SSL... Still won't work

Okay, sorry all. I’ve read and done everything SSL-related on this site, but I simply cannot get my site (http://radiowrite.com) secured (https://radiowrite.com).

I’m on Ubuntu 18 (DigitalOcean), installed certbot and SSL certs before installing libretime.

Can anyone help me figure this out once and for all?

THANK YOU!


What exactly is not working? The link to your website leads to a Wordpress Site with a proper SSL cert.

Do you have any error messages?

Hey there, I’ve since moved the domain over to another host to try to set up a secured landing page-style site with the iframe embed code (the embed code’s not currently playing nice with a WP install + Divi theme for whatever reason).

The existing site is at http://198.199.111.37.

This one I have NOT used certbot, but the original install I was referring to did. I used certbot, got 100% install success, and then installed libretime/icetime. It was never secured via https.

In addition, importing podcasts did not work (a major requirement for the station), hence why I reinstalled on another VPS box later.

I guess if you had installed Libretime first, and then installed Certbot and got the cert, it might have worked.

You can simply go to /etc/apache2/sites-available and edit the conf file there. Mine is called airtime-le-ssl.conf but yours might be different.

In that you have to define the SSL details, point to the certs etc. Restart Apache and it should work. Let me know if you need a sample file.

I tried both ways (installing LibreTime first, then installing certbot + cert first). Neither has worked.

I’d love a sample file if you’ve got one… I don’t understand how certbot installs the certificate, but then… it’s not installed?

This is the content of my airtime-le-ssl.conf file:

<IfModule mod_ssl.c>
<VirtualHost *:443>
   ServerAdmin foo@bar.org
   DocumentRoot /usr/share/airtime/php/airtime_mvc/public/
   php_admin_value upload_tmp_dir /tmp
   php_value post_max_size 500M
   php_value upload_max_filesize 500M
   php_value request_order "GPC"
   php_value session.gc_probability 0
   php_value session.auto_start 0

   AddOutputFilterByType DEFLATE text/plain
   AddOutputFilterByType DEFLATE text/html
   AddOutputFilterByType DEFLATE text/xml
   AddOutputFilterByType DEFLATE text/css
   AddOutputFilterByType DEFLATE application/xml
   AddOutputFilterByType DEFLATE application/xhtml+xml
   AddOutputFilterByType DEFLATE application/rss+xml
   AddOutputFilterByType DEFLATE application/javascript
   AddOutputFilterByType DEFLATE application/x-javascript
   AddOutputFilterByType DEFLATE application/json


  <Directory /usr/share/airtime/php/airtime_mvc/public/>
      RewriteEngine On
      RewriteCond %{REQUEST_FILENAME} -s [OR]
      RewriteCond %{REQUEST_FILENAME} -l [OR]
      RewriteCond %{REQUEST_FILENAME} -d
      RewriteRule ^.*$ - [NC,L]
      RewriteRule ^.*$ index.php [NC,L]

      DirectoryIndex index.php
      AllowOverride all
      Order allow,deny
      Allow from all

      Require all granted
  </Directory>

ServerName www.radiowrite.com
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias radiowrite.com
SSLCertificateFile /etc/letsencrypt/live/www.radiowrite.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.radiowrite.com/privkey.pem
</VirtualHost>
</IfModule>

That looks pretty much like what I have too.

One difference is that I do also have a line

ServerAdmin foo@bar.org
ServerName www.radiowrite.com
DocumentRoot /usr/share...

besides the ServerAlias. And Certbot has added your certfiles in the last two lines (SSLCertificateFile/SSLCertificateKeyFile), so that looks good.

If you browse to https://radiowrite.com, what error do you get? And your DNS is surely pointing to that server?

Thanks, but no dice. The ServerName flag appears lower in my file anyway, but I added it up there instead just in case, but it didn’t work. This is really weird — I have no idea what to try next…

Yes, the DNS is absolutely pointing to the right IP address.

What’s the error message that you get? Is there any message on the browser console?

It won’t even load… just “cannot establish secure connection” error. I’ll check the console too.

I can get to your radio page via the ip address.

When I try https://www.radiowrite.com/ I get shown a Wordpress site, which seems to be on the same ip address. Have you tried to turn off that site? If that is on the same server, then it might interfere with Libretime.


No, they’re two completely different servers. I changed the domain to point to the WP install after finally giving up with SSL… when you responded at first, I switched it back to mess around again. So you should be seeing the libretime install, not WP.

No errors in the console, either.

As a test, I disabled the firewall

sudo ufw disable

Immediately, the site showed up!

Edit: I added 443/tcp to the firewall and things are working. Please advise as to anything else I may have forgotten, and/or if this is not the proper way to do things.

Thanks for your help as well!

Ok… I’m out of ideas. SSL works, but Libretime is still pushing the stream out via http: http://radiowrite.com:8000/airtime_128.

Chrome, therefore, refuses to play the stream, as it’s “Mixed content.” Does anyone actually know if there’s a way to set this up so that Libretime AND the stream can be secured via SSL?

Libretime has to be configured to use a non-SSL stream, then in the website you must use the SSL-configured port. Check this website: https://basatisound.com as an example.

/etc/icecast/icecast2.xml

<listen-socket>
    <port>8000</port>
    <!-- <bind-address>127.0.0.1</bind-address> -->
    <!-- <shoutcast-mount>/stream</shoutcast-mount> -->
</listen-socket>

<listen-socket>
    <port>8443</port>
    <ssl>1</ssl>
</listen-socket>

Take into account that the icecast default installation does not support SSL, so you’ll have to compile it from xiph with SSL support.

Another possibility is to create a reverse proxy with apache. I did that on this site: https://97irratia.info
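The two listen-socket blocks above only work if the rest of icecast2.xml agrees with them: the TLS socket needs a certificate path under `<paths>`, and the plaintext socket still has to exist for LibreTime to push into. This is an added example of mine (not the poster's file and not Icecast project code) that parses a constructed icecast2.xml in that shape and reports what a practitioner would check before restarting the service. The `<paths>` section and the certificate path are assumptions; the second sample shows the same sockets with those gaps closed.

```python
"""Audit the <listen-socket> sections of an Icecast 2.4 config.

Added example; the XML below is constructed to mirror the thread's two
sockets (8000 plain for LibreTime, 8443 with <ssl>1</ssl> for browsers).
"""
import xml.etree.ElementTree as ET

# Constructed sample: the thread's sockets plus an assumed <paths> block.
# The bind-address is still commented out and no certificate is configured.
SAMPLE_ICECAST_XML = """<icecast>
  <paths>
    <basedir>/usr/share/icecast2</basedir>
    <logdir>/var/log/icecast2</logdir>
  </paths>
  <listen-socket>
    <port>8000</port>
    <!-- <bind-address>127.0.0.1</bind-address> -->
  </listen-socket>
  <listen-socket>
    <port>8443</port>
    <ssl>1</ssl>
  </listen-socket>
</icecast>
"""

# Constructed hardened variant: certificate path (placeholder location taken
# from the thread) is set, and the plaintext socket is bound to loopback so
# only the local LibreTime/liquidsoap process and a local proxy can reach it.
HARDENED_ICECAST_XML = """<icecast>
  <paths>
    <basedir>/usr/share/icecast2</basedir>
    <logdir>/var/log/icecast2</logdir>
    <ssl-certificate>/etc/ssl/certs/icecast2.pem</ssl-certificate>
  </paths>
  <listen-socket>
    <port>8000</port>
    <bind-address>127.0.0.1</bind-address>
  </listen-socket>
  <listen-socket>
    <port>8443</port>
    <ssl>1</ssl>
  </listen-socket>
</icecast>
"""


def audit_listen_sockets(xml_text):
    """Return (sockets, findings).

    sockets  -- list of {port, ssl, bind_address} dicts in file order
    findings -- plain-text problems to fix before relying on the TLS socket
    """
    root = ET.fromstring(xml_text)  # XML comments are dropped by the parser
    cert = root.findtext("paths/ssl-certificate")
    sockets, findings = [], []
    for ls in root.findall("listen-socket"):
        port = int(ls.findtext("port", "0"))
        ssl = ls.findtext("ssl", "0").strip() == "1"
        bind = ls.findtext("bind-address")
        sockets.append({"port": port, "ssl": ssl, "bind_address": bind})
        if ssl and not cert:
            findings.append(
                f"port {port}: <ssl>1</ssl> is set but <paths><ssl-certificate> "
                "is missing, so Icecast cannot serve TLS on this socket")
        if not ssl and bind is None:
            findings.append(
                f"port {port}: plaintext socket listens on all interfaces; "
                "bind it to 127.0.0.1 or firewall it if a TLS front end is used")
    if sockets and all(s["ssl"] for s in sockets):
        findings.append(
            "no plaintext socket left for LibreTime/liquidsoap to push the stream to")
    return sockets, findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_ICECAST_XML),
                       ("hardened", HARDENED_ICECAST_XML)):
        sockets, findings = audit_listen_sockets(cfg)
        print(label, sockets)
        for f in findings:
            print("  -", f)
```

Binding port 8000 to loopback only makes sense when LibreTime's stream settings point liquidsoap at localhost; if the stream host configured in LibreTime is the public name, keep the socket reachable and restrict it with the firewall instead.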

Insane that Libretime is not secure out of the box…

you’ll have to compile it from xiph with SSL support.

How do I do that?

Another possibility is to create a reverse proxy with apache. I did that on this site: https://97irratia.info

Yeah, I think this is the option I want. However, every comment/tutorial/explanation I’ve read does not work.

This is ridiculous. I feel like an idiot, lol. Can I just pay you to do it for me?

This is what I have for reverse proxy in https://97irratia.info

/etc/apache2/sites-enabled/airtime.conf

<VirtualHost *:80>
   ServerAdmin foo@bar.org
   DocumentRoot /usr/share/airtime/php/airtime_mvc/public/
   php_admin_value upload_tmp_dir /tmp
   php_value post_max_size 500M
   php_value upload_max_filesize 500M
   php_value request_order "GPC"
   php_value session.gc_probability 0
   php_value session.auto_start 0

   AddOutputFilterByType DEFLATE text/plain
   AddOutputFilterByType DEFLATE text/html
   AddOutputFilterByType DEFLATE text/xml
   AddOutputFilterByType DEFLATE text/css
   AddOutputFilterByType DEFLATE application/xml
   AddOutputFilterByType DEFLATE application/xhtml+xml
   AddOutputFilterByType DEFLATE application/rss+xml
   AddOutputFilterByType DEFLATE application/javascript
   AddOutputFilterByType DEFLATE application/x-javascript
   AddOutputFilterByType DEFLATE application/json


  <Directory /usr/share/airtime/php/airtime_mvc/public/>
      RewriteEngine On
      RewriteCond %{REQUEST_FILENAME} -s [OR]
      RewriteCond %{REQUEST_FILENAME} -l [OR]
      RewriteCond %{REQUEST_FILENAME} -d
      RewriteRule ^.*$ - [NC,L]
      RewriteRule ^.*$ index.php [NC,L]

      DirectoryIndex index.php
      AllowOverride all
      Order allow,deny
      Allow from all

      Require all granted
  </Directory>
</VirtualHost>

/etc/apache2/sites-enabled/airtime-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
   ServerAdmin foo@bar.org
   DocumentRoot /usr/share/airtime/php/airtime_mvc/public/
   php_admin_value upload_tmp_dir /tmp
   php_value post_max_size 500M
   php_value upload_max_filesize 500M
   php_value request_order "GPC"
   php_value session.gc_probability 0
   php_value session.auto_start 0

   AddOutputFilterByType DEFLATE text/plain
   AddOutputFilterByType DEFLATE text/html
   AddOutputFilterByType DEFLATE text/xml
   AddOutputFilterByType DEFLATE text/css
   AddOutputFilterByType DEFLATE application/xml
   AddOutputFilterByType DEFLATE application/xhtml+xml
   AddOutputFilterByType DEFLATE application/rss+xml
   AddOutputFilterByType DEFLATE application/javascript
   AddOutputFilterByType DEFLATE application/x-javascript
   AddOutputFilterByType DEFLATE application/json

   #Proxy Config 
   SSLProxyEngine on
   ProxyRequests Off 
   ProxyPreserveHost On 
   <Proxy *> 
      AddDefaultCharset Off 
      Order deny,allow 
      Allow from all 
   </Proxy> 
   ProxyPass /radio-ssl.mp3 http://your_stream_url:8000/radio.mp3
   ProxyPassReverse /radio-ssl.mp3 http://your_stream_url:8000/radio.mp3
   ProxyPass /radio-ssl.ogg http://your_stream_url:8000/radio.ogg
   ProxyPassReverse /radio-ssl.ogg http://your_stream_url:8000/radio.ogg

  <Directory /usr/share/airtime/php/airtime_mvc/public/>
      RewriteEngine On
      RewriteCond %{REQUEST_FILENAME} -s [OR]
      RewriteCond %{REQUEST_FILENAME} -l [OR]
      RewriteCond %{REQUEST_FILENAME} -d
      RewriteRule ^.*$ - [NC,L]
      RewriteRule ^.*$ index.php [NC,L]

      DirectoryIndex index.php
      AllowOverride all
      Order allow,deny
      Allow from all

      Require all granted
  </Directory>
SSLCertificateFile /etc/letsencrypt/live/libretime_url/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/libretime_url/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ServerName libretime_url
</VirtualHost>
</IfModule>

I think that replacing your_stream_url with the url generated by libretime and libretime_url with the libretime url should work.

And these are the instructions to compile icecast with openssl support:

apt update && apt install icecast2
apt remove icecast2
# Install the development tools required to build Icecast from source
apt install git gcc build-essential
# Now some of the dependencies required to compile Icecast from source
apt install libcurl4-openssl-dev libxslt1-dev libxml2-dev libogg-dev libvorbis-dev libflac-dev libtheora-dev libssl-dev
cd /usr/src
# git clone --recursive https://gitlab.xiph.org/xiph/icecast-server.git
wget https://ftp.osuosl.org/pub/xiph/releases/icecast/icecast-2.4.4.tar.gz
tar zxvf icecast-2.4.4.tar.gz
# Move into the source directory and prepare the configuration script
# cd icecast-server; ./autogen.sh
cd icecast-2.4.4/
# Configure the source code with SSL support enabled
./configure --with-curl --with-openssl
# If you have a 4-core ARM, let's use all 4 of them:
# make -j 4
# Otherwise, stick with your single core
make
# Install Icecast:
make install
# We assume a certificate has already been created at /etc/ssl/certs/icecast2.pem, and we point to it in icecast2.xml: <ssl-certificate>/etc/ssl/certs/icecast2.pem</ssl-certificate>. Note: the certificate generated with ACME does not work
# Create symbolic links to the old repository version of Icecast2, so that we can use the /etc files:
ln -s /usr/local/bin/icecast /usr/bin/icecast2
ln -s /usr/local/share/icecast /usr/share/icecast2
# Finally start icecast
service icecast2 restart

If after trying these tips that I put above it still does not work, I will do it for you.
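The reverse proxy above fixes the "Mixed content" block only once the page stops referencing http://your_stream_url:8000/... directly and points at the https paths Apache publishes (/radio-ssl.mp3, /radio-ssl.ogg). This is an added example of mine, not the poster's code or LibreTime's, that scans a constructed embed page for src URLs a browser would refuse on an https page and maps them onto the proxied paths using the same ProxyPass pairs as the config above. The page HTML, the page URL and the hostnames your_stream_url / libretime_url are placeholders in the spirit of the thread.

```python
"""Find stream URLs that an https page would load as mixed content and map
them onto the https reverse-proxy paths from the Apache config.

Added example; the HTML and PROXY_MAP below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed: roughly what a player embed puts on the page. The two <source>
# tags are the mixed-content problem; the img and the protocol-relative
# script are fine on an https page.
SAMPLE_HTML = """<html><body>
<audio controls>
  <source src="http://your_stream_url:8000/radio.mp3" type="audio/mpeg">
  <source src="http://your_stream_url:8000/radio.ogg" type="audio/ogg">
</audio>
<img src="https://libretime_url/logo.png">
<script src="//cdn.example/player.js"></script>
</body></html>
"""

# Mirrors the ProxyPass lines: proxied https path -> upstream http URL.
PROXY_MAP = {
    "/radio-ssl.mp3": "http://your_stream_url:8000/radio.mp3",
    "/radio-ssl.ogg": "http://your_stream_url:8000/radio.ogg",
}


class _SrcCollector(HTMLParser):
    """Collect src attributes of the tags browsers treat as active/media content."""
    TAGS = {"audio", "source", "video", "script", "iframe", "img"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in self.TAGS:
            for name, value in attrs:
                if name == "src" and value:
                    self.urls.append(value)


def find_mixed_content(html, page_url):
    """Return src URLs that use plain http while the page itself is https."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only arises on an https page
    parser = _SrcCollector()
    parser.feed(html)
    return [u for u in parser.urls if urlsplit(u).scheme == "http"]


def rewrite_to_proxy(url, page_url, proxy_map):
    """Map an upstream http stream URL to its https proxied path, or None."""
    inverse = {upstream: path for path, upstream in proxy_map.items()}
    path = inverse.get(url)
    if path is None:
        return None  # not a stream the proxy publishes; needs its own fix
    site = urlsplit(page_url)
    return urlunsplit(("https", site.netloc, path, "", ""))


def fixed_urls(html, page_url, proxy_map):
    """Dict of blocked URL -> replacement https URL (None if no mapping)."""
    return {u: rewrite_to_proxy(u, page_url, proxy_map)
            for u in find_mixed_content(html, page_url)}


if __name__ == "__main__":
    for bad, good in fixed_urls(SAMPLE_HTML, "https://libretime_url/", PROXY_MAP).items():
        print(f"{bad} -> {good}")
```

Anything the scan reports with no replacement is a stream the proxy does not yet cover, so it either needs its own ProxyPass pair or must be dropped from the page; otherwise the browser keeps blocking it regardless of how Apache is configured.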