HTTPS on Libretime

Hi Im looking for some assistance to get my Libretime instance to be HTTPS

The server (latest version of Libre) is built on Ubuntu 20.04 and all running just fine. I built a second (Test server) to try out the instructions show on the Install pages but something is wrong here and it broke everything.

Can some please point me in the right direction as its becoming a problem for me.



LeeJames, I’ve just accomplished this over the weekend, when I moved from the regular system install to docker.
However, the principle is the same.
Setup your nginx server to use port 80 and 443 inserting a snippet to plug in the certificates blah.crt and blah.key
Within Icecast it is also relatively simple, but for this you need to create a pem file containing the two previously mentioned files. a good article explaining icecast and SSL is here
the SSL store provides a great article on SSL in nginx.
Hope this helps,

Hi Chris thanks for this but i may need a bit more detail. Ive broken this too many times now and im worried about doing it on the actual libre server



I understand, let’s see if I can help with this.
This is the nginx conf file that contains the SSL info
server {

access_log /var/log/nginx/libretime.access.log;
error_log /var/log/nginx/libretime.error.log;

# SSL configuration
listen ssl default_server;
include snippets/ewcmiradio.ssl.conf;

root /usr/share/libretime/legacy/public;

index index.php index.html index.htm;

client_max_body_size 512M;
client_body_timeout 300s;

location ~ .php$ {
fastcgi_buffers 64 4K;
fastcgi_split_path_info ^(.+.php)(/.+)$;

# try_files $uri =404;
try_files $fastcgi_script_name =404;

include fastcgi_params;

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
include fastcgi_params;

fastcgi_index index.php;
fastcgi_pass unix:/run/libretime-legacy.sock;


location / {
try_files $uri $uri/ /index.php$is_args$args;

location ~ ^/(api/v2|api-auth) {
include proxy_params;
proxy_redirect off;
proxy_pass http://unix:/run/libretime-api.sock;

And the following is the file in the snippet location.

Signed certificates generated by the ssl-cert package

ssl_certificate /etc/ssl/certs/ewcmiradio_com.bundle.pem;
ssl_certificate_key /etc/ssl/private/ewcmiradio_com.key;

Of course, anything that states ewcmiradio is what you need to replace with your own information.
For the Icecast Pem certificate, we did the following.
To create the ewcmiradio_com.icecast.bundle.pem we do execute the following command;

myprompt$  cat ewcmiradio_com.crt ewcmiradio_com.key > ./ewcmiradio_com.bundle.pem

This is as snip of our icecast.xml info concerning the SSL info.



    <alias source="/" destination="/status.xsl"/>




All this together worked for me, if you need to create certificates for your test server I suggest to create a self signed one for that purpose.

OK so ive gotten so far.
The web domain is set up at but it returns an error saying
This page isn’t working at the moment can’t currently handle this request.


However if i appent the url with absoluty anything it loads the libretime tape graphic and says
Opps something went wrong (Example

So I must be close here but definatly stck at this point

Next thing I would look at is where the HTML files are truly living.
one of the files that is in the location that produces your page is robots.txt which in my, and most other cases will be in something/something/legacy/public
Which means that in your websites conf file the root needs to set to;
something/something/legacy/public OR something/something/html/public
The tape graphic page was appearing when conf file was pointing to HTTP files and the nginx conf was pointing to HTTPS.
it is most likely something silly like that.

sorry it took a while to get back to you. I got it all working now. Ended up doing a fresh build and followed the instructions on the install setup page. And as if by magic . . . All worked without any real issues! Thanks for your assistance

1 Like

I have a little bit different problem but still is connected to HTTPS on Libretime.

Im using proxmox container

root@Radio:~# cat /etc/os-release 
VERSION="20.04.6 LTS (Focal Fossa)"
PRETTY_NAME="Ubuntu 20.04.6 LTS"

and latest Libretime Release


root@Radio:~# sudo systemctl --all --plain | grep libretime
  libretime-analyzer.service             loaded    active   running   LibreTime Media Analyzer Service                             
  libretime-api.service                  loaded    active   running   LibreTime API Service                                        
  libretime-liquidsoap.service           loaded    active   running   LibreTime Liquidsoap Service                                 
  libretime-playout.service              loaded    active   running   LibreTime Playout Service                                    
  libretime-worker.service               loaded    active   running   LibreTime Worker Service                                     
  libretime-api.socket                   loaded    active   running   LibreTime API Socket                                                         loaded    active   active    LibreTime Services                                     

I manage to secure my Libretime website, and i can login, add songs
Now im trying to secure icecast and liquidsoap

I follow the instalation guide which include secure part

Here is more info about ports:

root@Radio:~# ss -tulpn
Netid     State      Recv-Q     Send-Q              Local Address:Port          Peer Address:Port    Process                                                                                              
udp       UNCONN     0          0                *        users:(("systemd-resolve",pid=99,fd=12))                                                            
udp       UNCONN     0          0           *        users:(("systemd-network",pid=82,fd=18))                                                            
tcp       LISTEN     0          128                 *        users:(("beam.smp",pid=151,fd=77))                                                                  
tcp       LISTEN     0          511                    *        users:(("nginx",pid=402,fd=12),("nginx",pid=401,fd=12))                                             
tcp       LISTEN     0          511                  *        users:(("nginx",pid=402,fd=8),("nginx",pid=401,fd=8))                                               
tcp       LISTEN     0          10                 *        users:(("liquidsoap",pid=13825,fd=13))                                                              
tcp       LISTEN     0          4096             *        users:(("systemd-resolve",pid=99,fd=13))                                                            
tcp       LISTEN     0          244                *        users:(("postgres",pid=472,fd=4))                                                                   
tcp       LISTEN     0          100                  *        users:(("master",pid=527,fd=13))                                                                    
tcp       LISTEN     0          5                    *        users:(("icecast2",pid=407,fd=4))                                                                   
tcp       LISTEN     0          511                   *        users:(("nginx",pid=402,fd=11),("nginx",pid=401,fd=11))                                             
tcp       LISTEN     0          5                    *        users:(("icecast2",pid=407,fd=5))                                                                   
tcp       LISTEN     0          2                    *        users:(("liquidsoap",pid=13825,fd=16))                                                              
tcp       LISTEN     0          2                    *        users:(("liquidsoap",pid=13825,fd=19))                                                              
tcp       LISTEN     0          128                             *:5672                     *:*        users:(("beam.smp",pid=151,fd=92))                                                                  
tcp       LISTEN     0          511                          [::]:80                    [::]:*        users:(("nginx",pid=402,fd=13),("nginx",pid=401,fd=13))                                             
tcp       LISTEN     0          511                          [::]:8080                  [::]:*        users:(("nginx",pid=402,fd=9),("nginx",pid=401,fd=9))                                               
tcp       LISTEN     0          4096                            *:4369                     *:*        users:(("epmd",pid=114,fd=3),("systemd",pid=1,fd=38))                                               
tcp       LISTEN     0          4096                            *:22                       *:*        users:(("systemd",pid=1,fd=40))                                                                     
tcp       LISTEN     0          244                         [::1]:5432                  [::]:*        users:(("postgres",pid=472,fd=3))                                                                   
tcp       LISTEN     0          100                         [::1]:25                    [::]:*        users:(("master",pid=527,fd=14))                                                                    
tcp       LISTEN     0          511                          [::]:443                   [::]:*        users:(("nginx",pid=402,fd=10),("nginx",pid=401,fd=10))  

Now when im trying to open it says it says it cannot be reached
but still works

I notice that after sudo systemctl restart at one point in Settings > Streams, section Port (Required) field is 8443, but after site refresh it became 8000 again :confused:

Better show us your icecast configuration file. Did you create a pem file? And did you modify your icecast conf file?
This post shows how to do this: Add ssl to your Icecast2 stream - sweet and simple

In my case the issue was not with the icecast configuration, this was all ok, my problem was with the proxy server in front of it.
The problem that Icecast does not run on port 443 or other for that case.

server {

if ($host = {
    #return 301 https://$host$request_uri;
    rewrite ^$request_uri? permanent;

location /stream {


server {
listen ssl;

ssl_certificate /etc/ssl/certs/xxxxxxxx.xxxxxx.xxxxx.pem;
ssl_certificate_key /etc/ssl/private/xxxxxxxxxxxxxx.key;
#include /etc/letsencrypt/options-ssl-nginx.conf;
#ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

location / {
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Port  $server_port;


location /stream {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Set HTTP/1.1 support for the reverse proxy
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

location /stream.mp3 {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Set HTTP/1.1 support for the reverse proxy
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

location /stream.m3u {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Set HTTP/1.1 support for the reverse proxy
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

client_max_body_size 96m;


This conf file solved it for me, and even Alexa is accepting the stream without any issues.

btw I have a second server running on 80 and 443, thus the use of high ports.