SSL... Still won't work

Thanks, but no dice. The ServerName flag appears lower in my file anyway, but I added it up there instead just in case, but it didn’t work. This is really weird — I have no idea what to try next…

Yes, the DNS is absolutely pointing to the right IP address.

What’s the error message that you get? Is there any message on the browser console?

It won’t even load… just “cannot establish secure connection” error. I’ll check the console too.

I can get to your radio page via the IP address.

When I try https://www.radiowrite.com/ I get shown a WordPress site, which seems to be on the same IP address. Have you tried to turn off that site? If that is on the same server, then it might interfere with Libretime.

No, they’re two completely different servers. I changed the domain to point to the WP install after finally giving up with SSL… when you responded at first, I switched it back to mess around again. So you should be seeing the libretime install, not WP.

No errors in the console, either.

As a test, I disabled the firewall:

sudo ufw disable

Immediately, the site showed up!

Edit: I added 443/tcp to the firewall and things are working. Please advise as to anything else I may have forgotten, and/or if this is not the proper way to do things.

Thanks for your help as well!

Ok… I’m out of ideas. SSL works, but Libretime is still pushing the stream out via http: http://radiowrite.com:8000/airtime_128.

Chrome, therefore, refuses to play the stream, as it’s “Mixed content.” Does anyone actually know if there’s a way to set this up so that Libretime AND the stream can be secured via SSL?

Libretime has to be configured to use a non-SSL stream, then in the website you must use the SSL configured port. Check this website: https://basatisound.com as an example.

/etc/icecast/icecast2.xml

<listen-socket>
    <port>8000</port>
    <!-- <bind-address>127.0.0.1</bind-address> -->
    <!-- <shoutcast-mount>/stream</shoutcast-mount> -->
</listen-socket>

<listen-socket>
    <port>8443</port>
    <ssl>1</ssl>
</listen-socket>

Take into account that the icecast default installation does not support SSL, so you’ll have to compile it from xiph with SSL support.

Another possibility is to create a reverse proxy with apache. I did that on this site: https://97irratia.info

Insane that Libretime is not secure out of the box…

you’ll have to compile it from xiph with SSL support.

How do I do that?

Another possibility is to create a reverse proxy with apache. I did that on this site: https://97irratia.info

Yeah, I think this is the option I want. However, every comment/tutorial/explanation I’ve read does not work.

This is ridiculous. I feel like an idiot, lol. Can I just pay you to do it for me?

This is what I have for reverse proxy in https://97irratia.info

/etc/apache2/sites-enabled/airtime.conf

<VirtualHost *:80>
   ServerAdmin foo@bar.org
   DocumentRoot /usr/share/airtime/php/airtime_mvc/public/
   php_admin_value upload_tmp_dir /tmp
   php_value post_max_size 500M
   php_value upload_max_filesize 500M
   php_value request_order "GPC"
   php_value session.gc_probability 0
   php_value session.auto_start 0

   AddOutputFilterByType DEFLATE text/plain
   AddOutputFilterByType DEFLATE text/html
   AddOutputFilterByType DEFLATE text/xml
   AddOutputFilterByType DEFLATE text/css
   AddOutputFilterByType DEFLATE application/xml
   AddOutputFilterByType DEFLATE application/xhtml+xml
   AddOutputFilterByType DEFLATE application/rss+xml
   AddOutputFilterByType DEFLATE application/javascript
   AddOutputFilterByType DEFLATE application/x-javascript
   AddOutputFilterByType DEFLATE application/json


  <Directory /usr/share/airtime/php/airtime_mvc/public/>
      RewriteEngine On
      RewriteCond %{REQUEST_FILENAME} -s [OR]
      RewriteCond %{REQUEST_FILENAME} -l [OR]
      RewriteCond %{REQUEST_FILENAME} -d
      RewriteRule ^.*$ - [NC,L]
      RewriteRule ^.*$ index.php [NC,L]

      DirectoryIndex index.php
      AllowOverride all
      Order allow,deny
      Allow from all

      Require all granted
  </Directory>
</VirtualHost>

/etc/apache2/sites-enabled/airtime-ssl.conf

<VirtualHost *:443>
   ServerAdmin foo@bar.org
   DocumentRoot /usr/share/airtime/php/airtime_mvc/public/
   php_admin_value upload_tmp_dir /tmp
   php_value post_max_size 500M
   php_value upload_max_filesize 500M
   php_value request_order "GPC"
   php_value session.gc_probability 0
   php_value session.auto_start 0

   AddOutputFilterByType DEFLATE text/plain
   AddOutputFilterByType DEFLATE text/html
   AddOutputFilterByType DEFLATE text/xml
   AddOutputFilterByType DEFLATE text/css
   AddOutputFilterByType DEFLATE application/xml
   AddOutputFilterByType DEFLATE application/xhtml+xml
   AddOutputFilterByType DEFLATE application/rss+xml
   AddOutputFilterByType DEFLATE application/javascript
   AddOutputFilterByType DEFLATE application/x-javascript
   AddOutputFilterByType DEFLATE application/json

   #Proxy Config 
   SSLProxyEngine on
   ProxyRequests Off 
   ProxyPreserveHost On 
   <Proxy *> 
      AddDefaultCharset Off 
      Order deny,allow 
      Allow from all 
   </Proxy> 
   Proxypass /radio-ssl.mp3 http://your_stream_url:8000/radio.mp3
   ProxyPassReverse /radio-ssl.mp3 http://your_stream_url:8000/radio.mp3
   Proxypass /radio-ssl.ogg http://your_stream_url:8000/radio.ogg
   ProxyPassReverse /radio-ssl.ogg http://your_stream_url:8000/radio.ogg

  <Directory /usr/share/airtime/php/airtime_mvc/public/>
      RewriteEngine On
      RewriteCond %{REQUEST_FILENAME} -s [OR]
      RewriteCond %{REQUEST_FILENAME} -l [OR]
      RewriteCond %{REQUEST_FILENAME} -d
      RewriteRule ^.*$ - [NC,L]
      RewriteRule ^.*$ index.php [NC,L]

      DirectoryIndex index.php
      AllowOverride all
      Order allow,deny
      Allow from all

      Require all granted
  </Directory>
SSLCertificateFile /etc/letsencrypt/live/libretime_url/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/libretime_url/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ServerName libretime_url
</VirtualHost>

I think that replacing your_stream_url with the url generated by libretime and libretime_url with the libretime url should work.

And these are the instructions to compile icecast with openssl support:

apt update && apt install icecast2
apt remove icecast2
# Install the development tools required to build Icecast from source
apt install git gcc build-essential
# Now some of the dependencies required to compile Icecast from source
apt install libcurl4-openssl-dev libxslt1-dev libxml2-dev libogg-dev libvorbis-dev libflac-dev libtheora-dev libssl-dev 
cd /usr/src
# git clone --recursive https://gitlab.xiph.org/xiph/icecast-server.git
wget https://ftp.osuosl.org/pub/xiph/releases/icecast/icecast-2.4.4.tar.gz
tar zxvf icecast-2.4.4.tar.gz
# Move into the source directory and prepare the configuration script
# cd icecast-server; ./autogen.sh
cd icecast-2.4.4/; 
# Configure the source code with SSL support enabled
./configure --with-curl --with-openssl
# If you have a 4-core ARM, let’s use all 4 of them:
# make -j 4
# Otherwise, stick with your single core 
make
# Install Icecast:
make install
# We assume a certificate has already been created at /etc/ssl/certs/icecast2.pem, and we will point to it in the icecast2.xml file: <ssl-certificate>/etc/ssl/certs/icecast2.pem</ssl-certificate>. Note: the certificate generated with ACME does not work
# Create symbolic links to the old repository version of Icecast2, so that we can use the /etc files:
ln -s /usr/local/bin/icecast /usr/bin/icecast2 
ln -s /usr/local/share/icecast /usr/share/icecast2
# Finally start icecast
service icecast2 restart

If, after trying these tips that I put above, it still does not work, I will do it for you.

Proxypass /radio-ssl.mp3 http://your_stream_url:8000/radio.mp3
ProxyPassReverse /radio-ssl.mp3 http://your_stream_url:8000/radio.mp3
Proxypass /radio-ssl.ogg http://your_stream_url:8000/radio.ogg
ProxyPassReverse /radio-ssl.ogg http://your_stream_url:8000/radio.ogg

I tried this:

Proxypass /radio-ssl.mp3 http://radiowrite.com:8000/radio.mp3
ProxyPassReverse /radio-ssl.mp3 http://radiowrite.com:8000/radio.mp3
Proxypass /radio-ssl.ogg http://radiowrite.com:8000/radio.ogg
ProxyPassReverse /radio-ssl.ogg http://radiowrite.com:8000/radio.ogg

That got https://www.radiowrite.com/radio-ssl.mp3 to work properly. THANKS!

So now, I just need to figure out how to replace the libretime mini site URL with this one.
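Added example (not part of the original posts and not LibreTime code): a Python check that lists the plain-HTTP media URLs a page would load as mixed content and maps each one to the HTTPS path exposed by the ProxyPass lines quoted above. The sample page markup is constructed, and the site origin passed in, https://www.radiowrite.com, is taken from the URL in the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# ProxyPass lines as posted in the thread (Apache directive names are case-insensitive).
PROXY_CONF = """
Proxypass /radio-ssl.mp3 http://radiowrite.com:8000/radio.mp3
ProxyPassReverse /radio-ssl.mp3 http://radiowrite.com:8000/radio.mp3
Proxypass /radio-ssl.ogg http://radiowrite.com:8000/radio.ogg
ProxyPassReverse /radio-ssl.ogg http://radiowrite.com:8000/radio.ogg
"""
# Constructed sample embed page (assumption, not LibreTime's real markup).
SAMPLE_PAGE = """
<audio controls>
  <source src="http://radiowrite.com:8000/radio.mp3" type="audio/mpeg">
  <source src="http://radiowrite.com:8000/airtime_128" type="audio/mpeg">
</audio>
<img src="https://www.radiowrite.com/logo.png">
"""

def proxy_map(conf, site):
    """Map each plain-HTTP backend URL to the HTTPS URL that fronts it."""
    mapping = {}
    for line in conf.splitlines():
        # "\s+" after the name keeps ProxyPassReverse lines from matching.
        m = re.match(r"\s*proxypass\s+(\S+)\s+(http://\S+)", line, re.I)
        if m:
            mapping[m.group(2)] = site.rstrip("/") + m.group(1)
    return mapping

class SubresourceFinder(HTMLParser):
    """Collect the src attribute of elements that load subresources."""
    TAGS = {"audio", "source", "video", "img", "script", "iframe", "embed"}
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        if tag in self.TAGS:
            self.urls += [v for k, v in attrs if k == "src" and v]

def audit(page, conf, site):
    """Return (insecure_url, https_replacement or None) per mixed-content load."""
    finder = SubresourceFinder()
    finder.feed(page)
    mapping = proxy_map(conf, site)
    return [(u, mapping.get(u)) for u in finder.urls
            if urlsplit(u).scheme == "http"]

if __name__ == "__main__":
    for url, fix in audit(SAMPLE_PAGE, PROXY_CONF, "https://www.radiowrite.com"):
        print(url, "->", fix or "no ProxyPass entry covers this mount")
```

A `None` replacement means the mount still has no HTTPS front end and needs its own ProxyPass pair before the page can reference it.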

@xabispacebiker
I need your help with my SSL page, I just came here after spending hours unending trying tonnes of options. The site works with HTTP, but when changed to HTTPS, all goes blank.

Is there any new option?

Hi all
I need someone who can help install LIBRETIME with SSL listening or better still how to use a proxy to get SSL listening. I need to embed a radio in https page. Any help would be great.

Did you have to enable any extra Apache modules?

@JoaoHerberto - I just figured this out. You need to install and enable the following mods to complete this:

sudo a2enmod proxy
sudo a2enmod proxy_http

Thank you @NickThacker and @xabispacebiker for making this documentation available.

Sorry @Scar, I didn’t see your message. I imagine that after so much time you have solved it or given up, but let me know if you need my help.