Adding SSL to Libretime (Icecast)

I’m in the process of setting up an Alexa skill for my stream, but Amazon require an SSL connection. I can get this installed on the server, but I’ve read that Icecast requires it to be installed before Icecast itself is installed.

Has anybody had any experience in this before I go ahead and break something :smile:

Try doing this after you install Libretime, assuming you already have SSL:

On /etc/apache2/sites-enabled/airtime-le-ssl.conf add this above <Directory>:

   SSLProxyEngine on
   ProxyPreserveHost On
   ProxyRequests Off
   ProxyPass /live  http://your-site.com:8443/live
   ProxyPassReverse /live  http://your-site.com:8443/live

*I just renamed the mount point from ‘_a’ to ‘live’, so if you’re using _a just replace it like this:

ProxyPass /live  http://your-site.com:8443/_a
ProxyPassReverse /live  http://your-site.com:8443/_a

Then you can use https://your-site.com/live for the stream


Thanks for the reply. I’ll give this a go when I get a spare moment and report back :grin:

You can also configure Icecast to do SSL directly, which would negate the need for a TLS-terminating reverse proxy.


Thanks, I’ll take a look at that!

I would love for us to integrate letsencrypt directly into the install process so that these kinds of headaches would disappear, but this would be a bit of work I imagine and probably introduce additional headaches when certbot fails etc.

@James - slightly off-topic…I’m curious about your Alexa skill. Is it the sort of thing where a listener could ask, “what song is this?” or “what is the name of this track?” and get back artist and track title information?

My primary function would be to say, “Alexa, play <station name>”, which then just streams from a URL.

You can hook up functionality like the artist and track playing though.

Mainly, I can’t get my station into TuneIn, so I want to make it easy to listen to for people with smart speakers :slight_smile:

Struggling to get this working properly…

I went for a Certbot install (this guide) on the sub-domain that the software is on, and whilst the admin page loads using SSL, the widgets seem to have broken.

Also, the thing I wanted it for the most (Icecast SSL enabled) doesn’t seem to work. I’ve enabled the listen port as follows:

<listen-socket>
<port>8443</port>
<ssl>1</ssl>
</listen-socket>

Really keen to get SSL enabled on the stream, so any help would be appreciated!

Just in case, for Icecast SSL you also need a PEM file, e.g.

/etc/icecast/your.pem

and you also need

<paths>
<ssl-certificate>/path/to/your/PEM</ssl-certificate>
</paths>

I copied and translated this from my station’s internal wiki, maybe it helps (it’s CentOS specific).

To use TLS with Icecast you need an X.509 certificate (“SSL/TLS certificate”) and a private key.

How to generate a certificate and private key

sslDir=/etc/ssl/icecast

countryName="CH"                    # Two-letter (ISO 3166) country code, CH for Switzerland
stateOrProvinceName="Bern"          # The full name of the state or province. ex.: Bern, use NA if there is nothing better.
localityName="Bern"                 # Name of a locality or place, such as a city, ex.: Bern
organizationName="Station Name"     # The legal name of the organization
organizationalUnitName="NA"         # The name of the organizational unit, use NA if there is nothing better
commonName="stream.example.org"     # usually the fully qualified domain name, ex.: www.example.com
 
# Set a restrictive umask before generating the private key
oldUmask="$(umask)"
umask 027

mkdir --mode=750 "${sslDir}"
chown root:icecast "${sslDir}"

openssl req \
    -out ${sslDir}/${commonName}.req.pem \
    -nodes \
    -keyout ${sslDir}/${commonName}.key.pem \
    -newkey rsa:4096 \
    -sha256 \
    -subj "/C=${countryName}/ST=${stateOrProvinceName}/L=${localityName}/O=${organizationName}/OU=${organizationalUnitName}/CN=${commonName}" \
    -new

# Restore the umask
umask $oldUmask

# Copy the PEM formatted request
cat "${sslDir}/${commonName}.req.pem"

Now you need to buy a certificate that is valid for a 3 year period and get your certificate request signed by the CA. We use a “Comodo PositiveSSL” certificate on our systems.

The signed certificate gets saved to /etc/ssl/icecast/stream.example.org.crt.pem, the included intermediate-CA-bundle to /etc/ssl/icecast/COMODO-RSA-Domain-Validation-Secure-Server-CA.crt.pem.

Icecast wants a full X.509 certificate-chain bundle including the private key in one file:

# Paste content of stream.example.org.crt
cat > ${sslDir}/${commonName}.crt.pem << EOCERT 
[...]
EOCERT

# Paste content of stream.example.org.ca-bundle
cat > ${sslDir}/COMODO-RSA-Domain-Validation-Secure-Server-CA.crt.pem << EOCERT 
[...]
EOCERT

touch "${sslDir}/${commonName}.bundle.pem"
chmod 640 "${sslDir}/${commonName}.bundle.pem"
chown root:icecast "${sslDir}/${commonName}.bundle.pem"

# Concatenate everything into a bundle
cat "${sslDir}/${commonName}.crt.pem" \
    "${sslDir}/COMODO-RSA-Domain-Validation-Secure-Server-CA.crt.pem" \
    "${sslDir}/${commonName}.key.pem" > "${sslDir}/${commonName}.bundle.pem"

After this you can configure icecast to use the generated cert/key-bundle. The config should look as follows:

       <listen-socket>
           <port>443</port>
           <ssl>1</ssl>
           <bind-address>::</bind-address>
       </listen-socket>
       <paths>
           <ssl-certificate>/etc/ssl/icecast/stream.example.org.bundle.pem</ssl-certificate>
       </paths>
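A config sanity check for the two points raised in this thread, the TLS `<listen-socket>` without a `<paths><ssl-certificate>` and the cert-chain-then-key bundle layout the wiki excerpt builds, as an added example that is not part of the original thread or of Libretime/Icecast code. The XML snippets and PEM contents it uses are constructed placeholders, not real certificates or keys.

```python
"""Check an icecast.xml TLS setup as the thread describes it: <ssl>1</ssl> on a
<listen-socket> only works with <paths><ssl-certificate> naming one PEM file that
holds the certificate chain followed by the private key. Added example, not
Libretime or Icecast code; the XML and PEM bodies are constructed placeholders."""
import re
import xml.etree.ElementTree as ET

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def bundle_problems(pem_text):
    """Icecast reads cert and key from one file: certificate(s) first, one key."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block in bundle")
    elif labels[0] != "CERTIFICATE":
        problems.append("server certificate must be the first block")
    if len(keys) != 1:
        problems.append(f"expected 1 private key, found {len(keys)}")
    return problems

def config_problems(xml_text, read_bundle):
    """read_bundle(path) -> PEM text or None; production code opens the file."""
    root = ET.fromstring(xml_text)
    tls_ports = [ls.findtext("port") for ls in root.iter("listen-socket")
                 if (ls.findtext("ssl") or "0").strip() == "1"]
    if not tls_ports:
        return []  # no TLS listener, nothing to check
    cert_path = root.findtext("paths/ssl-certificate")
    if cert_path is None:
        return [f"ssl=1 on port(s) {tls_ports} but no <paths><ssl-certificate>"]
    problems = []
    if cert_path != cert_path.strip():  # "<ssl-certificate> /path</ssl-certificate>"
        problems.append("ssl-certificate path has surrounding whitespace")
    pem_text = read_bundle(cert_path.strip())
    if pem_text is None:
        return problems + [f"bundle {cert_path.strip()} not readable"]
    return problems + bundle_problems(pem_text)

# Constructed samples: the asker's config (no <paths>) and a corrected copy.
ASKER_XML = "<icecast><listen-socket><port>8443</port><ssl>1</ssl></listen-socket></icecast>"
BUNDLE_PATH = "/etc/ssl/icecast/stream.example.org.bundle.pem"
FIXED_XML = ASKER_XML.replace(
    "</icecast>", f"<paths><ssl-certificate>{BUNDLE_PATH}</ssl-certificate></paths></icecast>")
def fake_pem(label, body):  # placeholder PEM block, body is not real DER data
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
GOOD_BUNDLE = (fake_pem("CERTIFICATE", "c2VydmVy") + fake_pem("CERTIFICATE", "aW50ZXI=")
               + fake_pem("PRIVATE KEY", "a2V5"))
CHAIN_ONLY = GOOD_BUNDLE.rsplit("-----BEGIN PRIVATE KEY", 1)[0]
```

Run `config_problems(ASKER_XML, ...)` and `config_problems(FIXED_XML, ...)` side by side to see the missing `<paths>` reported for the first and nothing for the second.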