[Icecast] After I enabled SSL, stream mountpoints broke

Nathan Miller nate at themillerhome.org
Sat Apr 4 06:53:39 UTC 2015


Thanks Thomas.  I did see the stunnel option but I really had no need to
put out that extra effort as my source lives on the same host as the
icecast server.  Just like you stated, since I'm pointing it at the
localhost there really is no need to encrypt that stream.  So I'm just
running a secondary port that isn't publicly exposed as non-ssl.

Thanks again,
Nathan

On Fri, Apr 3, 2015 at 10:50 PM, "Thomas B. Rücker" <thomas at ruecker.fi>
wrote:

> On 04/04/2015 02:42 AM, Nathan Miller wrote:
> > Philipp,
> >
> > Thank you for your quick response.  I can't believe that I didn't
> > think of that...I guess I just assumed that it would use SSL.  I'm
> > using Liquidsoap as my source client.  Once you brought that up I
> > started researching whether there was a way to force Liquidsoap to use
> > SSL and from what I found it doesn't look like there is an
> > option...but please correct me if you or anyone else who reads this
> > knows differently.
> >
> > After I had a good idea of what was happening I found this other
> > thread http://lists.xiph.org/pipermail/icecast/2015-January/013118.html
> > that talks about exactly what I'm trying to do using Liquidsoap.  I
> > followed it and I'm good now running on two ports...one SSL and one
> > not from connecting to Liquidsoap.
> >
> > Thanks again for your hint :) and please let me know if you've seen
> > other ways to tackle this with Liquidsoap than what I set up.
>
> If you read the remainder of that thread you pointed to, you'll find
> some hints.
> The main thing being to "ssl enable" the source connections by using
> Stunnel on the originating machine. This random picture from "the
> interwebz" explains it pretty well:
> http://www.ximera.de/bilder/stunnel2.png
> In place of "Hamster" you'd have your source client.
>
> I expect the TLS support situation to improve with source clients, as we
> are soon going to release a TLS enabled version of libshout. The library
> many clients use to talk to Icecast servers.
>
> In case one has only local connections from source clients, then just
> binding a plain http port to ::1 or 127.0.0.1 is safe too.
>
> Cheers
>
> Thomas
>
>
>
> > On Fri, Apr 3, 2015 at 3:41 PM, Philipp Schafft <lion at lion.leolix.org
> > <mailto:lion at lion.leolix.org>> wrote:
> >
> >     Good evening,
> >
> >     On Fri, 2015-04-03 at 14:02 -0700, Nathan Miller wrote:
> >     > I'm running Icecast package 2.4.1 on Ubuntu 14.04
> >     > from
> >     > http://download.opensuse.org/repositories/home:/dm8tbr/xUbuntu_14.04.
> >     >
> >     >
> >     > I've been running on this server for about 6 months now without any
> >     > issue and all my streams run great.  This icecast server is running on
> >     > the same host that my wordpress site is running on.  This is all on my
> >     > own private server, not a hosting service.
> >     >
> >     >
> >     > Recently I decided to switch everything to SSL and all went well with
> >     > the exception of the icecast server.  The SSL portion of the icecast
> >     > server is actually working just fine and the SSL certificate is
> >     > loading on the admin page on all modern browsers without any issue or
> >     > error.  I can see the full admin page and navigate it without issue.
> >     > The problem is as soon as I add this line to the <paths> section, as
> >     > required to load the PEM certificate, my mountpoint streams stopped
> >     > loading:
> >     >
> >     > <ssl-certificate>/usr/share/icecast2/ssl/mysslcertname.pem</ssl-certificate>
> >     >
> >     > Then my icecast error log fills with this whenever anyone attempts to
> >     > hit any of the stream mountpoints that failed to load:
> >     >
> >     >
> >     > [2015-04-02  18:17:59] INFO fserve/fserve_client_create checking for file /stream1 (/usr/share/icecast2/web/stream1)
> >     > [2015-04-02  18:17:59] WARN fserve/fserve_client_create req for file "/usr/share/icecast2/web/stream1" No such file or directory
> >     > [2015-04-03  01:52:43] INFO fserve/fserve_client_create checking for file /stream2 (/usr/share/icecast2/web/stream2)
> >     > [2015-04-03  01:52:43] WARN fserve/fserve_client_create req for file "/usr/share/icecast2/web/stream2" No such file or directory
> >
> >     Those messages tell that there is no mount nor a file in web/. I
> >     suspect that the stream is not mounted (= the source is not connected).
> >
> >
> >     > There is nothing in the error logs after I've added this line to the
> >     > <paths> and restarted icecast so I'm not sure what is breaking but I'm
> >     > guessing from the errors whenever someone tries to hit the mountpoint
> >     > that the file that was supposed to be created never is.  Not sure why
> >     > adding to the path would cause this issue, but as soon as I remove it
> >     > all returns to a working order with stream mountpoints loading and
> >     > working perfectly...though now SSL is broken again :(
> >
> >     Which source client do you use? If you switch the port to TLS that is
> >     used by the source client to connect you also need to set the source
> >     client to TLS mode.
> >
> >
> >     > Hopefully someone can provide some guidance here!  Thanks!
> >
> >     Please come back with the answers. I'm sure this isn't impossible.
> >
> >     Have a good night!
> >
> >     --
> >     Philipp.
> >      (Rah of PH2)
> >
> >     _______________________________________________
> >     Icecast mailing list
> >     Icecast at xiph.org <mailto:Icecast at xiph.org>
> >     http://lists.xiph.org/mailman/listinfo/icecast
> >
>
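
The two-listener setup discussed in this thread (a TLS port for listeners plus a plain HTTP port bound to 127.0.0.1 or ::1 for a source client on the same host), as an added example that is not part of the original messages: a small Python check that flags any non-TLS `<listen-socket>` in an icecast.xml that is not bound to loopback. The sample configuration and the ports 8443 and 8000 are constructed for illustration; the certificate path is the one quoted above.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample (ports are assumptions): TLS listener for the public,
# plain listener bound to loopback for a source client on the same host.
SAMPLE_OK = """<icecast>
  <listen-socket><port>8443</port><ssl>1</ssl></listen-socket>
  <listen-socket>
    <port>8000</port>
    <bind-address>127.0.0.1</bind-address>
  </listen-socket>
  <paths>
    <ssl-certificate>/usr/share/icecast2/ssl/mysslcertname.pem</ssl-certificate>
  </paths>
</icecast>"""

# Weak variant: the plain port has no bind-address, so it listens everywhere.
SAMPLE_EXPOSED = SAMPLE_OK.replace("<bind-address>127.0.0.1</bind-address>", "")

def is_loopback(addr):
    """True only for literal loopback IPs (127.0.0.0/8, ::1)."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # empty or a hostname: not provably loopback
        return False

def audit(xml_text):
    """Return findings for an icecast.xml given as a string."""
    root = ET.fromstring(xml_text)
    has_cert = bool((root.findtext("paths/ssl-certificate") or "").strip())
    findings = []
    for sock in root.findall("listen-socket"):
        port = (sock.findtext("port") or "?").strip()
        tls = (sock.findtext("ssl") or "0").strip() == "1"
        bind = (sock.findtext("bind-address") or "").strip()
        if tls and not has_cert:
            findings.append(f"port {port}: ssl set but no <ssl-certificate>")
        if not tls and not is_loopback(bind):
            where = bind or "all interfaces"
            findings.append(f"port {port}: plain HTTP exposed on {where}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("ok", SAMPLE_OK), ("exposed", SAMPLE_EXPOSED)):
        print(name, audit(cfg) or "no findings")
```
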