[Icecast] SSL Setup

Marvin Scholz epirat07 at gmail.com
Fri Jul 21 17:07:12 UTC 2017



On 21 Jul 2017, at 18:41, José Luis Artuch wrote:

> Hello !
>
> El lun, 10-07-2017 a las 09:31 +0000, Philipp Schafft escribió:
>> Good morning,
>>
>>
>> On Mon, 2017-07-10 at 01:25 +0000, ScanCaster wrote:
>>> IceCast is one of the last services I have that doesn't connect
>>> securely, 
>>> and I am looking to close that hole....
>>> [...]
>>> OK... add a port for SSL for IceCast in icecast.xml...path for cert
>>> file 
>>> in same.... no biggie
>>
>> The <ssl-certificate> belongs in the <paths> section of the config
>> file.
>> (I'm not sure what you mean with 'in same', just wanted to make it
>> clear.)
>>
>>
>>> The key/cert needs to be in a dir and file with applicable
>>> permissions 
>>> for the IceCast user... no biggie..
>>>
>>> chown icecastusergroup:icecastusergroup  certfile
>>
>>
>>> What I am looking to confirm is that the cert file needs to
>>> contain:
>>>
>>> -----BEGIN RSA PRIVATE KEY-----
>>> MII
>>> -----END RSA PRIVATE KEY-----
>>>
>>> -----BEGIN CERTIFICATE-----
>>> MI
>>> -----END CERTIFICATE----- 
>>>
>>> Where the Cert is the file/text Comodo sends me, and the key is the
>>> one 
>>> openssl spit out earlier, 
>>>
>>> Combine them up in certfile, Correct? Special order?? KEY then
>>> Cert, or v-
>>> v? Line separating them?
>>
>> The format is the OpenSSL format: key, blank line, cert (chain).
>> echo | cat key.pem - cert.pem > combo.pem
>>
>>
>>> kill -HUP pidOfIcecast
>>
>> As of Icecast2 2.4.x you need to restart Icecast to reload the cert.
>> There is however a fix in 2.5.x (development) which is hopefully
>> released with the next development update.
>>
>>
>>> And good????
>>>
>>> One thing can the web server spit out just a text file that is used
>>> by 
>>> Comodo to verify ownership of the domain? The DNS method normally 
>>> fails....
>>
>> Sure. Just put it into the webroot (<webroot> in <paths>). Icecast
>> handles files in webroot according to your operating system's mine-
>> type
>> table.
>>
> On Debian 9, in the configuration file it says:
>
> <webroot>/usr/share/icecast2/web</webroot>
> <ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate>
>
> What should be the correct path of the icecast.pem file ?.
> Should it be /usr/share/icecast2/web/icecast.pem ?.

You certainly do not want to put your private key in your public webroot...

>
> Thanks.
>>
>>> ie: http://icecast.domain.invalid/somestringofletersnumbers.txt
>>> That they 
>>> request if its dumped in the webroot stuff of Icecast? With out any
>>> XSLT 
>>> markup?
>>
>> Icecast only processes XSLT files as XSLT.
>>
>>
>>> So if I added a listening port on 80 for this, then took it away, 
>>> since I don't use that for Icecast... Icecast is on its own server
>>> which 
>>> does not have Apache... web stuff for other things is on its own
>>> box. I 
>>> never have used the Icecast to server up anything other than the
>>> default 
>>> admin etc. stuff it does by default...
>>
>> To avoid the need to run Icecast as privileged user in oder to bind
>> to
>> low ports (if Comodo really insists in using port 80) you can use
>> your
>> firewall to do a local redirect.
>>
>>
>> Hope this is of help to you,
>>
>> with best regards,
>>
>>
>> _______________________________________________
>> Icecast mailing list
>> Icecast at xiph.org
>> http://lists.xiph.org/mailman/listinfo/icecast
> _______________________________________________
> Icecast mailing list
> Icecast at xiph.org
> http://lists.xiph.org/mailman/listinfo/icecast


More information about the Icecast mailing list