[Icecast] SSL Cert Woes

José Luis Artuch artuch at speedy.com.ar
Mon Aug 28 21:52:22 UTC 2017


El lun, 28-08-2017 a las 21:37 +0000, Speagle, Andy escribió:
> > > > > > > > > Hi Folks,
> > > > > > > > > 
> > > > > > > > > I’m having a problem getting a the SSL cert file
> > > > > > > > > formatted
> > > > > > > > > just like icecast wants… I’m running 2.4.2 … and it
> > > > > > > > > doesn’t seem to want to use my combined key + cert
> > > > > > > > > chain
> > > > > > > > > no matter in what order I put it.
> > > > > > > > > Presently, I have it in this format.. with spaces
> > > > > > > > > between
> > > > > > > > > each key/cert…
> > > > > > > > > 
> > > > > > > > > KEY
> > > > > > > > > 
> > > > > > > > > CERTCHAIN-1
> > > > > > > > > 
> > > > > > > > > CERTCHAIN-2
> > > > > > > > > 
> > > > > > > > > CERTCHAIN-3
> > > > > > > > > 
> > > > > > > > > MYCERT
> > > > > > > > > 
> > > > > > > > > And… well… not sure what else to do here.  I have the
> > > > > > > > > file
> > > > > > > > > owned by icecast:icecast … and … it should be
> > > > > > > > > readable in
> > > > > > > > > its present location… so, not sure what else would be
> > > > > > > > > wrong.
> > > > > > > > > 
> > > > > > > > 
> > > > > > > > Firtsly, what operative system are you running ?. On
> > > > > > > > Debian
> > > > > > > > GNU/Linux user
> > > > > > > > icecast2 and group icecast, then icecast2:icecast.
> > > > > > > 
> > > > > > > I'm on RHEL 7, so the user/group is icecast:icecast ...
> > > > > > > 
> > > > > > > > Secondly, check the Icecast2's error.log looking about
> > > > > > > > SSL
> > > > > > > > or TLS capability.
> > > > > > > > On Debian GNU/Linux /var/log/icecast2/error.log.
> > > > > > > 
> > > > > > > From the log, I get a simple:
> > > > > > > 
> > > > > > > WARN connection/get_ssl_certificate Invalid cert file <my
> > > > > > > cert
> > > > > > > filepath>
> > > > > > > INFO connection/get_ssl_certificate No SSL capability on
> > > > > > > any
> > > > > > > configured ports
> > > > > > > 
> > > > > > 
> > > > > > Make sure you have set up Icecast correctly:
> > > > > > 
> > > > > > <listen-socket>
> > > > > > 	<port>8443</port>
> > > > > > 	<ssl>1</ssl>
> > > > > > </listen-socket>
> > > > > 
> > > > > Yeah... it's setup properly...
> > > > > 
> > > > > > <paths>
> > > > > > 	...
> > > > > > 	<ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-
> > > > > > certificate>
> > > > > > </paths>
> > > > > 
> > > > > Yes... correct for me.
> > > > > 
> > > > > > Also, there is the possibility that Icecast2 package does
> > > > > > not
> > > > > > support encrypted connections via openssl.
> > > > > > In my case I saw something similar to this:
> > > > > > [2017-08-08  03:05:34] INFO connection/get_ssl_certificate
> > > > > > No
> > > > > > SSL capability Then, like solution I should have compiled
> > > > > > Icecast with openssl support enabled.
> > > > > 
> > > > > Well... I believe it to be setup correctly... the RPM has a
> > > > > libssl
> > > > > requirement... and the fact that it tries to check the SSL
> > > > > cert
> > > > > file indicates that it has capability...
> > > > 
> > > > I agree.
> > > > I generated the certificate with:
> > > > openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout
> > > > /usr/share/icecast2/icecast.pem -out
> > > > /usr/share/icecast2/icecast.pem
> > > > Then you need only change owner and group, nothing more.
> > > 
> > > Well... I was able to get it to work with a self-signed cert...
> > > so,
> > > something must be up with my Starfield signed cert... looks like
> > > they're configuring certs using "Subject Alternative Name"
> > > entries by
> > > default... could that be causing Icecast to barf on the cert?
> > > 
> > 
> > Looks like something about the configuration of the certificate,
> > but I do not
> > specifically what ... I have only done tests with self-signed
> > certificates.
> > The format should be:
> > -----BEGIN PRIVATE KEY-----
> > blablabla
> > -----END PRIVATE KEY-----
> > -----BEGIN CERTIFICATE-----
> > blablabla
> > -----END CERTIFICATE-----
> > > Also... I setup another <listen-socket> entry for SSL... but
> > > Icecast
> > > doesn't seem to want to listen on that port when the service
> > > comes up.
> > > Any idea why that might be?
> > > 
> > 
> > Do you mean with different port than 8443, by exemple 8765 ?. If
> > so, what is
> > the output of:
> > netstat -tulpn | grep ':8765'
> 
> Yeah... I’m just trying 8443 ... and netstat shows nada for 8443 ...
> very strange.
> 
After restart the Icecast2 server ? ...



More information about the Icecast mailing list