[Icecast] SSL Setup

Philipp Schafft phschafft at de.loewenfelsen.net
Mon Jul 10 09:31:06 UTC 2017


Good morning,


On Mon, 2017-07-10 at 01:25 +0000, ScanCaster wrote:
> IceCast is one of the last services I have that doesn't connect securely, 
> and I am looking to close that hole....
> [...]

> OK... add a port for SSL for IceCast in icecast.xml...path for cert file 
> in same.... no biggie

The <ssl-certificate> belongs in the <paths> section of the config file.
(I'm not sure what you mean with 'in same', just wanted to make it
clear.)


> The key/cert needs to be in a dir and file with applicable permissions 
> for the IceCast user... no biggie..
> 
> chown icecastusergroup:icecastusergroup  certfile


> What I am looking to confirm is that the cert file needs to contain:
> 
> -----BEGIN RSA PRIVATE KEY-----
> MII
> -----END RSA PRIVATE KEY-----
> 
> -----BEGIN CERTIFICATE-----
> MI
> -----END CERTIFICATE----- 
> 
> Where the Cert is the file/text Comodo sends me, and the key is the one 
> openssl spit out earlier, 
> 
> Combine them up in certfile, Correct? Special order?? KEY then Cert, or v-
> v? Line separating them?

The format is the OpenSSL format: key, blank line, cert (chain).
echo | cat key.pem - cert.pem > combo.pem


> kill -HUP pidOfIcecast

As of Icecast2 2.4.x you need to restart Icecast to reload the cert.
There is however a fix in 2.5.x (development) which is hopefully
released with the next development update.


> And good????
> 
> One thing can the web server spit out just a text file that is used by 
> Comodo to verify ownership of the domain? The DNS method normally 
> fails....

Sure. Just put it into the webroot (<webroot> in <paths>). Icecast
handles files in webroot according to your operating system's mime-type
table.


> ie: http://icecast.domain.invalid/somestringofletersnumbers.txt That they 
> request if its dumped in the webroot stuff of Icecast? With out any XSLT 
> markup?

Icecast only processes XSLT files as XSLT.


> So if I added a listening port on 80 for this, then took it away, 
> since I don't use that for Icecast... Icecast is on its own server which 
> does not have Apache... web stuff for other things is on its own box. I 
> never have used the Icecast to server up anything other than the default 
> admin etc. stuff it does by default...

To avoid the need to run Icecast as privileged user in order to bind to
low ports (if Comodo really insists on using port 80) you can use your
firewall to do a local redirect.


Hope this is of help to you,

with best regards,


-- 
Philipp Schafft (CEO/Geschäftsführer) 
Telephon: +49.3535 490 17 92

Löwenfelsen UG (haftungsbeschränkt)     Registration number:
Bickinger Straße 21                     HRB 12308 CB
04916 Herzberg (Elster)                 VATIN/USt-ID:
Germany                                 DE305133015
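As an added example (my own, not part of Philipp's message or the Icecast project's code), the following Python script assembles the combined file in exactly the layout described above (key, one blank line, certificate chain) and checks an existing one for key-first order, the separating blank line and over-broad file permissions; the key and certificate bodies used for testing are constructed placeholders.

```python
# Added example (not code from the original message or the Icecast project):
# build the combined PEM file in the layout the reply describes (key, one blank
# line, certificate chain) and check a file before <ssl-certificate> points at it.
import re
import stat
import sys

# One PEM block: BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def combine_pem(key_pem, cert_chain_pem):
    """Key first, exactly one blank line, then the certificate(s)."""
    return key_pem.rstrip("\n") + "\n\n" + cert_chain_pem.rstrip("\n") + "\n"


def check_combined_pem(text):
    """Return a list of layout problems; an empty list means the layout is right."""
    blocks = list(PEM_BLOCK.finditer(text))
    if not blocks:
        return ["no PEM blocks found"]
    labels = [m.group(1) for m in blocks]
    problems = []
    if labels[0] not in KEY_LABELS:
        problems.append("first block is '%s', expected the private key" % labels[0])
    if sum(label in KEY_LABELS for label in labels) != 1:
        problems.append("expected exactly one private key block")
    if "CERTIFICATE" not in labels[1:]:
        problems.append("no CERTIFICATE block after the key")
    gap = text[blocks[0].end():blocks[1].start()] if len(blocks) > 1 else "\n\n"
    if not re.search(r"\n\s*\n", gap):
        problems.append("no blank line between key and certificate")
    return problems


def mode_problems(mode):
    """The file holds the private key, so group/other read bits are a finding."""
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return ["mode %o is readable by group or others" % mode]
    return []

if __name__ == "__main__":
    # usage: python combine_pem.py key.pem cert.pem > combo.pem
    with open(sys.argv[1]) as key, open(sys.argv[2]) as chain:
        combo = combine_pem(key.read(), chain.read())
    for problem in check_combined_pem(combo):
        print("warning:", problem, file=sys.stderr)
    sys.stdout.write(combo)
```

Run mode_problems() on stat.S_IMODE(os.stat(path).st_mode) of the finished file after the chown step to confirm only the Icecast user can read it.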