[Icecast] SSL Cert Woes

Speagle, Andy andy.speagle at wichita.edu
Mon Aug 28 20:23:04 UTC 2017


> > > > > > Hi Folks,
> > > > > >
> > > > > > I’m having a problem getting the SSL cert file formatted
> > > > > > just like icecast wants… I’m running 2.4.2 … and it doesn’t
> > > > > > seem to want to use my combined key + cert chain no matter in
> > > > > > what order I put it.
> > > > > > Presently, I have it in this format.. with spaces between each
> > > > > > key/cert…
> > > > > >
> > > > > > KEY
> > > > > >
> > > > > > CERTCHAIN-1
> > > > > >
> > > > > > CERTCHAIN-2
> > > > > >
> > > > > > CERTCHAIN-3
> > > > > >
> > > > > > MYCERT
> > > > > >
> > > > > > And… well… not sure what else to do here.  I have the file
> > > > > > owned by icecast:icecast … and … it should be readable in its
> > > > > > present location… so, not sure what else would be wrong.
> > > > > >
> > > > >
> > > > > Firstly, what operating system are you running? On Debian
> > > > > GNU/Linux, user icecast2 and group icecast, then
> > > > > icecast2:icecast.
> > > >
> > > > I'm on RHEL 7, so the user/group is icecast:icecast ...
> > > >
> > > > > Secondly, check the Icecast2's error.log looking about SSL or
> > > > > TLS capability.
> > > > > On Debian GNU/Linux /var/log/icecast2/error.log.
> > > >
> > > > From the log, I get a simple:
> > > >
> > > > WARN connection/get_ssl_certificate Invalid cert file <my cert filepath>
> > > > INFO connection/get_ssl_certificate No SSL capability on any configured ports
> > > >
> > >
> > > Make sure you have set up Icecast correctly:
> > >
> > > <listen-socket>
> > > 	<port>8443</port>
> > > 	<ssl>1</ssl>
> > > </listen-socket>
> >
> > Yeah... it's set up properly...
> >
> > > <paths>
> > > 	...
> > > 	<ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate>
> > > </paths>
> >
> > Yes... correct for me.
> >
> > > Also, there is the possibility that Icecast2 package does not
> > > support encrypted connections via openssl.
> > > In my case I saw something similar to this:
> > > [2017-08-08  03:05:34] INFO connection/get_ssl_certificate No SSL capability
> > > Then, as a solution, I should have compiled Icecast with
> > > openssl support enabled.
> >
> > Well... I believe it to be set up correctly... the RPM has a libssl
> > requirement... and the fact that it tries to check the SSL cert file
> > indicates that it has capability...
> I agree.
> I generated the certificate with:
> openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout /usr/share/icecast2/icecast.pem -out /usr/share/icecast2/icecast.pem
> Then you need only change owner and group, nothing more.

Well... I was able to get it to work with a self-signed cert... so, something must be up with my Starfield signed cert... looks like they're configuring certs using "Subject Alternative Name" entries by default... could that be causing Icecast to barf on the cert?

Also... I set up another <listen-socket> entry for SSL... but Icecast doesn't seem to want to listen on that port when the service comes up.  Any idea why that might be?
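
Added example, not part of the original message and not Icecast's own code: a Python check for a combined key + certificate PEM file like the one discussed in this thread. It lists the PEM blocks in file order, flags boundary lines that are indented or mangled, and then loads the file through Python's `ssl` module so the underlying OpenSSL error text is visible. It assumes Icecast hands the file to OpenSSL's certificate-chain loader, which OpenSSL documents as expecting the server's own certificate before the intermediates; the function names and the sample bundle are constructed for illustration.

```python
import re
import ssl
import sys

# Constructed sample in the layout from the post: key first, then the
# certificates. Bodies are placeholders, not real key material.
SAMPLE = "\n\n".join(
    f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----"
    for label in ["PRIVATE KEY"] + ["CERTIFICATE"] * 4
) + "\n"
BOUNDARY = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----\s*$")

def pem_layout(text):
    """Return (block labels in file order, structural problems found)."""
    labels, problems, current = [], [], None
    if text.startswith("\ufeff"):
        problems.append("byte-order mark before the first BEGIN line")
    for n, line in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        m = BOUNDARY.match(line)
        if m is None:
            if "-----" in line:  # indented or mangled boundary line
                problems.append(f"line {n}: malformed boundary {line.strip()!r}")
        elif m.group(1) == "BEGIN":
            if current:
                problems.append(f"line {n}: BEGIN inside open {current} block")
            current = m.group(2)
        elif m.group(2) == current:
            labels.append(current)
            current = None
        else:
            problems.append(f"line {n}: END {m.group(2)} has no matching BEGIN")
    if current:
        problems.append(f"unterminated {current} block")
    return labels, problems

def openssl_loads(path):
    """Load the file as certificate chain and private key through OpenSSL."""
    # Assumption (not from the thread): Icecast loads the file the same way.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # password="" keeps OpenSSL from prompting if the key is encrypted
        ctx.load_cert_chain(certfile=path, password="")
        return True, "chain and key load, and the key matches the first cert"
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)

if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        print(pem_layout(fh.read()), openssl_loads(sys.argv[1]))
```

Run it with the path from `<ssl-certificate>` as the only argument, as the user the service runs as, so a permissions problem shows up as an `OSError` rather than a parse error.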
