LibreTime sharing TLS certificate with Icecast

My reverse proxy (machine#1) and LibreTime+Icecast (machine#2) installations are running on separate machines. LibreTime is secured, but I am not able to secure the Icecast output stream.

More specifically, I am stuck at this part of the manual for configuring a secure Icecast stream: "Before you start, make sure to have a working and secured LibreTime server, and that the TLS certificates generated by Certbot are on the same host as Icecast."

In my case, the TLS certificates for radio.placeholder.com are stored on machine#1. The /etc/icecast2/icecast.xml file is on machine#2.

Steps taken:

  • copied the TLS certificates (privkey.pem and fullchain.pem) from machine#1 to machine#2 using scp
  • generated a bundle.pem and stored it at /etc/icecast2/bundle.pem
  • updated /etc/icecast2/icecast.xml and /etc/libretime/config.yml
  • opened port 8443 on my network
  • restarted the Icecast and LibreTime services

https://radio.placeholder.com is accessible over SSL, but :8443 gives PR_END_OF_FILE_ERROR in Firefox and ERR_CONNECTION_CLOSED in Chrome.

How do I get to the root of this problem?

I was unsure about manually copy-pasting TLS certificates from one machine to another (using scp).

Hi,
I would recommend not copying TLS certs across machines.

Maybe you can use a dedicated subdomain for the Icecast server only, and use Certbot to generate a certificate for that subdomain. This makes your server more self-contained, and external failures should not break your Icecast server.

Then you should probably read the Icecast logs to get a better idea of why you cannot connect to the secure port of Icecast.

For my setups, I reverse proxy the Icecast server using HAProxy, but this is not an exact science, so if you know your way around you could try, but it's at your own risk.

Hello,

thanks for responding!

Turns out it was a stupid mistake in the icecast.xml file. I had put the wrong path for the bundle.pem file. Fixed now, and everything is up and running.

Re. the TLS certs: I can anticipate trouble down the road when Certbot renews the certs on my reverse proxy machine. Still thinking about the idea of making a dedicated subdomain for Icecast; I would still have to install Icecast and the subdomain certs on the same machine. Currently I am using an SBC running an nginx reverse proxy that forwards requests to other machines on its local network. I don't want to overload it with having to handle Icecast as well.

Perhaps there could be some way of managing sharing of certificates within a local network…

Thanks for the help! Will revive this thread if I figure something out.
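The two loose ends in this thread are the hand-built bundle.pem from the first post and the renewal problem raised in the last one: Certbot renews on machine#1, so the copy on machine#2 silently goes stale and the :8443 listener starts failing again. The script below is an added example, not code from the thread or from the LibreTime or Icecast projects. It builds Icecast's single-file bundle (full chain first, then the private key) with owner-only permissions, checks that both parts are present, and can be installed as a Certbot `--deploy-hook` so the refreshed bundle is pushed to the Icecast host after every renewal. The hostnames `machine2.lan`, the `certsync` account, the `icecast2:icecast` owner and `/etc/icecast2/bundle.pem` are assumptions; Certbot really does export `RENEWED_LINEAGE` to deploy hooks, and `openssl s_client` is the standard way to see what a TLS port actually serves (the root-cause question from the first post).

```shell
#!/bin/sh
# Added example (not from the LibreTime/Icecast projects or this thread).
# Assumed layout: Certbot runs on the reverse proxy (machine#1); Icecast runs on
# machine#2, reachable as ICECAST_HOST via ssh as ICECAST_USER, and reads its
# certificate+key bundle from BUNDLE_PATH. All four names below are assumptions.
set -e

ICECAST_HOST="${ICECAST_HOST:-machine2.lan}"      # hypothetical hostname
ICECAST_USER="${ICECAST_USER:-certsync}"          # hypothetical unprivileged account
BUNDLE_PATH="${BUNDLE_PATH:-/etc/icecast2/bundle.pem}"
TLS_PORT="${TLS_PORT:-8443}"

# Build the single PEM file Icecast's <ssl-certificate> expects:
# the full certificate chain first, then the private key.
# The file contains the private key, so it is created owner-read/write only.
make_bundle() {
  fullchain="$1"; privkey="$2"; out="$3"
  ( umask 077; cat "$fullchain" "$privkey" > "$out" )
  chmod 600 "$out"
}

# Refuse to ship a bundle that is missing either half; a key-less or
# cert-less file is exactly what makes the TLS listener close connections.
bundle_is_complete() {
  grep -q 'BEGIN CERTIFICATE' "$1" && grep -q 'PRIVATE KEY' "$1"
}

# Optional stronger check (needs openssl): does the key in the bundle
# belong to the first certificate in it?
key_matches_cert() {
  certpub="$(openssl x509 -in "$1" -noout -pubkey)"
  keypub="$(openssl pkey -in "$1" -pubout)"
  [ "$certpub" = "$keypub" ]
}

# Diagnostics for a port that closes the connection: what does the listener
# actually present, and is anything listening at all?
probe_tls_port() {
  host="$1"; port="$2"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null
}

# Certbot deploy hook: build the bundle from the renewed lineage, copy it to the
# Icecast host, install it atomically with the right owner, restart Icecast.
# The remote sudo rules and the icecast2:icecast owner are Debian-style assumptions.
deploy_to_icecast() {
  lineage="$1"                     # Certbot sets RENEWED_LINEAGE=/etc/letsencrypt/live/<name>
  tmp="$(mktemp)"
  make_bundle "$lineage/fullchain.pem" "$lineage/privkey.pem" "$tmp"
  bundle_is_complete "$tmp"
  scp -q "$tmp" "$ICECAST_USER@$ICECAST_HOST:$BUNDLE_PATH.new"
  ssh "$ICECAST_USER@$ICECAST_HOST" \
    "sudo install -o icecast2 -g icecast -m 0600 '$BUNDLE_PATH.new' '$BUNDLE_PATH' \
     && rm -f '$BUNDLE_PATH.new' && sudo systemctl restart icecast2"
  rm -f "$tmp"
}

# When invoked by Certbot (certbot renew --deploy-hook /path/to/this-script),
# RENEWED_LINEAGE is set; otherwise print how to use the pieces by hand.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_to_icecast "$RENEWED_LINEAGE"
else
  echo "usage: RENEWED_LINEAGE=/etc/letsencrypt/live/<name> $0   (as a certbot deploy hook)"
  echo "       or source this file and call probe_tls_port <host> $TLS_PORT"
fi
```

Running `probe_tls_port radio.placeholder.com 8443` from outside is the quickest way to tell a bundle problem (handshake fails, connection closed right after CONNECTED) from a firewall or listener problem (no connection at all); pairing it with `tail /var/log/icecast2/error.log` on machine#2 shows Icecast's own reason, such as a certificate path it could not open, which is what the original poster eventually found.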