[Icecast] Icecast streaming https

Chip chiapas at aktivix.org
Fri Feb 7 17:15:58 UTC 2020


Hi

These instructions are very useful, as previously shared:

   - https://serverok.in/centovacast-enable-ssl-on-icecast

However, I think this step caused me problems using Let's Encrypt (LE) and
the icecast.pem file might have been in error:

Paste your SSL in following order
1) Your private key
2) Your SSL cert
3) CA Bundle

I don't think LE creates a 'CA Bundle'. Following some other instructions I
was making the *.pem file like this:

cat cert.pem privkey.pem > icecast.pem   *<= this is not a good method*

Test your stream using this:

curl -v https://example.com:8001/mountpoint

If curl is not happy with your SSL cert it will throw an error like this:

[chip at machine ~]$  curl -v https://example.com:8001/mountpoint

    About to connect() to example.com port 8001 (#0)

    Trying 192.168.1.50… connected

    Connected to example.com (192.168.1.50) port 8001 (#0)

    Initializing NSS with certpath: sql:/etc/pki/nssdb

    CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none

    Peer’s certificate issuer is not recognized: ‘CN=Let’s Encrypt Authority X3,O=Let’s Encrypt,C=US’

    NSS error -8179

    Closing connection #0

    Peer certificate cannot be authenticated with known CA certificates
    curl: (60) Peer certificate cannot be authenticated with known CA certificates
    More details here: http://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default bundle
file isn't adequate, you can specify an alternate file using the --cacert
option. If this HTTPS server uses a certificate signed by a CA represented
in the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might not
match the domain name in the URL). If you'd like to turn off curl's
verification of the certificate, use the -k (or --insecure) option.

If you are using LE then this, IMHO, is a *better way* to make the
icecast.pem file:

cat privkey.pem fullchain.pem > icecast.pem

The above creates a more 'correct' SSL cert which, for example, Alexa
devices are able to stream.

And you can check your SSL stream here:

   - https://check-your-website.server-daten.de/?q=

Thanks

Chip Scooter

On Thu, 6 Feb 2020 at 07:58, H. van de Ridder <hvdridder at solcon.nl> wrote:

> Thanks a lot.
> This manual solves my problem.
>
> Kind regards,
> Henk
>
> ----- Original Message ----
> From: Chip <chiapas at aktivix.org>
> To: Icecast streaming server user discussions <icecast at xiph.org>
> Sent: Wed, 05 Feb 2020 23:57
> Subject: Re: [Icecast] Icecast streaming https
>
> Of course...
>
> Best print it to PDF in case it ever disappears!
>
> All the best
>
> Chip Scooter
>
> On Wed, 5 Feb 2020 at 22:07, Richard Elen <relen at brideswell.com> wrote:
>
>> That's a useful site! Thanks for that!
>>
>> R
>> On 05-Feb-20 18:52, Chip wrote:
>>
>> Here you go:
>>
>>    - https://serverok.in/centovacast-enable-ssl-on-icecast
>>
>> No problem, you're welcome!
>>
>> Chip Scooter
>>
>
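
A shell helper for the approach in the message above, as an added example that is not part of the original post: it builds icecast.pem from privkey.pem and fullchain.pem and rejects a file with no intermediate certificate, which is what `cat cert.pem privkey.pem` produces. The function names are made up for this example, and the file names assume certbot's usual output.

```shell
#!/bin/sh
# Added example, not from the original post. File names follow certbot's
# layout (privkey.pem, cert.pem, fullchain.pem), as used in the message above.

# pem_summary FILE: print "keys=N certs=M" by counting PEM BEGIN markers.
pem_summary() {
    k=$(grep -cE '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1" || true)
    c=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    echo "keys=${k:-0} certs=${c:-0}"
}

# check_icecast_pem FILE: succeed only if FILE holds exactly one private key
# and at least two certificates (the leaf plus one or more intermediates).
# Returns 1 for a missing chain, 2 for an unreadable file, 3 for a bad key count.
check_icecast_pem() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    s=$(pem_summary "$1")
    k=${s#keys=}; k=${k%% *}
    c=${s##*certs=}
    if [ "$k" -ne 1 ]; then
        echo "$1: expected 1 private key, found $k" >&2
        return 3
    fi
    if [ "$c" -lt 2 ]; then
        echo "$1: $c certificate(s), no intermediate in the file" >&2
        return 1
    fi
    return 0
}

# build_icecast_pem LIVE_DIR OUT: key first, then the full chain, written so
# that only the owner can read it (the file contains the private key).
build_icecast_pem() {
    ( umask 077 &&
      cat "$1/privkey.pem" "$1/fullchain.pem" > "$2" &&
      chmod 600 "$2" ) || return 1
    check_icecast_pem "$2"
}

# Script use: sh this-file LIVE_DIR OUT
if [ "$#" -eq 2 ]; then
    build_icecast_pem "$1" "$2"
fi
```

Run it as the account that should own icecast.pem; the user Icecast runs as needs read access to that file. After building, the `curl -v` test from the message should complete without the "issuer is not recognized" error.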