Blue Iris, Stunnel HTTPS, Media Tiles: Step-By-Step Guide

Note to Future Me: “When I can’t remember how I worked this out, or where I stored the spreadwheet, I’ll hopefully find this in a Search”

For anyone else struggling as I was to overcome the problem of getting Media Tiles to work in Chrome v111 and newer from an EXTERNAL INTERNET CONNECTION, here’s a Step-By-Step Guide on how I was able to resolve it.

The Main Things You’ll Need:

1. Blue Iris Software running on a Local Server
2. Stunnel running on the same Server
3. A Domain Name
4. SSL Security Certificates

Now, as @josh has indicated, this isn’t for the faint of heart!

I dropped in Line Item Numbers for reference. If you see a mistake or something I can improve on, please reference the Line Item Number in your reply and I’ll make the edits in the original post.

Good Luck should you need to implement this

Note: if at some time I’m able to upload a file, I’ll gladly attached the table below in PDF.

Reference/Background	1			Comments
Bread Crumbs in This Link	2			The information in the Bread Crumbs Link helped me figure out what do in my situation
	3			The Bread Crumbs Link assumes you do NOT already have a website
	4			In my situation, I already had a Domain to use which already had SSL Certificates to use: So I did NOT need to create new Certificates
	5
IMPORTANT NOTE	6			If you don’t need HTTPS access from OUTSIDE of your own Local Network, you MIGHT be able to use Stunnel’s Self-Signed Certificates
	7
Step-By-Step	8	Device or Software	Tab Within	Details
	9
	10	Blue Iris		Of course, your Blue Iris Software needs to be set up and running
	11		WebServer	Enable the HTTP Port: Choose a port that does not conflict with an existing device. Example 81
	12			Enable the HTTP Port (Stunnel/NGROK). Choose a port that does not conflict. Example 443
	13			Click Advanced
	14			Un-select Use secure session keys and login page (this will allow SharpTools to pass the Username & Password in the Media Tile
	15			Should click the HELP File in Blue Iris and read up a bit on HTTPS and Stunnel for a general understanding.
	16		Each Camera	General Tab: Assure Name and Short Name are filled in meaningfully for you. Example: Driveway Camera; DriveCam
	17			You’ll need this later in SharpTools to build the URL
	18		User Name	Create a User Name and Password: example: MyUserName; MyPassword (of course use something more secure than that
	19
	20	Router	DHCP Reservations	Reserve the IP of your Blue Iris Server to assure it gets the same IP every time it boots up.
	21		Port Forwarding	Forward the HTTP Port you chose in Blue Iris to the Mac Address (or IP) of your Blue Iris Server: Port Start/End=81; WAN Ports=81/81
	22			Forward the HTTPS Port you chose in Blue Iris to the Mac Address (or IP) of your Blue Iris Server: Port Start/End=443; WAN Ports=443/443
	23
	24	Stunnel	www.stunnel.org	Download the version of Stunnel that is suitable for your OS
	25			Install Stunnel: Upon Install, it will prompt you for some basic information
	26			In my case, it’s Windows 10
	27
	28	Domain Host	Manage DNS Records	This is located in different places on different Domain Hosts. In SiteGround, it’s under Domain/DNS Zone Editor
	29			This is where you’re going to create the reference from your WEBSITE back to the Blue Iris Server
	30			Create an A Record named: BlueIris.YOURDOMAIN.com
	31			IPv4 Address: Will be the IP Address of your Internet Service (see Blue Iris Settings/WebServer: It shows you the EXTERNAL IP Address)
	32
	33		Security/SSL Manager	Select your Domain and View the Certificates
	34			If you DO NOT have Certificates, you’ll need to create them within your Domain Host
	35			In my case, SiteGround already created and maintains Let’s Encrypt Certificates
	36			Select your Certificate and click View. You should have THREE. Be ready to copy/paste these into new files on your computer below.
	37			1) Certificate (CRT)
	38			2) Private Key (KEY)
	39			3) Certificate Authority Bundle (CABUNDLE)
	40
	41	Windows Explorer	C:\Program Files (x86)\Stunnel\config	Copy the default Stunnel.PEM file to a new file named: MyDomain.pem (of course MyDomain=Your actual domain name
	42			Copy the default Stunnel.PEM file to a new file named: MyDomain.cafile.pem (of course MyDomain=Your actual domain name
	43			Open your new MyDomain.pem file; select all; Delete everything; Copy/Paste your PRIVATE KEY, followed by your CERTIFICATE into this file
	44			Open your new MyDomain.cafile.pem file; select all; Delete everything; Copy/Paste your Certificate Authority Bundle into this file
	45			Of course, save both new files above (you might have to deal with some Windows Security to edit these files).
	46			Make a copy of the default Stunnel.CONF file for your reference if needed in the future
	47			Open stunnel.conf, select all, Delete Everything; Create the following text; save (of course use whatever ports you chose instead of 443 and 81)
	48			; TLS front-end to a web server [BlueIris] accept = 443 connect = 81 cert =mydomain.com.pem CAFile = mydomain.com.cafile.pem
	49
	50	Stunnel	Top Menu	Pull Down: Configuration; Reload Configuration
	51			You should perhaps 7 lines of text ending in Configuration successful. If not, confirm ALL of the steps above have been completed
	52			You might need to Pull Down File; Terminate; Then restart Stunnel
	53
	54	Web Browser	Preliminary Test of URL for SharpTools	In CHROME v111 and newer: Type in the following URL: https://blueiris.mydomain.com:443/mjpg/BlueIrisShortCamName/?user=XXX&pw=XXX
	55			Example would look like: https://blueiris.mydomain.com:443/mjpg/DriveCam/?user=MyUserName&pw=MyPassword
	56			IF THIS WORKS: You’ll be taken DIRECTLY to the Video Stream (without pausing to sign into Blue Iris or the Camera)
	57
	58	SharpTools	Account/ManageResources/Media	Create New
	59			Media Name: Driveway Camera
	60			Media URL: Use the SUCCESSFUL URL that you tested above in Chrome
	61			You SHOULD see a LIVE Thumbnail at the bottom.
	62			Click Update; Might have to click Update again
	63			Click anywhere OFF of the Create Media Dialog to exit
	64
	65		Pull Down Dashboard	Select an Existing Dashboard OR Create a New One depending upon your needs.
	66			Click 3 Dots; Edit; +; Media; Select your Media Tile(s); Click Done; Click Save
	67			You should see a LIVE view of your Camera
				Edit the Tile to your liking and needs

