[Icecast] self-signed ssl certificate, icecast2, and no ssl capability
David Mehler
dave.mehler at gmail.com
Fri Sep 28 18:06:02 UTC 2018
Hello,
I'm trying to get ssl going via a self-signed certificate on my
Icecast server. It's running raspbian stretch on a Raspberry Pi so the
latest version from packages.
I tried to connect to the web site via https specifically:
https://hostname:8000
thinking it would go ssl. It didn't; I got a "could not connect" error
message, site might use unsafe or outdated tls security protocols,
that's from memory.
I set icecast2 logging to 4 (debug) prior to this and looked at my error
file. Grepping for the term ssl, I got this:
#grep ssl /var/log/icecast2/error.log
[2018-09-28 13:43:48] INFO connection/get_ssl_certificate No SSL capability
The relevant portions of my icecast.xml file:
#cat icecast.xml
...
<listen-socket>
    <port>8000</port>
    <bind-address>xxx.xxx.xxx.xxx</bind-address>
    <shoutcast-mount>/stream</shoutcast-mount>
    <ssl>1</ssl>
</listen-socket>
...
paths section:
<!-- The certificate file needs to contain both public and private part.
Both should be PEM encoded.
-->
<ssl-certificate>/etc/icecast2/icecast.pem</ssl-certificate>
<ssl-allowed-ciphers>ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS</ssl-allowed-ciphers>
<security>
    <chroot>0</chroot>
    <changeowner>
        <user>icecast2</user>
        <group>icecast</group>
    </changeowner>
</security>
I then checked the permissions on my self-signed certificate:
#ls -l icecast.pem
-rw-r----- 1 icecast2 icecast 5455 Sep 27 13:17 icecast.pem
and taking out the gibberish of my certificate:
#cat icecast.pem
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
To create this self-signed certificate I did:
cd /etc/icecast2
openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -keyout icecast.pem -out icecast.pem
chown icecast2:icecast icecast.pem
chmod 0640 icecast.pem
Suggestions as to where I went wrong appreciated.
Thanks.
Dave.
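
Added example, not part of the original message and not Icecast project code: a small Python check of the configuration and certificate-file side of the setup described above (a listen-socket with <ssl>1</ssl>, an <ssl-certificate> entry under <paths>, a PEM file holding both key and certificate, and restrictive file permissions). The function names and sample inputs are constructed for illustration, and the <paths> wrapper is assumed from the post's "paths section" remark. It does not test whether the installed icecast2 binary has TLS support.

```python
import re
import stat
import xml.etree.ElementTree as ET

# Matches one PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*([A-Za-z0-9+/=\s]*?)-----END \1-----")

def check_config(xml_text):
    """Return a list of problems in the TLS-related parts of icecast.xml."""
    root = ET.fromstring(xml_text)
    problems = []
    tls_sockets = [s for s in root.iter("listen-socket")
                   if (s.findtext("ssl") or "").strip() == "1"]
    if not tls_sockets:
        problems.append("no <listen-socket> has <ssl>1</ssl>")
    if not (root.findtext("paths/ssl-certificate") or "").strip():
        problems.append("<paths> has no <ssl-certificate>")
    return problems

def check_pem(pem_text, mode):
    """Return a list of problems with a combined key+certificate PEM file.

    mode is the file's permission bits, e.g. os.stat(path).st_mode.
    """
    blocks = {label: body.strip() for label, body in PEM_BLOCK.findall(pem_text)}
    problems = []
    if not any(l.endswith("PRIVATE KEY") and b for l, b in blocks.items()):
        problems.append("no non-empty PRIVATE KEY block")
    if not blocks.get("CERTIFICATE"):
        problems.append("no non-empty CERTIFICATE block")
    if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IWGRP):
        problems.append("key file is world-accessible or group-writable")
    return problems

# Constructed sample inputs (placeholder base64 bodies, not real key material).
SAMPLE_XML = """<icecast>
  <listen-socket><port>8000</port><ssl>1</ssl></listen-socket>
  <paths><ssl-certificate>/etc/icecast2/icecast.pem</ssl-certificate></paths>
</icecast>"""
SAMPLE_PEM = ("-----BEGIN PRIVATE KEY-----\nQUJD\n-----END PRIVATE KEY-----\n"
              "-----BEGIN CERTIFICATE-----\nREVG\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(check_config(SAMPLE_XML) + check_pem(SAMPLE_PEM, 0o640))
```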