[Icecast] SSL Cert Woes

José Luis Artuch artuch at speedy.com.ar
Mon Aug 28 22:19:15 UTC 2017


El lun, 28-08-2017 a las 21:56 +0000, Speagle, Andy escribió:
> > > > > > > > > > > Hi Folks,
> > > > > > > > > > > 
> > > > > > > > > > > I’m having a problem getting the SSL cert file formatted
> > > > > > > > > > > just like icecast wants… I’m running 2.4.2 … and it doesn’t
> > > > > > > > > > > seem to want to use my combined key + cert chain no matter
> > > > > > > > > > > in what order I put it. Presently, I have it in this format..
> > > > > > > > > > > with spaces between each key/cert…
> > > > > > > > > > > 
> > > > > > > > > > > KEY
> > > > > > > > > > > 
> > > > > > > > > > > CERTCHAIN-1
> > > > > > > > > > > 
> > > > > > > > > > > CERTCHAIN-2
> > > > > > > > > > > 
> > > > > > > > > > > CERTCHAIN-3
> > > > > > > > > > > 
> > > > > > > > > > > MYCERT
> > > > > > > > > > > 
> > > > > > > > > > > And… well… not sure what else to do here.  I have the file
> > > > > > > > > > > owned by icecast:icecast … and … it should be readable in
> > > > > > > > > > > its present location… so, not sure what else would be wrong.
> > > > > > > > > > > 
> > > > > > > > > > 
> > > > > > > > > > Firstly, what operating system are you running? On Debian
> > > > > > > > > > GNU/Linux the user is icecast2 and the group is icecast, so
> > > > > > > > > > icecast2:icecast.
> > > > > > > > > 
> > > > > > > > > I'm on RHEL 7, so the user/group is icecast:icecast ...
> > > > > > > > > 
> > > > > > > > > > Secondly, check Icecast2's error.log for anything about SSL
> > > > > > > > > > or TLS capability. On Debian GNU/Linux it is
> > > > > > > > > > /var/log/icecast2/error.log.
> > > > > > > > > 
> > > > > > > > > From the log, I get a simple:
> > > > > > > > > 
> > > > > > > > > WARN connection/get_ssl_certificate Invalid cert file <my cert filepath>
> > > > > > > > > INFO connection/get_ssl_certificate No SSL capability on any configured ports
> > > > > > > > > 
> > > > > > > > 
> > > > > > > > Make sure you have set up Icecast correctly:
> > > > > > > > 
> > > > > > > > <listen-socket>
> > > > > > > > 	<port>8443</port>
> > > > > > > > 	<ssl>1</ssl>
> > > > > > > > </listen-socket>
> > > > > > > 
> > > > > > > Yeah... it's set up properly...
> > > > > > > 
> > > > > > > > <paths>
> > > > > > > > 	...
> > > > > > > > 	<ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate>
> > > > > > > > </paths>
> > > > > > > 
> > > > > > > Yes... correct for me.
> > > > > > > 
> > > > > > > > Also, there is the possibility that the Icecast2 package does
> > > > > > > > not support encrypted connections via openssl.
> > > > > > > > In my case I saw something similar to this:
> > > > > > > > [2017-08-08  03:05:34] INFO connection/get_ssl_certificate No SSL capability
> > > > > > > > Then, as a solution, I should have compiled Icecast with
> > > > > > > > openssl support enabled.
> > > > > > > 
> > > > > > > Well... I believe it to be set up correctly... the RPM has a
> > > > > > > libssl requirement... and the fact that it tries to check the
> > > > > > > SSL cert file indicates that it has capability...
> > > > > > 
> > > > > > I agree.
> > > > > > I generated the certificate with:
> > > > > > openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout /usr/share/icecast2/icecast.pem -out /usr/share/icecast2/icecast.pem
> > > > > > Then you need only change owner and group, nothing more.
> > > > > 
> > > > > Well... I was able to get it to work with a self-signed cert...
> > > > > so, something must be up with my Starfield signed cert... looks
> > > > > like they're configuring certs using "Subject Alternative Name"
> > > > > entries by default... could that be causing Icecast to barf on the cert?
> > > > > 
> > > > 
> > > > Looks like something about the configuration of the certificate,
> > > > but I do not know specifically what ... I have only done tests
> > > > with self-signed certificates.
> > > > The format should be:
> > > > -----BEGIN PRIVATE KEY-----
> > > > blablabla
> > > > -----END PRIVATE KEY-----
> > > > -----BEGIN CERTIFICATE-----
> > > > blablabla
> > > > -----END CERTIFICATE-----
> > > > > Also... I set up another <listen-socket> entry for SSL... but
> > > > > Icecast doesn't seem to want to listen on that port when the
> > > > > service comes up. Any idea why that might be?
> > > > > 
> > > > 
> > > > Do you mean a port other than 8443, for example 8765? If so,
> > > > what is the output of:
> > > > netstat -tulpn | grep ':8765'
> > > 
> > > Yeah... I’m just trying 8443 ... and netstat shows nada for 8443
> > > ... very strange.
> > > 
> > 
> > After restarting the Icecast2 server? ...
> 
> Yeah... after the restart... the port doesn't appear.  Does icecast2
> play well with selinux?
> 
Are you on the same LAN as the server?
What about the firewall? ...
ufw allow proto tcp from any to xxx.xxx.xxx.xxx port 8443

I have not worked with SELinux, I do not know :(
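The combined key+chain layout discussed in the thread (one private key block followed by certificate blocks) can be sanity-checked before handing it to Icecast, which only reports "Invalid cert file". This is an added example, not code from the thread or from Icecast; `check_icecast_pem`, `parse_pem_blocks` and the sample bodies are constructed here, and it assumes the loader follows OpenSSL's SSL_CTX_use_certificate_chain_file convention (the server's own certificate before the intermediates).

```python
import base64
import binascii
import re

# One PEM block; the backreference makes the END label match the BEGIN label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
MARKER = re.compile(r"-----(BEGIN|END) [A-Z0-9 ]+-----")

def parse_pem_blocks(text):
    """Return [(label, decoded_bytes)] for every complete block.
    Blank lines between blocks are harmless to OpenSSL's PEM reader; a body
    that is not clean base64 (stray characters, truncated line) raises."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        try:
            blocks.append((label, base64.b64decode(body, validate=True)))
        except (binascii.Error, ValueError) as e:
            raise ValueError(f"{label} block has a corrupt base64 body: {e}")
    return blocks

def check_icecast_pem(text):
    """Report structural problems in a combined key+chain file as
    (labels_in_order, findings); empty findings means the layout is
    plausible. Assumes the loader follows OpenSSL's
    SSL_CTX_use_certificate_chain_file convention (server cert first)."""
    findings = []
    begins = sum(1 for m in MARKER.finditer(text) if m.group(1) == "BEGIN")
    ends = sum(1 for m in MARKER.finditer(text) if m.group(1) == "END")
    blocks = parse_pem_blocks(text)
    labels = [label for label, _ in blocks]
    if begins != ends or len(blocks) != begins:
        findings.append(f"{begins} BEGIN / {ends} END markers but {len(blocks)} "
                        "complete blocks: a header or footer line is damaged")
    if sum(l.endswith("PRIVATE KEY") for l in labels) != 1:
        findings.append("expected exactly one private key block")
    if "CERTIFICATE" not in labels:
        findings.append("no CERTIFICATE block found")
    return labels, findings

def _fake_block(label, payload):
    # Constructed stand-in: valid base64, not real key or certificate material.
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"

# Constructed samples: key, blank line, server cert, one intermediate.
SAMPLE_OK = (_fake_block("PRIVATE KEY", b"dummy key") + "\n"
             + _fake_block("CERTIFICATE", b"dummy server cert")
             + _fake_block("CERTIFICATE", b"dummy intermediate"))
# The same file with the key's END line lost, as a copy-paste slip would do.
SAMPLE_BROKEN = SAMPLE_OK.replace("-----END PRIVATE KEY-----\n", "")
```

Running `check_icecast_pem` on the real file (read as text) shows the block order Icecast will see and flags a damaged header or footer line, which the log line above does not.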