… adding on a few more tips…

Hiya. Thank you so much for taking the time to do this. I have tried various solutions to get an stunnel blueiris onto sharptools but it never seems to work. Thankfully I am also on siteground with a domain and ssl so your instructions have been great.

Sadly it still is not plaing ball. Can I ask a q re the port forwarding. I have tried both the LAN and WAN Ip addresses with 81 to 81 and 443 to 443 and even 8080 to 8080 just in case but nothing seems to work. I am only guessing that my error has something to do with port forwarding or my stunnel service. There seem to be so many stunnel files with gui start and stop and service install etc ect. Have you got any other tips? Sorry to be a nuisance.

Hi @JGFrance,

You’re welcome! Not a nuisance at all… We’re all here to help each other!

I sure hope something below brings you to the solution: PLEASE report back on your steps to success and I’ll edit the original post if needed!!!

When writing the instructions, I tried to “stay true” to the example ports shown in the Blue Iris Help File, so I referred to Ports 81 & 443.

But in my case, I already had something occupying 81 and 443. Any chance you have the same issue?

I ended up changing mine to 91 and 440 (and of course forwarding the Ports in the Router accordingly).

In my prior post, I dropped in the steps to run Stunnel as a Service. I ended up “terminating” that Service using the shortcuts in the Windows/Start/StunnelAll Users, and just running the Stunnel GUI at Startup. And worth noting: Stunnel made it easy to Install/Uninstall/Start/Stop the Service in their StartMenu Shortcuts… I missed that the first-time around

ALSO, some other things to check:

1. When you load the Stunnel GUI Start, are you getting Configuration Successful message at the bottom?
   
   

   

   image836×145 33.3 KB

2. Is Stunnel showing you the “green light” in the System Tray ?
   

3. In Blue Iris > Settings > Webserver, you need to drop “blueiris.YOURDOMAIN.com:440” and uncheck the use HTTPS LAN Also
   

   

   image632×609 84.2 KB

4. OHHHH… Make sure you do that Step #14 in the Original Post… as well as double-checking ALL the steps

Thanks again John

This is really appreciated. Have followed the steps very carefully and triple checked the settings but no joy.

1. Yes I am getting the config successful.

image990×237 5.76 KB

2. Yes Stunnel is green in system tray

3. • I have changed the WAN to the domain address and unchecked the HTTPS Lan and step 14.

