icecast and ssl

Read 22881 times
I am having problems enabling SSL for the Icecast pages...

I have SSL properly configured on my website.  I followed Centova instructions to enable SSL with Centova pages and they both work properly.

My problem is the Icecast pages do not serve SSL.  I updated /usr/local/icecast/etc/icecast.xml and placed the ssl 1 option under each port and also added my PEM file reference under the paths section.  That didn't appear to modify the pages and I learned that there is another location /usr/local/centovacast/var/vhosts/.../etc/server.conf that acts as the icecast.xml file.  I made the same changes here.

I am unable to see the encrypted page, I can only see the encrypted domain and the IP.

One concern I have is if I created the PEM file properly.  The icecast instructions say it should be one file the private and public key.  I took the private key pasted it into a pem text file and then pasted the public key in after it.
So I was able to get this to work...on both Centovacast and IceCast standalone as well as Ubuntu and CentOS7.  I now have 2 Icecast ports active on the same stream... one SSL and the other unencrypted.

Note: I also setup SSL with Centovacast before ever starting the stuff below using this command: /usr/local/centovacast/sbin/setssl /root/cc.key /path/to/certificate.pem  This command was taken from:

Pre-Requisites:  You need to have certain SSL packages installed BEFORE installing IceCast.  For some reason, Icecast does not consider these SSL packages as dependencies to the install so it will not automatically add them.  These are the packages I installed for Ubuntu/Deb based system: autoconf autotools-dev automake libtool libxml2-dev libssl-dev libvorbis-dev libcurl4-gnutls-dev libxslt-dev libspeex-dev openssl

CentOS packages: curl-devel libtheora-devel libvorbis-devel libxslt-devel speex-devel
I think I also had openssl and openssl-dev???

I don't remember if Centovacast installs these dependencies... I think they do??

For standalone instances, I see ALOT of instructions for manual package creation and installation... I highly recommend using the Xiph repository.  It is available for Debian/Ubuntu and I believe RHEL based systems as well!!!    I have nothing to prove, would rather be able to use repository to update/upgrade rather than doing so manually.

Setting up SSL with Icecast
1. This works with Icecast2 and icescc or liquidsoap
2.  Get your certificate, format the certificate in PEM format, include the private key and entire trust chain.  Pay very close attention to how you create this file.  If you do not copy and paste things properly, you will have problems.  Instructions are here:

3.  Copy your certificate into a directory that can be accessed by the service running icecast
4.  chmod and chown file to the user and group.
5. Enable editing of your raw configuration files within Centovacast.  This is under limits, Raw configuration, "Permitted"
6.  Modify your IceCast config by clicking on the "raw configuration" button on bottom right from the settings page.  Select IceCast and you should now be in the configuration editor.  Comment out the bind address and port.  (Note if you make any GUI changes to your config, Centovacast will automatically add bind settings.  Bind settings restrict only one port thus making your additional ssl port useless.  It may also stop your server from streaming till you remove ssl settings or remove bind settings.)
7.  The changes I added to the config file are as follows...


Additionally you want to add your path to the pem file in your config file.  I placed this just above the alias source entry under the paths section.


This link can provide some additional information about configuring the file:

I did for troubleshooting purposes enable logging to 4 and tail the log while saving and restarting services.  There is an additional setting to harden the ciphers used but I haven't taken the time to harden this part yet.  I have managed to score 95 on ssl labs certificate security test on the main website though.

Now you can browse to and you should see your icecast page.  Also try the unencrytped port with http://.

Your next problem is finding players that are configured to work with secure radio streams or where the code is designed properly enough to browse via https and not throw browser warnings for URLs to unencrypted traffic.

I am working with 3 different player developers to "fix" their software to work with encrypted streams or encrypted browser sessions.  The common problem is they strip http(s):// from your config and then statically map http:// for metadata or stream connection.  Another common problem I have found with players is that they are not designed to handle metadata from Icecast 2.4.1 or greater.  Some are parsing the status.xsl file still when they should be parsing status-json.xsl.

Sorry for all of the read... I hate to hear from Centova that they don't support soemthing and there are very few instructions that are complete.  Hope this helps someone in the future so they don't have to put the hours into it like I have.
Hey Walter,

I'm in the process of configuring my system this way as well, but I may be missing some of your steps.

Is the Icecast version you're using a manual build?  I'm using Centovacast on Centos 7 and using the version that comes from the installation, from updates.


Sorry for the delay in answering.  The steps I posted above for the most part are a standalone install of icecast without Centova Cast using Xiph repositories to install icecast.

When installing Centova Cast, I installed the pre-requisites first:

Ubuntu/Deb based system: autoconf autotools-dev automake libtool libxml2-dev libssl-dev libvorbis-dev libcurl4-gnutls-dev libxslt-dev libspeex-dev openssl

CentOS packages: curl-devel libtheora-devel libvorbis-devel libxslt-devel speex-devel
I think I also had openssl and openssl-dev???

Then followed the instructions with Centova to install Centova Cast.

Then you would follow the instructions starting from: Setting up SSL with Icecast
Thanks Walter,

I got it working ... I just missed the step with the PEM files.
We instaled the SSL using the steps.

I try to copy the content from cert.pem and privkey.pem and made a new file called icecast.pem but not works...

Any special permission in the icecast.pem file?

In the error log I can only read:

[2018-07-05 12:50:52] INFO connection/get_ssl_certificate No SSL capability.

I am making that in a existing instalation of centovacast, I am not sure if need make some thing with the icecast binary...
Last Edit: July 04, 2018, 09:28:31 pm by audiobras
Some issue here. After install let'sEncrypt following the steps in centova manual the https://server:2199 work fine.
However, the icecast2 is not working in SSL mode.
My error log say:

WARN connection/get_ssl_certificate Invalid cert file /usr/local/centovacast/etc/ssl/certs/HOSTNAME/

Into the directory "/usr/local/centovacast/etc/ssl/certs/HOSTNAME/" is the all certs files generated by centova:
-rw-------  1 root   ccuser 1700 oct  9 13:08 cert-1539083280.csr
-rw-------  1 root   ccuser 2545 oct  9 13:08 cert-1539083280.pem
lrwxrwxrwx 1 root   ccuser   19 oct  9 13:08 cert.csr -> cert-1539083280.csr
lrwxrwxrwx 1 root   ccuser   19 oct  9 13:08 cert.pem -> cert-1539083280.pem
-rw------- 1 root   ccuser 1648 oct  9 13:08 chain-1539083280.pem
lrwxrwxrwx 1 root   ccuser   20 oct  9 13:08 chain.pem -> chain-1539083280.pem
-rw------- 1 root   ccuser 4193 oct  9 13:08 fullchain-1539083280.pem
lrwxrwxrwx 1 root   ccuser   24 oct  9 13:08 fullchain.pem -> fullchain-1539083280.pem
-rw------- 1 root   ccuser 3243 oct  9 13:08 privkey-1539083280.pem
lrwxrwxrwx 1 root   ccuser   22 oct  9 13:08 privkey.pem -> privkey-1539083280.pem

I try to move the pem file and discard permissions issues.

Has someone managed to launch icecast under ssl? Any comments are welcome. Thanks
Last Edit: October 09, 2018, 09:40:32 am by dbellota