> > > > > > Hi Folks,
> > > > > >
> > > > > > I’m having a problem getting the SSL cert file formatted
> > > > > > just like icecast wants… I’m running 2.4.2 … and it doesn’t
> > > > > > seem to want to use my combined key + cert chain no matter in
> > > > > > what order I put it.
> > > > > > Presently, I have it in this format.. with spaces between each
> > > > > > key/cert…
> > > > > >
> > > > > > KEY
> > > > > >
> > > > > > CERTCHAIN-1
> > > > > >
> > > > > > CERTCHAIN-2
> > > > > >
> > > > > > CERTCHAIN-3
> > > > > >
> > > > > > MYCERT
> > > > > >
> > > > > > And… well… not sure what else to do here. I have the file
> > > > > > owned by icecast:icecast … and … it should be readable in its
> > > > > > present location… so, not sure what else would be wrong.
> > > > >
> > > > > Firstly, what operating system are you running? On Debian
> > > > > GNU/Linux the user is icecast2 and the group is icecast, so
> > > > > icecast2:icecast.
> > > >
> > > > I'm on RHEL 7, so the user/group is icecast:icecast ...
> > > >
> > > > > Secondly, check Icecast2's error.log for messages about SSL or
> > > > > TLS capability.
> > > > > On Debian GNU/Linux: /var/log/icecast2/error.log.
> > > >
> > > > From the log, I get a simple:
> > > >
> > > > WARN connection/get_ssl_certificate Invalid cert file <my cert filepath>
> > > > INFO connection/get_ssl_certificate No SSL capability on any configured ports
> > >
> > > Make sure you have set up Icecast correctly:
> > >
> > > <listen-socket>
> > >     <port>8443</port>
> > >     <ssl>1</ssl>
> > > </listen-socket>
> >
> > Yeah... it's set up properly...
> >
> > > <paths>
> > >     ...
> > >     <ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate>
> > > </paths>
> >
> > Yes... correct for me.
> >
> > > Also, there is the possibility that the Icecast2 package does not
> > > support encrypted connections via openssl.
> > > In my case I saw something similar to this:
> > > [2017-08-08 03:05:34] INFO connection/get_ssl_certificate No SSL capability
> > > Then, as a solution, I had to compile Icecast with openssl support
> > > enabled.
> >
> > Well... I believe it to be set up correctly... the RPM has a libssl
> > requirement... and the fact that it tries to check the SSL cert file
> > indicates that it has capability...
>
> I agree.
> I generated the certificate with:
> openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout /usr/share/icecast2/icecast.pem -out /usr/share/icecast2/icecast.pem
> Then you need only change owner and group, nothing more.

Well... I was able to get it to work with a self-signed cert... so, something must be up with my Starfield-signed cert... looks like they're configuring certs using "Subject Alternative Name" entries by default... could that be causing Icecast to barf on the cert?

Also... I set up another <listen-socket> entry for SSL... but Icecast doesn't seem to want to listen on that port when the service comes up. Any idea why that might be?
On 08/28/2017 01:23 PM, Speagle, Andy wrote:
*bigsnip*
> Also... I set up another <listen-socket> entry for SSL... but Icecast doesn't seem to want to listen on that port when the service comes up. Any idea why that might be?

What port are you using? If < 1024 (such as 443) you must first run as a privileged user (like root) and then <changeowner> as described here:
http://icecast.org/docs/icecast-2.4.1/config-file.html#security

If that is not the case, please give log output.

Cheers,
Jordan
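Jordan's point as a config fragment (an added illustration, not text from the thread or copied from the Icecast docs): a second, TLS-enabled listener on a privileged port together with the <changeowner> block the linked security section describes. The user and group are the RHEL ones from the thread, the certificate path is the one Alejandro used above, and port 443 is a hypothetical choice. With this in place Icecast is started as root so it can bind 443 and then switches to the unprivileged account. The PEM file carries the private key, so keep it owned by that account and not world-readable.

```xml
<icecast>
    <!-- ... limits, authentication, hostname ... -->

    <!-- plain listener -->
    <listen-socket>
        <port>8000</port>
    </listen-socket>

    <!-- TLS listener on a privileged port: requires starting as root plus <changeowner> below -->
    <listen-socket>
        <port>443</port>
        <ssl>1</ssl>
    </listen-socket>

    <paths>
        <!-- ... basedir, logdir, webroot, adminroot ... -->
        <!-- private key followed by the certificate chain, one PEM file -->
        <ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate>
    </paths>

    <security>
        <chroot>0</chroot>
        <!-- drop root after the sockets are bound; user/group as on the RHEL 7 box in the thread -->
        <changeowner>
            <user>icecast</user>
            <group>icecast</group>
        </changeowner>
    </security>
</icecast>
```

For an unprivileged port such as 8443 none of this is needed; a listener that still does not show up in `netstat -tulpn` / `ss -tlnp` then points at the certificate load failing (Icecast logs "No SSL capability on any configured ports" and does not open the TLS socket), not at permissions.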
On Mon, 28-08-2017 at 20:23 +0000, Speagle, Andy wrote:
> > > > > > > Hi Folks,
> > > > > > >
> > > > > > > I’m having a problem getting the SSL cert file formatted
> > > > > > > just like icecast wants… I’m running 2.4.2 … and it doesn’t
> > > > > > > seem to want to use my combined key + cert chain no matter in
> > > > > > > what order I put it.
> > > > > > > Presently, I have it in this format.. with spaces between each
> > > > > > > key/cert…
> > > > > > >
> > > > > > > KEY
> > > > > > >
> > > > > > > CERTCHAIN-1
> > > > > > >
> > > > > > > CERTCHAIN-2
> > > > > > >
> > > > > > > CERTCHAIN-3
> > > > > > >
> > > > > > > MYCERT
> > > > > > >
> > > > > > > And… well… not sure what else to do here. I have the file
> > > > > > > owned by icecast:icecast … and … it should be readable in its
> > > > > > > present location… so, not sure what else would be wrong.
> > > > > >
> > > > > > Firstly, what operating system are you running? On Debian
> > > > > > GNU/Linux the user is icecast2 and the group is icecast, so
> > > > > > icecast2:icecast.
> > > > >
> > > > > I'm on RHEL 7, so the user/group is icecast:icecast ...
> > > > >
> > > > > > Secondly, check Icecast2's error.log for messages about SSL or
> > > > > > TLS capability.
> > > > > > On Debian GNU/Linux: /var/log/icecast2/error.log.
> > > > >
> > > > > From the log, I get a simple:
> > > > >
> > > > > WARN connection/get_ssl_certificate Invalid cert file <my cert filepath>
> > > > > INFO connection/get_ssl_certificate No SSL capability on any configured ports
> > > >
> > > > Make sure you have set up Icecast correctly:
> > > >
> > > > <listen-socket>
> > > >     <port>8443</port>
> > > >     <ssl>1</ssl>
> > > > </listen-socket>
> > >
> > > Yeah... it's set up properly...
> > >
> > > > <paths>
> > > >     ...
> > > >     <ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate>
> > > > </paths>
> > >
> > > Yes... correct for me.
> > >
> > > > Also, there is the possibility that the Icecast2 package does not
> > > > support encrypted connections via openssl.
> > > > In my case I saw something similar to this:
> > > > [2017-08-08 03:05:34] INFO connection/get_ssl_certificate No SSL capability
> > > > Then, as a solution, I had to compile Icecast with openssl support
> > > > enabled.
> > >
> > > Well... I believe it to be set up correctly... the RPM has a libssl
> > > requirement... and the fact that it tries to check the SSL cert file
> > > indicates that it has capability...
> >
> > I agree.
> > I generated the certificate with:
> > openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout /usr/share/icecast2/icecast.pem -out /usr/share/icecast2/icecast.pem
> > Then you need only change owner and group, nothing more.
>
> Well... I was able to get it to work with a self-signed cert... so,
> something must be up with my Starfield-signed cert... looks like
> they're configuring certs using "Subject Alternative Name" entries by
> default... could that be causing Icecast to barf on the cert?
>

Looks like something about the configuration of the certificate, but I do not know specifically what ... I have only done tests with self-signed certificates.
The format should be:

-----BEGIN PRIVATE KEY-----
blablabla
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
blablabla
-----END CERTIFICATE-----

> Also... I set up another <listen-socket> entry for SSL... but Icecast
> doesn't seem to want to listen on that port when the service comes
> up. Any idea why that might be?
>

Do you mean with a different port than 8443, for example 8765? If so, what is the output of:

netstat -tulpn | grep ':8765'
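Alejandro's two-block layout above is the self-signed case. With a CA-issued certificate the same file also has to carry the intermediates, and then the order matters: Icecast 2.4 loads the `<ssl-certificate>` file with OpenSSL's chain loader (`SSL_CTX_use_certificate_chain_file`), which takes the first CERTIFICATE block as the server certificate and every following block as its chain, and then reads the private key from the same file. A bundle laid out as KEY, CERTCHAIN-1..3, MYCERT, the layout in Andy's first message, therefore presents an intermediate as the server certificate. Subject Alternative Name entries have no bearing on whether the file parses. The thread does not show what exactly Icecast rejected in the Starfield-issued file, so what follows is an added illustration, not code from the thread or from Icecast: a stdlib-only Python checker that lists the PEM blocks, reads subject and issuer out of each certificate's DER, flags a chain that is out of order, and rewrites the bundle as key, server certificate, intermediates, root. The sample chain (`stream.example.test`, `Example Intermediate CA`, `Example Root CA`) is constructed here with an empty key field and dummy signatures; it is not a real key pair or real certificates.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def pem_blocks(text):
    """[(label, der_bytes), ...] in file order; blank lines between blocks are harmless."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split()), validate=True))
            for m in PEM_RE.finditer(text)]

def to_pem(label, der):
    """Encode DER bytes as a PEM block with 64-column lines."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n" + "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64)) + f"\n-----END {label}-----\n"

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value, end_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cert_names(der):
    """(subject, issuer) of an X.509 cert as raw DER Name encodings, compared byte-for-byte."""
    _, cert, _ = der_tlv(der)          # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = der_tlv(cert)          # tbsCertificate
    tag, _, pos = der_tlv(tbs)         # [0] EXPLICIT version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = der_tlv(tbs, pos)  # serialNumber
    _, _, pos = der_tlv(tbs, pos)      # signature AlgorithmIdentifier
    start = pos
    _, _, pos = der_tlv(tbs, pos)      # issuer Name
    issuer = tbs[start:pos]
    _, _, pos = der_tlv(tbs, pos)      # validity
    start = pos
    _, _, pos = der_tlv(tbs, pos)      # subject Name
    return tbs[start:pos], issuer

def check_bundle(text):
    """Layout problems as OpenSSL's chain loader sees the file: one private key; the FIRST
    CERTIFICATE is the server cert; each later cert must issue the one before it. [] = OK."""
    problems = []
    blocks = pem_blocks(text)
    n_keys = sum(label in KEY_LABELS for label, _ in blocks)
    if n_keys != 1:
        problems.append(f"expected exactly one private key block, found {n_keys}")
    names = [cert_names(der) for label, der in blocks if label == "CERTIFICATE"]
    if not names:
        return problems + ["no CERTIFICATE block"]
    if names[0][0] in {issuer for subject, issuer in names if issuer != subject}:
        problems.append("first CERTIFICATE is the CA of another cert in the file; "
                        "the server certificate must come first")
    for i, ((_, issuer), (next_subject, _)) in enumerate(zip(names, names[1:]), 1):
        if issuer != next_subject:
            problems.append(f"certificate #{i} is not issued by certificate #{i + 1}: chain out of order")
    return problems

def fix_order(text):
    """Rewrite as key, server cert, then the chain leaf-to-root by following issuer -> subject."""
    blocks = pem_blocks(text)
    key = next(b for b in blocks if b[0] in KEY_LABELS)
    certs = [(der, *cert_names(der)) for label, der in blocks if label == "CERTIFICATE"]
    by_subject = {subject: der for der, subject, _ in certs}
    issuers = {issuer for _, subject, issuer in certs if issuer != subject}
    der, subject, issuer = next(c for c in certs if c[1] not in issuers)  # issues nothing: the leaf
    ordered = [der]
    while issuer != subject and issuer in by_subject:
        der = by_subject[issuer]
        subject, issuer = cert_names(der)
        ordered.append(der)
    return "".join(to_pem(l, d) for l, d in [key] + [("CERTIFICATE", d) for d in ordered])

# ---- constructed sample data: not a real key, not real certificates --------------------
def _tlv(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + content

def _name(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; one commonName (OID 2.5.4.3)
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))))

def fake_cert(subject_cn, issuer_cn):
    """Structurally valid X.509 v3 shell (empty SubjectPublicKeyInfo, dummy signature) that
    exists only so cert_names() has real Name fields to read."""
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")                      # v3, serial 1
           + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))           # sha256WithRSA
           + _name(issuer_cn)
           + _tlv(0x30, _tlv(0x17, b"170101000000Z") + _tlv(0x17, b"200101000000Z"))  # validity
           + _name(subject_cn) + _tlv(0x30, b""))
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

LEAF = fake_cert("stream.example.test", "Example Intermediate CA")
INTER = fake_cert("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert("Example Root CA", "Example Root CA")
KEY = to_pem("PRIVATE KEY", b"not-a-real-key")
# The layout from the thread: key, chain, server certificate last, blank line between blocks.
WRONG_BUNDLE = "\n".join([KEY] + [to_pem("CERTIFICATE", c) for c in (INTER, ROOT, LEAF)])
```

Run it against the real file with `check_bundle(open(path).read())`; on the constructed `WRONG_BUNDLE` it reports that the first certificate is a CA and that the chain breaks before the leaf, and `fix_order` returns the bundle as key, leaf, intermediate, root (most deployments omit the root, so dropping that last block is fine). The checker only looks at layout. Whether the private key actually belongs to the first certificate is still a job for `openssl x509 -noout -modulus -in icecast.pem` compared with `openssl rsa -noout -modulus -in icecast.pem` (both read their own block out of the combined file and the two moduli must match), and whether the chain verifies is a job for `openssl verify`.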
> > > > > > > > Hi Folks,
> > > > > > > >
> > > > > > > > I’m having a problem getting the SSL cert file formatted
> > > > > > > > just like icecast wants… I’m running 2.4.2 … and it doesn’t
> > > > > > > > seem to want to use my combined key + cert chain no matter in
> > > > > > > > what order I put it.
> > > > > > > > Presently, I have it in this format.. with spaces between each
> > > > > > > > key/cert…
> > > > > > > >
> > > > > > > > KEY
> > > > > > > >
> > > > > > > > CERTCHAIN-1
> > > > > > > >
> > > > > > > > CERTCHAIN-2
> > > > > > > >
> > > > > > > > CERTCHAIN-3
> > > > > > > >
> > > > > > > > MYCERT
> > > > > > > >
> > > > > > > > And… well… not sure what else to do here. I have the file
> > > > > > > > owned by icecast:icecast … and … it should be readable in its
> > > > > > > > present location… so, not sure what else would be wrong.
> > > > > > >
> > > > > > > Firstly, what operating system are you running? On Debian
> > > > > > > GNU/Linux the user is icecast2 and the group is icecast, so
> > > > > > > icecast2:icecast.
> > > > > >
> > > > > > I'm on RHEL 7, so the user/group is icecast:icecast ...
> > > > > >
> > > > > > > Secondly, check Icecast2's error.log for messages about SSL or
> > > > > > > TLS capability.
> > > > > > > On Debian GNU/Linux: /var/log/icecast2/error.log.
> > > > > >
> > > > > > From the log, I get a simple:
> > > > > >
> > > > > > WARN connection/get_ssl_certificate Invalid cert file <my cert filepath>
> > > > > > INFO connection/get_ssl_certificate No SSL capability on any configured ports
> > > > >
> > > > > Make sure you have set up Icecast correctly:
> > > > >
> > > > > <listen-socket>
> > > > >     <port>8443</port>
> > > > >     <ssl>1</ssl>
> > > > > </listen-socket>
> > > >
> > > > Yeah... it's set up properly...
> > > >
> > > > > <paths>
> > > > >     ...
> > > > >     <ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate>
> > > > > </paths>
> > > >
> > > > Yes... correct for me.
> > > >
> > > > > Also, there is the possibility that the Icecast2 package does not
> > > > > support encrypted connections via openssl.
> > > > > In my case I saw something similar to this:
> > > > > [2017-08-08 03:05:34] INFO connection/get_ssl_certificate No SSL capability
> > > > > Then, as a solution, I had to compile Icecast with openssl support
> > > > > enabled.
> > > >
> > > > Well... I believe it to be set up correctly... the RPM has a libssl
> > > > requirement... and the fact that it tries to check the SSL cert file
> > > > indicates that it has capability...
> > >
> > > I agree.
> > > I generated the certificate with:
> > > openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout /usr/share/icecast2/icecast.pem -out /usr/share/icecast2/icecast.pem
> > > Then you need only change owner and group, nothing more.
> >
> > Well... I was able to get it to work with a self-signed cert... so,
> > something must be up with my Starfield-signed cert... looks like
> > they're configuring certs using "Subject Alternative Name" entries by
> > default... could that be causing Icecast to barf on the cert?
> >
>
> Looks like something about the configuration of the certificate, but I do not
> know specifically what ... I have only done tests with self-signed certificates.
> The format should be:
> -----BEGIN PRIVATE KEY-----
> blablabla
> -----END PRIVATE KEY-----
> -----BEGIN CERTIFICATE-----
> blablabla
> -----END CERTIFICATE-----
>
> > Also... I set up another <listen-socket> entry for SSL... but Icecast
> > doesn't seem to want to listen on that port when the service comes up.
> > Any idea why that might be?
> >
>
> Do you mean with a different port than 8443, for example 8765? If so, what is
> the output of:
> netstat -tulpn | grep ':8765'

Yeah... I’m just trying 8443 ... and netstat shows nada for 8443 ... very strange.