[Icecast] SSL Cert Woes

Speagle, Andy andy.speagle at wichita.edu
Mon Aug 28 21:37:43 UTC 2017


> > > > > > > > Hi Folks,
> > > > > > > >
> > > > > > > > I’m having a problem getting a the SSL cert file formatted
> > > > > > > > just like icecast wants… I’m running 2.4.2 … and it
> > > > > > > > doesn’t seem to want to use my combined key + cert chain
> > > > > > > > no matter in what order I put it.
> > > > > > > > Presently, I have it in this format.. with spaces between
> > > > > > > > each key/cert…
> > > > > > > >
> > > > > > > > KEY
> > > > > > > >
> > > > > > > > CERTCHAIN-1
> > > > > > > >
> > > > > > > > CERTCHAIN-2
> > > > > > > >
> > > > > > > > CERTCHAIN-3
> > > > > > > >
> > > > > > > > MYCERT
> > > > > > > >
> > > > > > > > And… well… not sure what else to do here.  I have the file
> > > > > > > > owned by icecast:icecast … and … it should be readable in
> > > > > > > > its present location… so, not sure what else would be
> > > > > > > > wrong.
> > > > > > > >
> > > > > > >
> > > > > > > Firtsly, what operative system are you running ?. On Debian
> > > > > > > GNU/Linux user
> > > > > > > icecast2 and group icecast, then icecast2:icecast.
> > > > > >
> > > > > > I'm on RHEL 7, so the user/group is icecast:icecast ...
> > > > > >
> > > > > > > Secondly, check the Icecast2's error.log looking about SSL
> > > > > > > or TLS capability.
> > > > > > > On Debian GNU/Linux /var/log/icecast2/error.log.
> > > > > >
> > > > > > From the log, I get a simple:
> > > > > >
> > > > > > WARN connection/get_ssl_certificate Invalid cert file <my cert
> > > > > > filepath>
> > > > > > INFO connection/get_ssl_certificate No SSL capability on any
> > > > > > configured ports
> > > > > >
> > > > >
> > > > > Make sure you have set up Icecast correctly:
> > > > >
> > > > > <listen-socket>
> > > > > 	<port>8443</port>
> > > > > 	<ssl>1</ssl>
> > > > > </listen-socket>
> > > >
> > > > Yeah... it's setup properly...
> > > >
> > > > > <paths>
> > > > > 	...
> > > > > 	<ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-
> > > > > certificate>
> > > > > </paths>
> > > >
> > > > Yes... correct for me.
> > > >
> > > > > Also, there is the possibility that Icecast2 package does not
> > > > > support encrypted connections via openssl.
> > > > > In my case I saw something similar to this:
> > > > > [2017-08-08  03:05:34] INFO connection/get_ssl_certificate No
> > > > > SSL capability Then, like solution I should have compiled
> > > > > Icecast with openssl support enabled.
> > > >
> > > > Well... I believe it to be setup correctly... the RPM has a libssl
> > > > requirement... and the fact that it tries to check the SSL cert
> > > > file indicates that it has capability...
> > >
> > > I agree.
> > > I generated the certificate with:
> > > openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout
> > > /usr/share/icecast2/icecast.pem -out /usr/share/icecast2/icecast.pem
> > > Then you need only change owner and group, nothing more.
> >
> > Well... I was able to get it to work with a self-signed cert... so,
> > something must be up with my Starfield signed cert... looks like
> > they're configuring certs using "Subject Alternative Name" entries by
> > default... could that be causing Icecast to barf on the cert?
> >
> Looks like something about the configuration of the certificate, but I do not
> specifically what ... I have only done tests with self-signed certificates.
> The format should be:
> -----BEGIN PRIVATE KEY-----
> blablabla
> -----END PRIVATE KEY-----
> -----BEGIN CERTIFICATE-----
> blablabla
> -----END CERTIFICATE-----
> > Also... I setup another <listen-socket> entry for SSL... but Icecast
> > doesn't seem to want to listen on that port when the service comes up.
> > Any idea why that might be?
> >
> Do you mean with different port than 8443, by exemple 8765 ?. If so, what is
> the output of:
> netstat -tulpn | grep ':8765'

Yeah... I’m just trying 8443 ... and netstat shows nada for 8443 ... very strange.



More information about the Icecast mailing list