Icecast - Jul 2017 - SSL Setup

El vie, 21-07-2017 a las 19:07 +0200, Marvin Scholz
escribi?:
> 
> On 21 Jul 2017, at 18:41, Jos? Luis Artuch wrote:
> 
> > Hello !
> > 
> > El lun, 10-07-2017 a las 09:31 +0000, Philipp Schafft escribi?:
> > > Good morning,
> > > 
> > > 
> > > On Mon, 2017-07-10 at 01:25 +0000, ScanCaster wrote:
> > > > IceCast is one of the last services I have that doesn't
connect
> > > > securely,?
> > > > and I am looking to close that hole....
> > > > [...]
> > > > OK... add a port for SSL for IceCast in icecast.xml...path
for
> > > > cert
> > > > file?
> > > > in same.... no biggie
> > > 
> > > The <ssl-certificate> belongs in the <paths> section
of the
> > > config
> > > file.
> > > (I'm not sure what you mean with 'in same', just
wanted to make
> > > it
> > > clear.)
> > > 
> > > 
> > > > The key/cert needs to be in a dir and file with applicable
> > > > permissions?
> > > > for the IceCast user... no biggie..
> > > > 
> > > > chown icecastusergroup:icecastusergroup??certfile
> > > 
> > > 
> > > > What I am looking to confirm is that the cert file needs to
> > > > contain:
> > > > 
> > > > -----BEGIN RSA PRIVATE KEY-----
> > > > MII
> > > > -----END RSA PRIVATE KEY-----
> > > > 
> > > > -----BEGIN CERTIFICATE-----
> > > > MI
> > > > -----END CERTIFICATE-----?
> > > > 
> > > > Where the Cert is the file/text Comodo sends me, and the key
is
> > > > the
> > > > one?
> > > > openssl spit out earlier,?
> > > > 
> > > > Combine them up in certfile, Correct? Special order?? KEY
then
> > > > Cert, or v-
> > > > v? Line separating them?
> > > 
> > > The format is the OpenSSL format: key, blank line, cert (chain).
> > > echo | cat key.pem - cert.pem > combo.pem
> > > 
> > > 
> > > > kill -HUP pidOfIcecast
> > > 
> > > As of Icecast2 2.4.x you need to restart Icecast to reload the
> > > cert.
> > > There is however a fix in 2.5.x (development) which is hopefully
> > > released with the next development update.
> > > 
> > > 
> > > > And good????
> > > > 
> > > > One thing can the web server spit out just a text file that
is
> > > > used
> > > > by?
> > > > Comodo to verify ownership of the domain? The DNS method
> > > > normally?
> > > > fails....
> > > 
> > > Sure. Just put it into the webroot (<webroot> in
<paths>).
> > > Icecast
> > > handles files in webroot according to your operating system's
> > > mine-
> > > type
> > > table.
> > > 
> > 
> > On Debian 9, in the configuration file it says:
> > 
> > <webroot>/usr/share/icecast2/web</webroot>
> >
<ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate>
> > 
> > What should be the correct path of the icecast.pem file ?.
> > Should it be /usr/share/icecast2/web/icecast.pem ?.
> 
> You certainly do not want to put your private key in your public
> webroot...
> 
Thanks Marvin. Is ok into any other directory, for example
/etc/icecast2/ssl ?.
> > 
> > Thanks.
> > > 
> > > > ie:
http://icecast.domain.invalid/somestringofletersnumbers.txt
> > > > That they?
> > > > request if its dumped in the webroot stuff of Icecast? With
out
> > > > any
> > > > XSLT?
> > > > markup?
> > > 
> > > Icecast only processes XSLT files as XSLT.
> > > 
> > > 
> > > > So if I added a listening port on 80 for this, then took it
> > > > away,?
> > > > since I don't use that for Icecast... Icecast is on its
own
> > > > server
> > > > which?
> > > > does not have Apache... web stuff for other things is on its
> > > > own
> > > > box. I?
> > > > never have used the Icecast to server up anything other than
> > > > the
> > > > default?
> > > > admin etc. stuff it does by default...
> > > 
> > > To avoid the need to run Icecast as privileged user in oder to
> > > bind
> > > to
> > > low ports (if Comodo really insists in using port 80) you can use
> > > your
> > > firewall to do a local redirect.
> > > 
> > > 
> > > Hope this is of help to you,
> > > 
> > > with best regards,
> > > 
> > > 
> > > _______________________________________________
> > > Icecast mailing list
> > > Icecast at xiph.org
> > > http://lists.xiph.org/mailman/listinfo/icecast
> > 
> > _______________________________________________
> > Icecast mailing list
> > Icecast at xiph.org
> > http://lists.xiph.org/mailman/listinfo/icecast
> 
> _______________________________________________
> Icecast mailing list
> Icecast at xiph.org
> http://lists.xiph.org/mailman/listinfo/icecast

On 21 Jul 2017, at 19:27, Jos? Luis Artuch wrote:
> El vie, 21-07-2017 a las 19:07 +0200, Marvin Scholz escribi?:
>>
>> On 21 Jul 2017, at 18:41, Jos? Luis Artuch wrote:
>>
>>> Hello !
