I copied and translated this from my station's internal wiki, maybe it helps (it's CentOS specific).
To use TLS with Icecast you need an X.509 certificate (“SSL/TLS certificate”) and a private key.
How to generate a certificate and private key
sslDir=/etc/ssl/icecast
countryName="CH" # Two-letter (ISO 3166) country code, CH for Switzerland
stateOrProvinceName="Bern" # The full name of the state or province. ex.: Bern, use NA if there is nothing better.
localityName="Bern" # Name of a locality or place, such as a city, ex.: Bern
organizationName="Station Name" # The legal name of the organization
organizationalUnitName="NA" # The name of the organizational unit, use NA if there is nothing better
commonName="stream.example.org" # usually the fully qualified domain name, ex.: www.example.com
# Set a restrictive umask before generating the private key
oldUmask="$(umask)"
umask 027
mkdir --mode=750 "${sslDir}"
chown root:icecast "${sslDir}"
openssl req \
  -out "${sslDir}/${commonName}.req.pem" \
  -nodes \
  -keyout "${sslDir}/${commonName}.key.pem" \
  -newkey rsa:4096 \
  -sha256 \
  -subj "/C=${countryName}/ST=${stateOrProvinceName}/L=${localityName}/O=${organizationName}/OU=${organizationalUnitName}/CN=${commonName}" \
  -new
# Restore the umask
umask "${oldUmask}"
# Copy the PEM formatted request
cat "${sslDir}/${commonName}.req.pem"
Now you need to buy a certificate that is valid for a 3 year period and get your Certificate-Request signed by the CA. We use a “Comodo PositiveSSL” certificate on our systems.
The signed certificate gets saved to /etc/ssl/icecast/stream.example.org.crt.pem, the included intermediate-CA-bundle to /etc/ssl/icecast/COMODO-RSA-Domain-Validation-Secure-Server-CA.crt.pem.
Icecast wants a full X.509 certificate-chain bundle including the private key in one file:
# Paste content of stream.example.org.crt
cat > "${sslDir}/${commonName}.crt.pem" << EOCERT
[...]
EOCERT
# Paste content of stream.example.org.ca-bundle
cat > "${sslDir}/COMODO-RSA-Domain-Validation-Secure-Server-CA.crt.pem" << EOCERT
[...]
EOCERT
touch "${sslDir}/${commonName}.bundle.pem"
chmod 640 "${sslDir}/${commonName}.bundle.pem"
chown root:icecast "${sslDir}/${commonName}.bundle.pem"
# Concatenate everything into a bundle
cat "${sslDir}/${commonName}.crt.pem" \
"${sslDir}/COMODO-RSA-Domain-Validation-Secure-Server-CA.crt.pem" \
"${sslDir}/${commonName}.key.pem" > "${sslDir}/${commonName}.bundle.pem"
After this you can configure icecast to use the generated cert/key-bundle. The config should look as follows:
<listen-socket>
    <port>443</port>
    <ssl>1</ssl>
    <bind-address>::</bind-address>
</listen-socket>
<paths>
    <ssl-certificate>/etc/ssl/icecast/stream.example.org.bundle.pem</ssl-certificate>
</paths>
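
Added example, not part of the original post or the station's wiki: a small POSIX shell script that checks the finished bundle (block layout, file mode, key belongs to the leaf certificate) before Icecast is pointed at it. The function names and the script name are made up for this sketch; it assumes GNU `stat` and the `openssl` command-line tool.

```sh
#!/bin/sh
# Added example: pre-flight checks for the bundle the steps above produce.
# Function names are made up for this sketch; stat -c is GNU coreutils (CentOS).

# Print the PEM block types in file order, e.g. CERTIFICATE / PRIVATE KEY.
bundle_layout() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Leaf cert first, at least one intermediate, exactly one unencrypted key
# (the key above is generated with -nodes, so ENCRYPTED means a wrong paste).
check_bundle_layout() {
    layout="$(bundle_layout "$1")"
    certs="$(printf '%s\n' "$layout" | grep -c '^CERTIFICATE$' || true)"
    keys="$(printf '%s\n' "$layout" | grep -c 'PRIVATE KEY$' || true)"
    first="$(printf '%s\n' "$layout" | head -n 1)"
    [ "$first" = "CERTIFICATE" ] && [ "$certs" -ge 2 ] && [ "$keys" -eq 1 ] &&
        ! printf '%s\n' "$layout" | grep -q '^ENCRYPTED'
}

# The bundle holds the private key: no group write, nothing for "other"
# (640 as set above, or tighter).
check_bundle_mode() {
    mode="$(stat -c '%a' "$1")" && [ "$(( 0$mode & 027 ))" -eq 0 ]
}

# The key in the bundle must belong to the first (leaf) certificate:
# compare the public key derived from each. Needs the openssl CLI.
key_matches_cert() {
    cert_pub="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" &&
        key_pub="$(openssl pkey -in "$1" -pubout 2>/dev/null)" &&
        [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh check-bundle.sh /etc/ssl/icecast/stream.example.org.bundle.pem
if [ -n "${1:-}" ]; then
    rc=0
    check_bundle_layout "$1" || { echo "FAIL: block layout" >&2; rc=1; }
    check_bundle_mode "$1" || { echo "FAIL: mode looser than 640" >&2; rc=1; }
    key_matches_cert "$1" || { echo "FAIL: key does not match leaf cert" >&2; rc=1; }
    exit "$rc"
fi
```

A mismatch in the last check usually means the signed certificate was issued for a different request than the key in `${sslDir}`.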