Need some advice on 'Internet radiostation stream architecture'

Dear people,

please share your thoughts/advice on how to get to the following ‘architecture’ when using Libretime/Icecast as a radio application:

  1. A secure icecast stream (on port 8000), for the listeners, on the internet.

  2. A secure source icecast stream (on port 8001), for the deejay, accessible from ‘outside’, from the internet.

  3. Another secure source icecast stream (on port 8002) : for another deejay, accessible from ‘outside’, from the internet.

Topic 1 : A secure icecast stream (port 8000) (more or less solved)

This can be achieved using the native icecast-ssl support and a certificate as documented in :

secure libretime icecast

Question 1-1: When obtaining a certificate from ‘Let’s Encrypt’ for a certain domain, like ‘’, can it be used in a domain like, ‘’?

Topic 2 : A secure source icecast stream (port 8001) (NOT SOLVED)

The deejays are creating their shows ‘outside’ the local network and they like to use the program MIXXX for creating their shows and stream it up to icecast/libretime.

Question 2-1: How do we secure the icecast source stream?

Question 2-2: Can we use the same certificate (as the certificate used for the listener-stream (8000)) to secure the source stream?

Question 2-3: Can we still use the program MIXXX for doing shows: does it have an SSL-capable icecast-client?

Question 2-4: Or should the deejays use a VPN to connect to the icecast/libretime source stream?

Question 2-5: Or should the deejay do the upstreaming via an out-going proxy into an in-coming proxy which is in front of the source port of libretime/icecast?

Topic 3 : Another secure source icecast stream (port 8001) (NOT SOLVED)

Question 3-1: How do we secure another icecast source stream?

Question 3-2: Can we use the same certificate (as the certificate used for the listener-stream (8000)) to secure the source stream?

Question 3-3: Is Libretime capable of ‘blending’ the two source-streams in a way that a smooth transition from a show into another can be achieved?

Please correct me if I am wrong (I would like to learn) and provide suggestions and alternatives.

Kind regards,


Hi Pim,


You will probably want to have 2 ports for icecast, one being the default 8000 and insecure, and the secure port at 8443.


You can either have multiple certificates, one per domain, or have a single certificate for both domains, but you cannot use a certificate for one domain to secure another domain. If you need this certificate for Icecast, I’d go with a single certificate for multiple domains.



Securing the input harbor is not yet supported by LibreTime, I’ve been working on this for a while, and adding a way to secure the input harbor isn’t far away. Maybe I can squeeze this in v3.1.


Sure, the only requirement is that you use the same domain name to access the endpoint.

I’d avoid having those services running on different servers, and recommend running the Let’s Encrypt client on the same server (doing TLS termination on a reverse proxy on some other server will make managing certificates difficult).


Good question, I don’t use it; you will probably find more details in their documentation. I think BUTT is able to handle secure input stream; you could check by directly streaming to Icecast once you have it running and secured.


According to 2.1 (no ssl support on the input stream), this will probably be a more elegant solution if you really need to secure the input stream. It might make it more difficult for non-tech-savvy people, and adds an extra tool to learn.


Not exactly sure I understand your question.

I’ve never tried to send an icecast stream over a proxy, it should be working, but I cannot confirm.



Currently LibreTime only supports 2 input streams:

  • 1 main input stream (port 8001) (master) that isn’t bound to any show. If you start streaming and turn the main stream on, it will output your main stream. I would use this for the output of a studio for example.
  • 1 show input stream (port 8002) that is bound to a show. Streaming is only allowed for the host/DJ of the current show. You must authenticate using your account/some credentials. The DJ will be kicked once the show ends.

From what I understand you need both DJs to send on the same port 8002 at the same time. I haven’t tested sending 2 streams on the same input; I doubt it works.




Maybe the fade transition configuration when connecting/disconnecting an input source is enough for you?
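
A check for the certificate advice in the reply above, as an added example that is not part of the thread or of LibreTime/Icecast: it tests which hostnames a certificate's subjectAltName list covers, using constructed example.org/example.net names as stand-ins. `live_san_names` runs the same verification against a live TLS port such as the 8443 listener mentioned above.

```python
import socket
import ssl


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against a hostname (RFC 6125 style)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # Accept a wildcard only as the whole left-most label, never as "*.tld".
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    # Partial wildcards such as "r*.example.org" are treated as literals (no match).
    return p_labels == h_labels


def covered(san_dns_names, host: str) -> bool:
    """True if any DNS name in the certificate's SAN list covers host."""
    return any(name_matches(n, host) for n in san_dns_names)


def uncovered_hosts(san_dns_names, hosts):
    """Hostnames that would fail verification with this certificate."""
    return [h for h in hosts if not covered(san_dns_names, h)]


def live_san_names(host: str, port: int, timeout: float = 5.0):
    """Connect with full verification and return the served certificate's DNS SANs.
    Raises ssl.SSLCertVerificationError if the certificate does not cover host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


if __name__ == "__main__":
    # Constructed SAN lists under reserved example names (not from the thread).
    single = ["radio.example.org"]
    multi = ["radio.example.org", "stream.example.net"]
    wanted = ["radio.example.org", "stream.example.net"]
    print("single-name cert leaves uncovered:", uncovered_hosts(single, wanted))
    print("two-name cert leaves uncovered:  ", uncovered_hosts(multi, wanted))
```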