[Icecast] SSL Cert Woes

José Luis Artuch artuch at speedy.com.ar
Mon Aug 28 21:13:41 UTC 2017


El lun, 28-08-2017 a las 20:23 +0000, Speagle, Andy escribió:
> > > > > > > Hi Folks,
> > > > > > > 
> > > > > > > I’m having a problem getting a the SSL cert file
> > > > > > > formatted
> > > > > > > just like icecast wants… I’m running 2.4.2 … and it
> > > > > > > doesn’t
> > > > > > > seem to want to use my combined key + cert chain no
> > > > > > > matter in
> > > > > > > what order I put it.
> > > > > > > Presently, I have it in this format.. with spaces between
> > > > > > > each
> > > > > > > key/cert…
> > > > > > > 
> > > > > > > KEY
> > > > > > > 
> > > > > > > CERTCHAIN-1
> > > > > > > 
> > > > > > > CERTCHAIN-2
> > > > > > > 
> > > > > > > CERTCHAIN-3
> > > > > > > 
> > > > > > > MYCERT
> > > > > > > 
> > > > > > > And… well… not sure what else to do here.  I have the
> > > > > > > file
> > > > > > > owned by icecast:icecast … and … it should be readable in
> > > > > > > its
> > > > > > > present location… so, not sure what else would be wrong.
> > > > > > > 
> > > > > > 
> > > > > > Firtsly, what operative system are you running ?. On Debian
> > > > > > GNU/Linux user
> > > > > > icecast2 and group icecast, then icecast2:icecast.
> > > > > 
> > > > > I'm on RHEL 7, so the user/group is icecast:icecast ...
> > > > > 
> > > > > > Secondly, check the Icecast2's error.log looking about SSL
> > > > > > or
> > > > > > TLS capability.
> > > > > > On Debian GNU/Linux /var/log/icecast2/error.log.
> > > > > 
> > > > > From the log, I get a simple:
> > > > > 
> > > > > WARN connection/get_ssl_certificate Invalid cert file <my
> > > > > cert
> > > > > filepath>
> > > > > INFO connection/get_ssl_certificate No SSL capability on any
> > > > > configured ports
> > > > > 
> > > > 
> > > > Make sure you have set up Icecast correctly:
> > > > 
> > > > <listen-socket>
> > > > 	<port>8443</port>
> > > > 	<ssl>1</ssl>
> > > > </listen-socket>
> > > 
> > > Yeah... it's setup properly...
> > > 
> > > > <paths>
> > > > 	...
> > > > 	<ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-
> > > > certificate>
> > > > </paths>
> > > 
> > > Yes... correct for me.
> > > 
> > > > Also, there is the possibility that Icecast2 package does not
> > > > support encrypted connections via openssl.
> > > > In my case I saw something similar to this:
> > > > [2017-08-08  03:05:34] INFO connection/get_ssl_certificate No
> > > > SSL
> > > > capability Then, like solution I should have compiled Icecast
> > > > with
> > > > openssl support enabled.
> > > 
> > > Well... I believe it to be setup correctly... the RPM has a
> > > libssl
> > > requirement... and the fact that it tries to check the SSL cert
> > > file
> > > indicates that it has capability...
> > 
> > I agree.
> > I generated the certificate with:
> > openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout
> > /usr/share/icecast2/icecast.pem -out
> > /usr/share/icecast2/icecast.pem Then
> > you need only change owner and group, nothing more.
> 
> Well... I was able to get it to work with a self-signed cert... so,
> something must be up with my Starfield signed cert... looks like
> they're configuring certs using "Subject Alternative Name" entries by
> default... could that be causing Icecast to barf on the cert?
> 
Looks like something about the configuration of the certificate, but I
do not specifically what ... I have only done tests with self-signed
certificates.
The format should be:
-----BEGIN PRIVATE KEY-----
blablabla
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
blablabla
-----END CERTIFICATE-----
> Also... I setup another <listen-socket> entry for SSL... but Icecast
> doesn't seem to want to listen on that port when the service comes
> up.  Any idea why that might be?
> 
Do you mean with different port than 8443, by exemple 8765 ?. If so,
what is the output of:
netstat -tulpn | grep ':8765'




More information about the Icecast mailing list