[Icecast] icecast ssl and letsencrypt renewal

David Mehler dave.mehler at gmail.com
Sat Sep 15 22:05:04 UTC 2018


Hello Paul,

Thank you very much. That did it. I don't use certbot, but rather
acme.sh, so I adapted your instructions and it's working great! One
thing: do I have to have an unencrypted socket on 8000 and an encrypted
socket on 443?

Are there other security options I can implement?

Thanks.
Dave.


On 9/15/18, _zer0_ gravity <zer0___ at hotmail.com> wrote:
> Install letsencrypt and request a certificate specifying the webroot of your
> Icecast server and the host.domain:
>
> certbot-auto certonly --webroot --webroot-path /usr/share/icecast2/web/ \
>     -d icecast.domain.name
>
> Now you should have a certificate for your server, it's only in the wrong
> format for Icecast, copy the key and the certificate to 1 file with the
> following cmd:
>
> cat /etc/letsencrypt/live/icecast.domain.name/privkey.pem \
>     /etc/letsencrypt/live/icecast.domain.name/cert.pem > \
>     /etc/icecast2/cert+key.pem
>
> Enable ssl on one of your Icecast sockets in Icecast.xml:
>
>     <listen-socket>
>         <port>443</port>
>         <bind-address>x.x.x.x</bind-address>
>         <ssl>1</ssl>
>     </listen-socket>
>
> And specify the location of your certificate in the <paths> section:
>
>         <ssl-certificate>/etc/icecast2/cert+key.pem</ssl-certificate>
>
> After restarting you should have a working Icecast with letsencrypt ssl
> certificate.
>
> I have a cronjob running daily calling a script to automatically renew the
> certificate and restart Icecast if needed:
>
> #!/bin/bash
> certbot-auto renew --post-hook "cat \
> /etc/letsencrypt/live/icecast.domain.name/privkey.pem \
> /etc/letsencrypt/live/icecast.domain.name/cert.pem > \
> /etc/icecast2/cert+key.pem && /etc/init.d/icecast2 restart"
>
> Hope this helps.
>
> Paul
>
>
> -----Original Message-----
> From: Icecast [mailto:icecast-bounces at xiph.org] On Behalf Of David Mehler
> Sent: vrijdag 7 september 2018 00:21
> To: Icecast streaming server user discussions
> Subject: Re: [Icecast] icecast ssl and letsencrypt renewal
>
> Hello,
>
> How did you get icecast and letsencrypt certificates working?
>
> Thanks.
> Dave.
>
>
> On 9/6/18, _zer0_ gravity <zer0___ at hotmail.com> wrote:
>> That’s what I have been looking for, thanks !
>>
>> From: Icecast [mailto:icecast-bounces at xiph.org] On Behalf Of Tycho Eggen
>> Sent: donderdag 6 september 2018 22:21
>> To: Icecast streaming server user discussions
>> Subject: Re: [Icecast] icecast ssl and letsencrypt renewal
>>
>> You can add a posthook to your certbot cronjob:
>>
>> certbot renew --post-hook "/etc/init.d/icecast restart"
>>
>> Or however you restart icecast
>>
>> On Thu, Sep 6, 2018 at 13:05 _zer0_ gravity <zer0___ at hotmail.com> wrote:
>> Hi all,
>>
>> I have set up icecast to work with a letsencrypt ssl certificate, this
>> works fine.
>> But now I am struggling a bit on how to renew the certificate every 3
>> months.
>> As per letsencrypt recommendation I run a cronjob to check for renewal
>> every day; the problem is that when there is a new certificate Icecast
>> needs to be restarted to pick it up, as the certificate only seems to be
>> loaded at startup of icecast.
>> I am thinking of checking if the content of the cert.pem file has been
>> altered or maybe checking the file date to see if it is not older than 1
>> day or something like that.
>>
>> Regards and tia,
>>
>> Paul
>> _______________________________________________
>> Icecast mailing list
>> Icecast at xiph.org
>> http://lists.xiph.org/mailman/listinfo/icecast
>>
>
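
The renewal hook discussed in this thread, as an added example that is not part of any poster's message: it builds the combined key+certificate file without leaving the private key world-readable, replaces it atomically, and signals a restart only when the content actually changed (the check Paul first had in mind). The function name `deploy_icecast_pem`, the `run` argument and the optional owner parameter are hypothetical; the paths are the ones quoted in the thread.

```bash
#!/bin/bash
# Added example, not from the thread. deploy_icecast_pem is a hypothetical helper.
# Usage: deploy_icecast_pem <privkey.pem> <cert.pem> <combined.pem> [owner[:group]]
# Returns 0 = combined file written (restart needed), 1 = already current, 2 = error.
deploy_icecast_pem() {
    local key="$1" cert="$2" out="$3" owner="${4:-}" tmp
    [ -r "$key" ] && [ -r "$cert" ] || return 2
    # Refuse inputs that are not a PEM private key and a PEM certificate.
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || return 2
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || return 2
    # mktemp creates the file with mode 0600, in the target directory so that
    # the final mv is an atomic rename and Icecast never sees a half-written file.
    tmp=$(mktemp "${out}.XXXXXX") || return 2
    if ! cat "$key" "$cert" > "$tmp"; then rm -f "$tmp"; return 2; fi
    # Assumption: if Icecast runs as an unprivileged user, pass it as the owner.
    if [ -n "$owner" ] && ! chown "$owner" "$tmp"; then rm -f "$tmp"; return 2; fi
    if [ -f "$out" ] && cmp -s "$tmp" "$out"; then
        rm -f "$tmp"
        chmod go-rwx "$out"   # tighten a file left behind by a plain "cat >"
        return 1              # nothing changed: no restart, no stream drop
    fi
    mv -f "$tmp" "$out" || { rm -f "$tmp"; return 2; }
    return 0
}

# Hook entry point: call the script with the (hypothetical) argument "run".
if [ "${1:-}" = "run" ]; then
    live=/etc/letsencrypt/live/icecast.domain.name    # path from the thread
    rc=0
    deploy_icecast_pem "$live/privkey.pem" "$live/cert.pem" \
        /etc/icecast2/cert+key.pem || rc=$?
    case "$rc" in
        0) /etc/init.d/icecast2 restart ;;
        1) : ;;
        *) echo "cert+key.pem not updated" >&2; exit 1 ;;
    esac
fi
```

Saved as a script, this can be given to the renewal tool's post-hook in place of the inline `cat ... && restart` command.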


