So I was able to get this to work...on both Centovacast and IceCast standalone as well as Ubuntu and CentOS7. I now have 2 Icecast ports active on the same stream... one SSL and the other unencrypted.
Note: I also setup SSL with Centovacast before ever starting the stuff below using this command: /usr/local/centovacast/sbin/setssl /root/cc.key /path/to/certificate.pem This command was taken from: http://www.centova.com/doc/cast/installation_manual/08_Configuring_SSL
Pre-Requisites: You need to have certain SSL packages installed BEFORE installing IceCast. For some reason, Icecast does not consider these SSL packages as dependencies to the install so it will not automatically add them. These are the packages I installed for Ubuntu/Deb based system: autoconf autotools-dev automake libtool libxml2-dev libssl-dev libvorbis-dev libcurl4-gnutls-dev libxslt-dev libspeex-dev openssl
CentOS packages: curl-devel libtheora-devel libvorbis-devel libxslt-devel speex-devel
I think I also had openssl and openssl-dev???
I don't remember if Centovacast installs these dependencies... I think they do??
For standalone instances, I see ALOT of instructions for manual package creation and installation... I highly recommend using the Xiph repository. It is available for Debian/Ubuntu and I believe RHEL based systems as well!!! I have nothing to prove, would rather be able to use repository to update/upgrade rather than doing so manually.
Setting up SSL with Icecast
1. This works with Icecast2 and icescc or liquidsoap
2. Get your certificate, format the certificate in PEM format, include the private key and entire trust chain. Pay very close attention to how you create this file. If you do not copy and paste things properly, you will have problems. Instructions are here: https://www.digicert.com/ssl-support/pem-ssl-creation.htm
3. Copy your certificate into a directory that can be accessed by the service running icecast
4. chmod and chown file to the user and group.
5. Enable editing of your raw configuration files within Centovacast. This is under limits, Raw configuration, "Permitted"
6. Modify your IceCast config by clicking on the "raw configuration" button on bottom right from the settings page. Select IceCast and you should now be in the configuration editor. Comment out the bind address and port. (Note if you make any GUI changes to your config, Centovacast will automatically add bind settings. Bind settings restrict only one port thus making your additional ssl port useless. It may also stop your server from streaming till you remove ssl settings or remove bind settings.)
7. The changes I added to the config file are as follows...
Additionally you want to add your path to the pem file in your config file. I placed this just above the alias source entry under the paths section.
This link can provide some additional information about configuring the file: http://icecast.org/docs/icecast-2.4.1/config-file.html
I did for troubleshooting purposes enable logging to 4 and tail the log while saving and restarting services. There is an additional setting to harden the ciphers used but I haven't taken the time to harden this part yet. I have managed to score 95 on ssl labs certificate security test on the main website though.
Now you can browse to https://yourdomain.com
:encryptedport/mountpoint and you should see your icecast page. Also try the unencrytped port with http://.
Your next problem is finding players that are configured to work with secure radio streams or where the code is designed properly enough to browse via https and not throw browser warnings for URLs to unencrypted traffic.
I am working with 3 different player developers to "fix" their software to work with encrypted streams or encrypted browser sessions. The common problem is they strip http(s):// from your config and then statically map http:// for metadata or stream connection. Another common problem I have found with players is that they are not designed to handle metadata from Icecast 2.4.1 or greater. Some are parsing the status.xsl file still when they should be parsing status-json.xsl.
Sorry for all of the read... I hate to hear from Centova that they don't support soemthing and there are very few instructions that are complete. Hope this helps someone in the future so they don't have to put the hours into it like I have.