fix(mediamtx): set the ssl cert file

2026-06-06 00:56:56 +00:00 · 2026-04-29 18:22:50 +02:00
parent 79093c5057
commit 8a924f2d52
4 changed files with 26 additions and 7 deletions
--- a/apps/web/src/app/(ui)/(protected)/api/mediamtx/publish/route.ts
+++ b/apps/web/src/app/(ui)/(protected)/api/mediamtx/publish/route.ts
@@ -22,6 +22,10 @@ export async function POST(request: NextRequest) {
  const parsed = schema.safeParse(body);

  if (!parsed.success) {
+    if (process.env.NODE_ENV !== 'production') {
+      console.error('Invalid MediaMTX auth request:', parsed.error.flatten());
+    }
+
    return finish('invalid request', 400, 'invalid_request');
  }
  const { action: parsedAction, protocol: parsedProtocol, path, password, token } = parsed.data;
@@ -91,14 +95,22 @@ export async function POST(request: NextRequest) {
  return finish('uhh', 401, 'unauthorized');
 }

+const emptyableString = z
+  .string()
+  .nullish()
+  .transform((value) => value ?? '');
+
 const schema = z.object({
-  user: z.string().default(''),
-  password: z.string().default(''),
-  token: z.string().default(''),
-  ip: z.string().default(''),
+  user: emptyableString,
+  password: emptyableString,
+  token: emptyableString,
+  ip: emptyableString,
  action: z.enum(['publish', 'read', 'playback', 'api', 'metrics', 'pprof']),
-  path: z.string().default(''),
-  protocol: z.union([z.enum(['rtsp', 'rtmp', 'hls', 'webrtc', 'srt']), z.literal('')]).optional(),
+  path: emptyableString,
+  protocol: z
+    .union([z.enum(['rtsp', 'rtmp', 'hls', 'webrtc', 'srt']), z.literal('')])
+    .nullish()
+    .transform((value) => value ?? ''),
  id: z.string().nullable().default(null),
-  query: z.string().default(''),
+  query: emptyableString,
 });
--- a/compose.yml
+++ b/compose.yml
@@ -61,6 +61,8 @@ services:
    build:
      context: .
      dockerfile: docker/mediamtx/Dockerfile
+    environment:
+      SSL_CERT_FILE: /etc/ssl/certs/ca-certificates.crt
    ports:
      - '8890:8890/udp'
  postgres-exporter:
--- a/docker/mediamtx/mirror/.env.example
+++ b/docker/mediamtx/mirror/.env.example
@@ -11,3 +11,7 @@ MEDIAMTX_WEBRTC_ADDITIONAL_HOSTS=203.0.113.10

 # mediamtx publish route on hctv
 MEDIAMTX_AUTH_HTTP_ADDRESS=https://hackclub.tv/api/mediamtx/publish
+
+# If MediaMTX still reports x509 unknown-authority for the auth callback even
+# with SSL_CERT_FILE set in compose, set MTX_AUTHHTTPFINGERPRINT manually on
+# the server as a temporary cert pin.
--- a/docker/mediamtx/mirror/docker-compose.yml
+++ b/docker/mediamtx/mirror/docker-compose.yml
@@ -31,6 +31,7 @@ services:
    volumes:
      - ./mediamtx.yml:/mediamtx.yml:ro
    environment:
+      SSL_CERT_FILE: /etc/ssl/certs/ca-certificates.crt
      MTX_WEBRTCADDITIONALHOSTS: ${MEDIAMTX_WEBRTC_ADDITIONAL_HOSTS}
      MTX_AUTHHTTPADDRESS: ${MEDIAMTX_AUTH_HTTP_ADDRESS}
    labels: