11

I am trying to make Icecast 2 work with my Let's Encrypt SSL certificate, with no luck. So far what I did is build Icecast 2 with OpenSSL support, and I also made it run, but it always gives the following error in the log file.

[2018-03-15  12:48:21] WARN connection/get_ssl_certificate Invalid private key file /usr/local/icecast/share/fullchain.pem
[2018-03-15  12:48:21] INFO connection/get_ssl_certificate No SSL capability on any configured ports

I have set these cert files readable by the user richard, and of course I am also running the server itself as the richard user.

Maybe you have any idea what is wrong?

You may also see my config file here:

    <listen-socket>
        <port>8443</port>
        <ssl>1</ssl>
    </listen-socket>

In the paths section I have set the ssl-certificate part to the SSL certificate:

    <ssl-certificate>/usr/local/icecast/share/icecast/fullchain.pem</ssl-certificate>

Nothing so far. The server itself is starting on the port; however, when visiting it through https:// it just doesn't load. With http:// the port (8443) works fine.

Any help appreciated.

Marcell
  • It seems the approved solution is outdated: I found your article before I found this on stackoverflow. ... See my note below your approved answer - YOURS works, the other does not! – Richard T Oct 19 '22 at 03:57

3 Answers

11

Actually, I solved the issue myself.

The problem was the SSL certificate, not the configuration. It seems the Let's Encrypt file that is generated (fullchain.pem) is not working correctly on its own. So instead of using that, I copied the contents of cert.pem and privkey.pem into a new file named icecast.pem, pasting both into one (first the cert and then the privkey), and now everything works fine and securely!

I am a genius!!!

Marcell
  • 4
    I read the Icecast explanation first and it was not enough; this post saved my day, since the crucial point here is that order matters and the cert full chain should be first, which is not what you might expect from reading the doc. – philippe lhardy Apr 20 '19 at 19:17
  • 1
    I did not realize for a while that we have to compile Icecast with SSL support ourselves. If it helps someone in the future, I followed these steps to solve this. https://weekly-geekly.github.io/articles/350236/index.html – Jakob Kronsteiner Sep 17 '19 at 17:05
  • 3
    You should concat fullchain.pem (not cert.pem) and privkey.pem into icecast.pem. Otherwise you will have problems with some clients. – OriolJ Nov 15 '19 at 18:20
  • Good stuff. INSTANTLY solved the problem. You sir, are a coding GENIUS! (...) Grinz – James Walker Jan 08 '21 at 02:41
  • @JakobKronsteiner FYI - your link now goes to a 404 page – wruckie Nov 17 '21 at 21:50
  • THIS works, the approved answer does not - on my Fedora 35 server. – Richard T Oct 19 '22 at 04:02
1

For the Icecast2 complete certificate, you can use the command (certbot names the chain file fullchain.pem, not fullcert.pem):

    cat /etc/letsencrypt/live/domain.com/fullchain.pem /etc/letsencrypt/live/domain.com/privkey.pem > /etc/icecast2/bundle.pem

This will concatenate and save both into a single file called bundle.pem under the icecast2 folder, to which you can point the icecast2 configuration.

I have also found this very helpful and complete guide for reference: https://mediarealm.com.au/articles/icecast-https-ssl-setup-lets-encrypt/

George
  • 1
    Thanks George, it was for my friend who was in an online-radio project, although I helped him to find the mystery why it did not work. It's still nice to know in case I need it in the future. – Marcell Sep 10 '21 at 11:38
  • Thank you as well, @Marcell! I am just leaving those here for reference as well to help more people :) – George Sep 10 '21 at 11:44
  • That is NOT working on MY fedora 35 system! My symptoms are just like Marcell's, those filenames also appear to be wrong for my version. HIS answer worked, yours does NOT! – Richard T Oct 19 '22 at 04:00
  • 1
    It's worth saying filenames were not the only difference: there's something about copying and then catting to append that's different from catting both at once. I have NO IDEA why, but I tried it several times. – Richard T Oct 19 '22 at 04:59
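The accepted answer and George's answer both come down to the same step: Icecast wants one PEM file with the certificate chain first and the private key after it, and the "Invalid private key file" warning in the question is what you get when that file is wrong. The script below is an added example, not code from the question, the answers or the Icecast project: it builds the bundle in one step with a restrictive mode, checks the block order structurally, and (when openssl is installed) confirms that cert.pem and privkey.pem actually belong together. The certbot path for example.com, the Icecast share path and the demo's placeholder PEM files are assumptions for illustration; the placeholders are not real certificates or keys.

```shell
#!/bin/sh
# Added example: build and sanity-check the combined PEM for Icecast's
# <ssl-certificate>. Paths are assumptions (certbot live dir for an example
# domain, Icecast share directory); override them via the environment.
LE_DIR="${LE_DIR:-/etc/letsencrypt/live/example.com}"
BUNDLE="${BUNDLE:-/usr/local/icecast/share/icecast/icecast.pem}"

# make_bundle FULLCHAIN PRIVKEY OUT
# Concatenates chain then key into OUT in a single step; the file is created
# with mode 0600 so the key material is not readable by other local users.
make_bundle() {
  ( umask 077; rm -f "$3"; cat "$1" "$2" > "$3" )
}

# check_bundle FILE
# Returns 0 when FILE holds at least one certificate block, exactly one private
# key block, and the first certificate comes before the key (the order the
# accepted answer and its comments describe); returns 1 otherwise.
check_bundle() {
  f="$1"
  certs=$(grep -c 'BEGIN CERTIFICATE' "$f" || true)
  keys=$(grep -c 'BEGIN.*PRIVATE KEY' "$f" || true)
  [ "$certs" -ge 1 ] || return 1
  [ "$keys" -eq 1 ] || return 1
  first_cert=$(grep -n 'BEGIN CERTIFICATE' "$f" | head -n 1 | cut -d: -f1)
  key_line=$(grep -n 'BEGIN.*PRIVATE KEY' "$f" | head -n 1 | cut -d: -f1)
  [ "$first_cert" -lt "$key_line" ]
}

# keys_match CERT KEY
# Uses openssl, if installed, to confirm the leaf certificate and the private
# key carry the same public key; a mismatch is one cause of the
# "Invalid private key file" warning. Skips (returns 0) without openssl.
keys_match() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping key check" >&2; return 0; }
  c=$(openssl x509 -noout -pubkey -in "$1")
  k=$(openssl pkey -pubout -in "$2")
  [ "$c" = "$k" ]
}

# install_bundle
# The real-world run: bundle the certbot files, verify layout and key match.
install_bundle() {
  make_bundle "$LE_DIR/fullchain.pem" "$LE_DIR/privkey.pem" "$BUNDLE" \
    && check_bundle "$BUNDLE" \
    && keys_match "$LE_DIR/cert.pem" "$LE_DIR/privkey.pem"
}

# write_sample_pems DIR
# Constructed placeholder PEM files (not real certificates or keys) so the
# demo and checks run offline.
write_sample_pems() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-LEAF-CERT' '-----END CERTIFICATE-----' \
                '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-INTERMEDIATE-CERT' '-----END CERTIFICATE-----' \
                > "$1/fullchain.pem"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY-MATERIAL' '-----END PRIVATE KEY-----' \
                > "$1/privkey.pem"
}

# demo: bundle the constructed files in a temp dir and report the layout check.
demo() {
  d=$(mktemp -d)
  write_sample_pems "$d"
  make_bundle "$d/fullchain.pem" "$d/privkey.pem" "$d/icecast.pem"
  if check_bundle "$d/icecast.pem"; then
    echo "icecast.pem: chain-then-key order ok"
  else
    echo "icecast.pem: bad layout"
  fi
  rm -rf "$d"
}
demo
```

For a real deployment, run `install_bundle` as the user Icecast runs as (or chown the result to it), then point `<ssl-certificate>` at `$BUNDLE` and restart Icecast; rerun it from a certbot deploy hook so renewals regenerate the bundle. `check_bundle` only verifies block order and counts, which is exactly the mistake the comments above warn about; `keys_match` is the stronger test that the certificate and key are a pair.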
0

There is another way: proxying through Nginx, whose config is common on the internet, so that the server only exposes ports 80 and 443 for HTTP. Then use Let's Encrypt for Nginx's SSL.

sdrkyj