[Icecast] SSL Setup
phschafft at de.loewenfelsen.net
Mon Jul 10 09:31:06 UTC 2017
On Mon, 2017-07-10 at 01:25 +0000, ScanCaster wrote:
> IceCast is one of the last services I have that doesn't connect securely,
> and I am looking to close that hole....
> OK... add a port for SSL for IceCast in icecast.xml...path for cert file
> in same.... no biggie
The <ssl-certificate> belongs in the <paths> section of the config file.
(I'm not sure what you mean with 'in same', just wanted to make it
> The key/cert needs to be in a dir and file with applicable permissions
> for the IceCast user... no biggie..
> chown icecastusergroup:icecastusergroup certfile
> What I am looking to confirm is that the cert file needs to contain:
> -----BEGIN RSA PRIVATE KEY-----
> -----END RSA PRIVATE KEY-----
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
> Where the Cert is the file/text Comodo sends me, and the key is the one
> openssl spit out earlier,
> Combine them up in certfile, Correct? Special order?? KEY then Cert, or v-
> v? Line separating them?
The format is the OpenSSL format: key, blank line, cert (chain).
echo | cat key.pem - cert.pem > combo.pem
> kill -HUP pidOfIcecast
As of Icecast2 2.4.x you need to restart Icecast to reload the cert.
There is however a fix in 2.5.x (development) which is hopefully
released with the next development update.
> And good????
> One thing can the web server spit out just a text file that is used by
> Comodo to verify ownership of the domain? The DNS method normally
Sure. Just put it into the webroot (<webroot> in <paths>). Icecast
handles files in webroot according to your operating system's mime-type
> ie: http://icecast.domain.invalid/somestringofletersnumbers.txt That they
> request if it's dumped in the webroot stuff of Icecast? Without any XSLT
Icecast only processes XSLT files as XSLT.
> So if I added a listening port on 80 for this, then took it away,
> since I don't use that for Icecast... Icecast is on its own server which
> does not have Apache... web stuff for other things is on its own box. I
> never have used the Icecast to serve up anything other than the default
> admin etc. stuff it does by default...
To avoid the need to run Icecast as a privileged user in order to bind to
low ports (if Comodo really insists on using port 80) you can use your
firewall to do a local redirect.
Hope this is of help to you,
with best regards,
Philipp Schafft (CEO/Geschäftsführer)
Telephon: +49.3535 490 17 92
Löwenfelsen UG (haftungsbeschränkt) Registration number:
Bickinger Straße 21 HRB 12308 CB
04916 Herzberg (Elster) VATIN/USt-ID:
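
An added example, not part of the original message: a shell sketch that builds the combined file in the order described in the reply (key, blank line, cert chain) with owner-only permissions, then checks block order and file mode before Icecast is restarted. The function names build_combo and check_combo are hypothetical, and the check is structural only; it does not verify that the key belongs to the certificate.

```shell
#!/bin/sh
# build_combo KEY CERT OUT
# Writes key, blank line, cert (chain) to OUT, created owner-only.
# Run it as the Icecast user, or chown OUT to that user afterwards.
build_combo() {
    key=$1; cert=$2; out=$3; tmp="$out.tmp"
    (
        umask 077                      # new file is created as 0600
        rm -f "$tmp"
        echo | cat "$key" - "$cert" > "$tmp"
    ) || return 1
    chmod 600 "$tmp" && mv "$tmp" "$out"
}

# check_combo FILE
# Succeeds only if FILE holds exactly one private key block first,
# then one or more certificate blocks, every block properly closed,
# and the file has no group/other permission bits set.
check_combo() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    awk '
        /^-----BEGIN .*PRIVATE KEY-----$/ { if (cur || certs) bad = 1; keys++; cur = "key"; next }
        /^-----END .*PRIVATE KEY-----$/   { if (cur != "key") bad = 1; cur = ""; next }
        /^-----BEGIN CERTIFICATE-----$/   { if (cur || !keys) bad = 1; certs++; cur = "cert"; next }
        /^-----END CERTIFICATE-----$/     { if (cur != "cert") bad = 1; cur = ""; next }
        END { exit !(keys == 1 && certs >= 1 && !bad && cur == "") }
    ' "$f" || { echo "$f: expected key first, then cert (chain)" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -lLd "$f" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "$f: readable beyond owner" >&2; return 1; }
}

# Usage: sh thisfile key.pem cert.pem combo.pem
if [ "$#" -eq 3 ]; then
    build_combo "$1" "$2" "$3" && check_combo "$3"
fi
```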