I’m in the process of setting up an Alexa skill for my stream, but Amazon require an SSL connection. I can get this installed on the server, but I’ve read that Icecast requires it to be installed before installing icecast is installed.
Has anybody had any experience in this before I go ahead and break something 
Try doing this after you install Libretime, assuming you already have SSL:
On /etc/apache2/sites-enabled/airtime-le-ssl.conf add this above <Directory>:
SSLProxyEngine on
ProxyPreserveHost On
ProxyRequests Off
ProxyPass /live http://your-site.com:8443/live
ProxyPassReverse /live http://your-site.com:8443/live
*I just renamed the mount point from ‘_a’ to ‘live’, so if you’re using _a just replace it like this:
ProxyPass /live http://your-site.com:8443/_a
ProxyPassReverse /live http://your-site.com:8443/_a
Then you can use https://your-site.com/live for the stream
Thanks for the reply. I’ll give this a go when I get a spare moment and report back 
You can also configure icecast to do ssl directly which would negate the need for a TLS terminating reverse proxy.
Thanks, I’ll take a look at that!
I would love for us to integrate letsencrypt directly into the install process so that these kind of headaches would disappear but this would be a bit of work I imagine and probably introduce additional headaches when certbot fails etc.
@James - slightly off-topic…I’m curious about your Alexa skill. Is it the sort of thing where a listener could ask, “what song is this?” or “what is the name of this track?” and get back artist and track title information?
My primary function would be to say, “Alexa, play < station name > which then just streams from a URL.
You can hook up functionality like the artist and track playing though.
Mainly, I can’t get my station into tune-in, so want to make it easy to listen to for people with smart speakers 
Struggling to get this working properly…
I went for a Certbot install (this guide) on the sub-domain that the software is on and whilst the admin page loads using SSL, the widgets have seemed to have broken.
Also, the thing I wanted it for the most (Icecast SSL enabled), doesn’t seem to work. I’ve enabled the listen port as follows
<listen-socket>
<port>8443</port>
<ssl>1</ssl>
</listen-socket>
Really keen to get SSL enabled on the stream, so any help would be appreciated!
just in case, for icecast-SSL you also need
…
/etc/icecast/your.pem
…
you also need
<paths>
<ssl-certificate> /path/to/your/PEM</ssl-certificate>
</paths>
I copied and translated this from my stations internal wiki, maybe it helps (it’s CentOS specific).
To use TLS with icecast you need a X509 certificate (’‘SSL/TLS certificate’’) and a private key.
How to generate a certificate and private key
sslDir=/etc/ssl/icecast
countryName="CH" # Two-letter (ISO 3166) country code, CH for Switzerland
stateOrProvinceName="Bern" # The full name of the state or province. ex.: Bern, use NA if there is nothing better.
localityName="Bern" # Name of a locality or place, such as a city, ex.: Bern
organizationName="Station Name" # The legal name of the organization
organizationalUnitName="NA" # The name of the organizational unit, use NA if there is nothing better
commonName="stream.example.org" # usually the fully qualified domain name, ex.: www.example.com
# Set a restrictive umask before generating the private key
oldUmask="$(umask)"
umask 027
mkdir --mode=750 "${sslDir}"
chown root:icecast "${sslDir}
openssl req \
-out ${sslDir}/${commonName}.req.pem \
-nodes \
-keyout ${sslDir}/${commonName}.key.pem \
-newkey rsa:4096 \
-sha256 \
-subj "/C=${countryName}/ST=${stateOrProvinceName}/L=${localityName}/O=${organizationName}/OU=${organizationalUnitName}/CN=${commonName}" \
-new
# Restore the umask
umask $oldUmask
# Copy the PEM formatted request
cat "${sslDir}/${commonName}.req.pem"
Now need to buy a certificate that is valid for a 3 year period and get your Certificate-Request signed by the CA. We use a “Comodo PositiveSSL” certificate on our systems.
The signed certificate gets saved to /etc/ssl/icecast/stream.example.org.crt.pem, the included intermediate-CA-bundle to /etc/ssl/icecast/COMODO-RSA-Domain-Validation-Secure-Server-CA.crt.pem.
Icecast wants a full X.509 certificate-chain bundle including the private-key in one file
# Paste content of stream.example.org.crt
cat > ${sslDir}/${commonName}.crt.pem << EOCERT
[...]
EOCERT
# Paste content of stream.example.org.ca-bundle
cat > ${sslDir}/COMODO-RSA-Domain-Validation-Secure-Server-CA.crt.pem << EOCERT
[...]
EOCERT
touch "${sslDir}/${commonName}.bundle.pem"
chmod 640 "${sslDir}/${commonName}.bundle.pem"
chown root:icecast "${sslDir}/${commonName}.bundle.pem"
# Concatenate everything into a bundle
cat "${sslDir}/${commonName}.crt.pem" \
"${sslDir}/COMODO-RSA-Domain-Validation-Secure-Server-CA.crt.pem" \
"${sslDir}/${commonName}.key.pem" > "${sslDir}/${commonName}.bundle.pem"
After this you can configure icecast to use the generated cert/key-bundle. The config should look as follows:
<listen-socket>
<port>443</port>
<ssl>1</ssl>
<bind-address>::</bind-address>
</listen-socket>
<paths>
<ssl-certificate>/etc/ssl/icecast/stream.example.org.bundle.pem</ssl-certificate>
</paths>
This maybe works only, if you have some other vps or something, if you use icecast and libretime same machine and libretime already ssl certificated you must use other ssl port in icecast and then this not working…because libretime stream settings not support ssl
with nginx
you create a subdomain like radio.xbeat.org and you make a reverse proxy in nging and then you can join with https://radio.xbeat.org/stream
example configuration in nginx
sorry about my bad english finally thank you google, me i am french speaker from belgium 
Bonjour,
le nom du fichier ou je met le reverse proxy? stp
merci pour ton aide
I’m very new in icecast ssl seting. Please help for complete step … I use Ubuntu 18.04 and the previous of libretime git. Thanks
I have the same. The widgets are broken after ssl install.
Is there anything i can do about this?
This will be fixable once 3.0.0-beta.0 is released.
