[Icecast] SSL Setup
José Luis Artuch
artuch at speedy.com.ar
Fri Jul 21 16:41:30 UTC 2017
Hello!
On Mon, 10-07-2017 at 09:31 +0000, Philipp Schafft wrote:
> Good morning,
>
>
> On Mon, 2017-07-10 at 01:25 +0000, ScanCaster wrote:
> > IceCast is one of the last services I have that doesn't connect securely,
> > and I am looking to close that hole....
> > [...]
> > OK... add a port for SSL for IceCast in icecast.xml...path for cert file
> > in same.... no biggie
>
> The <ssl-certificate> belongs in the <paths> section of the config file.
> (I'm not sure what you mean with 'in same', just wanted to make it clear.)
>
>
> > The key/cert needs to be in a dir and file with applicable permissions
> > for the IceCast user... no biggie..
> >
> > chown icecastusergroup:icecastusergroup certfile
>
>
> > What I am looking to confirm is that the cert file needs to contain:
> >
> > -----BEGIN RSA PRIVATE KEY-----
> > MII
> > -----END RSA PRIVATE KEY-----
> >
> > -----BEGIN CERTIFICATE-----
> > MI
> > -----END CERTIFICATE-----
> >
> > Where the Cert is the file/text Comodo sends me, and the key is the one
> > openssl spit out earlier,
> >
> > Combine them up in certfile, Correct? Special order?? KEY then Cert, or
> > v-v? Line separating them?
>
> The format is the OpenSSL format: key, blank line, cert (chain).
> echo | cat key.pem - cert.pem > combo.pem
>
>
> > kill -HUP pidOfIcecast
>
> As of Icecast2 2.4.x you need to restart Icecast to reload the cert.
> There is however a fix in 2.5.x (development) which is hopefully
> released with the next development update.
>
>
> > And good????
> >
> > One thing can the web server spit out just a text file that is used by
> > Comodo to verify ownership of the domain? The DNS method normally
> > fails....
>
> Sure. Just put it into the webroot (<webroot> in <paths>). Icecast
> handles files in webroot according to your operating system's MIME-type
> table.
>
On Debian 9, in the configuration file it says:
<webroot>/usr/share/icecast2/web</webroot>
<ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate>
What should be the correct path of the icecast.pem file?
Should it be /usr/share/icecast2/web/icecast.pem?
Thanks.
>
> > ie: http://icecast.domain.invalid/somestringofletersnumbers.txt That they
> > request if it's dumped in the webroot stuff of Icecast? Without any XSLT
> > markup?
>
> Icecast only processes XSLT files as XSLT.
>
>
> > So if I added a listening port on 80 for this, then took it away,
> > since I don't use that for Icecast... Icecast is on its own server which
> > does not have Apache... web stuff for other things is on its own box. I
> > never have used the Icecast to serve up anything other than the default
> > admin etc. stuff it does by default...
>
> To avoid the need to run Icecast as privileged user in order to bind to
> low ports (if Comodo really insists on using port 80) you can use your
> firewall to do a local redirect.
>
>
> Hope this is of help to you,
>
> with best regards,
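
Added example, not part of the original posts and not Icecast's own code: a small check of the two points the thread turns on, namely that the file named in <ssl-certificate> is not inside <webroot> (which Icecast serves to clients) and that the combined PEM has the key before the certificate (chain). The function names, the sample strings and the "no access for other users" mode check are assumptions made for this illustration.

```python
import os
import posixpath
import re
import stat
import sys
import xml.etree.ElementTree as ET

BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----[ \t]*$", re.M)
# Constructed samples: the Debian 9 paths quoted in the post, and the webroot variant asked about.
DEBIAN = ("<icecast><paths><webroot>/usr/share/icecast2/web</webroot>"
          "<ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate></paths></icecast>")
IN_WEBROOT = DEBIAN.replace("icecast2/icecast.pem", "icecast2/web/icecast.pem")

def audit_paths(config_xml):
    """Return (cert_path, findings) for the <paths> section of an icecast.xml string."""
    paths = ET.fromstring(config_xml).find("paths")
    cert = paths.findtext("ssl-certificate") if paths is not None else None
    if not cert:
        return None, ["no <ssl-certificate> inside <paths>"]
    cert = posixpath.normpath(cert.strip())
    findings = []
    webroot = paths.findtext("webroot")
    if webroot:
        root = posixpath.normpath(webroot.strip()).rstrip("/") + "/"
        if cert.startswith(root):
            findings.append("key/cert file is under <webroot>, so Icecast would serve it")
    return cert, findings

def audit_pem(pem_text, mode=None):
    """Check block order (key first, then certificate chain) and, optionally, mode bits."""
    labels = BEGIN.findall(pem_text)
    keys = [i for i, name in enumerate(labels) if name.endswith("PRIVATE KEY")]
    certs = [i for i, name in enumerate(labels) if name == "CERTIFICATE"]
    findings = []
    if not keys:
        findings.append("no private key block")
    if not certs:
        findings.append("no certificate block")
    if keys and certs and keys[0] > certs[0]:
        findings.append("certificate comes before the key; expected key, then cert (chain)")
    if mode is not None and mode & 0o007:  # assumption: other users need no access
        findings.append("file is accessible to users other than owner and group")
    return findings

if __name__ == "__main__":  # usage: python3 this_file.py path/to/icecast.xml
    cert_path, found = audit_paths(open(sys.argv[1]).read())
    if cert_path and os.path.isfile(cert_path):
        found += audit_pem(open(cert_path).read(), stat.S_IMODE(os.stat(cert_path).st_mode))
    print("\n".join(found) or "no findings")
```

The Debian 9 paths quoted in the post produce no finding from audit_paths, while the /usr/share/icecast2/web/icecast.pem variant is flagged.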