Add ssl to your Icecast2 stream - sweet and simple

This assumes that you are using Ubuntu 18.04 and have followed instructions to install Letsencrypt using certbot to add ssl to your Apache2/Libretime admin panel and that you therefore have an /etc/letsencrypt folder.

Most people seem to have an easy time with the certbot/letsencrypt step. What we are doing here though is making it so you can put a radio player on your webpage which pulls from your Libretime/Icecast2 via an https stream–and your visitors’ web browsers won’t give them scary security warnings. This is a separate step. Many people (I’ve done it also) proxy the audio stream from icecast through apache. It could be a little bumpy if you’re not accustomed to mucking in the bowels of apache though. Icecast2 can do ssl natively–you just need a version that is compiled to support ssl and then configure a certificate in the /etc/icecast2/icecast.xml config file.

First you have to upgrade to a version of Icecast2 that supports SSL. The version that gets installed with Libretime on Ubuntu does not. If you are running on ubuntu 18.04—we’ll add the xiph repositories and install a newer version from them (be sure to get the first command all on one line):

sudo sh -c "echo deb http://download.opensuse.org/repositories/multimedia:/xiph/xUbuntu_18.04/ ./ >>/etc/apt/sources.list.d/icecast.list"
sudo wget -qO - http://icecast.org/multimedia-obs.key | sudo apt-key add -
sudo apt update
sudo apt install icecast2

Check that you now have version 2.4.4 of icecast2 running:
sudo icecast2 -v

Next is what I think is an easier way to encrypt the icecast stream (compared to proxying via apache). The trick is that icecast certificates must be in the form of one pem file which contains the certificate, intermediate certificates and the private key. Letsencrypt does not supply this format in one file. But the Letsencrypt automatic certificate renewal process allows us to add a little post-renewal command which concatenates the certs+key, replaces the old one and restarts icecast2.

Open this renewal configuration file—you must use YOUR DOMAIN NAME in the following string in place of “my.cooldomain.com”:
sudo nano /etc/letsencrypt/renewal/my.cooldomain.com.conf

Append (paste) the following string at the very end of the [renewal params] section of the script in a new line. REPLACE YOUR DOMAIN NAME and any other variables that you know should be different for your situation (all one line):

post_hook = cat /etc/letsencrypt/live/my.cooldomain.com/fullchain.pem /etc/letsencrypt/live/my.cooldomain.com/privkey.pem > /etc/icecast2/bundle.pem && service icecast2 restart

Save this configuration file and exit.

Next edit the Icecast2 config file in two places in order to enable ssl natively. You have to uncomment these sections and put the new info in them:

sudo nano /etc/icecast2/icecast.xml

Uncomment/unhide and edit to suit–you don’t have to use port 8443, but it is easy to remember:

<listen-socket>
    <port>8443</port>
    <ssl>1</ssl>
</listen-socket>

and

<ssl-certificate>/etc/icecast2/bundle.pem</ssl-certificate>

Save and exit. Now paste the following string into your terminal, REPLACE YOUR DOMAIN NAME in 2 places first, and hit enter to create the bundled pem file for the first time and restart your icecast to activate the ssl (all one line):

sudo sh -c 'cat /etc/letsencrypt/live/my.cooldomain.com/fullchain.pem /etc/letsencrypt/live/my.cooldomain.com/privkey.pem > /etc/icecast2/bundle.pem' && sudo service icecast2 restart

Make sure you open port 8443 on your firewall as well as 443 for your https enabled Icecast2 stream and for the Libretime admin panel.

You can test it if you have radio programming running in your Libretime by trying this url with YOUR DOMAIN NAME and STREAM KEY settings–you should get an audio player and a padlock in the URL field:

https://my.cooldomain.com:8443/mystreamkey

I hope I didn’t make any stupid typos that cause you a headache. Please let me know if so in the comments and I will fix it.

I have set up a number of instances of icecast in the past just like this and they work like the dickens.


Don’t know what I’m missing, I have configured /etc/icecast2/icecast.xml correctly but still not working.
Followed these steps: Icecast HTTPS/SSL with Let's Encrypt: Setup Guide which are the same as yours @boydbadten just a slightly different approach.

Hi kteddiey—I would be willing to help you–but you will have to give me a little more info.

What is the URL of your site?
Did your letsencrypt installation complete (did it seem successful)?
Can you access your libretime gui via https?
Did you check to make sure that there is a concatenated (key+cert) pem file in the location you configured in icecast.xml?
Did you open your firewall to the secure port configured for https in icecast.xml? I tend to use 8443 or something which does not conflict with browser use—I would not use 443.

If you tell us your domain/url I think we can get to the bottom of it.

Hi @boydbadten , thanks for your reply, below are the steps I took:

  • Install LT
  • Install ufw: apt install ufw
  • Activate ufw: ufw enable
  • Allow ports: ufw allow 22,80,8080,443,8000,8001,8002,8443/tcp
  • Install Certbot: apt install certbot python3-certbot-apache
  • Get cert: certbot --apache
    (at this point my LT gui was secure ‘https://radio.timelessradio.co.ke’)
  • Concatenate two certificate files: cat /etc/letsencrypt/live/stream.example.com/fullchain.pem /etc/letsencrypt/live/stream1.example.com/privkey.pem > /etc/icecast2/bundle.pem
    chmod 666 /etc/icecast2/bundle.pem
  • Configure Icecast for SSL: nano /etc/icecast2/icecast.xml
  • Add this line to the <paths></paths> section:
    <ssl-certificate>/etc/icecast2/bundle.pem</ssl-certificate>
  • Uncomment:
    <listen-socket>
        <port>8443</port>
        <ssl>1</ssl>
    </listen-socket>
  • Restart Icecast: service icecast2 restart

It looks like your letsencrypt installation and certificate is good–although the image logo is not being served securely at your libretime gui page https://radio.timelessradio.co.ke/ — not sure why.

I see that you are still running version 2.4.3 of Icecast2 though. That’s the version which gets installed automatically from ubuntu repositories—but it was not compiled to include ssl. You missed the step which upgrades Icecast to 2.4.4. It only takes a couple of minutes to do.

You mention in the steps you took to “Concatenate two certificate files…” Perhaps you did this with your domain name when you did it for real–but if you used the command above verbatim it will not work. You have to substitute your domain, something like this:

sudo sh -c 'cat /etc/letsencrypt/live/radio.timelessradio.co.ke/fullchain.pem /etc/letsencrypt/live/radio.timelessradio.co.ke/privkey.pem > /etc/icecast2/bundle.pem' && sudo service icecast2 restart

After you do this check to see if there is a valid bundled pem file with:

sudo nano /etc/icecast2/bundle.pem

…this should have several big blocks of characters in it—which are the certificate, private key, etc.

Upgrade Icecast and then check that your bundle.pem is a valid cert file and not a blank file.

Also, you mentioned that you issued a command to create the bundled certificate. You have to do that manually the first time. But don’t forget to add the command I mentioned into the certificate renewal script or else you’ll find that your icecast cert will expire in 90 days. In my instructions it’s the part that starts with “Open the renewal configuration file…”. Once you do that, every time your letsencrypt cert is auto renewed it will automatically update the one used by Icecast.

You just missed a few steps. Let us know how it goes.

Hi, thanks @boydbadten for the help. I finally managed to solve the issue following your suggestion above.

  1. Upgrade Icecast to 2.4.4:
    sudo sh -c "echo deb http://download.opensuse.org/repositories/multimedia:/xiph/xUbuntu_18.04/ ./ >>/etc/apt/sources.list.d/icecast.list"
    You can find a list of different OS here
    apt update && apt upgrade

  2. Enable SSL on /etc/icecast2/icecast.xml as stated on my above post

Hi,
A very good work you’ve made and now my server website has the SSL and also for Icecast.

So the player on the home page server doesn’t work. It’s not in ssl in the setup of streams.
But for me it’s not important because the server is not the official and public website…

Really great

Thanks a lot.

Patrick


Dear Sir,
I’m very new and blind about ssl, but I succeeded in installing libretime on my vps, under Ubuntu 18.04.
Could you help us by taking a look at my libretime and suggesting how to make it secure…
Thanks…
http://radioajar.live

Hi Kristono!

To get your Libretime install running securely is two [big] steps.

First start with the instructions here:

…this will get your admin interface running via https and secure a certificate for your radio station.

The second step is outlined in this post (at the beginning) which allows the audio stream to be encrypted as well.

Are you able to access and use the linux command line?

I used PuTTY to install, but I don’t know how to configure my server for SSL radio streaming… Poor me…

cat /etc/letsencrypt/live/stream.urban-entertainment.live/fullchain.pem /etc/letsencrypt/live/stream.urban-entertainment.live/privkey.pem > /etc/icecast2/bundle.pem

doesn’t work, says “-bash: /etc/icecast2/bundle.pem: Permission Denied”

Icecast is basically useless for me even after reinstalling ubuntu 18.04 3 times in a night.
Tried using Icecast 2.4.3 as well 2.4.4

I have tried to include “sudo” before cat as well
still same issue.

I also tried to install SSL on icecast. I am running Icecast 2.4.4 on Debian 10 (upgrade to Debian bullseye is going to happen very soon) and in the icecast error.log file I see an entry “NO TSL capable”. It looks like a licensing problem between Xiph and Debian is at the origin of this problem. So I reached out to the makers of Icecast and they told me to install Icecast 2.5 beta. Till this day I was not able to install this version, not even on a freshly installed Debian Bullseye. I will get in touch with the people at Xiph, or does anyone have a solution here?

Did you get the icecast v2.4.4 you have installed from the Xiph repository or from Debian? All of my experience with this is that if you add the Xiph repository and install from there, the Icecast you have is TLS-SSL capable. I use Ubuntu, not Debian—but I don’t see how that could be a problem.

It’s not everybody’s favorite thing, but you also could try compiling Icecast from source and adding ssl to the brew.

As of today I am installing new hardware and a fresh install of Libretime. Before installing I added the Xiph repository. So I hope that on the new server it will work. I have another question about the postgresql database but as that is off-topic here I will post the question separately if I can’t find the answer elsewhere here on the forum. The new server is scheduled to go online next week if everything goes according to plan and I will of course tell here if everything works fine now.

This should give you a good version of icecast—which supports ssl streaming:

https://wiki.xiph.org/Icecast_Server/Installing_latest_version_(official_Xiph_repositories)

Please use Joola’s more up-to-date instructions for adding ssl to your icecast stream:

https://libretime.org/blog/2023/04/21/install-libretime-3.0.2-on-debian-11/#3-securing-libretime

The Libretime development team has made very large improvements to the fundamental structures of Libretime. These improvements/changes are reflected in Joola’s secure icecast instructions—follow them instead of the older method described in this post if you are working on a recent (newer than v3.0.0) version of Libretime.

I have my own myserver.key (the private key) and domain.crt (the .crt file I got from my ssl key provider, it works fine in apache with https). I put both into bundle.pem and point to that in the icecast.xml file. I have the following lines in there.

<listen-socket>
    <port>8000</port>
    <bind-address>192.168.0.16</bind-address>
    <shoutcast-mount>/stream</shoutcast-mount>
</listen-socket>
<!--
<listen-socket>
    <port>8080</port>
</listen-socket>
-->

<listen-socket>
    <port>8443</port>
    <ssl>1</ssl>
</listen-socket>

and:

/Apache24/bundle.pem

What am I doing wrong? You can go to http://shsbbs.net:8000, but the main page shows the wrong stream url, which I was unable to find anywhere. You can see that I don’t have a problem with my ssl keys at: https://shsbbs.net


Maybe you did this also, but didn’t mention it—you have to adjust this line farther down in icecast.xml config file:

    <ssl-certificate>/etc/icecast2/pems/bundle.pem</ssl-certificate>

Unhide it and put the path to the pem file in it.

If that doesn’t fix it—another thing to check is that it might matter what you put into the pem file and the order of the items. I’ve built a number of applications that use a concatenated pem file like this. The ones I build always work correctly and the order of the keys is 1-certificate, 2-intermediate cert1, 3-intermediate cert2, 4-private key. Are you putting the intermediate certs in? And are you sure that the data is in “pem” format?

You’ll get it!! Good luck!

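The renewal hook from the first post (concatenate fullchain + privkey, replace the old bundle, restart icecast2) and the bundle-order check from the reply just above, combined as one added example; this is not code from either poster. It assumes the Debian/Ubuntu icecast2 package (service runs as user icecast2) and the /etc/letsencrypt/live and /etc/icecast2/bundle.pem paths used in this thread; the ICECAST_DOMAIN variable and the script path are hypothetical. Unlike `sudo cat ... > file` (where the redirect runs as the unprivileged user) it runs as root from the post_hook, validates the bundle before swapping it in, and never leaves the private key world-readable.

```shell
#!/bin/sh
# Build /etc/icecast2/bundle.pem (fullchain first, private key last) from a
# Let's Encrypt lineage, validate it, install it atomically, then restart
# Icecast2. Assumes the Debian/Ubuntu icecast2 package (runs as user
# "icecast2"); ICECAST_DOMAIN and the script name are hypothetical.
set -eu

# count_blocks FILE MARKER -> number of "-----BEGIN MARKER-----" lines in FILE
count_blocks() {
    grep -c -- "^-----BEGIN $2-----\$" "$1" || true
}

# check_bundle FILE -> 0 if FILE holds >=1 certificate and exactly one private
# key, with the key after the last certificate (the order Icecast expects).
check_bundle() {
    f=$1
    keypat='^-----BEGIN (RSA |EC )?PRIVATE KEY-----$'
    certs=$(count_blocks "$f" CERTIFICATE)
    keys=$(grep -c -E -- "$keypat" "$f" || true)
    [ "$certs" -ge 1 ] || { echo "$f: no PEM certificate" >&2; return 1; }
    [ "$keys" -eq 1 ] || { echo "$f: expected 1 private key, found $keys" >&2; return 1; }
    lastcert=$(grep -n -- '^-----BEGIN CERTIFICATE-----$' "$f" | tail -n 1 | cut -d: -f1)
    keyline=$(grep -n -E -- "$keypat" "$f" | cut -d: -f1)
    [ "$keyline" -gt "$lastcert" ] || { echo "$f: key must follow the certs" >&2; return 1; }
}

# build_bundle LIVEDIR DEST -> concatenate, validate, then move into place.
# mktemp creates the file 0600, so the key is never world-readable (no chmod 666).
build_bundle() {
    live=$1; dest=$2
    tmp=$(mktemp "$dest.XXXXXX")        # same directory, so mv is atomic
    cat "$live/fullchain.pem" "$live/privkey.pem" > "$tmp"
    if check_bundle "$tmp"; then
        chmod 0640 "$tmp" && mv "$tmp" "$dest"
    else
        rm -f "$tmp"; return 1          # keep the old, still-valid bundle
    fi
}

# Restart only after a valid bundle is in place; run as root from the certbot
# post_hook, e.g. post_hook = ICECAST_DOMAIN=my.cooldomain.com /usr/local/sbin/icecast-bundle.sh
install_for_domain() {
    build_bundle "/etc/letsencrypt/live/$1" /etc/icecast2/bundle.pem
    chown root:icecast2 /etc/icecast2/bundle.pem
    service icecast2 restart
}
[ -z "${ICECAST_DOMAIN:-}" ] || install_for_domain "$ICECAST_DOMAIN"
```

Running `check_bundle /etc/icecast2/bundle.pem` by hand is a quicker way to answer "is my bundle.pem blank or in the wrong order" than opening it in nano.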

Hi @boydbadten, this helped me to set up SSL with Icecast using Apache. Can LibreTime be configured to work with Apache? I have about 10 domains plus sub-domains on the server and moving to Nginx would be risky with all the plugins and .htaccess files involved in the new set up.

Thanks.