[Icecast] Icecast and HTTPS

_zer0_ gravity zer0___ at hotmail.com
Mon Jan 4 20:56:27 UTC 2021


There are some things to consider if you want Icecast to serve https:

The ssl certificate file needs BOTH the private key AND the chain in one file. The order did not make a difference in my setups.
The <ssl-private-key> is not needed, only the <ssl-certificate>

Make sure that the icecast2 user is the owner of the certificate:
chown icecast2:icecast /usr/share/icecast2/icecast.pem

Make sure NOT to put it in the "web" directory, the pem file should NOT be publicly accessible.
I have used both /etc/icecast2/ and /usr/share/icecast2/ directories successfully.

I am using letsencrypt and have used a post-hook script so that it only updates after a new certificate has been deployed:
#!/bin/bash
# Combine key and chain into the single file Icecast reads, then restart so it is loaded.
/bin/cat /etc/letsencrypt/live/YOURDOMAIN/privkey.pem /etc/letsencrypt/live/YOURDOMAIN/fullchain.pem > /usr/share/icecast2/icecast.pem && /usr/bin/systemctl restart icecast2

Make sure you are NOT using the version from the Debian repositories, as they are compiled without SSL support.
Instead use the repositories described here: https://wiki.xiph.org/Icecast_Server/Installing_latest_version_(official_Xiph_repositories)

I also had to add a priority file to make sure apt grabs the right one, as the version number on both repositories is the same, but only the version on the official Xiph repo has SSL support.
After adding the official xiph repository add a file /etc/apt/preferences.d/icecast with the following:

Package: icecast2
Pin: origin "download.opensuse.org"
Pin-Priority: 999

Then do a reinstall with:

apt update
apt reinstall icecast2

These are the relevant parts of my icecast2.xml:

    <listen-socket>
        <port>8443</port>
        <ssl>1</ssl>
    </listen-socket>

    <ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate>

Of course restart icecast2 after updating the ssl-certificate as it is only read during startup, that is also why I do a restart (and not a reload) in the certbot post-hook:
systemctl restart icecast2
Also close and reopen your browser to test so that you are sure the certificate is not being cached locally.

Worked for me with Debian 9 and 10.

Regards, Paul
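
The points in the message above (key and chain in one file, not readable by anyone but the Icecast user, kept outside the web directory) can be checked by script. The following is an added example, not part of the original e-mail; the function names build_pem and check_pem and their return codes are assumptions chosen for illustration.

```shell
#!/bin/bash
# Added example, not from the original e-mail. Function names and return
# codes are hypothetical; paths are passed in as arguments.

# build_pem KEY CHAIN OUT [OWNER]: write key + chain to OUT atomically.
build_pem() {
    local key=$1 chain=$2 out=$3 owner=${4:-} tmp
    tmp=$(mktemp "${out}.XXXXXX") || return 1   # mktemp creates it mode 0600
    if cat "$key" "$chain" > "$tmp" &&
       { [ -z "$owner" ] || chown "$owner" "$tmp"; } &&
       mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# check_pem PEM WEBROOT: returns 0 if the file is usable and not exposed.
#   2 unreadable, 3 no private key, 4 no certificate,
#   5 inside the web directory, 6 readable by group or others
check_pem() {
    local pem=$1 webroot=$2 real_pem real_web mode
    [ -r "$pem" ] || return 2
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$pem" || return 3
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || return 4
    real_pem=$(realpath "$pem") || return 2
    real_web=$(realpath "$webroot") || return 2
    case "$real_pem" in
        "$real_web"/*) return 5 ;;
    esac
    mode=$(stat -c '%a' "$pem") || return 2     # GNU stat, as on Debian
    case "$mode" in
        *00|0) return 0 ;;                      # no group/other bits set
        *) return 6 ;;
    esac
}
```

In a certbot post-hook, build_pem would be called with the privkey.pem and fullchain.pem paths, the target /usr/share/icecast2/icecast.pem and the owner icecast2:icecast, followed by check_pem against the configured webroot before the restart.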


-----Original Message-----
From: Icecast <icecast-bounces at xiph.org> On behalf of Marvin Scholz
Sent: Monday, 4 January 2021 20:59
To: Icecast streaming server user discussions <icecast at xiph.org>
Subject: Re: [Icecast] Icecast and HTTPS

Icecast does support TLS and nearly all modern players do support streams over HTTPS too.

On 4 Jan 2021, at 20:56, Norbert Deleutre wrote:

> With a free player ?  Which one ?
>
> —-
> N.D
> LMGC
>
>
>> On 4 Jan 2021, at 20:34, John McHarry <jmcharry at gmx.net> wrote:
>>
>> It does. https://audio-mp3.ibiblio.org/whqr_hd1 is served from an
>> icecast2 server. Check http://audio-mp3.ibiblio.org:8000
>>
>>
>> On Mon, 2021-01-04 at 20:14 +0100, Norbert Deleutre wrote:
>>> I had made the same request in September 2020.
>>> And my conclusion is that icecast doesn’t work with ssl-
>>>
>>> —-
>>> N.D
>>> LMGC
>>>
>>>
>>>> On 4 Jan 2021, at 19:06, Wangr <Wang at pc-factory.at> wrote:
>>>>
>>>> Hello to all!
>>>>
>>>> I have tried for days now to use icecast2 (version 2.4.99.2) with 
>>>> HTTPS. Been through so many manuals and howtos, but nothing works.
>>>>
>>>> I have used the Debian version, as well as compiled from source.
>>>>
>>>> Ports 8000 and 8443 are open on the firewall.
>>>>
>>>>
>>>> Here is some relevant info:
>>>>
>>>> /etc/icecast2/icecast.xml:
>>>>
>>>> <listen-socket>
>>>> <port>8000</port>
>>>> </listen-socket>
>>>> <listen-socket>
>>>> <port>8443</port>
>>>> <ssl>1</ssl>
>>>> </listen-socket>
>>>>
>>>> <http-headers>
>>>> <header name="Access-Control-Allow-Origin" value="*" /> 
>>>> </http-headers>
>>>>
>>>> <paths>
>>>> <basedir>/usr/share/icecast2</basedir>
>>>> <logdir>/var/log/icecast2</logdir>
>>>> <webroot>/usr/share/icecast2/web</webroot>
>>>> <adminroot>/usr/share/icecast2/admin</adminroot>
>>>> <alias source="/" destination="/status.xsl"/>
>>>> <ssl-certificate>/usr/share/icecast2/web/bundle.pem</ssl-certificate>
>>>> <ssl-private-key>/usr/share/icecast2/web/bundle.pem</ssl-private-key>
>>>> </paths>
>>>>
>>>> The bundle.pem file contains the privkey.pem and fullchain.pem 
>>>> files of the dehydrated (let's encrypt) certificates, in this 
>>>> order.
>>>>
>>>>
>>>> ices2 config file:
>>>>
>>>> <instance>
>>>> <port>8443</port>
>>>> </instance>
>>>>
>>>> with <port>8000</port> (HTTP) it works, not with 8443 (HTTPS).
>>>>
>>>>
>>>> I am thankful for any help!
>>>> _______________________________________________
>>>> Icecast mailing list
>>>> Icecast at xiph.org
>>>> http://lists.xiph.org/mailman/listinfo/icecast