>>>
>>> El lun, 10-07-2017 a las 09:31 +0000, Philipp Schafft escribi?:
>>>> Good morning,
>>>>
>>>>
>>>> On Mon, 2017-07-10 at 01:25 +0000, ScanCaster wrote:
>>>>> IceCast is one of the last services I have that doesn't
connect
>>>>> securely,?
>>>>> and I am looking to close that hole....
>>>>> [...]
>>>>> OK... add a port for SSL for IceCast in icecast.xml...path
for
>>>>> cert
>>>>> file?
>>>>> in same.... no biggie
>>>>
>>>> The <ssl-certificate> belongs in the <paths>
section of the
>>>> config
>>>> file.
>>>> (I'm not sure what you mean with 'in same', just
wanted to make
>>>> it
>>>> clear.)
>>>>
>>>>
>>>>> The key/cert needs to be in a dir and file with applicable
>>>>> permissions?
>>>>> for the IceCast user... no biggie..
>>>>>
>>>>> chown icecastusergroup:icecastusergroup??certfile
>>>>
>>>>
>>>>> What I am looking to confirm is that the cert file needs to
>>>>> contain:
>>>>>
>>>>> -----BEGIN RSA PRIVATE KEY-----
>>>>> MII
>>>>> -----END RSA PRIVATE KEY-----
>>>>>
>>>>> -----BEGIN CERTIFICATE-----
>>>>> MI
>>>>> -----END CERTIFICATE-----?
>>>>>
>>>>> Where the Cert is the file/text Comodo sends me, and the
key is
>>>>> the
>>>>> one?
>>>>> openssl spit out earlier,?
>>>>>
>>>>> Combine them up in certfile, Correct? Special order?? KEY
then
>>>>> Cert, or v-
>>>>> v? Line separating them?
>>>>
>>>> The format is the OpenSSL format: key, blank line, cert
(chain).
>>>> echo | cat key.pem - cert.pem > combo.pem
>>>>
>>>>
>>>>> kill -HUP pidOfIcecast
>>>>
>>>> As of Icecast2 2.4.x you need to restart Icecast to reload the
>>>> cert.
>>>> There is however a fix in 2.5.x (development) which is
hopefully
>>>> released with the next development update.
>>>>
>>>>
>>>>> And good????
>>>>>
>>>>> One thing can the web server spit out just a text file that
is
>>>>> used
>>>>> by?
>>>>> Comodo to verify ownership of the domain? The DNS method
>>>>> normally?
>>>>> fails....
>>>>
>>>> Sure. Just put it into the webroot (<webroot> in
<paths>).
>>>> Icecast
>>>> handles files in webroot according to your operating
system's
>>>> mine-
>>>> type
>>>> table.
>>>>
>>>
>>> On Debian 9, in the configuration file it says:
>>>
>>> <webroot>/usr/share/icecast2/web</webroot>
>>>
<ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate>
>>>
>>> What should be the correct path of the icecast.pem file ?.
>>> Should it be /usr/share/icecast2/web/icecast.pem ?.
>>
>> You certainly do not want to put your private key in your public
>> webroot...
>>
> Thanks Marvin. Is ok into any other directory, for example
> /etc/icecast2/ssl ?.
I think so, yes.
>>>
>>> Thanks.
>>>>
>>>>> ie:
http://icecast.domain.invalid/somestringofletersnumbers.txt
>>>>> That they?
>>>>> request if its dumped in the webroot stuff of Icecast? With
out
>>>>> any
>>>>> XSLT?
>>>>> markup?
>>>>
>>>> Icecast only processes XSLT files as XSLT.
>>>>
>>>>
>>>>> So if I added a listening port on 80 for this, then took it
>>>>> away,?
>>>>> since I don't use that for Icecast... Icecast is on its
own
>>>>> server
>>>>> which?
>>>>> does not have Apache... web stuff for other things is on
its
>>>>> own
>>>>> box. I?
>>>>> never have used the Icecast to server up anything other
than
>>>>> the
>>>>> default?
>>>>> admin etc. stuff it does by default...
>>>>
>>>> To avoid the need to run Icecast as privileged user in oder to
>>>> bind
>>>> to
>>>> low ports (if Comodo really insists in using port 80) you can
use
>>>> your
>>>> firewall to do a local redirect.
>>>>
>>>>
>>>> Hope this is of help to you,
>>>>
>>>> with best regards,
>>>>
>>>>
>>>> _______________________________________________
>>>> Icecast mailing list
>>>> Icecast at xiph.org
>>>> http://lists.xiph.org/mailman/listinfo/icecast
>>>
>>> _______________________________________________
>>> Icecast mailing list
>>> Icecast at xiph.org
>>> http://lists.xiph.org/mailman/listinfo/icecast
>>
>> _______________________________________________
>> Icecast mailing list
>> Icecast at xiph.org
>> http://lists.xiph.org/mailman/listinfo/icecast
> _______________________________________________
> Icecast mailing list
> Icecast at xiph.org
> http://lists.xiph.org/mailman/listinfo/icecast