This assumes that you are using Ubuntu 18.04, have followed the instructions to install Let's Encrypt using certbot to add SSL to your Apache2/Libretime admin panel, and therefore have an /etc/letsencrypt folder.
Most people seem to have an easy time with the certbot/Let's Encrypt step. What we are doing here though is making it so you can put a radio player on your webpage which pulls from your Libretime/Icecast2 via an https stream–and your visitors' web browsers won't give them scary security warnings. This is a separate step. Many people (I've done it also) proxy the audio stream from icecast through apache. It could be a little bumpy if you're not accustomed to mucking in the bowels of apache though. Icecast2 can do SSL natively–you just need a version that is compiled to support SSL and then configure a certificate in the /etc/icecast2/icecast.xml config file.
First you have to upgrade to a version of Icecast2 that supports SSL. The version that gets installed with Libretime on Ubuntu does not. If you are running Ubuntu 18.04, we'll add the xiph repositories and install a newer version from them (be sure to get the first command all on one line):
sudo sh -c "echo deb Index of /repositories/multimedia:/xiph/xUbuntu_18.04 ./ >>/etc/apt/sources.list.d/icecast.list"
sudo wget -qO - http://icecast.org/multimedia-obs.key | sudo apt-key add -
sudo apt update
sudo apt install icecast2
Check that you now have version 2.4.4 of icecast2 running:
sudo icecast2 -v
Next is what I think is an easier way to encrypt the icecast stream (compared to proxying via apache). The trick is that icecast certificates must be in the form of one pem file which contains the certificate, intermediate certificates and the private key. Letsencrypt does not supply this format in one file. But the Letsencrypt automatic certificate renewal process allows us to add a little post-renewal command which concatenates the certs+key, replaces the old one and restarts icecast2.
Open this renewal configuration file—you must use YOUR DOMAIN NAME in the following string in place of “my.cooldomain.com”:
sudo nano /etc/letsencrypt/renewal/my.cooldomain.com.conf
Append (paste) the following line at the very end of the [renewalparams] section of the file, on a new line. REPLACE YOUR DOMAIN NAME and any other values that you know should be different for your situation (all one line):
post_hook = cat /etc/letsencrypt/live/my.cooldomain.com/fullchain.pem /etc/letsencrypt/live/my.cooldomain.com/privkey.pem > /etc/icecast2/bundle.pem && service icecast2 restart
Save this configuration file and exit.
Next edit the Icecast2 config file in two places in order to enable ssl natively. You have to uncomment these sections and put the new info in them:
sudo nano /etc/icecast2/icecast.xml
Uncomment/unhide and edit to suit–you don't have to use port 8443, but it is easy to remember:
<listen-socket>
<port>8443</port>
<ssl>1</ssl>
</listen-socket>
and
<ssl-certificate>/etc/icecast2/bundle.pem</ssl-certificate>
Save and exit. Now paste the following string into your terminal, REPLACE YOUR DOMAIN NAME in two places first, and hit enter to create the bundled pem file for the first time and restart your icecast to activate the SSL (all one line). Note that the redirect has to run as root too, which is why the cat is wrapped in sudo sh -c; a bare sudo cat ... > /etc/icecast2/bundle.pem would fail with "Permission denied" because the shell opens the output file as your own user:
sudo sh -c 'cat /etc/letsencrypt/live/my.cooldomain.com/fullchain.pem /etc/letsencrypt/live/my.cooldomain.com/privkey.pem > /etc/icecast2/bundle.pem' && sudo service icecast2 restart
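The one-line post_hook above and the first-time command do the job, but a plain redirect writes bundle.pem with the default 0644 mode, which makes a copy of your private key readable by every local user, and nothing stops icecast2 from being restarted with a chain and key that don't belong together. The following script is an added example, not part of the original post or of the Icecast/Libretime projects: it replaces both the post_hook command and the manual first run, writes the bundle with 0640 root:icecast2, checks that the certificate and key match before restarting, and includes a function that does what the browser does against port 8443. Assumed names: /usr/local/sbin/icecast-bundle.sh as the install path, the my.cooldomain.com live directory, /etc/icecast2/bundle.pem, and that the icecast2 daemon runs as group icecast2 (the Debian/Ubuntu package default); adjust to your own setup.

```sh
#!/bin/sh
# Added example, not from the original post: a renewal hook that builds the
# single PEM bundle Icecast2 wants, keeps the private key out of world-readable
# files, checks that certificate and key belong together, and only then
# restarts icecast2. Assumptions: the Let's Encrypt live directory for
# my.cooldomain.com, /etc/icecast2/bundle.pem as the bundle path, and that the
# icecast2 daemon runs as group "icecast2" (the Debian/Ubuntu package default).
set -eu

DOMAIN="${DOMAIN:-my.cooldomain.com}"
LIVE="/etc/letsencrypt/live/$DOMAIN"
BUNDLE="${BUNDLE:-/etc/icecast2/bundle.pem}"
GROUP="${BUNDLE_GROUP:-icecast2}"

# build_bundle CHAIN KEY OUT
# Writes CHAIN followed by KEY to OUT with mode 0640 (owner root, group
# $GROUP when run as root). A bare "cat a b > out" under the default umask
# creates a 0644 file, which hands the private key to every local user.
build_bundle() {
    chain="$1"; key="$2"; out="$3"
    tmp="$out.tmp.$$"
    # subshell so the restrictive umask does not leak into the caller
    (umask 077 && cat "$chain" "$key" > "$tmp")
    if [ "$(id -u)" -eq 0 ] && getent group "$GROUP" >/dev/null 2>&1; then
        chown "root:$GROUP" "$tmp"
    fi
    chmod 0640 "$tmp"
    mv -f "$tmp" "$out"   # atomic replace: icecast never reads a half-written file
}

# verify_bundle FILE
# Returns 0 when the first certificate in FILE and the private key in FILE
# carry the same public key, 1 otherwise. openssl reads the first PEM block of
# the requested type and skips the others, so the mixed file is fine as input.
verify_bundle() {
    f="$1"
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_stream HOST PORT MOUNT
# Does what the browser does: a TLS handshake with SNI against the icecast
# port, then prints the chain subjects and the verify result, so a missing
# intermediate or a stale bundle shows up without loading the player.
check_stream() {
    host="$1"; port="$2"; mount="$3"
    printf 'HEAD /%s HTTP/1.0\r\nHost: %s\r\n\r\n' "$mount" "$host" \
        | openssl s_client -connect "$host:$port" -servername "$host" -showcerts 2>/dev/null \
        | grep -E 'Verify return code|^ *[0-9]+ s:'
}

main() {
    build_bundle "$LIVE/fullchain.pem" "$LIVE/privkey.pem" "$BUNDLE"
    if ! verify_bundle "$BUNDLE"; then
        echo "$BUNDLE: certificate and key do not match, not restarting icecast2" >&2
        exit 1
    fi
    systemctl restart icecast2
}

# Only act when invoked as the installed hook, so the functions above can be
# sourced for testing without touching /etc.
case "${0##*/}" in icecast-bundle.sh) main ;; esac
```

Install it with sudo install -m 755 icecast-bundle.sh /usr/local/sbin/icecast-bundle.sh, set post_hook = /usr/local/sbin/icecast-bundle.sh in the renewal conf instead of the long cat line, and run sudo /usr/local/sbin/icecast-bundle.sh once by hand to create the first bundle. Afterwards, . /usr/local/sbin/icecast-bundle.sh followed by check_stream my.cooldomain.com 8443 mystreamkey should print Verify return code: 0 (ok) and a chain of subjects starting with your domain; a return code of 21 usually means the bundle lacks the intermediate, which is exactly the case the fullchain.pem-first ordering above prevents.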
Make sure you open port 8443 on your firewall as well as 443 for your https enabled Icecast2 stream and for the Libretime admin panel.
You can test it if you have radio programming running in your Libretime by trying this url with YOUR DOMAIN NAME and STREAM KEY settings–you should get an audio player and a padlock in the URL field:
https://my.cooldomain.com:8443/mystreamkey
I hope I didn't make any stupid typos that cause you a headache. Please let me know if so in the comments and I will fix it.
I have set up a number of instances of icecast in the past just like this and they work like the dickens.