There are some things to consider if you want Icecast to serve https:

The ssl certificate file needs BOTH the private key AND the chain in one file. The order did not make a difference in my setups.
The <ssl-private-key> is not needed, only the <ssl-certificate>.

Make sure that the icecast2 user is the owner of the certificate:

    chown icecast2:icecast /usr/share/icecast2/icecast.pem

Make sure NOT to put it in the "web" directory, the pem file should NOT be publicly accessible.
I have used both /etc/icecast2/ and /usr/share/icecast2/ directories successfully.

I am using letsencrypt and have used a post-hook script so that it only updates after a new certificate has been deployed:

    #!/bin/bash
    /bin/cat /etc/letsencrypt/live/YOURDOMAIN/privkey.pem /etc/letsencrypt/live/YOURDOMAIN/fullchain.pem > /usr/share/icecast2/icecast.pem && /usr/bin/systemctl restart icecast2

Make sure you are NOT using the version from the Debian repositories, as they are compiled without SSL support.
Instead use the repositories described here: https://wiki.xiph.org/Icecast_Server/Installing_latest_version_(official_Xiph_repositories)

I also had to add a priority file to make sure apt grabs the right one, as the version number on both repositories is the same, but only the version on the official Xiph repo has SSL support.
After adding the official xiph repository add a file /etc/apt/preferences.d/icecast with the following:

    Package: icecast2
    Pin: origin "download.opensuse.org"
    Pin-Priority: 999

Then do a reinstall with:

    apt update
    apt reinstall icecast2

These are the relevant parts of my icecast2.xml:

    <listen-socket>
        <port>8443</port>
        <ssl>1</ssl>
    </listen-socket>

    <ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate>

Of course restart icecast2 after updating the ssl-certificate as it is only read during startup, that is also why I do a restart (and not a reload) in the certbot post-hook:

    systemctl restart icecast2

Also close and reopen your browser to test so that you are sure the certificate is not being cached locally.

Worked for me with Debian 9 and 10.

Regards, Paul

-----Original message-----
From: Icecast <icecast-bounces at xiph.org> On behalf of Marvin Scholz
Sent: Monday, 4 January 2021 20:59
To: Icecast streaming server user discussions <icecast at xiph.org>
Subject: Re: [Icecast] Icecast and HTTPS

Icecast does support TLS and nearly all modern players do support streams over HTTPS too.

On 4 Jan 2021, at 20:56, Norbert Deleutre wrote:

> With a free player? Which one?
>
> --
> N.D
> LMGC
>
>> On 4 Jan 2021 at 20:34, John McHarry <jmcharry at gmx.net> wrote:
>>
>> It does. https://audio-mp3.ibiblio.org/whqr_hd1 is served from an
>> icecast2 server. Check http://audio-mp3.ibiblio.org:8000
>>
>> On Mon, 2021-01-04 at 20:14 +0100, Norbert Deleutre wrote:
>>> I had made the same request in September 2020.
>>> And my conclusion is that icecast doesn't work with ssl-
>>>
>>> --
>>> N.D
>>> LMGC
>>>
>>>> On 4 Jan 2021 at 19:06, Wangr <Wang at pc-factory.at> wrote:
>>>>
>>>> Hello to all!
>>>>
>>>> I have tried for days now to use icecast2 (version 2.4.99.2) with
>>>> HTTPS. Been through so many manuals and howtos, but nothing works.
>>>>
>>>> I have used the Debian version, as well as compiled from source.
>>>>
>>>> Ports 8000 and 8443 are open on the firewall.
>>>>
>>>> Here is some relevant info:
>>>>
>>>> /etc/icecast2/icecast.xml:
>>>>
>>>> <listen-socket>
>>>>     <port>8000</port>
>>>> </listen-socket>
>>>> <listen-socket>
>>>>     <port>8443</port>
>>>>     <ssl>1</ssl>
>>>> </listen-socket>
>>>>
>>>> <http-headers>
>>>>     <header name="Access-Control-Allow-Origin" value="*" />
>>>> </http-headers>
>>>>
>>>> <paths>
>>>>     <basedir>/usr/share/icecast2</basedir>
>>>>     <logdir>/var/log/icecast2</logdir>
>>>>     <webroot>/usr/share/icecast2/web</webroot>
>>>>     <adminroot>/usr/share/icecast2/admin</adminroot>
>>>>     <alias source="/" destination="/status.xsl"/>
>>>>     <ssl-certificate>/usr/share/icecast2/web/bundle.pem</ssl-certificate>
>>>>     <ssl-private-key>/usr/share/icecast2/web/bundle.pem</ssl-private-key>
>>>> </paths>
>>>>
>>>> The bundle.pem file contains the privkey.pem and fullchain.pem
>>>> files of the dehydrated (let's encrypt) certificates, in this
>>>> order.
>>>>
>>>> ices2 config file:
>>>>
>>>> <instance>
>>>>     <port>8443</port>
>>>> </instance>
>>>>
>>>> with <port>8000</port> (HTTP) it works, not with 8443 (HTTPS).
>>>>
>>>> I am thankful for any help!
>>>> _______________________________________________
>>>> Icecast mailing list
>>>> Icecast at xiph.org
>>>> http://lists.xiph.org/mailman/listinfo/icecast
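
A hardened variant of the post-hook described in the message above, as an added example that is not part of the original post: it writes the combined PEM with mode 0600 through an atomic rename and refuses a destination inside the web root. The function name build_bundle, the ICECAST_WEBROOT variable and the --deploy flag are assumptions of this example; YOURDOMAIN is the thread's placeholder.

```shell
#!/bin/bash
# Added example, not the poster's script: hardened certbot post-hook.
# build_bundle, ICECAST_WEBROOT and the default paths are assumptions.
set -u

# build_bundle KEY CHAIN DEST WEBROOT
# Writes KEY followed by CHAIN to DEST (mode 0600, atomic rename) and refuses
# a DEST inside WEBROOT, where Icecast would serve the private key to anyone.
build_bundle() {
    local key chain dest webroot destdir tmp
    key=$1; chain=$2; dest=$3; webroot=$4
    destdir=$(cd "$(dirname "$dest")" && pwd -P) || return 2
    webroot=$(cd "$webroot" && pwd -P) || return 2
    case "$destdir/" in
        "$webroot"/*) echo "refusing: $dest is inside the webroot" >&2; return 3 ;;
    esac
    # Catch swapped or truncated inputs before replacing a working bundle.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" || return 4
    grep -q -e '-----BEGIN CERTIFICATE-----' "$chain" || return 4
    # Temp file lives in the target directory so mv is an atomic rename;
    # the umask keeps the key unreadable to group and others at all times.
    tmp=$(umask 077 && mktemp "$destdir/.icecast.pem.XXXXXX") || return 5
    if cat "$key" "$chain" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$dest"
    then
        return 0
    fi
    rm -f "$tmp"
    return 5
}

# Hook mode: only with --deploy, so the function can be sourced and tested.
if [ "${1:-}" = "--deploy" ]; then
    live=/etc/letsencrypt/live/YOURDOMAIN   # placeholder, as in the thread
    dest=/usr/share/icecast2/icecast.pem
    build_bundle "$live/privkey.pem" "$live/fullchain.pem" "$dest" \
        "${ICECAST_WEBROOT:-/usr/share/icecast2/web}" || exit 1
    # Restart, not reload: the certificate is only read at startup.
    chown icecast2:icecast "$dest" && /usr/bin/systemctl restart icecast2
fi
```

The plain `cat ... > icecast.pem` form creates the file with the shell's default umask, so on a first run the private key can be world-readable until permissions are tightened by hand.
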

BTW, if you are on an ARM device like the Raspberry Pi you have to compile icecast2 from source to get ssl support!
There is only an ARM64 version available for Debian 9.

Paul

-----Original message-----
From: Icecast <icecast-bounces at xiph.org> On behalf of _zer0_ gravity
Sent: Monday, 4 January 2021 21:56
To: Icecast streaming server user discussions <icecast at xiph.org>
Subject: Re: [Icecast] Icecast and HTTPS

There are some things to consider if you want Icecast to serve https:
[...]

Thank you all for your answers, especially this one here!

Thank you, Paul, for the many pieces of good advice. I actually got it working! In pretty much the same way you described it.

As players I tried with success: mpv, mplayer, vlc, cvlc (Linux).

Also inside an <audio> tag in a https page, it worked! This was the reason I wanted to use https, because I wanted to embed the stream in an https site; if icecast runs only with http, chromium complains; in Firefox it worked well.

_zer0_ gravity <zer0___ at hotmail.com> wrote on 04.01.2021 20:56:
> There are some things to consider if you want Icecast to serve https:
> [...]

--
Das School Community System
https://pc-factory.at/school