[Icecast] SSL Setup

Walter York walteryork at hotmail.com
Mon Jul 10 15:33:08 UTC 2017

I use Let's Encrypt for SSL with icecast.  Here is my rudimentary script on GitHub... It does NOT require Apache or nginx.


On Jul 10, 2017, at 9:39 AM, ScanCaster <scancaster at scancaster.net> wrote:

On Mon, 10 Jul 2017 09:31:06 +0000, Philipp Schafft wrote:

 Good morning,
 The <ssl-certificate> belongs in the <paths> section of the config file.
 (I'm not sure what you mean with 'in same', just wanted to make it

"in same" = in same file, icecast.xml

 The format is the OpenSSL format: key, blank line, cert (chain).
 echo | cat key.pem - cert.pem > combo.pem

That's what I needed to verify...

 kill -HUP pidOfIcecast

 As of Icecast2 2.4.x you need to restart Icecast to reload the cert.
 There is however a fix in 2.5.x (development) which is hopefully
 released with the next development update.

Unfortunately, for our setup, a change for "security" reasons affects our
operations, in that metadata is not accepted from an IP which is not the
source's IP. We have server wide metadata that is written to our sources
at times. So we have to stick to a version prior to this, 2.4.2 or so or
all our scripts break. If there is an option to allow an override of
this, we would look to update, but if not, the server wide metadata is
more important.

 Sure. Just put it into the webroot (<webroot> in <paths>). Icecast
 handles files in webroot according to your operating system's mime-type

Yeah, I dumped an old test file in there from an old domain, and tried
it, worked, fine... a little redir 80 to 8000 and that will suffice.

 Icecast only processes XSLT files as XSLT.

Just like to verify, since I never touched anything in that server.

 To avoid the need to run Icecast as a privileged user in order to bind to
 low ports (if Comodo really insists on using port 80) you can use your
 firewall to do a local redirect.

We can do a redir via some software, but yes, Comodo insists that it is
either on 80 or 443 if you do their web based verification. The DNS one
on 53, I've never ever got to work. I personally think they are too quick
to look and then give up on looking at the DNS server for their TXT
record and/or don't pull it direct from the DNS server with authority
which would show the change immediately. Don't know, except that it's been
100% failure when trying to use it.
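
An added example, not part of the thread or of Icecast: a shell sketch that builds the combined file in the layout described above (key, blank line, cert chain) and checks it before `<ssl-certificate>` is pointed at it. The function names, the placeholder PEM bodies and the owner-only permission policy are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the thread): build and sanity-check the combined PEM.

# build_combo KEY CERT OUT -> key, blank line, cert (chain); created owner-only
build_combo() {
    ( umask 077 && rm -f "$3" && { cat "$1" && echo && cat "$2"; } > "$3" )
}

# check_combo FILE -> prints a verdict; returns 0 only if the layout is as described
check_combo() {
    f=$1
    [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
    # Labels of the PEM blocks, in file order
    labels=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$f")
    nkeys=$(printf '%s\n' "$labels" | grep -c 'PRIVATE KEY$' || true)
    ncerts=$(printf '%s\n' "$labels" | grep -c '^CERTIFICATE$' || true)
    nends=$(grep -c '^-----END .*-----$' "$f" || true)
    case $(printf '%s\n' "$labels" | sed -n 1p) in
        *"PRIVATE KEY") ;;
        *) echo "FAIL: first block is not the private key"; return 1 ;;
    esac
    [ "$nkeys" -eq 1 ] || { echo "FAIL: expected one private key, found $nkeys"; return 1; }
    [ "$ncerts" -ge 1 ] || { echo "FAIL: no certificate after the key"; return 1; }
    [ "$nends" -eq $((nkeys + ncerts)) ] ||
        { echo "FAIL: unbalanced or unexpected PEM block"; return 1; }
    # Assumption: the file is owned by the account Icecast runs as, so
    # group/other need no access to a file that contains the private key.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        { echo "FAIL: group/other can access the key"; return 1; }
    echo "OK: 1 key, $ncerts certificate(s)"
}

# make_sample DIR -> constructed placeholder PEM files (not real key material)
make_sample() {
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END PRIVATE KEY-----' > "$1/key.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$1/cert.pem"
}
```

The check is structural only: it does not confirm that the key belongs to the certificate or that the chain is complete.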


