<div dir="ltr"><div dir="ltr"><div>Hi</div><div><br></div><div>These instructions are very useful, as previously shared:</div><div></div><div><ul><li><a href="https://serverok.in/centovacast-enable-ssl-on-icecast">https://serverok.in/centovacast-enable-ssl-on-icecast</a></li></ul></div><div></div><div>However, I think this step caused me problems using Letsencrypt (LE) and the icecast.pem file might have been in error:<br></div><div><br></div><div><div style="margin-left:40px">Paste your SSL in following order<br>1) Your private key<br>2) Your SSL cert<br>3) CA Bundle<br></div><br></div></div><div>I don't think LE creates a 'CA Bundle'. Following some other instructions I was making the *.pem file like this:</div><div><br></div><div style="margin-left:40px"><span style="font-family:monospace">cat
cert.pem privkey.pem > icecast.pem</span> <b>&lt;= this is not a good method</b><br></div><div><br></div><div>Test your stream using this:</div><div><br></div><div style="margin-left:40px"><span style="font-family:monospace">curl -v <a href="https://example.com:8001/mountpoint">https://example.com:8001/mountpoint</a></span></div><div><br></div><div>If curl is not happy with your SSL cert it will throw an error like this:</div><div><br></div><div><div style="margin-left:40px"><span style="font-family:monospace">[chip@machine ~]$
curl -v <a href="https://example.com:8001/mountpoint">https://example.com:8001/mountpoint</a>
</span><br><span style="font-family:monospace"></span><br><span style="font-family:monospace"> About to connect() to <a href="http://example.com">example.com</a> port 8001 (#0)</span><br><span style="font-family:monospace"></span><br><span style="font-family:monospace"> Trying 192.168.1.50… connected</span><br><span style="font-family:monospace"></span><br><span style="font-family:monospace"> Connected to <a href="http://example.com">example.com</a> (192.168.1.50) port 8001 (#0)</span><br><span style="font-family:monospace"></span><br><span style="font-family:monospace"> Initializing NSS with certpath: sql:/etc/pki/nssdb</span><br><span style="font-family:monospace"></span><br><span style="font-family:monospace"> CAfile: /etc/pki/tls/certs/ca-bundle.crt</span><br><span style="font-family:monospace"> CApath: none</span><br><span style="font-family:monospace"></span><br><span style="font-family:monospace"> Peer’s certificate issuer is not recognized: ‘CN=Let’s Encrypt Authority X3,O=Let’s Encrypt,C=US’</span><br><span style="font-family:monospace"></span><br><span style="font-family:monospace"> NSS error -8179</span><br><span style="font-family:monospace"></span><br><span style="font-family:monospace"> Closing connection #0</span><br><span style="font-family:monospace"></span><br><span style="font-family:monospace"> Peer certificate cannot be authenticated with known CA certificates</span><br><span style="font-family:monospace"> curl: (60) Peer certificate cannot be authenticated with known CA certificates</span><br><span style="font-family:monospace"> More details here: <a href="http://curl.haxx.se/docs/sslcerts.html">http://curl.haxx.se/docs/sslcerts.html</a></span><br><span style="font-family:monospace"></span><br><span style="font-family:monospace"> curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). 
If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.</span><br></div><br></div><div>If you are using LE then this, IMHO, is a <u>better way</u> to make the icecast.pem file:</div><div><br></div><div style="margin-left:40px"><span style="font-family:monospace">cat privkey.pem fullchain.pem > icecast.pem</span></div><div><br></div><div></div><div>The above creates a more 'correct' SSL cert which, for example, Alexa devices are able to stream.</div><div><br></div><div>And you can check your SSL stream here:</div><div></div><div><ul><li><a href="https://check-your-website.server-daten.de/?q=">https://check-your-website.server-daten.de/?q=</a></li></ul></div><div></div><div>Thanks</div><div><br></div><div>Chip Scooter<br></div><div><br></div><div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 6 Feb 2020 at 07:58, H. van de Ridder <<a href="mailto:hvdridder@solcon.nl">hvdridder@solcon.nl</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span style="font-size:12px"><span style="font-family:Times New Roman,Times,serif">Thanks a lot.<br>
This manual solves my problem.<br>
<br>
Kind regards,<br>
Henk<br>
<br>
----- Original Message ----<br>
From: Chip <<a href="mailto:chiapas@aktivix.org" target="_blank">chiapas@aktivix.org</a>><br>
To: Icecast streaming server user discussions <<a href="mailto:icecast@xiph.org" target="_blank">icecast@xiph.org</a>><br>
Sent: Wed, 05 Feb 2020 23:57<br>
Subject: Re: [Icecast] Icecast streaming https<br>
<br>
<div dir="ltr">
<div>Of course...</div>
<div><br>
</div>
<div>Best print it to PDF in case it ever disappears!</div>
<div><br>
</div>
<div>All the best</div>
<div><br>
</div>
<div>Chip Scooter<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div class="gmail_attr" dir="ltr">On Wed, 5 Feb 2020 at 22:07, Richard Elen <<a href="mailto:relen@brideswell.com" rel="nofollow" target="_blank">relen@brideswell.com</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>That's a useful site! Thanks for that!</p>
<p>R<br>
</p>
<div>On 05-Feb-20 18:52, Chip wrote:<br>
</div>
<blockquote>
<div>Here you go:</div>
<div>
<ul>
<li><a href="https://serverok.in/centovacast-enable-ssl-on-icecast" rel="nofollow" target="_blank">https://serverok.in/centovacast-enable-ssl-on-icecast</a></li>
</ul>
</div>
<div>No problem, you're welcome!</div>
<div><br>
</div>
<div>Chip Scooter</div>
</blockquote>
</div>
_______________________________________________<br>
Icecast mailing list<br>
<a href="mailto:Icecast@xiph.org" rel="nofollow" target="_blank">Icecast@xiph.org</a><br>
<a href="http://lists.xiph.org/mailman/listinfo/icecast" rel="nofollow" target="_blank">http://lists.xiph.org/mailman/listinfo/icecast</a><br>
</blockquote>
</div>
</span></span>
</blockquote></div></div></div>
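A small POSIX shell helper, added here and not part of the thread, that assembles icecast.pem the way Chip's message recommends (privkey.pem first, then Let's Encrypt's fullchain.pem) and then checks the result for the two mistakes discussed above: the private key not being the first block, and only cert.pem (no intermediate) being included. The file paths are assumptions; the only tools used are cat, grep, sed and tr.

```shell
#!/bin/sh
# Build icecast.pem from Let's Encrypt output in the order Icecast expects
# (private key, leaf certificate, intermediate) and sanity-check it before
# restarting Icecast. Added example, not code from the mailing list.

# build_icecast_pem PRIVKEY FULLCHAIN OUT
# fullchain.pem already holds leaf + intermediate, so this is the
# "better way" from the message: cat privkey.pem fullchain.pem > icecast.pem
build_icecast_pem() {
  # subshell so the owner-only umask does not leak into the caller:
  # the output contains the private key
  ( umask 077; cat "$1" "$2" > "$3" )
}

# check_icecast_pem FILE
# Returns 0 when the PEM blocks are in the expected order and an
# intermediate certificate is present; otherwise explains why and returns 1.
check_icecast_pem() {
  file=$1
  # block types in file order, e.g. "PRIVATE_KEY CERTIFICATE CERTIFICATE "
  seq=$(grep '^-----BEGIN ' "$file" \
        | sed 's/^-----BEGIN //; s/-----$//; s/ /_/g' | tr '\n' ' ')
  first=${seq%% *}
  case "$first" in
    PRIVATE_KEY|RSA_PRIVATE_KEY|EC_PRIVATE_KEY) ;;   # key first: good
    "") echo "no PEM blocks found in $file"; return 1 ;;
    *)  echo "first block must be the private key, found $first (order: $seq)"
        return 1 ;;
  esac
  case "$seq" in
    *PRIVATE_KEY*PRIVATE_KEY*) echo "more than one private key in $file"; return 1 ;;
  esac
  # cert.pem alone gives one CERTIFICATE block; fullchain.pem gives at least two.
  # curl's "issuer is not recognized" error above is the symptom of the former.
  ncert=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$file" || true)
  if [ "$ncert" -lt 2 ]; then
    echo "only $ncert certificate block(s): use fullchain.pem, not cert.pem"
    return 1
  fi
  echo "ok: $seq"
}
```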