[Icecast] Help to enable SSL

Thomas B. Rücker thomas at ruecker.fi
Sun Aug 12 06:55:00 UTC 2018


On 08/12/2018 02:04 AM, subscription at nextdial.com.br wrote:
> Hello,
> On a test VPS running Ubuntu 16.04 LTS I did this:
>  1. sudo apt-get update
>  2. sudo add-apt-repository ppa:certbot/certbot
>  3. sudo apt-get install certbot

You'll need an additional step at this point, see below.

>  1. sudo apt-get install icecast2
>  2. sudo certbot certonly --standalone -d domain.com
>  3. cat cert.pem privkey.pem | sudo tee /etc/icecast2/icecast.pem
>  4. sudo vi /etc/icecast2/icecast.xml
>  5. <listen-socket>
>         <port>8443</port>
>         <ssl>1</ssl>
>     </listen-socket>
>     <ssl-certificate>/etc/icecast2/icecast.pem</ssl-certificate>
>  6. sudo chown icecast2:icecast /etc/icecast2/icecast.pem
>  7. sudo /etc/init.d/icecast2 restart
> After that, I have this in the log:
> [2018-08-12  01:47:07] INFO stats/_stats_thread stats thread started
> [2018-08-12  01:47:07] INFO main/main Icecast 2.4.2 server started
> [2018-08-12  01:47:07] INFO connection/get_ssl_certificate No SSL capability
> [2018-08-12  01:47:07] INFO yp/yp_update_thread YP update thread started

This is because Debian (and Ubuntu, as they recycle the same packaging)
refuse to compile Icecast (and other software) with OpenSSL support for
political reasons.

> What am I doing wrong?

You didn't do anything wrong as such. You just didn't know that there
are additional steps if you need TLS support.
The official Xiph.org packages are built with OpenSSL support:

$ curl
$ gpg /tmp/multimedia-obs.key

It should yield:
pub rsa2048 2017-11-21 [SC] [expires: 2020-01-30]
uid multimedia OBS Project

$ sudo apt-key add /tmp/multimedia-obs.key
$ sudo sh -c "echo deb
./ >>/etc/apt/sources.list.d/icecast.list"
$ sudo apt-get update
$ sudo apt-get install icecast2

Make sure it downloads the package from an OBS address and not from
ubuntu.com or a mirror. (Newer versions like 18.04 require an explicit
version or other tricks at the moment: sudo apt-get install
icecast2/2.4.2-2 )

At this point your server should already be running the Xiph.org build
of Icecast and port 8443 should answer to HTTPS.

If you would prefer to listen to the standard port of 443, please follow
these additional directions:
Under no circumstances should you try to reverse proxy Icecast 2.4.x -
while one can make it mostly work, it is far from trivial to set things
up in a way that will avoid most of the corner cases. Most famously,
taking down your webserver.
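
A way to check the three things this thread turns on, as an added example that is not part of the original mail or of Icecast: whether the last start logged "No SSL capability", whether the combined PEM holds both a certificate and a key, and whether that key file is world-readable. The function names and all sample data are constructed; the log check assumes the message order shown in the quoted log.

```shell
#!/bin/sh
# Added example; function names and all sample data are constructed.

# Status of the most recent start recorded in an Icecast error log:
#   no-ssl-capability  the build reported "No SSL capability" (as in the thread)
#   not-reported       a start was logged without that message
#   no-start-seen      the log holds no "server started" line
icecast_tls_log_status() {
    awk '
        /INFO main\/main Icecast .* server started/ { state = "not-reported" }
        /connection\/get_ssl_certificate No SSL capability/ { state = "no-ssl-capability" }
        END { print (state == "" ? "no-start-seen" : state) }
    ' "$1"
}

# The file named in <ssl-certificate> is cert.pem followed by privkey.pem;
# succeed only if it holds a certificate block and a private key block.
pem_has_cert_and_key() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1"
}

# Succeed if "other" can read the file. A file created through `sudo tee`
# under umask 022 is mode 0644, so the private key is readable by every user.
pem_world_readable() {
    [ -n "$(find "$1" -perm -004)" ]
}

# Demo on constructed data: log lines modelled on the thread, dummy PEM markers.
demo() {
    d=$(mktemp -d) || return 1
    cat >"$d/error.log" <<'EOF'
[2018-08-12  01:47:07] INFO main/main Icecast 2.4.2 server started
[2018-08-12  01:47:07] INFO connection/get_ssl_certificate No SSL capability
EOF
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
        '-----END CERTIFICATE-----' '-----BEGIN PRIVATE KEY-----' \
        'constructed' '-----END PRIVATE KEY-----' >"$d/icecast.pem"
    chmod 644 "$d/icecast.pem"
    echo "log: $(icecast_tls_log_status "$d/error.log")"
    pem_has_cert_and_key "$d/icecast.pem" && echo "pem: certificate and key present"
    pem_world_readable "$d/icecast.pem" && echo "pem: world-readable, restrict the mode"
    rm -rf "$d"
}
demo
```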


