> > > > > > > > > > Hi Folks,
> > > > > > > > > >
> > > > > > > > > > I’m having a problem getting the SSL cert file formatted just like
> > > > > > > > > > icecast wants… I’m running 2.4.2 … and it doesn’t seem to want to use
> > > > > > > > > > my combined key + cert chain no matter in what order I put it.
> > > > > > > > > > Presently, I have it in this format.. with spaces between each
> > > > > > > > > > key/cert…
> > > > > > > > > >
> > > > > > > > > > KEY
> > > > > > > > > >
> > > > > > > > > > CERTCHAIN-1
> > > > > > > > > >
> > > > > > > > > > CERTCHAIN-2
> > > > > > > > > >
> > > > > > > > > > CERTCHAIN-3
> > > > > > > > > >
> > > > > > > > > > MYCERT
> > > > > > > > > >
> > > > > > > > > > And… well… not sure what else to do here. I have the file owned by
> > > > > > > > > > icecast:icecast … and … it should be readable in its present
> > > > > > > > > > location… so, not sure what else would be wrong.
> > > > > > > > >
> > > > > > > > > Firstly, what operating system are you running ?. On Debian GNU/Linux
> > > > > > > > > user icecast2 and group icecast, then icecast2:icecast.
> > > > > > > >
> > > > > > > > I'm on RHEL 7, so the user/group is icecast:icecast ...
> > > > > > > >
> > > > > > > > > Secondly, check the Icecast2's error.log looking about SSL or TLS
> > > > > > > > > capability.
> > > > > > > > > On Debian GNU/Linux /var/log/icecast2/error.log.
> > > > > > > >
> > > > > > > > From the log, I get a simple:
> > > > > > > >
> > > > > > > > WARN connection/get_ssl_certificate Invalid cert file <my cert filepath>
> > > > > > > > INFO connection/get_ssl_certificate No SSL capability on any configured ports
> > > > > > >
> > > > > > > Make sure you have set up Icecast correctly:
> > > > > > >
> > > > > > > <listen-socket>
> > > > > > >     <port>8443</port>
> > > > > > >     <ssl>1</ssl>
> > > > > > > </listen-socket>
> > > > > >
> > > > > > Yeah... it's setup properly...
> > > > > >
> > > > > > > <paths>
> > > > > > >     ...
> > > > > > >     <ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate>
> > > > > > > </paths>
> > > > > >
> > > > > > Yes... correct for me.
> > > > > >
> > > > > > > Also, there is the possibility that Icecast2 package does not
> > > > > > > support encrypted connections via openssl.
> > > > > > > In my case I saw something similar to this:
> > > > > > > [2017-08-08 03:05:34] INFO connection/get_ssl_certificate No SSL capability
> > > > > > > Then, like solution I should have compiled Icecast with openssl
> > > > > > > support enabled.
> > > > > >
> > > > > > Well... I believe it to be setup correctly... the RPM has a libssl
> > > > > > requirement... and the fact that it tries to check the SSL cert
> > > > > > file indicates that it has capability...
> > > > >
> > > > > I agree.
> > > > > I generated the certificate with:
> > > > > openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout /usr/share/icecast2/icecast.pem -out /usr/share/icecast2/icecast.pem
> > > > > Then you need only change owner and group, nothing more.
> > > >
> > > > Well... I was able to get it to work with a self-signed cert... so,
> > > > something must be up with my Starfield signed cert... looks like
> > > > they're configuring certs using "Subject Alternative Name" entries by
> > > > default... could that be causing Icecast to barf on the cert?
> > >
> > > Looks like something about the configuration of the certificate, but I
> > > do not know specifically what ... I have only done tests with
> > > self-signed certificates.
> > > The format should be:
> > > -----BEGIN PRIVATE KEY-----
> > > blablabla
> > > -----END PRIVATE KEY-----
> > > -----BEGIN CERTIFICATE-----
> > > blablabla
> > > -----END CERTIFICATE-----
> > >
> > > > Also... I setup another <listen-socket> entry for SSL... but Icecast
> > > > doesn't seem to want to listen on that port when the service comes up.
> > > > Any idea why that might be?
> > >
> > > Do you mean with different port than 8443, for example 8765 ?. If so,
> > > what is the output of:
> > > netstat -tulpn | grep ':8765'
> >
> > Yeah... I’m just trying 8443 ... and netstat shows nada for 8443 ...
> > very strange.
>
> After restart the Icecast2 server ? ...

Yeah... after the restart... the port doesn't appear. Does icecast2 play well with selinux?

On Mon, 28-08-2017 at 21:56 +0000, Speagle, Andy wrote:
> > After restart the Icecast2 server ? ...
>
> Yeah... after the restart... the port doesn't appear. Does icecast2
> play well with selinux?

Are you in the same LAN as the server ?.
What about the firewall ? ...
ufw allow proto tcp from any to xxx.xxx.xxx.xxx port 8443

I have not worked with SELinux, I do not know :(

> Are you in the same LAN as the server ?.
> What about the firewall ? ...
> ufw allow proto tcp from any to xxx.xxx.xxx.xxx port 8443
>
> I have not worked with SELinux, I do not know :(

I have found some info about SELinux that I'll work through... though, it's not a firewall problem... I already have that configured... I presently just can't get Icecast to open the port. Thanks for the help on that. I just wish I knew what was up with my SSL cert... I need a real world cert... not a self-signed one... and my cert provider is being difficult.