Add ssl to your Icecast2 stream - sweet and simple

Hello, this is the most lively topic on the forum about installing an SSL certificate. I have another question: what will happen to the live broadcast that is broadcast via MIXXX with a live presenter to the radio site, after installing an SSL certificate on the libretime and radio site? The 8002/show settings remain on the http protocol. But in your instructions for the reverse proxy server it says that the stream will not be broadcast if the streams are in a different format.

I see all of the posts are regarding SSL and Ubuntu 18. How about Icecast2 and Ubuntu22? I have tried to get the Icecast2 download from Xiph for Ubuntu 22, but with no luck. Any suggestions? I’m not a noob on this, but I’m not experienced either. Kinda in the middle…
Thanks.

Scott

I think this is now the best way to secure your icecast2 plus and any recent versions of Ubuntu:

Thanks, boydbadten. I’ll give it a shot pretty soon.

Hello,
I know I’m a bit late to the party, but I just wanted to leave this comment here for anyone who may end up in the same situation as I did.
I have icecast (2.4.4) running on Windows 10, and I have requested my certificates using the “normal” method using certbot. After I received my certificates, I concatenated them into that file and I noticed that the key is VERY small compared to my previous one (just 3-4 rows).
When I tried to connect to the server I got an error from Firefox saying SSL_ERROR_NO_CYPHER_OVERLAP.
Upon further investigation, certbot is using the key type ecdsa as a default. So, what I did was to run certbot again, but this time with the --key-type rsa option. This gave me a “normal” key that I could paste in the config file and get it going.

Example command: certbot --standalone --key-type rsa

This took me about 6-7 hours to figure out. Don’t be like me

For clarification, do any of the listen-sockets have to be running on port 80?

I believe so. Since there’s no SSL certificate when the certbot first requests one it connects on port 80, not port 443.

Our web server automatically redirects port 80 requests to port 443, but certbot seems to deal with that and still updates automatically.

–Bob.

I got 3 files from Let’s Encrypt:
ca_bundle.crt
certificate.crt
private.key

The certificate.crt file has inside 2 sections of
-----BEGIN CERTIFICATE-----
bla bla bla
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ble ble ble
-----END CERTIFICATE-----

How can I get the .pem file needed for icecast?

Regards folks!!!

Two files fullchain.pem and privkey.pem need to be concatenated for Icecast.

To do this automatically every time certbot updates the cert, I’ve created the following script in the folder /etc/letsencrypt/renewal-hooks/deploy:

#! /bin/bash

# Program       : bundle4icecast
# Purpose       : Create the bundle.pem file after cert updates
# Author        : Bob Jonkman bob@radiowaterloo.ca
# Date          : 19 May 2024
# Note          : This file is intended to run from /etc/letsencrypt/renewal-hooks/deploy
#                       (renewal-hooks/post runs for every renewal attempt; deploy only for successful ones)
#                 - Need to run 'systemctl restart icecast2' because a reload doesn't work
# Modified      : 10 November 2024 : Bob Jonkman
#                 - Using the LetsEncrypt environment variable ${CERTBOT_DOMAIN} to find the domain being updated
#                   - Explicitly set CERTBOT_DOMAIN variable; Certbot version 0.40 does not supply it. Maybe a later version...

CERTBOT_DOMAIN=dev.radiowaterloo.ca

# Certbot passes deploy hooks RENEWED_LINEAGE, the /etc/letsencrypt/live/<domain> directory that was just
# renewed; use it when present and fall back to the hard-coded domain otherwise.
LINEAGE="${RENEWED_LINEAGE:-/etc/letsencrypt/live/${CERTBOT_DOMAIN}}"

# Icecast wants the full chain and the private key in a single PEM file.
# Do not restart icecast2 if the bundle could not be written (it would come up without a usable cert).
cat "${LINEAGE}/fullchain.pem" "${LINEAGE}/privkey.pem" > /etc/icecast2/bundle.pem || exit 1
systemctl restart icecast2
echo Done systemctl restart icecast2, errorlevel= $?

# EOF: bundle4icecast

Hope this helps!
–Bob.

1 Like
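Added example, not code from any post in this thread: a deploy hook in the same spirit as Bob's bundle4icecast, extended with the two checks a practitioner wants before Icecast is restarted. It refuses to write a bundle whose private key does not belong to the leaf certificate (so a stale privkey.pem can never be paired with a fresh fullchain.pem), writes the bundle atomically with mode 0640 because it contains the private key, and reports the certificate's key algorithm so an ECDSA certificate like the one the Windows/2.4.4 poster above hit is noticed instead of discovered in a browser error. The path /etc/icecast2/bundle.pem and the group name icecast are assumptions; RENEWED_LINEAGE is the variable certbot sets for deploy hooks.

```shell
#!/bin/bash
# Added example (not posted in the thread). Builds the Icecast bundle
# (fullchain.pem + privkey.pem) like Bob's deploy hook, but refuses to write
# it when the private key does not match the leaf certificate, writes it with
# mode 0640, and reports the key algorithm so an ECDSA certificate (the case
# the Windows/2.4.4 post ran into) is noticed before Icecast is restarted.
# /etc/icecast2/bundle.pem and the group name "icecast" are assumptions.
set -u

# public_key_algorithm CERT_PEM
#   Prints the leaf certificate's public key algorithm as OpenSSL names it,
#   e.g. "rsaEncryption" or "id-ecPublicKey". openssl x509 only reads the
#   first certificate in a fullchain.pem, which is the leaf.
public_key_algorithm() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1
}

# cert_key_match CERT_PEM KEY_PEM
#   Succeeds only if the public key inside the certificate equals the public
#   key derived from the private key (works for RSA and EC keys alike).
cert_key_match() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# bundle4icecast LINEAGE_DIR OUT_FILE [GROUP]
#   Concatenates LINEAGE_DIR/fullchain.pem and LINEAGE_DIR/privkey.pem into
#   OUT_FILE. The bundle carries the private key, so it is written with mode
#   0640 (group GROUP if given, meant to be the group Icecast runs as) and is
#   never left half-written: the data goes to a temp file that is renamed over
#   OUT_FILE only after every check passed. Returns 0 on success.
bundle4icecast() {
    local lineage=$1 out=$2 group=${3:-}
    local chain="$lineage/fullchain.pem" key="$lineage/privkey.pem" alg tmp

    if [ ! -r "$chain" ] || [ ! -r "$key" ]; then
        echo "bundle4icecast: cannot read $chain or $key" >&2
        return 1
    fi
    if ! cert_key_match "$chain" "$key"; then
        echo "bundle4icecast: refusing to bundle, $key does not match the certificate in $chain" >&2
        return 1
    fi

    alg=$(public_key_algorithm "$chain")
    if [ "$alg" != rsaEncryption ]; then
        echo "bundle4icecast: warning, certificate key algorithm is '$alg', not RSA;" \
             "if Icecast rejects TLS connections, reissue with 'certbot --key-type rsa'" >&2
    fi

    tmp=$(mktemp "$out.XXXXXX") || return 1
    chmod 0640 "$tmp"
    if [ -n "$group" ]; then
        chgrp "$group" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    if ! cat "$chain" "$key" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$out"
}

# When certbot runs this file from renewal-hooks/deploy it sets RENEWED_LINEAGE
# to the /etc/letsencrypt/live/<domain> directory that was just renewed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    bundle4icecast "$RENEWED_LINEAGE" /etc/icecast2/bundle.pem icecast \
        && systemctl restart icecast2
fi
```

Dropped into /etc/letsencrypt/renewal-hooks/deploy and made executable, the file does nothing when run by hand (RENEWED_LINEAGE is unset), which makes it safe to test with `bundle4icecast /etc/letsencrypt/live/<domain> /tmp/bundle.pem` after sourcing it. The match check is the important part: Icecast will happily start with a bundle whose key and certificate disagree and only fail at the TLS handshake, which is exactly the kind of error the thread spent hours on.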

Are you meaning that fullchain.pem & privkey.pem have to be put inside a bundle.pem?