Problems with SSL streaming please help :)

Hi. I switched over from MediaCP (horrible experience). They had icecast running with a particular configuration:

https://mydomain.com:8000/stream for all SSL
http://mydomain.com:18000/stream for non-SSL

Basically, all NON-SSL were routed to a port with an increase of 1000.
So if I created port 8002, then there would automatically be a stream created for port 18002.

So my first question: Can I configure CentovaCast to do this too? I unfortunately have sent these details out to so many people that it would be impossible to change now.

On this configuration I would actually stream to port 18000 but it would generate both ports 8000 and 18000 at the same time.

Second thing:

I followed the steps for setting up SSL but I am unable to connect. I can stream to: http://mydomain:8000/stream and I can also listen there too but I am unable to listen on https://mydomain:8000/stream

I am using Cloudflare's SSL certificate and it's loading Centovacast without giving an SSL error. I don't know if this is causing an issue with the listening port though.

I am thinking maybe I should re-do my DNS with my domain provider and then install an SSL certificate. The problem is that I've run out of limits with Let's Encrypt and they won't give me a new certificate for a week. This was due to the constant troubleshooting with MediaCP (again, horrible experience, horrible software, horrible company, double billings, no reply from tech support for several days and when they would reply, they would just string me along, etc. etc.)

Anyway, at the end of the day, can I maybe hire someone from here to set things up for me? Centovacast is installed and working but the SSL functionality is still not working correctly.

Worst case, I can set my encoders to run on both 8000 and 18000 (even though I would have to do this for 5 streams, which would now be 10). But I need to get the SSL working ASAP.

Thank you for your help!
Last Edit: October 28, 2019, 02:34:53 pm by cg1313
At this time it is better to use an SSL proxy. SHOUTcast 2 supports SSL only with a premium account on Radionomy.
For Icecast it is better to wait for version 2.5.

I assume you followed the steps from Centova for SSL... which is only for the web interface...
In order to have streams in SSL, you need a proxy or reverse proxy... I heard of cases where it was achieved via stunnel.

My solution is using an Apache proxy.
You can set up Certbot for Let's Encrypt (https://certbot.eff.org/lets-encrypt/debianjessie-apache), create a subdomain and use Apache's (2+) ProxyPass module to pass the streaming port through.
It works with Shoutcast and Icecast. The only thing to do is to manually enter every new server created in the Apache conf and restart the daemon.

Hope it helps!

<VirtualHost *:443>
   ServerName proxy.yourdomain.it
   ErrorLog ${APACHE_LOG_DIR}/error.log
   CustomLog ${APACHE_LOG_DIR}/access.log combined

   # One ProxyPass/ProxyPassReverse pair per stream port: path prefix, then backend URL
   ProxyPass "/8014/" "http://xx.xxx.xxx.xx:8014/"
   ProxyPassReverse "/8014/" "http://xx.xxx.xxx.xx:8014/"

   ProxyPass "/8116/" "http://xx.xxx.xxx.xx:8116/"
   ProxyPassReverse "/8116/" "http://xx.xxx.xxx.xx:8116/"

   ProxyPass "/8010/" "http://xx.xxx.xxx.xx:8010/"
   ProxyPassReverse "/8010/" "http://xx.xxx.xxx.xx:8010/"

   SSLCertificateFile /etc/letsencrypt/live/....domainname...../fullchain.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/.....domainname...../privkey.pem
   Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

To activate the ProxyPass (in SSH):
a2enmod proxy
a2enmod proxy_http

"To activate the ProxyPass (in SSH):
a2enmod proxy
a2enmod proxy_http"

When I try this on my CentOS 7 server, I get "command not found".

Can you elaborate on this step please?

You can achieve SSL for the streams with the stunnel method on CentOS.

https://www.interserver.net/tips/kb/using-stunnel-to-add-ssl-to-shoutcast-or-any-service-that-does-not-have-ssl/

I have done it, and it works very well.

Hi, I also have the SSL problem.

I have a dedicated server where I only have CentovaCast.

Can you guide us on how to install Stunnel correctly? I have read that we need to install Certbot before?

Can you give us a guide?

Thanks.

Hi. It's not working if I include the port:

ProxyPass "/8010/" "http://xx.xxx.xxx.xx:8010/"
ProxyPassReverse "/8010/" "http://xx.xxx.xxx.xx:8010/"

I have changed it to:

ProxyPass "/" "http://xx.xxx.xxx.xx:8010/"
ProxyPassReverse "/" "http://xx.xxx.xxx.xx:8010/"

As a result, I can access the stream page at http://xx.xxx.xxx.xx, not http://xx.xxx.xxx.xx:8010

Can you guide me with the details?

I just used Icecast-kh for me and all my stations (have 5). This needs no configuration, since it supports SSL and no-SSL on the very same port.

Hi, I don't know if you got it fixed yet,
but I know a lot of people are searching the forum and web to get Shoutcast running under SSL.

I am using stunnel; it is really the fastest way to get it fixed.
Below you will find how (on CentOS 7).

1. Make sure Apache isn't running

Is Apache 2 service running? Run the following systemctl command:
sudo systemctl status httpd

Next, find out if httpd is enabled at boot time:
sudo systemctl is-enabled httpd

If enabled at boot time, disable it, run:
sudo systemctl disable httpd

Stop the service, execute:
sudo systemctl stop httpd
sudo systemctl mask httpd

Verify it:
sudo systemctl status httpd
sudo systemctl is-enabled httpd

Now, to generate the Let's Encrypt certificate, Centova needs to listen on port 80.

In SSH go to :
/usr/local/centovacast/etc/cc-panel.conf
and add : listen 80;
right below : listen 2199 default ssl;

and save

service centovacast restart

/usr/local/centovacast/sbin/setssl letsencrypt your.domain.com

service centovacast restart

Now, when Let's Encrypt is successful, we can start to install and configure stunnel.

Log in through SSH
yum install stunnel

then create in the folder /etc/stunnel/
a file called : stunnel.conf

and fill it like this

client=no
sslVersion = TLSv1.2
[shoutcast-stream1]
accept=8002
connect=domainofyourcentovaserver.com:8000
cert = /usr/local/centovacast/etc/ssl/certs/domainofyourcentovaserver.com/fullchain.pem
key = /usr/local/centovacast/etc/ssl/certs/domainofyourcentovaserver.com/privkey.pem

save it, and start stunnel with the command : stunnel
To stop stunnel : sudo killall stunnel

So in the config, accept is the port you want to be SSL, and connect is the real Shoutcast port that it connects to.

That's it ;)

https://domainofyourcentovaserver.com:8000/stream for a working SSL Shoutcast stream.
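
Added example, not part of the original post or of stunnel itself: a small shell audit for a stunnel.conf laid out like the one above. It prints which port serves TLS (accept) and which plain backend it forwards to (connect), and warns about clashing ports, a missing cert, an old sslVersion, or no setuid. The function name audit_stunnel_conf and the radio.example.test sample config are constructed for illustration.

```shell
# Added example (not from the thread): audit a stunnel.conf like the one above.
# audit_stunnel_conf is a hypothetical helper name; it only reads the file.
audit_stunnel_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function report(   n, p, bport, aport) {
        if (svc == "") return
        n = split(connect, p, ":"); bport = p[n]     # backend port: last field of host:port
        aport = accept; sub(/^.*:/, "", aport)       # TLS port that listeners must use
        print "MAP " svc " tls=" aport " backend=" connect
        if (cert == "" && gcert == "") print "WARN " svc " has no cert, which server mode requires"
        if (aport == bport) print "WARN " svc " accept and connect share port " aport
        if (aport in seen) print "WARN " svc " accept port " aport " already used by " seen[aport]
        seen[aport] = svc
    }
    /^[ \t]*([;#]|$)/ { next }                       # skip comments and blank lines
    /^[ \t]*\[/ {                                    # a new [service] section starts
        report(); svc = $0; sub(/^[ \t]*\[/, "", svc); sub(/\].*$/, "", svc)
        accept = connect = cert = ""; next
    }
    {
        i = index($0, "="); if (i == 0) next
        k = trim(substr($0, 1, i - 1)); v = trim(substr($0, i + 1))
        if (k == "sslVersion" && v !~ /^TLSv1\.[23]$/) print "WARN sslVersion " v " permits protocols older than TLSv1.2"
        if (k == "setuid") dropped = 1
        if (k == "cert") { if (svc == "") gcert = v; else cert = v }
        if (k == "accept") accept = v; if (k == "connect") connect = v
    }
    END { report(); if (!dropped) print "WARN no setuid: stunnel keeps the privileges it was started with" }
    ' "$1"
}

# Constructed sample: the layout from the post plus a second, clashing service.
sample=$(mktemp)
cat > "$sample" <<'EOF'
client=no
sslVersion = TLSv1.2
[shoutcast-stream1]
accept=8002
connect=radio.example.test:8000
cert = /etc/stunnel/example/fullchain.pem
key = /etc/stunnel/example/privkey.pem
[shoutcast-stream2]
accept=8002
connect=radio.example.test:8002
EOF
audit_stunnel_conf "$sample"
rm -f "$sample"
```

For the first service the MAP line reads tls=8002 backend=radio.example.test:8000, so the https:// URL given to listeners carries the accept port, while encoders keep using the plain connect port.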
Thanks so much for the help! awesome  :-*

Hello, using this method the listener stats only show the proxy IP. Do you know how to solve this and show the listener's real IP?

Thank you.

Hello, before v3.2.15 SSL certs are not stored in these paths:

cert = /usr/local/centovacast/etc/ssl/certs/domainofyourcentovaserver.com/fullchain.pem
key = /usr/local/centovacast/etc/ssl/certs/domainofyourcentovaserver.com/privkey.pem

Does anyone know what files can be used with stunnel?
Many customers are using the SSL link generated with stunnel on their players and other settings, so we need to keep stunnel working even after upgrading to version 3.2.15. Your help will be appreciated.