Personally I think something is going wrong with the port forwarding. I use a UNIFI router. Can I check please in the original post you said

I have changed the ports to 91 and 440 as you suggested but my query is the WAN or LAN

This is what I have done:

The forward IP on both settings is my LAN computer that is running Blue Iris. I fear this may be wrong if you say WAN port?

Again sorry to be dim and thanks in advance?

Good Morning @JGFrance,

You’re welcome!

It sure seems like you’re close.

So in my Router, it uses the term “WAN Port” to take any requests coming from outside the local network, which include the :440, and forward them to the Local Port of the Blue Iris Server (192.168.1.4 in my case):

image1261×68 2.63 KB

image1238×42 1.09 KB

It looks like you’re on track there.

Can you answer these questions by number? :

1. Check your Router’s Port Forwarding: Are any other IP’s forwarded to 91 or 440 ?

2. What happens when you test HTTPS as in Line Items 54 & 55 ? Do you get any results?

3. What happens if you try to go to Blue Iris’ Web Browser Interface ? (I added spaces so it didn’t render as a URL): https:// blueiris. YOURDOMAIN .com:440

4. Have you checked your “Windows” Firewall ?

a) System Tray
b) Firewall & Network Protection
c) Allow an app through the firewall

5. What about your Router Firewall? Each Router is different, but generally found under Security. You can disable any Firewall settings (at least temporarily for testing).

6. Confirm your DNS Zone Editor at Site Ground:
   

   

   image1418×156 9.95 KB

Of course, please report back and we’ll continue to troubleshoot

HI John

And thank you so much again. Finally, it was my own stupid fault! I have a UNIFI gateway router that is behind my main router. I needed to first route the 443 port on my 1st router to the gateway to allow that to then route 443 to the BI server.

All is well except one niggle. My SSL certificate is showing as not trusted. It is fine because I can get fully browser to ignore untrusted SSl’s. Guess I will need to take this up with Siteground.

Anyway I just wanted to say thank you so much again for all your amazing step by step advice. But for my own router behind router issues it would have worked first time. Many thanks indeed!

@JGFrance

You’re welcome!!!

THAT’S great news ! I love it when a mystery is solved

My problem was that my users often rely on Chrome, which does not allow the inclusion of non-secure media on Secure/HTTPS sites. FireFox still does and is a viable work-around as well, but I would think sooner/or/later, they will follow in Chrome’s footsteps

Couple of thoughts re certificate:

1. Can you confirm that the cert is shown as Active on Site Ground ?
   

   

   image1407×191 12.3 KB

2. Can you review/double-check what you copy/pasted into the certs and confirm your Stunnel config file has been modified to 91 & 400 and the correct pem files (Lines 37-52) ? Seems to me that I had pasted the wrong thing into one of the files, and/or didn’t have the Stunnel Config file correct, or skipped one of those steps and received the same error you mention.

Hiya. Thanks again. All active, checked the conf file and pem files which seem okay. It’s definitely the private key followed by the certificate in the mydomainpemfile?

Here’s a thought that I may have got wrong? When you rename the pem files do you rename them as blueiris.mydomain.com.pem or just mydomain.com.pem

Welcome.

Yes, it’s definitely the Private Key followed by the Certificate in the mydomainname pem file. For what it’s worth, I don’t have any blank line spaces between, in the beginning, or end. No idea if it matters one/way/or/the other

As for the pem file names, they can be whatever you want, but then the config file needs to refer to them explicitly:

• file name of : yourdomain.com.cafile.pem must be referred to exactly the same in config (all lower case, no caps, etc.)
• file name of: yourdomain.com.pem must be referred to exactly the same in config

This is the extent of my config file:

• socket = l:TCP_NODELAY=1
• ; TLS front-end to a web server
• [BlueIris]
• accept = 440
• connect = 91
• cert = yourdomain.com.pem
• CAFile = yourdomain.com.cafile.pem
• ; “TIMEOUTclose = 0” is a workaround for a design flaw in Microsoft SChannel
• ; Microsoft implementations do not use TLS close-notify alert and thus they
• ; are vulnerable to truncation attacks
• TIMEOUTclose = 0

Another Thought: Anything else within your Main Router or within your Secondary Router that might be impacting this? Confirm Windows Firewall; Try disabling Firewalls in BOTH routers (for temp/testing purposes).

Thanks again John. Have tripled checked contents and tried everything including disabling all firewalls but chrome is just not liking this SSL cert. I did notice in the stunnel folder a file called ca-certs which has been left unchanged. Am wondering if this causing any problems?

Anyway don’t worry you have been more than helpful already and as I said it is working in kiosk so I may figure out a solution to chrome one day . If I do will post back. Thank you!!

