[Icecast] SSL Setup
epirat07 at gmail.com
Fri Jul 21 17:07:12 UTC 2017
On 21 Jul 2017, at 18:41, José Luis Artuch wrote:
> Hello !
> On Mon, 10-07-2017 at 09:31 +0000, Philipp Schafft wrote:
>> Good morning,
>> On Mon, 2017-07-10 at 01:25 +0000, ScanCaster wrote:
>>> IceCast is one of the last services I have that doesn't connect
>>> and I am looking to close that hole....
>>> OK... add a port for SSL for IceCast in icecast.xml...path for cert
>>> in same.... no biggie
>> The <ssl-certificate> belongs in the <paths> section of the config
>> (I'm not sure what you mean with 'in same', just wanted to make it
>>> The key/cert needs to be in a dir and file with applicable
>>> for the IceCast user... no biggie..
>>> chown icecastusergroup:icecastusergroup certfile
>>> What I am looking to confirm is that the cert file needs to
>>> -----BEGIN RSA PRIVATE KEY-----
>>> -----END RSA PRIVATE KEY-----
>>> -----BEGIN CERTIFICATE-----
>>> -----END CERTIFICATE-----
>>> Where the Cert is the file/text Comodo sends me, and the key is the
>>> openssl spit out earlier,
>>> Combine them up in certfile, Correct? Special order?? KEY then
>>> Cert, or v-
>>> v? Line separating them?
>> The format is the OpenSSL format: key, blank line, cert (chain).
>> echo | cat key.pem - cert.pem > combo.pem
>>> kill -HUP pidOfIcecast
>> As of Icecast2 2.4.x you need to restart Icecast to reload the cert.
>> There is however a fix in 2.5.x (development) which is hopefully
>> released with the next development update.
>>> And good????
>>> One thing can the web server spit out just a text file that is used
>>> Comodo to verify ownership of the domain? The DNS method normally
>> Sure. Just put it into the webroot (<webroot> in <paths>). Icecast
>> handles files in webroot according to your operating system's mine-
> On Debian 9, in the configuration file it says:
> What should be the correct path of the icecast.pem file?
> Should it be /usr/share/icecast2/web/icecast.pem?
You certainly do not want to put your private key in your public webroot...
>>> ie: http://icecast.domain.invalid/somestringofletersnumbers.txt
>>> That they
>>> request if it's dumped in the webroot stuff of Icecast? Without any
>> Icecast only processes XSLT files as XSLT.
>>> So if I added a listening port on 80 for this, then took it away,
>>> since I don't use that for Icecast... Icecast is on its own server
>>> does not have Apache... web stuff for other things is on its own
>>> box. I
>>> never have used the Icecast to serve up anything other than the
>>> admin etc. stuff it does by default...
>> To avoid the need to run Icecast as privileged user in order to bind
>> low ports (if Comodo really insists on using port 80) you can use
>> firewall to do a local redirect.
>> Hope this is of help to you,
>> with best regards,
>> Icecast mailing list
>> Icecast at xiph.org
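The points made in this thread (one file holding key, blank line, then certificate; owned by the Icecast user; never placed in the public webroot) can be enforced when the file is built. The script below is an added example, not part of any message above and not Icecast project code; the function names and all paths passed to them are hypothetical.

```shell
#!/bin/sh
# Added example: build the combined PEM for <ssl-certificate> and refuse
# to write it anywhere under <webroot>. Function names are hypothetical.

# Print the physical (symlink-resolved) directory that would hold path $1.
abs_dir() {
    (cd "$(dirname "$1")" 2>/dev/null && pwd -P)
}

# Return 0 if file path $1 lies inside directory tree $2.
inside_dir() {
    target=$(abs_dir "$1") || return 1
    root=$(cd "$2" 2>/dev/null && pwd -P) || return 1
    case "$target/" in
        "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the private key block starts before the first certificate block.
pem_order_ok() {
    k=$(grep -n -- '-----BEGIN .*PRIVATE KEY-----' "$1" | head -n 1 | cut -d: -f1)
    c=$(grep -n -- '-----BEGIN CERTIFICATE-----' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$k" ] && [ -n "$c" ] && [ "$k" -lt "$c" ]
}

# build_combo_pem KEY CERT OUT WEBROOT
# Exit codes: 2 = input lacks expected PEM block, 3 = OUT is under WEBROOT,
#             4 = write failed.
build_combo_pem() {
    key=$1 cert=$2 out=$3 webroot=$4
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || return 2
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || return 2
    if inside_dir "$out" "$webroot"; then
        echo "refusing: $out is under webroot $webroot" >&2
        return 3
    fi
    # umask in a subshell so the file is mode 0600 from the moment it exists;
    # the cat pipeline is the one given in the thread (key, blank line, cert).
    ( umask 077 && rm -f "$out" && echo | cat "$key" - "$cert" > "$out" ) || return 4
    # Then, as root, give it to the Icecast account as in the thread:
    #   chown icecastusergroup:icecastusergroup "$out"
}
```

Point `<ssl-certificate>` in `<paths>` at the resulting file; on Icecast 2.4.x a restart is needed for it to be loaded, as noted in the thread.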