[Icecast] Icecast streaming https
Chip
chiapas at aktivix.org
Fri Feb 7 17:15:58 UTC 2020
Hi
These instructions are very useful, as previously shared:
- https://serverok.in/centovacast-enable-ssl-on-icecast
However, I think this step caused me problems using Letsencrypt (LE) and
the icecast.pem file might have been in error:
Paste your SSL in following order
1) Your private key
2) Your SSL cert
3) CA Bundle
I don't think LE creates a 'CA Bundle'. Following some other instructions I
was making the *.pem file like this:
cat cert.pem privkey.pem > icecast.pem *<= this is not a good method*
Test your stream using this:
curl -v https://example.com:8001/mountpoint
If curl is not happy with your SSL cert it will throw an error like this:
[chip at machine ~]$ curl -v https://example.com:8001/mountpoint
About to connect() to example.com port 8001 (#0)
Trying 192.168.1.50… connected
Connected to example.com (192.168.1.50) port 8001 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
Peer’s certificate issuer is not recognized: ‘CN=Let’s Encrypt
Authority X3,O=Let’s Encrypt,C=US’
NSS error -8179
Closing connection #0
Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA
certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default bundle
file isn't adequate, you can specify an alternate file using the --cacert
option. If this HTTPS server uses a certificate signed by a CA represented
in the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might not
match the domain name in the URL). If you'd like to turn off curl's
verification of the certificate, use the -k (or --insecure) option.
If you are using LE then this, IMHO, is a *better way* to make the
icecast.pem file:
cat privkey.pem fullchain.pem > icecast.pem
The above creates a more 'correct' SSL cert which, for example, Alexa
devices are able to stream.
And you can check your SSL stream here:
- https://check-your-website.server-daten.de/?q=
Thanks
Chip Scooter
On Thu, 6 Feb 2020 at 07:58, H. van de Ridder <hvdridder at solcon.nl> wrote:
> Thanks a lot.
> This manual solves my problem.
>
> Kind regards,
> Henk
> ------------------------------
>
> ------------------------------
>
>
> ----- Original Message ----
> From: Chip <chiapas at aktivix.org>
> To: Icecast streaming server user discussions <icecast at xiph.org>
> Sent: Woe, 05 Feb 2020 23:57
> Subject: Re: [Icecast] Icecast streaming https
>
> Of course...
>
> Best print it to PDF in case it ever disappears!
>
> All the best
>
> Chip Scooter
>
> On Wed, 5 Feb 2020 at 22:07, Richard Elen <relen at brideswell.com> wrote:
>
>> That's a useful site! Thanks for that!
>>
>> R
>> On 05-Feb-20 18:52, Chip wrote:
>>
>> Here you go:
>>
>> - https://serverok.in/centovacast-enable-ssl-on-icecast
>>
>> No problem, you're welcome!
>>
>> Chip Scooter
>>
>> _______________________________________________
>> Icecast mailing list
>> Icecast at xiph.org
>> http://lists.xiph.org/mailman/listinfo/icecast
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xiph.org/pipermail/icecast/attachments/20200207/98db7856/attachment.htm>
More information about the Icecast
mailing list