HTTPS on Libretime

Hi, I'm looking for some assistance to get my Libretime instance to be HTTPS.

The server (latest version of Libre) is built on Ubuntu 20.04 and all running just fine. I built a second (test) server to try out the instructions shown on the Install pages, but something is wrong here and it broke everything.

Can someone please point me in the right direction, as it's becoming a problem for me.

Best

Lee

LeeJames, I've just accomplished this over the weekend, when I moved from the regular system install to Docker.
However, the principle is the same.
Set up your nginx server to use ports 80 and 443, inserting a snippet to plug in the certificates blah.crt and blah.key.
Within Icecast it is also relatively simple, but for this you need to create a PEM file containing the two previously mentioned files. A good article explaining Icecast and SSL is here.
The SSL Store provides a great article on SSL in nginx.
Hope this helps,
Chris.

Hi Chris, thanks for this, but I may need a bit more detail. I've broken this too many times now and I'm worried about doing it on the actual Libre server.

Cheers

L

I understand, let's see if I can help with this.
This is the nginx conf file that contains the SSL info:

server {

    access_log /var/log/nginx/libretime.access.log;
    error_log /var/log/nginx/libretime.error.log;

    # SSL configuration
    #
    listen ewcmiradio.com:443 ssl default_server;
    include snippets/ewcmiradio.ssl.conf;

    root /usr/share/libretime/legacy/public;

    index index.php index.html index.htm;

    client_max_body_size 512M;
    client_body_timeout 300s;

    # the dot must be escaped, otherwise "\." matched any character
    location ~ \.php$ {
        fastcgi_buffers 64 4K;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;

        # try_files $uri =404;
        try_files $fastcgi_script_name =404;

        include fastcgi_params;

        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        set $path_info $fastcgi_path_info;
        fastcgi_param PATH_INFO $path_info;
        include fastcgi_params;

        fastcgi_index index.php;
        fastcgi_pass unix:/run/libretime-legacy.sock;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ ^/(api/v2|api-auth) {
        include proxy_params;
        proxy_redirect off;
        proxy_pass http://unix:/run/libretime-api.sock;
    }
}

And the following is the file in the snippet location.

# Signed certificates generated by the ssl-cert package
ssl_certificate /etc/ssl/certs/ewcmiradio_com.bundle.pem;
ssl_certificate_key /etc/ssl/private/ewcmiradio_com.key;

Of course, anything that states ewcmiradio is what you need to replace with your own information.
For the Icecast PEM certificate, we did the following.
To create the ewcmiradio_com.icecast.bundle.pem we execute the following command:

myprompt$  cat ewcmiradio_com.crt ewcmiradio_com.key > ./ewcmiradio_com.bundle.pem

This is a snip of our icecast.xml concerning the SSL info.

<-- SNIPP

<paths>
    <basedir>/usr/share/icecast</basedir>

    <logdir>/var/log/icecast</logdir>

    <webroot>/usr/share/icecast/web</webroot>
    <adminroot>/usr/share/icecast/admin</adminroot>
    <alias source="/" destination="/status.xsl"/>

    <ssl-certificate>/etc/ssl/certs/ewcmiradio_com.bundle.pem</ssl-certificate>
</paths>

<logging>

<-- SNIPP

All this together worked for me. If you need to create certificates for your test server, I suggest creating a self-signed one for that purpose.
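As an added check (not part of the thread or of LibreTime's own tooling), here is a small Python script that validates a bundle like ewcmiradio_com.bundle.pem before handing it to Icecast: the certificate must come before the key, there must be exactly one key, OpenSSL must accept the pair, and since the file now carries the private key it should not be group/world readable (as files under /etc/ssl/certs normally are). The PEM text inside is constructed and is not real key material.

```python
"""Sanity-check an Icecast PEM bundle built with `cat site.crt site.key > bundle.pem`."""
import os
import re
import ssl
import tempfile

# One PEM block: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----" with matching labels.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----", re.S)

# Constructed sample, NOT real key material: the key was pasted before the certificate.
CONSTRUCTED_BAD_BUNDLE = (
    "-----BEGIN PRIVATE KEY-----\nQUJDREVGR0g=\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nQUJDREVGR0g=\n-----END CERTIFICATE-----\n"
)


def pem_block_types(text):
    """Return the PEM labels in file order, e.g. ['CERTIFICATE', 'PRIVATE KEY']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def structural_problems(text, mode):
    """Findings about block layout and the file mode (an int such as 0o644)."""
    labels = pem_block_types(text)
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    if labels and labels[0] != "CERTIFICATE":
        problems.append("leaf certificate must come first (cat crt key, not key crt)")
    if keys and mode & 0o044:  # readable by group or others
        problems.append("bundle holds a private key but is group/world readable")
    return problems


def openssl_accepts(text):
    """Let OpenSSL parse cert and key from the bundle text; a key/cert mismatch fails here."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    try:
        # With keyfile omitted, load_cert_chain reads the private key from the same file.
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(path)
        return True, ""
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return False, str(exc)
    finally:
        os.unlink(path)
```

For a real bundle, read the file, pass its text and `stat.S_IMODE(os.stat(path).st_mode)` to `structural_problems`, then call `openssl_accepts` on the same text.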

OK so I've gotten so far.
The web domain is set up at rockradio.ddns.net but it returns an error saying
This page isn't working at the moment

rockradio.ddns.net can't currently handle this request.

HTTP ERROR 503

However if I append absolutely anything to the URL it loads the Libretime tape graphic and says
Oops something went wrong (Example https://rockradio.ddns.net/whatever)

So I must be close here but definitely stuck at this point

Next thing I would look at is where the HTML files are truly living.
One of the files that is in the location that produces your page is robots.txt, which in my, and most other cases, will be in something/something/legacy/public.
Which means that in your website's conf file the root needs to be set to:
something/something/legacy/public OR something/something/html/public
The tape graphic page was appearing when the conf file was pointing to HTTP files and the nginx conf was pointing to HTTPS.
It is most likely something silly like that.
Chris.

Sorry it took a while to get back to you. I got it all working now. Ended up doing a fresh build and followed the instructions on the install setup page. And as if by magic . . . all worked without any real issues! Thanks for your assistance.


I have a slightly different problem, but it is still connected to HTTPS on Libretime.

I'm using a Proxmox container

root@Radio:~# cat /etc/os-release 
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"

and the latest Libretime release

wget https://github.com/libretime/libretime/releases/download/3.1.0/libretime-3.1.0.tar.gz

root@Radio:~# sudo systemctl --all --plain | grep libretime
  libretime-analyzer.service             loaded    active   running   LibreTime Media Analyzer Service                             
  libretime-api.service                  loaded    active   running   LibreTime API Service                                        
  libretime-liquidsoap.service           loaded    active   running   LibreTime Liquidsoap Service                                 
  libretime-playout.service              loaded    active   running   LibreTime Playout Service                                    
  libretime-worker.service               loaded    active   running   LibreTime Worker Service                                     
  libretime-api.socket                   loaded    active   running   LibreTime API Socket                                         
  libretime.target                       loaded    active   active    LibreTime Services                                     

I managed to secure my Libretime website, and I can log in and add songs.
Now I'm trying to secure Icecast and Liquidsoap.

I followed the installation guide, which includes a secure part.

Here is more info about ports:

root@Radio:~# ss -tulpn
Netid     State      Recv-Q     Send-Q              Local Address:Port          Peer Address:Port    Process                                                                                              
udp       UNCONN     0          0                   127.0.0.53%lo:53                 0.0.0.0:*        users:(("systemd-resolve",pid=99,fd=12))                                                            
udp       UNCONN     0          0              192.168.88.17%eth0:68                 0.0.0.0:*        users:(("systemd-network",pid=82,fd=18))                                                            
tcp       LISTEN     0          128                       0.0.0.0:25672              0.0.0.0:*        users:(("beam.smp",pid=151,fd=77))                                                                  
tcp       LISTEN     0          511                       0.0.0.0:80                 0.0.0.0:*        users:(("nginx",pid=402,fd=12),("nginx",pid=401,fd=12))                                             
tcp       LISTEN     0          511                       0.0.0.0:8080               0.0.0.0:*        users:(("nginx",pid=402,fd=8),("nginx",pid=401,fd=8))                                               
tcp       LISTEN     0          10                      127.0.0.1:1234               0.0.0.0:*        users:(("liquidsoap",pid=13825,fd=13))                                                              
tcp       LISTEN     0          4096                127.0.0.53%lo:53                 0.0.0.0:*        users:(("systemd-resolve",pid=99,fd=13))                                                            
tcp       LISTEN     0          244                     127.0.0.1:5432               0.0.0.0:*        users:(("postgres",pid=472,fd=4))                                                                   
tcp       LISTEN     0          100                     127.0.0.1:25                 0.0.0.0:*        users:(("master",pid=527,fd=13))                                                                    
tcp       LISTEN     0          5                         0.0.0.0:8443               0.0.0.0:*        users:(("icecast2",pid=407,fd=4))                                                                   
tcp       LISTEN     0          511                       0.0.0.0:443                0.0.0.0:*        users:(("nginx",pid=402,fd=11),("nginx",pid=401,fd=11))                                             
tcp       LISTEN     0          5                         0.0.0.0:8000               0.0.0.0:*        users:(("icecast2",pid=407,fd=5))                                                                   
tcp       LISTEN     0          2                         0.0.0.0:8001               0.0.0.0:*        users:(("liquidsoap",pid=13825,fd=16))                                                              
tcp       LISTEN     0          2                         0.0.0.0:8002               0.0.0.0:*        users:(("liquidsoap",pid=13825,fd=19))                                                              
tcp       LISTEN     0          128                             *:5672                     *:*        users:(("beam.smp",pid=151,fd=92))                                                                  
tcp       LISTEN     0          511                          [::]:80                    [::]:*        users:(("nginx",pid=402,fd=13),("nginx",pid=401,fd=13))                                             
tcp       LISTEN     0          511                          [::]:8080                  [::]:*        users:(("nginx",pid=402,fd=9),("nginx",pid=401,fd=9))                                               
tcp       LISTEN     0          4096                            *:4369                     *:*        users:(("epmd",pid=114,fd=3),("systemd",pid=1,fd=38))                                               
tcp       LISTEN     0          4096                            *:22                       *:*        users:(("systemd",pid=1,fd=40))                                                                     
tcp       LISTEN     0          244                         [::1]:5432                  [::]:*        users:(("postgres",pid=472,fd=3))                                                                   
tcp       LISTEN     0          100                         [::1]:25                    [::]:*        users:(("master",pid=527,fd=14))                                                                    
tcp       LISTEN     0          511                          [::]:443                   [::]:*        users:(("nginx",pid=402,fd=10),("nginx",pid=401,fd=10))  

Now when I try to open http://my.site.net:8443/ it says it cannot be reached,
but http://my.site.net:8000/ still works.

I noticed that after sudo systemctl restart libretime.target, at one point in Settings > Streams the Port (Required) field was 8443, but after a site refresh it became 8000 again :confused:
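To make an ss -tulpn listing like the one above easier to reason about, here is an added Python helper (not from the thread or from LibreTime) that parses ss output and lists every listener bound to all interfaces other than the ports nginx is expected to expose; the sample rows are a constructed excerpt modelled on the listing above, with PIDs and ports taken from it.

```python
"""Classify listeners from `ss -tulpn` output: loopback-only vs reachable from the network."""
import re

# Constructed excerpt modelled on the thread's `ss -tulpn` output.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=402,fd=12),("nginx",pid=401,fd=12))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=402,fd=11),("nginx",pid=401,fd=11))
tcp   LISTEN 0      5            0.0.0.0:8000      0.0.0.0:*    users:(("icecast2",pid=407,fd=5))
tcp   LISTEN 0      5            0.0.0.0:8443      0.0.0.0:*    users:(("icecast2",pid=407,fd=4))
tcp   LISTEN 0      2            0.0.0.0:8001      0.0.0.0:*    users:(("liquidsoap",pid=13825,fd=16))
tcp   LISTEN 0      10         127.0.0.1:1234      0.0.0.0:*    users:(("liquidsoap",pid=13825,fd=13))
tcp   LISTEN 0      244        127.0.0.1:5432      0.0.0.0:*    users:(("postgres",pid=472,fd=4))
tcp   LISTEN 0      128                *:5672            *:*    users:(("beam.smp",pid=151,fd=92))
tcp   LISTEN 0      244            [::1]:5432         [::]:*    users:(("postgres",pid=472,fd=3))
"""

# proto, state, recv-q, send-q, local addr:port, peer addr:port, process column
ROW = re.compile(r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+(?P<proc>.*)$")
PROC = re.compile(r'\("([^"]+)"')  # process names inside users:(("name",pid=..,fd=..))
LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}


def split_local(local):
    """'[::1]:5432' -> ('[::1]', 5432); '127.0.0.53%lo:53' -> ('127.0.0.53', 53)."""
    addr, _, port = local.rpartition(":")
    return addr.split("%")[0], int(port)


def parse_ss(text):
    """Yield (proto, addr, port, process) for each socket row; the header row is skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        addr, port = split_local(m.group("local"))
        names = sorted(set(PROC.findall(m.group("proc"))))
        yield m.group("proto"), addr, port, ",".join(names) or "?"


def exposed_listeners(text, fronted_by_proxy=()):
    """Return {port: process} for sockets bound on every interface, minus the proxy's own ports."""
    return {
        port: proc
        for _, addr, port, proc in parse_ss(text)
        if addr not in LOOPBACK and port not in fronted_by_proxy
    }
```

With 80 and 443 given as the proxy's own ports, the constructed sample reports Icecast (8000, 8443), the Liquidsoap harbor (8001) and RabbitMQ (5672) as reachable from the network, while PostgreSQL and the Liquidsoap telnet port stay loopback-only.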

Better show us your icecast configuration file. Did you create a pem file? And did you modify your icecast conf file?
This post shows how to do this: Add ssl to your Icecast2 stream - sweet and simple

In my case the issue was not with the Icecast configuration, this was all OK; my problem was with the proxy server in front of it.
The problem is that Icecast does not run on port 443, or any other for that case.

server {
    listen ewcmiradio.com:80;
    server_name ewcmiradio.com;

    if ($host = ewcmiradio.com) {
        #return 301 https://$host$request_uri;
        # $request_uri already starts with "/", so no extra slash goes before it
        rewrite ^ https://ewcmiradio.com$request_uri? permanent;
    }

    location /stream {
        proxy_pass http://xxx.xxx.xxx.xxx:8000/stream;
    }

}

server {
    listen ewcmiradio.com:443 ssl;
    server_name ewcmiradio.com;

    ssl_certificate /etc/ssl/certs/xxxxxxxx.xxxxxx.xxxxx.pem;
    ssl_certificate_key /etc/ssl/private/xxxxxxxxxxxxxx.key;
    #include /etc/letsencrypt/options-ssl-nginx.conf;
    #ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Port  $server_port;

        proxy_pass http://xxx.xxx.xxx.xxx:8080/;
    }

    location /stream {
        proxy_pass http://xxx.xxx.xxx.xxx:8443/stream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Set HTTP/1.1 support for the reverse proxy
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /stream.mp3 {
        proxy_pass http://xxx.xxx.xxx.xxx:8443/stream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Set HTTP/1.1 support for the reverse proxy
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /stream.m3u {
        proxy_pass http://xxx.xxx.xxx.xxx:8443/stream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Set HTTP/1.1 support for the reverse proxy
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    client_max_body_size 96m;

}

This conf file solved it for me, and even Alexa is accepting the stream without any issues.

BTW, I have a second server running on 80 and 443, hence the use of high ports.