Icecast is a popular and well loved live audio streaming application. It is free, and requires very limited resources to run. In this guide, we’ll explain how to enable HTTPS on Icecast, and how to generate SSL certificates for free via Lets Encrypt. This guide assumes you’re running Debian 11 or newer. Older versions may work, but there’s a lot of painful stuffing around with package dependencies.<\/p>\n
Some online guides show you how to place Nginx or Apache in front of Icecast for SSL termination, but that’s not necessary. Now, you can install or update Icecast:<\/p>\n
At this point, you may need to configure Icecast. If this is an existing installation, Icecast should still be running with your existing configuration. Make sure you test this now. Icecast Configuration<\/strong><\/p>\n To open Icecast configuration , type the following and press enter:<\/p>\n For now, we’re only going to change two settings \u2013 the port number, and the user that Icecast runs under.<\/p>\n Using your arrow keys, scroll until you see the line ‘8000’. Change the number ‘8000’ to ’80’. This puts Icecast on the default HTTP port, making it easier for people to listen behind a corporate firewall.<\/p>\n Next, scroll right to the bottom of the file where you can see a security section. Delete the text ‘<!\u2013’ and ‘\u2013>’\u00a0 (leaving everything in the middle)<\/p>\n To exit and save, press Ctrl + X, Y and Enter.<\/p>\n We also need to change one more file to make this work. Type in:<\/p>\n Change the USERID and GROUPID values to ‘root’<\/p>\n To exit and save, press Ctrl + X, Y and Enter.<\/p>\n Finally, we probably need to change the log file ownership with this command:<\/p>\n Then, you need to restart the service with the following command:<\/p>\n Installing and running Lets Encrypt Certbot for Icecast<\/strong><\/p>\n In order for the SSL Certificate validation to work, you will need to have DNS setup and pointing to this server. Icecast must already be running on Port 80.<\/p>\n Now, we can begin to install and run the tools needed to generate an SSL certificate. This section assumes your server can be located at ‘stream.example.com’.<\/p>\n Run certbot with the correct domain for your server:<\/p>\n When prompted, select the ‘webroot’ option and input your email address. Your certificate should be generated at this point. If you receive errors, take note of them and start doing some research online. The most common error is the inability to validate \u2013 in this case, make sure Icecast is accessible via DNS on Port 80, and check your webfoot is indeed ‘\/usr\/share\/icecast2\/web’.<\/p>\n We now need to concatenate two certificate files so they are in the correct format for Icecast to use:<\/p>\n Also:<\/p>\n If you know which user Icecast is running under, you can run a chown instead of a chmod. Icecast needs to be able to read this new PEM file \u2013 that’s the goal here.<\/p>\n While we’re thinking about it, we should also make sure certificate renewals run correctly. Open the certificate config file in a text editor:<\/p>\n Add this line to the [renewalparams] section:<\/p>\n You can validate the renewal process to make sure it works correctly:<\/p>\n Configure Icecast for SSL<\/strong><\/p>\n We are now ready to finish this off and get Icecast running with our new certificate. Add this line to the < paths>< \/paths> section:<\/p>\n < ssl-certificate>\/etc\/icecast2\/bundle.pem< \/ssl-certificate> <listen-socket> Quit the text editor, and now restart Icecast:<\/p>\n If all goes well, you can now browse to httsp:\/\/stream.example.com\/ and also listen to your internet streams over HTTPS.<\/p>\n source: https: \/\/mediarealm.com.au\/articles\/icecast-https-ssl-setup-lets-encrypt\/<\/p>\n","protected":false},"excerpt":{"rendered":" Icecast is a popular and well loved live audio streaming application. It is free, and requires very limited resources to run. In this guide, we’ll explain how to enable HTTPS on Icecast, and how to generate SSL certificates for free via Lets Encrypt. This guide assumes you’re running Debian 11 or newer. Older versions may\u2026 Read More »<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-1358","post","type-post","status-publish","format-standard","hentry","category-tutorial"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/posts\/1358","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/comments?post=1358"}],"version-history":[{"count":10,"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/posts\/1358\/revisions"}],"predecessor-version":[{"id":1407,"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/posts\/1358\/revisions\/1407"}],"wp:attachment":[{"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/media?parent=1358"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/categories?post=1358"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/tags?post=1358"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}apt-get install icecast2<\/code><\/p>\n
\n<\/p>\nnano \/etc\/icecast2\/icecast.xml<\/code><\/p>\nnano \/etc\/default\/icecast2<\/code><\/p>\nchown -R nobody \/var\/log\/icecast2\/<\/code><\/p>\nservice icecast2 restart<\/code><\/p>\napt-get install certbot<\/code><\/p>\ncertbot certonly --webroot-path=\"\/usr\/share\/icecast2\/web\" -d 'stream.example.com'<\/code><\/p>\ncat \/etc\/letsencrypt\/live\/stream.example.com\/fullchain.pem \/etc\/letsencrypt\/live\/stream1.example.com\/privkey.pem > \/etc\/icecast2\/bundle.pem<\/code><\/p>\nchmod 666 \/etc\/icecast2\/bundle.pem<\/code><\/p>\nnano \/etc\/letsencrypt\/renewal\/stream.example.com.conf<\/code><\/p>\npost_hook = cat \/etc\/letsencrypt\/live\/stream.example.com\/fullchain.pem \/etc\/letsencrypt\/live\/stream.example\/privkey.pem > \/etc\/icecast2\/bundle.pem && service icecast2 restart<\/code><\/p>\ncertbot renew --dry-run<\/code><\/p>\n
\nEdit Icecast.xml in a text editor:<\/p>\nnano \/etc\/icecast2\/icecast.xml<\/code><\/p>\n
\nNow, add this section to the document (in the root XML node):<\/p>\n
\n <port>443<\/port>
\n <ssl>1<\/ssl>
\n<\/listen-socket><\/p>\nservice icecast2 restart<\/code><\/p>\n