[Icecast] SSL Setup

bubba watson bubba4lyfe at gmail.com
Fri Aug 11 18:37:42 UTC 2017


It is a server message indicator. It is used to distinguish server messages.

Sent from my iPhone

> On Aug 11, 2017, at 13:28, José Luis Artuch <artuch at speedy.com.ar> wrote:
> 
> Hi !
> Still fighting here :)
> 
> /var/log/icecast2/error.log
> ...
> [2017-08-08  03:05:34] INFO main/main Icecast 2.4.2 server started
> [2017-08-08  03:05:34] INFO connection/get_ssl_certificate No SSL capability ***
> [2017-08-08  03:05:34] INFO yp/yp_update_thread YP update thread started
> ...
> 
> What exactly does *** mean ?.
> 
> Thanks !
> José Luis
> 
>> El vie, 21-07-2017 a las 19:44 +0200, Marvin Scholz escribió:
>> 
>>> On 21 Jul 2017, at 19:27, José Luis Artuch wrote:
>>> 
>>>> El vie, 21-07-2017 a las 19:07 +0200, Marvin Scholz escribió:
>>>> 
>>>>> On 21 Jul 2017, at 18:41, José Luis Artuch wrote:
>>>>> 
>>>>> Hello !
>>>>> 
>>>>>> El lun, 10-07-2017 a las 09:31 +0000, Philipp Schafft escribió:
>>>>>> Good morning,
>>>>>> 
>>>>>> 
>>>>>>> On Mon, 2017-07-10 at 01:25 +0000, ScanCaster wrote:
>>>>>>> IceCast is one of the last services I have that doesn't connect
>>>>>>> securely, and I am looking to close that hole....
>>>>>>> [...]
>>>>>>> OK... add a port for SSL for IceCast in icecast.xml...path for cert
>>>>>>> file in same.... no biggie
>>>>>> 
>>>>>> The <ssl-certificate> belongs in the <paths> section of the config
>>>>>> file.
>>>>>> (I'm not sure what you mean with 'in same', just wanted to make it
>>>>>> clear.)
>>>>>> 
>>>>>> 
>>>>>>> The key/cert needs to be in a dir and file with applicable
>>>>>>> permissions 
>>>>>>> for the IceCast user... no biggie..
>>>>>>> 
>>>>>>> chown icecastusergroup:icecastusergroup  certfile
>>>>>> 
>>>>>> 
>>>>>>> What I am looking to confirm is that the cert file needs to
>>>>>>> contain:
>>>>>>> 
>>>>>>> -----BEGIN RSA PRIVATE KEY-----
>>>>>>> MII
>>>>>>> -----END RSA PRIVATE KEY-----
>>>>>>> 
>>>>>>> -----BEGIN CERTIFICATE-----
>>>>>>> MI
>>>>>>> -----END CERTIFICATE----- 
>>>>>>> 
>>>>>>> Where the Cert is the file/text Comodo sends me, and the key is the
>>>>>>> one openssl spit out earlier,
>>>>>>> 
>>>>>>> Combine them up in certfile, Correct? Special order?? KEY then Cert,
>>>>>>> or v-v? Line separating them?
>>>>>> 
>>>>>> The format is the OpenSSL format: key, blank line, cert (chain).
>>>>>> echo | cat key.pem - cert.pem > combo.pem
>>>>>> 
>>>>>> 
>>>>>>> kill -HUP pidOfIcecast
>>>>>> 
>>>>>> As of Icecast2 2.4.x you need to restart Icecast to reload the cert.
>>>>>> There is however a fix in 2.5.x (development) which is hopefully
>>>>>> released with the next development update.
>>>>>> 
>>>>>> 
>>>>>>> And good????
>>>>>>> 
>>>>>>> One thing can the web server spit out just a text file that is used
>>>>>>> by Comodo to verify ownership of the domain? The DNS method normally
>>>>>>> fails....
>>>>>> 
>>>>>> Sure. Just put it into the webroot (<webroot> in <paths>). Icecast
>>>>>> handles files in webroot according to your operating system's
>>>>>> mime-type table.
>>>>>> 
>>>>> 
>>>>> On Debian 9, in the configuration file it says:
>>>>> 
>>>>> <webroot>/usr/share/icecast2/web</webroot>
>>>>> <ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate>
>>>>> 
>>>>> What should be the correct path of the icecast.pem file ?.
>>>>> Should it be /usr/share/icecast2/web/icecast.pem ?.
>>>> 
>>>> You certainly do not want to put your private key in your public
>>>> webroot...
>>>> 
>>> 
>>> Thanks Marvin. Is ok into any other directory, for example
>>> /etc/icecast2/ssl ?.
>> 
>> I think so, yes.
>> 
>>>>> 
>>>>> Thanks.
>>>>>> 
>>>>>>> ie: http://icecast.domain.invalid/somestringofletersnumbers.txt
>>>>>>> That they request if it's dumped in the webroot stuff of Icecast?
>>>>>>> Without any XSLT markup?
>>>>>> 
>>>>>> Icecast only processes XSLT files as XSLT.
>>>>>> 
>>>>>> 
>>>>>>> So if I added a listening port on 80 for this, then took it away,
>>>>>>> since I don't use that for Icecast... Icecast is on its own server
>>>>>>> which does not have Apache... web stuff for other things is on its
>>>>>>> own box. I never have used the Icecast to serve up anything other
>>>>>>> than the default admin etc. stuff it does by default...
>>>>>> 
>>>>>> To avoid the need to run Icecast as privileged user in order to bind
>>>>>> to low ports (if Comodo really insists in using port 80) you can use
>>>>>> your firewall to do a local redirect.
>>>>>> 
>>>>>> 
>>>>>> Hope this is of help to you,
>>>>>> 
>>>>>> with best regards,
>>>>>> 
>>>>>> 
>>>>>> _______________________________________________
>>>>>> Icecast mailing list
>>>>>> Icecast at xiph.org
>>>>>> http://lists.xiph.org/mailman/listinfo/icecast

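Added example, not part of the original thread or of Icecast itself: a pre-restart check of the file named in `<ssl-certificate>`, covering the three points raised in the quoted messages (key before certificate, file outside `<webroot>`, readable by the Icecast user but not by everyone). The function name `check_icecast_pem` is hypothetical, and the PEM path and webroot are passed as arguments rather than read from `icecast.xml`.

```shell
#!/bin/sh
# Added example: sanity checks for a combined key+certificate PEM file.
# Prints one line per finding; returns 0 only when nothing was found.
check_icecast_pem() {
    pem=$1; webroot=$2; bad=0
    [ -f "$pem" ] && [ -r "$pem" ] || { echo "FAIL: cannot read $pem"; return 1; }

    # 1. Order from the thread: private key first, then certificate (chain).
    key_at=$(grep -n -e '-----BEGIN .*PRIVATE KEY-----' "$pem" | head -n 1 | cut -d: -f1)
    crt_at=$(grep -n -e '-----BEGIN CERTIFICATE-----' "$pem" | head -n 1 | cut -d: -f1)
    if [ -z "$key_at" ] || [ -z "$crt_at" ]; then
        echo "FAIL: need both a private key block and a certificate block"; bad=1
    elif [ "$key_at" -gt "$crt_at" ]; then
        echo "FAIL: certificate precedes key; expected key first"; bad=1
    fi

    # 2. The private key must not sit under the publicly served webroot.
    pem_dir=$(cd "$(dirname "$pem")" && pwd -P)
    web_dir=$(cd "$webroot" 2>/dev/null && pwd -P)
    case "$pem_dir/" in
        "${web_dir:-/nonexistent}"/*)
            echo "FAIL: $pem is inside webroot $web_dir"; bad=1 ;;
    esac

    # 3. Owner/group (the Icecast user) may read it; "other" must not.
    if [ -n "$(find -L "$pem" -prune -perm -004)" ]; then
        echo "FAIL: $pem is world-readable (chmod 640 after chown)"; bad=1
    fi

    [ "$bad" -eq 0 ] && echo "OK: $pem"
    return "$bad"
}

# Stand-alone use: sh check.sh /etc/icecast2/ssl/icecast.pem /usr/share/icecast2/web
if [ "$#" -eq 2 ]; then check_icecast_pem "$1" "$2"; fi
```

The check only looks at layout, location and mode; it does not verify that the key actually matches the certificate.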

