 1.Open a Command Prompt as an Administrator
2.Change the active folder to the STunnel install folder (default c:\program files (x86)\stunnel)
3.Then cd to the bin folder
4.Run the service install option for Stunnel: Which is Stunnel -install
5.The Service is now setup:
6.Note that the service is setup but not started at this time (the configuration will auto-start the service when the server is restarted).
1 Like

Hiya. Thank you so much for taking the time to do this. I have tried various solutions to get an stunnel blueiris onto sharptools but it never seems to work. Thankfully I am also on siteground with a domain and ssl so your instructions have been great.

Sadly it still is not plaing ball. Can I ask a q re the port forwarding. I have tried both the LAN and WAN Ip addresses with 81 to 81 and 443 to 443 and even 8080 to 8080 just in case but nothing seems to work. I am only guessing that my error has something to do with port forwarding or my stunnel service. There seem to be so many stunnel files with gui start and stop and service install etc ect. Have you got any other tips? Sorry to be a nuisance.

1 Like

Hi @JGFrance,

You’re welcome! Not a nuisance at all… We’re all here to help each other!

I sure hope something below brings you to the solution: PLEASE report back on your steps to success and I’ll edit the original post if needed!!!

When writing the instructions, I tried to “stay true” to the example ports shown in the Blue Iris Help File, so I referred to Ports 81 & 443.

But in my case, I already had something occupying 81 and 443. Any chance you have the same issue?

I ended up changing mine to 91 and 440 (and of course forwarding the Ports in the Router accordingly).

In my prior post, I dropped in the steps to run Stunnel as a Service. I ended up “terminating” that Service using the shortcuts in the Windows/Start/StunnelAll Users, and just running the Stunnel GUI at Startup. And worth noting: Stunnel made it easy to Install/Uninstall/Start/Stop the Service in their StartMenu Shortcuts… I missed that the first-time around :slight_smile:

ALSO, some other things to check:

  1. When you load the Stunnel GUI Start, are you getting Configuration Successful message at the bottom?
    image

  2. Is Stunnel showing you the “green light” in the System Tray ?
    image

  3. In Blue Iris > Settings > Webserver, you need to drop “blueiris.YOURDOMAIN.com:440” and uncheck the use HTTPS LAN Also

  4. OHHHH… Make sure you do that Step #14 in the Original Post… as well as double-checking ALL the steps :slight_smile:

1 Like

Thanks again John

This is really appreciated. Have followed the steps very carefully and triple checked the settings but no joy.

  1. Yes I am getting the config successful.

  1. Yes Stunnel is green in system tray

image

    • I have changed the WAN to the domain address and unchecked the HTTPS Lan and step 14.

Personally I think something is going wrong with the port forwarding. I use a UNIFI router. Can I check please in the original post you said

image

I have changed the ports to 91 and 440 as you suggested but my query is the WAN or LAN

This is what I have done:
image

image

The forward IP on both settings is my LAN computer that is running Blue Iris. I fear this may be wrong if you say WAN port?

Again sorry to be dim and thanks in advance? :slightly_smiling_face: :slightly_smiling_face: :slightly_smiling_face:

1 Like

Good Morning @JGFrance,

You’re welcome!

It sure seems like you’re close.

So in my Router, it uses the term “WAN Port” to take any requests coming from outside the local network, which include the :440, and forward them to the Local Port of the Blue Iris Server (192.168.1.4 in my case):


It looks like you’re on track there.

Can you answer these questions by number? :

  1. Check your Router’s Port Forwarding: Are any other IP’s forwarded to 91 or 440 ?

  2. What happens when you test HTTPS as in Line Items 54 & 55 ? Do you get any results?

  3. What happens if you try to go to Blue Iris’ Web Browser Interface ? (I added spaces so it didn’t render as a URL): https:// blueiris. YOURDOMAIN .com:440

  4. Have you checked your “Windows” Firewall ?

a) System Tray image
b) Firewall & Network Protection
c) Allow an app through the firewall
image
image
image

  1. What about your Router Firewall? Each Router is different, but generally found under Security. You can disable any Firewall settings (at least temporarily for testing).

  2. Confirm your DNS Zone Editor at Site Ground:

Of course, please report back and we’ll continue to troubleshoot :slight_smile:

HI John

And thank you so much again. Finally, it was my own stupid fault! I have a UNIFI gateway router that is behind my main router. I needed to first route the 443 port on my 1st router to the gateway to allow that to then route 443 to the BI server.

All is well except one niggle. My SSL certificate is showing as not trusted. It is fine because I can get fully browser to ignore untrusted SSl’s. Guess I will need to take this up with Siteground.

Anyway I just wanted to say thank you so much again for all your amazing step by step advice. But for my own router behind router issues it would have worked first time. Many thanks indeed!

1 Like

@JGFrance

You’re welcome!!!

