[Icecast] Help to enable SSL
Thomas B. Rücker
thomas at ruecker.fi
Sun Aug 12 06:55:00 UTC 2018
Hi,
On 08/12/2018 02:04 AM, subscription at nextdial.com.br wrote:
> Hello,
>
> At a test VPS running Ubuntu 16.04 LTS I did this:
>
> 1. sudo apt-get update
> 2. sudo add-apt-repository ppa:certbot/certbot
> 3. sudo apt-get install certbot
>
You'll need an additional step at this point, see below.
> 1. sudo apt-get install icecast2
> 2. sudo certbot certonly --standalone -d domain.com
> 3. cat cert.pem privkey.pem | sudo tee /etc/icecast2/icecast.pem
> 4. sudo vi /etc/icecast2/icecast.xml
> 5. <listen-socket>
> <port>8443</port>
> <ssl>1</ssl>
> </listen-socket>
> <ssl-certificate>/etc/icecast2/icecast.pem</ssl-certificate>
> 6. sudo chown icecast2:icecast /etc/icecast2/icecast.pem
> 7. sudo /etc/init.d/icecast2 restart
>
>
> After that, I have this at the log:
>
> [2018-08-12 01:47:07] INFO stats/_stats_thread stats thread started
> [2018-08-12 01:47:07] INFO main/main Icecast 2.4.2 server started
> [2018-08-12 01:47:07] INFO connection/get_ssl_certificate No SSL
> capability
> [2018-08-12 01:47:07] INFO yp/yp_update_thread YP update thread started
>
This is because Debian (and Ubuntu, as they recycle the same packaging)
refuse to compile Icecast (and other software) with openSSL support for
political reasons.
> What I am doing wrong
>
You didn't do anything wrong as such. You just didn't know that there
are additional steps if you need TLS support.
The official Xiph.org packages are built with openSSL support:
https://wiki.xiph.org/Icecast_Server/Installing_latest_version_(official_Xiph_repositories)
$ curl
https://download.opensuse.org/repositories/multimedia:/xiph/xUbuntu_16.04/Release.key
>/tmp/multimedia-obs.key
$ gpg /tmp/multimedia-obs.key
It should yield:
pub rsa2048 2017-11-21 [SC] [expires: 2020-01-30]
0E313DB7936B4E76E720065B77EC2301F23C6AA3
uid multimedia OBS Project
$ sudo apt-key add /tmp/multimedia-obs.key
$ sudo sh -c "echo deb
http://download.opensuse.org/repositories/multimedia:/xiph/xUbuntu_16.04/
./ >>/etc/apt/sources.list.d/icecast.list"
$ sudo apt-get update
$ sudo apt-get install icecast2
Make sure it downloads the package from an OBS address and not from an
ubuntu.com or mirror. (Newer versions like 18.04 require an explicit
version or other tricks at the moment: sudo apt-get install
icecast2/2.4.2-2 )
At this point your server should already be running the Xiph.org build
of Icecast and port 8443 should answer to HTTPS.
If you would prefer to listen to the standard port of 443, please follow
these additional directions:
http://lists.xiph.org/pipermail/icecast/2015-February/013198.html
Under no circumstances you should try to reverse proxy Icecast 2.4.x -
while one can make it mostly work, it is far from trivial to set things
up in a way that will avoid most of the corner cases. Most famously,
taking down your webserver.
Cheers,
Thomas
More information about the Icecast
mailing list