Okay little update. I originally had my website with a basic lets encrypt SSL certificate. I changed it to a lets encrypt wildcard instead. I think the problem with the first one was that it only covers the basic domain.com and not the subdomain (i.e. blueiris.domain.com) which is what I have been using. Hoorray !!!

Thanks again John

Hi Jon,

You’re welcome!!!

AWESOME! SUCCESS!!!

I like it when the answer is found!

GREAT JOB and Good Call on Changing out the SSL Certificate!!!

So while you were swapping out the Certificate, I was pounding out a few more thoughts. You can ignore of course, but I wanted to leave it in the thread in hopes of helping others in the future!

Have a GREAT DAY !!!

As long as you’re NOT referring to ca-certs file in your config, it shouldn’t matter.

Hope you don’t mind, but just a few more thoughts:

1. I’ve done this now on two separate Domains/BlueIris Installs and got HTTPS to work in Chrome, so something/somewhere isn’t quite right.

2. Did you try reducing down the Stunnel Config file to only those items in my prior post? (i.e. removing all of the other Stunnel Settings/Examples) ?

3. Confirm your Certificate Files “did” in fact save in the Stunnel Config Folder (seems like mine would not save without doing something with Windows Admin setting).

4. As well, when I originally created the Cert/PEM files, it had actually saved it as a “txt” file type. Confirm that it is in fact a .pem file extension:
   

5. Did you try the Proverbial Reboot? (causing both Stunnel & Blue Iris to load fresh)?

Once again amazing advice thank you. Yes I had to change the windows permissions too as I also noticed they saved as text files at one point. My config file now has your extra timeout bits too but I made sure to delete everything else. The only difference in my set up is I have the blue iris LAN on ssl too now as I was wondering if the certificate wasn’t approving due to the server having both http and https. Anyway I don’t think it makes any difference.

All in all a real success with brilliant tips. You have a great day too…

You’re very welcome!

Ah, as for the HTTPS on LAN too… just dropping this in for reference …

If you use the Blue Iris Android/iPhone App, it has an amazing GET IPS feature that reaches out to update your WAN IP when it changes. Which is GREAT when you’re NOT using HTTPS.

The problem with HTTPS on Local Area Network is that GET IPS fills the WAN Address with your WAN “IP”, rather than leaving your domain name in place.

image328×733 77.8 KB

Hello

I am currently attempting to configure my Blue Iris system to work with Stunnel. I have followed the necessary steps and recently purchased a domain from NameCheap. However, when attempting to acquire certificates, I encounter the following error in PowerShell below

I have ensured that I replaced “*.mydomain.com” and “mydomain.com” with my actual domain as instructed. However, I am still encountering this issue. Any assistance in resolving this error would be greatly appreciated.

Thank you

>> Copy-Item $cert.FullChainFile -Destination "C:\Program Files (x86)\stunnel\config\mydomain.com.cafile.pem" -Force
Copy-Item : Cannot bind argument to parameter 'Path' because it is null.
At line:1 char:11
+ Copy-Item $cert.KeyFile -Destination "C:\Program Files (x86)\stunnel\ ...
+           ~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Copy-Item], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.CopyItemCom
   mand

Get-Content : Cannot bind argument to parameter 'Path' because it is null.
At line:2 char:19
+ Get-Content -Path $cert.CertFile -Raw | Add-Content -Path  "C:\Progra ...
+                   ~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-Content], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.GetContentC
   ommand

Copy-Item : Cannot bind argument to parameter 'Path' because it is null.
At line:3 char:11
+ Copy-Item $cert.FullChainFile -Destination "C:\Program Files (x86)\st ...
+           ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Copy-Item], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.CopyItemCom

Can you try:

1. Downloading from your Browser/Domain ServerWebGUI Tools
2. Into a temporary folder on your local drive (rather than using PowerShell),
3. then edit the files in that temporary folder,
4. then copy to the proper Stunnel folder (overwriting files as prompted).

My recollection was that the Windows Permissions required me to grant Admin Authority when copying those files to the Stunnel folder. Perhaps those permissions are preventing your PowerShell Commands from succeeding?

Re Line #45 of my Step-By-Step:
“45 Of course, save both new files above (you might have to deal with some Windows Security to edit these files).”

Thank you! I downloaded the SSL from the domain server.

Cool!

But don’t leave us hanging Let us know if you were able to get Stunnel working in Blue Iris

If I want https only on local network do I need Stunnel?
What I need to do?
Thanks