Adding SSL to Libretime (Icecast)

I’m in the process of setting up an Alexa skill for my stream, but Amazon require an SSL connection. I can get this installed on the server, but I’ve read that Icecast requires it to be installed before installing icecast is installed.

Has anybody had any experience in this before I go ahead and break something :smile:

Try doing this after you install Libretime, assuming you already have SSL:

On /etc/apache2/sites-enabled/airtime-le-ssl.conf add this above <Directory>:

   SSLProxyEngine on
   ProxyPreserveHost On
   ProxyRequests Off
   ProxyPass /live
   ProxyPassReverse /live

*I just renamed the mount point from ‘_a’ to ‘live’, so if you’re using _a just replace it like this:

ProxyPass /live
ProxyPassReverse /live

Then you can use for the stream


Thanks for the reply. I’ll give this a go when I get a spare moment and report back :grin:

You can also configure icecast to do ssl directly which would negate the need for a TLS terminating reverse proxy.

1 Like

Thanks, I’ll take a look at that!

I would love for us to integrate letsencrypt directly into the install process so that these kind of headaches would disappear but this would be a bit of work I imagine and probably introduce additional headaches when certbot fails etc.

@James - slightly off-topic…I’m curious about your Alexa skill. Is it the sort of thing where a listener could ask, “what song is this?” or “what is the name of this track?” and get back artist and track title information?

My primary function would be to say, “Alexa, play < station name > which then just streams from a URL.

You can hook up functionality like the artist and track playing though.

Mainly, I can’t get my station into tune-in, so want to make it easy to listen to for people with smart speakers :slight_smile:

Struggling to get this working properly…

I went for a Certbot install (this guide) on the sub-domain that the software is on and whilst the admin page loads using SSL, the widgets have seemed to have broken.

Also, the thing I wanted it for the most (Icecast SSL enabled), doesn’t seem to work. I’ve enabled the listen port as follows


Really keen to get SSL enabled on the stream, so any help would be appreciated!

just in case, for icecast-SSL you also need


you also need

<ssl-certificate> /path/to/your/PEM</ssl-certificate>

I copied and translated this from my stations internal wiki, maybe it helps (it’s CentOS specific).

To use TLS with icecast you need a X509 certificate (’‘SSL/TLS certificate’’) and a private key.

How to generate a certificate and private key


countryName="CH"                    # Two-letter (ISO 3166) country code, CH for Switzerland
stateOrProvinceName="Bern"          # The full name of the state or province. ex.: Bern, use NA if there is nothing better.
localityName="Bern"                 # Name of a locality or place, such as a city, ex.: Bern
organizationName="Station Name"     # The legal name of the organization
organizationalUnitName="NA"         # The name of the organizational unit, use NA if there is nothing better
commonName=""     # usually the fully qualified domain name, ex.:
# Set a restrictive umask before generating the private key
umask 027

mkdir --mode=750 "${sslDir}"
chown root:icecast "${sslDir}

openssl req \
    -out ${sslDir}/${commonName}.req.pem \
    -nodes \
    -keyout ${sslDir}/${commonName}.key.pem \
    -newkey rsa:4096 \
    -sha256 \
    -subj "/C=${countryName}/ST=${stateOrProvinceName}/L=${localityName}/O=${organizationName}/OU=${organizationalUnitName}/CN=${commonName}" \

# Restore the umask
umask $oldUmask

# Copy the PEM formatted request
cat "${sslDir}/${commonName}.req.pem"

Now need to buy a certificate that is valid for a 3 year period and get your Certificate-Request signed by the CA. We use a “Comodo PositiveSSL” certificate on our systems.

The signed certificate gets saved to /etc/ssl/icecast/, the included intermediate-CA-bundle to /etc/ssl/icecast/COMODO-RSA-Domain-Validation-Secure-Server-CA.crt.pem.

Icecast wants a full X.509 certificate-chain bundle including the private-key in one file

# Paste content of
cat > ${sslDir}/${commonName}.crt.pem << EOCERT 

# Paste content of
cat > ${sslDir}/COMODO-RSA-Domain-Validation-Secure-Server-CA.crt.pem << EOCERT 

touch "${sslDir}/${commonName}.bundle.pem"
chmod 640 "${sslDir}/${commonName}.bundle.pem"
chown root:icecast "${sslDir}/${commonName}.bundle.pem"

# Concatenate everything into a bundle
cat "${sslDir}/${commonName}.crt.pem" \
    "${sslDir}/COMODO-RSA-Domain-Validation-Secure-Server-CA.crt.pem" \
    "${sslDir}/${commonName}.key.pem" > "${sslDir}/${commonName}.bundle.pem"

After this you can configure icecast to use the generated cert/key-bundle. The config should look as follows:

1 Like

This maybe works only, if you have some other vps or something, if you use icecast and libretime same machine and libretime already ssl certificated you must use other ssl port in icecast and then this not working…because libretime stream settings not support ssl

with nginx

you create a subdomain like and you make a reverse proxy in nging and then you can join with

example configuration in nginx

sorry about my bad english finally thank you google, me i am french speaker from belgium :wink:

le nom du fichier ou je met le reverse proxy? stp

merci pour ton aide

I’m very new in icecast ssl seting. Please help for complete step … I use Ubuntu 18.04 and the previous of libretime git. Thanks

I have the same. The widgets are broken after ssl install.
Is there anything i can do about this?

This will be fixable once 3.0.0-beta.0 is released.

1 Like