Enable Native TLS for Icecast

Can somebody help me find out whether the Enable Native TLS feature is working correctly for Icecast accounts?
I have the latest version of Centova, 3.2.15.
When I fill in the certificate chain and certificate private key fields, the Test TLS configuration runs and shows the correct information for the certificate, but when I update and restart the account and come back to the certificate chain field, it shows an empty field and, logically, HTTPS is not working.
I'm having the same issue and nothing seems to get it to work at all.
If anyone can help, I'd be interested in how you get it working.
I confirm this behaviour too.

Here's what I see happening here after filling out a valid (passes Test TLS configuration) cert and key in the TLS/SSL tab with Icecast servers:

* The line "<ssl-certificate>etc/ssl/certandkey.pem</ssl-certificate>" gets added to server.conf and this file certandkey.pem contains both the certificate and the private key.

* An extra port is also set up in server.conf with your
  <listen-socket>
    <port>[auto_assigned_port_is_here]</port>
    <bind-address>[server_ip_is_here]</bind-address>
    <ssl>1</ssl>
  </listen-socket>

* The "Certificate private key" field is then overwritten with contents of the certandkey.pem file.

I can't connect on the auto assigned or original port using SSL (https). The original http / port still works as before. It's as if nothing changed after adding the certificate / key.

As a side note, the TLS/SSL feature on Shoutcast 2.6 servers doesn't work either. See this thread: https://centova.com/forums/index.php?topic=5740.0 (I'm not sure if a Shoutcast "Premium" account needs to be paid for for this to work though).
Checking the logs I see " INFO connection/get_ssl_certificate No SSL capability". I suspect this might be an issue that Icecast hasn't been compiled with SSL enabled. A few days ago I upgraded to Centova Cast v3.2.15 which in turn upgraded my Icecast from v2.4.2 to v2.4.4 so it was freshly compiled so I don't see why it wouldn't have SSL enabled after being recompiled so recently.
Hello!

After upgrade, were you able to enable native TLS / SSL with icecast? With the original port assigned.

Before these updates, I had assigned the certificate in the icecast skeletor, so when a new station was assigned, it would automatically assign the certificate path. This worked fine.
But this no longer works in new versions of centova, it is not possible to automatically assign the default certificate path.

I would like to know if you have been able to find any alternative to use icecast with SSL automatically in same port.

(I'm using Icecast KH)

Thank you
Hello everyone,
I found this thread since experiencing the very same issue: Icecast not streaming via SSL despite all steps done for installation and configuration.

I also confirm that in Centova Cast Account/Stream configuration under "SSL/TLS" tab, after pasting Certificate and Private Key and saving configuration, the Certificate moves to the Private Key window and verification fails, but this issue is just cosmetic.

To fix the main issue (Icecast not streaming on https), I had to re-compile Icecast 2.4.4 with SSL and re-install it.
This guide I found is very helpful: https://serverok.in/centovacast-enable-ssl-on-icecast

Since the Icecast installation files are already placed by the Centova Cast 3.2.15 installation, it is not necessary to re-download them.
Therefore, in the guide, you can skip following commands:
wget http://downloads.xiph.org/releases/icecast/icecast-2.4.4.tar.gz
tar xvf icecast-2.4.4.tar.gz

IMPORTANT: it is *mandatory* to install "openssl-devel" before compiling and installing Icecast 2.4.4!

Here are the steps:
1. yum install -y openssl-devel
2. cd /usr/local/src/icecast-2.4.4
3. grep lssl config.status (if nothing appears, you have confirmation that Icecast was installed by Centova Cast without SSL support)
4. ./configure --prefix=/usr/serverok/icecast --with-curl --with-openssl (this will compile Icecast with SSL support in folder /usr/serverok)
5. grep lssl config.status (you should now see something like S["XIPH_LIBS"]=" -lssl -lcrypto  -lcurl   -lspeex  -ltheora  -lvorbis -logg  -L/usr/lib64 -lxslt -lxml2 -lz -ldl -lm ")
6. make (first installation step)
7. make install (second installation step)
8. ln -s /usr/serverok/icecast/bin/icecast /usr/local/icecast/bin/icecast (this creates a symlink to the correct SSL-enabled Icecast binary, leaving the original one intact in /usr/local/icecast/bin. The original Icecast binary is renamed "icecast-old")
9. service centovacast restart (restarts Centova Cast)
10. configure and restart all Accounts/Streams for SSL/TLS

Happy streaming!
   Cande
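
A static check that ties together the symptoms reported in this thread (the `<ssl-certificate>` entry, the `<ssl>1</ssl>` listen-socket, the combined PEM file, and the "No SSL capability" log line), as an added example that is not part of any post above and is not Centova or Icecast code. The function names, the BASE_DIR argument, the error.log file name and the sample port 8443 are assumptions; the world-readable check is added because certandkey.pem holds the private key.

```shell
#!/bin/sh
# Added example: static checks for an Icecast account's native TLS setup.
# Args: BASE_DIR (where a relative <ssl-certificate> path resolves from; an
# assumption), SERVER_CONF, ERROR_LOG. Returns 0 ok, 1 config problem,
# 2 binary built without SSL.
check_icecast_tls() {
    base=$1; conf=$2; log=$3; rc=0
    # server.conf must name the combined certificate + key file.
    pem=$(sed -n 's:.*<ssl-certificate>\(.*\)</ssl-certificate>.*:\1:p' "$conf" | head -n 1)
    if [ -z "$pem" ]; then
        echo "FAIL: no <ssl-certificate> in $conf"; return 1
    fi
    case $pem in /*) ;; *) pem=$base/$pem ;; esac
    # A listen-socket must be flagged <ssl>1</ssl>.
    grep -q '<ssl>1</ssl>' "$conf" || { echo "FAIL: no <ssl>1</ssl> socket"; rc=1; }
    # The PEM must contain both the certificate and the private key.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" 2>/dev/null ||
        { echo "FAIL: no certificate in $pem"; rc=1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" 2>/dev/null ||
        { echo "FAIL: no private key in $pem"; rc=1; }
    # The file holds a private key, so other users must not be able to read it.
    if [ -n "$(find "$pem" -perm -004 2>/dev/null)" ]; then
        echo "FAIL: $pem is world-readable"; rc=1
    fi
    # The log line quoted in this thread means the binary has no SSL support.
    if grep -q 'No SSL capability' "$log" 2>/dev/null; then
        echo "FAIL: Icecast was built without SSL support"; rc=2
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: TLS configuration looks consistent"; fi
    return "$rc"
}

# Constructed sample account tree (port 8443 and all contents are made up).
make_sample() {
    mkdir -p "$1/etc/ssl"
    printf '%s\n' '<icecast>' \
        '<ssl-certificate>etc/ssl/certandkey.pem</ssl-certificate>' \
        '<listen-socket><port>8443</port><ssl>1</ssl></listen-socket>' \
        '</icecast>' > "$1/server.conf"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' '-----BEGIN PRIVATE KEY-----' \
        > "$1/etc/ssl/certandkey.pem"
    chmod 600 "$1/etc/ssl/certandkey.pem"
    echo 'INFO connection/get_ssl_certificate No SSL capability' > "$1/error.log"
}

d=$(mktemp -d); make_sample "$d"
check_icecast_tls "$d" "$d/server.conf" "$d/error.log" || echo "exit status $?"
rm -rf "$d"
```

Exit status 2 is the case the recompile steps above address; exit status 1 points at server.conf or the PEM file rather than the binary.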