Securing Icecast Stream with SSL Letsencrypt

Icecast is a popular and well loved live audio streaming application. It is free, and requires very limited resources to run. In this guide, we’ll explain how to enable HTTPS on Icecast, and how to generate SSL certificates for free via Lets Encrypt. This guide assumes you’re running Debian 11 or newer. Older versions may work, but there’s a lot of painful stuffing around with package dependencies.

Some online guides show you how to place Nginx or Apache in front of Icecast for SSL termination, but that’s not necessary. Now, you can install or update Icecast:

apt-get install icecast2

At this point, you may need to configure Icecast. If this is an existing installation, Icecast should still be running with your existing configuration. Make sure you test this now.

Icecast Configuration

To open Icecast configuration , type the following and press enter:

nano /etc/icecast2/icecast.xml

For now, we’re only going to change two settings – the port number, and the user that Icecast runs under.

Using your arrow keys, scroll until you see the line ‘8000’. Change the number ‘8000’ to ’80’. This puts Icecast on the default HTTP port, making it easier for people to listen behind a corporate firewall.

Next, scroll right to the bottom of the file where you can see a security section. Delete the text ‘<!–’ and ‘–>’  (leaving everything in the middle)

To exit and save, press Ctrl + X, Y and Enter.

We also need to change one more file to make this work. Type in:

nano /etc/default/icecast2

Change the USERID and GROUPID values to ‘root’

To exit and save, press Ctrl + X, Y and Enter.

Finally, we probably need to change the log file ownership with this command:

chown -R nobody /var/log/icecast2/

Then, you need to restart the service with the following command:

service icecast2 restart

Installing and running Lets Encrypt Certbot for Icecast

In order for the SSL Certificate validation to work, you will need to have DNS setup and pointing to this server. Icecast must already be running on Port 80.

Now, we can begin to install and run the tools needed to generate an SSL certificate. This section assumes your server can be located at ‘stream.example.com’.

apt-get install certbot

Run certbot with the correct domain for your server:

certbot certonly --webroot-path="/usr/share/icecast2/web" -d 'stream.example.com'

When prompted, select the ‘webroot’ option and input your email address. Your certificate should be generated at this point. If you receive errors, take note of them and start doing some research online. The most common error is the inability to validate – in this case, make sure Icecast is accessible via DNS on Port 80, and check your webfoot is indeed ‘/usr/share/icecast2/web’.

We now need to concatenate two certificate files so they are in the correct format for Icecast to use:

cat /etc/letsencrypt/live/stream.example.com/fullchain.pem /etc/letsencrypt/live/stream1.example.com/privkey.pem > /etc/icecast2/bundle.pem

Also:

chmod 666 /etc/icecast2/bundle.pem

If you know which user Icecast is running under, you can run a chown instead of a chmod. Icecast needs to be able to read this new PEM file – that’s the goal here.

While we’re thinking about it, we should also make sure certificate renewals run correctly. Open the certificate config file in a text editor:

nano /etc/letsencrypt/renewal/stream.example.com.conf

Add this line to the [renewalparams] section:

post_hook = cat /etc/letsencrypt/live/stream.example.com/fullchain.pem /etc/letsencrypt/live/stream.example/privkey.pem > /etc/icecast2/bundle.pem && service icecast2 restart

You can validate the renewal process to make sure it works correctly:

certbot renew --dry-run

Configure Icecast for SSL

We are now ready to finish this off and get Icecast running with our new certificate.
Edit Icecast.xml in a text editor:

nano /etc/icecast2/icecast.xml

Add this line to the section:

/etc/icecast2/bundle.pem

Now, add this section to the document (in the root XML node):

<listen-socket>
<port>443</port>
<ssl>1</ssl>
</listen-socket>

Quit the text editor, and now restart Icecast:

service icecast2 restart

If all goes well, you can now browse to httsp://stream.example.com/ and also listen to your internet streams over HTTPS.

source: https: //mediarealm.com.au/articles/icecast-https-ssl-setup-lets-encrypt/

Comments are closed.