[Icecast] SSL Cert Woes

José Luis Artuch artuch at speedy.com.ar
Mon Aug 28 19:25:19 UTC 2017


Hi Andy,
On Mon, 28-08-2017 at 19:05 +0000, Speagle, Andy wrote:
> > > > > Hi Folks,
> > > > > 
> > > > > I’m having a problem getting the SSL cert file formatted
> > > > > just
> > > > > like icecast wants… I’m running 2.4.2 … and it doesn’t seem
> > > > > to
> > > > > want to use my combined key + cert chain no matter in what
> > > > > order I
> > > > > put it.
> > > > > Presently, I have it in this format.. with spaces between
> > > > > each
> > > > > key/cert…
> > > > > 
> > > > > KEY
> > > > > 
> > > > > CERTCHAIN-1
> > > > > 
> > > > > CERTCHAIN-2
> > > > > 
> > > > > CERTCHAIN-3
> > > > > 
> > > > > MYCERT
> > > > > 
> > > > > And… well… not sure what else to do here.  I have the file
> > > > > owned
> > > > > by icecast:icecast … and … it should be readable in its
> > > > > present
> > > > > location… so, not sure what else would be wrong.
> > > > > 
> > > > 
> > > > Firstly, what operating system are you running? On Debian
> > > > GNU/Linux the user is icecast2 and the group icecast, so
> > > > icecast2:icecast.
> > > 
> > > I'm on RHEL 7, so the user/group is icecast:icecast ...
> > > 
> > > > Secondly, check Icecast2's error.log, looking for SSL or TLS
> > > > capability.
> > > > On Debian GNU/Linux it is /var/log/icecast2/error.log.
> > > 
> > > From the log, I get a simple:
> > > 
> > > WARN connection/get_ssl_certificate Invalid cert file <my cert filepath>
> > > INFO connection/get_ssl_certificate No SSL capability on any configured ports
> > > 
> > 
> > Make sure you have set up Icecast correctly:
> > 
> > <listen-socket>
> > 	<port>8443</port>
> > 	<ssl>1</ssl>
> > </listen-socket>
> 
> Yeah... it's setup properly...
> 
> > <paths>
> > 	...
> > 	<ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate>
> > </paths>
> 
> Yes... correct for me.
> 
> > Also, there is the possibility that the Icecast2 package does not
> > support encrypted connections via openssl.
> > In my case I saw something similar to this:
> > [2017-08-08  03:05:34] INFO connection/get_ssl_certificate No SSL capability
> > Then, as a solution, I should have compiled Icecast with openssl
> > support enabled.
> 
> Well... I believe it to be setup correctly... the RPM has a libssl
> requirement... and the fact that it tries to check the SSL cert file
> indicates that it has capability... 
I agree.
I generated the certificate with:
openssl req -x509 -nodes -days 1095 -newkey rsa:2048 \
  -keyout /usr/share/icecast2/icecast.pem -out /usr/share/icecast2/icecast.pem
Then you need only change owner and group, nothing more.
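
Added example, not part of the original message and not Icecast code: a pre-flight check for the combined key + certificate file discussed in this thread. It lists the PEM blocks in file order and then asks OpenSSL, through Python's ssl module, to load the certificate chain and key from that one file. The function names are hypothetical; the default path is the one used above.

```python
import re
import ssl
import sys

# One PEM block: BEGIN line, body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_labels(text):
    """Return block labels in file order, e.g. ['PRIVATE KEY', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def lint_combined_pem(path):
    """Return a list of problems found in a combined key + certificate PEM file."""
    try:
        with open(path, encoding="ascii") as fh:
            text = fh.read()
    except (OSError, UnicodeDecodeError) as exc:
        return [f"cannot read file: {exc}"]

    labels = pem_labels(text)
    problems = []
    if text.count("-----BEGIN ") != len(labels):
        problems.append("a BEGIN line has no matching END line")
    if sum(label.endswith("PRIVATE KEY") for label in labels) != 1:
        problems.append("expected exactly one private key block")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if any("ENCRYPTED" in l for l in labels) or "Proc-Type: 4,ENCRYPTED" in text:
        # A daemon cannot prompt for a passphrase; -nodes writes the key unencrypted.
        problems.append("private key is passphrase-protected")
    if problems:
        return problems

    # Let OpenSSL parse the file: certificate chain and key from the same path,
    # followed by its own check that the key matches the first certificate.
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(path)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        problems.append(f"OpenSSL rejected the file: {exc}")
    return problems


if __name__ == "__main__":
    # Default path is the one used in the thread; pass another as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/share/icecast2/icecast.pem"
    found = lint_combined_pem(target)
    print("\n".join(found) if found else f"{target}: loads as cert chain + key")
    sys.exit(1 if found else 0)
```

Running it as the account Icecast runs under (for example with sudo -u icecast) makes the "cannot read file" result reflect that account's permissions on the file.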



