Steve Matzura
2020-Nov-27 22:17 UTC
[Icecast] Icecast2 with SSL, includes error.log extract
After placing "<ssl>1</ssl>" in the listen-sockets stanza and the path to my PEM-format certificate in the paths stanza, I restarted Icecast2. In /usr/share/icecast2/log I got the following in error.log:

[2020-11-27 22:00:07] INFO connection/get_ssl_certificate SSL certificate found at /etc/ssl/2020/icecast.pem
[2020-11-27 22:00:07] INFO connection/get_ssl_certificate SSL using ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

I have absolutely no idea what any of this means, good or bad, but I do know that after restarting Icecast, I couldn't restart ices and therefore couldn't connect to the server. Apparently something is wrong with my PEM certificate file, but I truly don't know what it could be. I created it by concatenating my server's public key plus its certifying authority (CA) key provided by the hosting company plus the server's private key according to many articles and Web pages, not to mention several helpful messages on this very list.

After restarting Icecast, I could not restart ices, which probably means I need something else in the ices configuration about which I do not know, or my certificate PEM file is bad. Any help on solving this would be greatly appreciated. I feel I'm very close, just one detail away from getting it right.

Thanks in advance.
Jordan Erickson
2020-Nov-27 22:22 UTC
[Icecast] Icecast2 with SSL, includes error.log extract
Hey Steve,

I don't believe ices supports SSL, does it?

Cheers,
Jordan Erickson

On 11/27/20 2:17 PM, Steve Matzura wrote:
> After placing "<ssl>1</ssl>" in the listen-sockets stanza and the path
> to my PEM-format certificate in the paths stanza, I restarted Icecast2.
> In /usr/share/icecast2/log I got the following in error.log:
>
> [2020-11-27 22:00:07] INFO connection/get_ssl_certificate SSL certificate found at /etc/ssl/2020/icecast.pem
> [2020-11-27 22:00:07] INFO connection/get_ssl_certificate SSL using ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>
> I have absolutely no idea what any of this means, good or bad, but I do
> know that after restarting Icecast, I couldn't restart ices and
> therefore couldn't connect to the server. Apparently something is wrong
> with my PEM certificate file, but I truly don't know what it could be. I
> created it by concatenating my server's public key plus its certifying
> authority (CA) key provided by the hosting company plus the server's
> private key according to many articles and Web pages, not to mention
> several helpful messages on this very list.
>
> After restarting Icecast, I could not restart ices, which probably means
> I need something else in the ices configuration about which I do not
> know, or my certificate PEM file is bad. Any help on solving this would
> be greatly appreciated. I feel I'm very close, just one detail away from
> getting it right.
>
> Thanks in advance.

Norbert Deleutre
2020-Nov-28 05:56 UTC
[Icecast] Icecast2 with SSL, includes error.log extract
Hello Steve,

5 important things for having Icecast with SSL:

1. Install Icecast with OpenSSL: https://wiki.xiph.org/Icecast_Server/Installing_latest_version_(official_Xiph_repositories)
2. Concatenate fullchain.pem and privacy.pem => bundle.pem
3. Add in icecast.xml: <ssl>1</ssl> and <ssl-certificate>/etc/icecast2/bundle.pem</ssl-certificate>
4. Check local firewall (netstat -pantu | grep icecast)
5. Restart Icecast

ALL you MUST do is explained here: https://mediarealm.com.au/articles/icecast-https-ssl-setup-lets-encrypt/

--------
Norbert Deleutre <http://www.lmgc.univ-montp2.fr/perso/norbert-deleutre/>
P 0467149655
UMR CNRS 5508 <http://www.lmgc.univ-montp2.fr/>
A Campus Saint-Priest/Montpellier

> On 27 Nov 2020 at 23:17, Steve Matzura <sm at noisynotes.com> wrote:
>
> I have absolutely no idea what any of this means, good or bad, but I do know that after restarting Icecast, I couldn't restart ices and therefore couldn't connect to the server. Apparently something is wrong with my PEM certificate file, but I truly don't know what it could be. I created it by concatenating my server's public key plus its certifying authority (CA) key provided by the hosting company plus the server's private key according to many articles and Web pages, not to mention several helpful messages on this very list. After restarting Icecast, I could not restart ices, which probably means I need something else in the ices configuration about which I do not know, or my certificate PEM file is bad. Any help on solving this would be greatly appreciated. I feel I'm very close, just one detail away from getting it right.
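
An added example, not code from this thread or from the Icecast project: one way to sanity-check a combined certificate-plus-key PEM bundle of the kind discussed above before pointing <ssl-certificate> at it. The function names and the sample bundle are assumptions made for illustration; the sample uses real PEM labels with placeholder bodies.

```python
import base64
import binascii
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

# Constructed sample: real PEM labels, placeholder base64 bodies.
SAMPLE_BAD = (
    "-----BEGIN PUBLIC KEY-----\nQUJD\n-----END PUBLIC KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nREVG\n-----END CERTIFICATE-----\n")


def lint_bundle(text):
    """Return structural problems in a combined certificate+key PEM file."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    labels = [label for label, _ in blocks]
    for label, body in blocks:
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"{label}: body is not valid base64")
    if text.count("-----BEGIN ") != len(blocks):
        problems.append("unterminated or mismatched BEGIN/END markers")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    keys = sum(1 for label in labels if label in KEY_LABELS)
    if keys != 1:
        problems.append(f"expected 1 private key block, found {keys}")
    if "PUBLIC KEY" in labels:
        problems.append("bare PUBLIC KEY block where a certificate belongs")
    return problems


def key_matches_cert(path):
    """Load certificate and key from one file, as a TLS server would.

    Python's ssl module (OpenSSL underneath) raises SSLError when the
    private key does not belong to the first certificate in the file.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(path)
        return True, ""
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)
```

Run lint_bundle() on the file's text first, then key_matches_cert() on its path; an empty problem list together with (True, "") means the bundle parses and the key belongs to the leading certificate.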