THAT’S great news ! I love it when a mystery is solved :slight_smile:

My problem was that my users often rely on Chrome, which does not allow the inclusion of non-secure media on Secure/HTTPS sites. FireFox still does and is a viable work-around as well, but I would think sooner/or/later, they will follow in Chrome’s footsteps :frowning:

Couple of thoughts re certificate:

  1. Can you confirm that the cert is shown as Active on Site Ground ?

  2. Can you review/double-check what you copy/pasted into the certs and confirm your Stunnel config file has been modified to 91 & 400 and the correct pem files (Lines 37-52) ? Seems to me that I had pasted the wrong thing into one of the files, and/or didn’t have the Stunnel Config file correct, or skipped one of those steps and received the same error you mention.

Hiya. Thanks again. All active, checked the conf file and pem files which seem okay. It’s definitely the private key followed by the certificate in the mydomainpemfile?

Here’s a thought that I may have got wrong? When you rename the pem files do you rename them as blueiris.mydomain.com.pem or just mydomain.com.pem

1 Like

Welcome.

Yes, it’s definitely the Private Key followed by the Certificate in the mydomainname pem file. For what it’s worth, I don’t have any blank line spaces between, in the beginning, or end. No idea if it matters one/way/or/the other :slight_smile:

image

As for the pem file names, they can be whatever you want, but then the config file needs to refer to them explicitly:

  • file name of : yourdomain.com.cafile.pem must be referred to exactly the same in config (all lower case, no caps, etc.)
  • file name of: yourdomain.com.pem must be referred to exactly the same in config

This is the extent of my config file:

  • socket = l:TCP_NODELAY=1
  • ; TLS front-end to a web server
  • [BlueIris]
  • accept = 440
  • connect = 91
  • cert = yourdomain.com.pem
  • CAFile = yourdomain.com.cafile.pem
  • ; “TIMEOUTclose = 0” is a workaround for a design flaw in Microsoft SChannel
  • ; Microsoft implementations do not use TLS close-notify alert and thus they
  • ; are vulnerable to truncation attacks
  • TIMEOUTclose = 0

Another Thought: Anything else within your Main Router or within your Secondary Router that might be impacting this? Confirm Windows Firewall; Try disabling Firewalls in BOTH routers (for temp/testing purposes).

Thanks again John. Have tripled checked contents and tried everything including disabling all firewalls but chrome is just not liking this SSL cert. I did notice in the stunnel folder a file called ca-certs which has been left unchanged. Am wondering if this causing any problems?

Anyway don’t worry you have been more than helpful already and as I said it is working in kiosk so I may figure out a solution to chrome one day :roll_eyes:. If I do will post back. Thank you!!

1 Like

Okay little update. I originally had my website with a basic lets encrypt SSL certificate. I changed it to a lets encrypt wildcard instead. I think the problem with the first one was that it only covers the basic domain.com and not the subdomain (i.e. blueiris.domain.com) which is what I have been using. Hoorray !!!

Thanks again John

2 Likes

Hi Jon,

You’re welcome!!!

AWESOME! SUCCESS!!!

I like it when the answer is found!

GREAT JOB and Good Call on Changing out the SSL Certificate!!!

So while you were swapping out the Certificate, I was pounding out a few more thoughts. You can ignore of course, but I wanted to leave it in the thread in hopes of helping others in the future!

Have a GREAT DAY !!!


As long as you’re NOT referring to ca-certs file in your config, it shouldn’t matter.

Hope you don’t mind, but just a few more thoughts:

  1. I’ve done this now on two separate Domains/BlueIris Installs and got HTTPS to work in Chrome, so something/somewhere isn’t quite right.

  2. Did you try reducing down the Stunnel Config file to only those items in my prior post? (i.e. removing all of the other Stunnel Settings/Examples) ?

  3. Confirm your Certificate Files “did” in fact save in the Stunnel Config Folder (seems like mine would not save without doing something with Windows Admin setting).

  4. As well, when I originally created the Cert/PEM files, it had actually saved it as a “txt” file type. Confirm that it is in fact a .pem file extension:
    image

  5. Did you try the Proverbial Reboot? (causing both Stunnel & Blue Iris to load fresh)?

1 Like

Once again amazing advice thank you. Yes I had to change the windows permissions too as I also noticed they saved as text files at one point. My config file now has your extra timeout bits too but I made sure to delete everything else. The only difference in my set up is I have the blue iris LAN on ssl too now as I was wondering if the certificate wasn’t approving due to the server having both http and https. Anyway I don’t think it makes any difference.

All in all a real success with brilliant tips. You have a great day too…

2 Likes

You’re very welcome!

Ah, as for the HTTPS on LAN too… just dropping this in for reference …

If you use the Blue Iris Android/iPhone App, it has an amazing GET IPS feature that reaches out to update your WAN IP when it changes. Which is GREAT when you’re NOT using HTTPS.

The problem with HTTPS on Local Area Network is that GET IPS fills the WAN Address with your WAN “IP”, rather than leaving your domain name in place.

1 Like