Discussion:
[Icecast] SSL Cert Woes
Speagle, Andy
2017-08-25 16:49:39 UTC
Permalink
Hi Folks,

I'm having a problem getting the SSL cert file formatted just like icecast wants... I'm running 2.4.2 ... and it doesn't seem to want to use my combined key + cert chain no matter in what order I put it. Presently, I have it in this format.. with spaces between each key/cert...

KEY

CERTCHAIN-1

CERTCHAIN-2

CERTCHAIN-3

MYCERT

And... well... not sure what else to do here. I have the file owned by icecast:icecast ... and ... it should be readable in its present location... so, not sure what else would be wrong.

Thoughts?

Andy Speagle
José Luis Artuch
2017-08-27 19:34:09 UTC
Permalink
Good afternoon Andy,
Firstly, what operating system are you running? On Debian GNU/Linux the
user is icecast2 and the group is icecast, so icecast2:icecast.

Secondly, check Icecast2's error.log for messages about SSL or TLS
capability. On Debian GNU/Linux it is /var/log/icecast2/error.log.

Regards.
José Luis
_______________________________________________
Icecast mailing list
http://lists.xiph.org/mailman/listinfo/icecast
Speagle, Andy
2017-08-28 13:46:58 UTC
Permalink
Post by José Luis Artuch
Firstly, what operating system are you running? On Debian GNU/Linux the user
is icecast2 and the group is icecast, so icecast2:icecast.
I'm on RHEL 7, so the user/group is icecast:icecast ...
Secondly, check Icecast2's error.log for messages about SSL or TLS capability.
On Debian GNU/Linux it is /var/log/icecast2/error.log.
From the log, I get a simple:

WARN connection/get_ssl_certificate Invalid cert file <my cert filepath>
INFO connection/get_ssl_certificate No SSL capability on any configured ports

So... not sure what else I can do here... using simple openssl verify commands I can see that the cert chain is valid...

Thanks!
José Luis Artuch
2017-08-28 17:56:31 UTC
Permalink
Post by Speagle, Andy
From the log, I get a simple: 
WARN connection/get_ssl_certificate Invalid cert file <my cert filepath>
INFO connection/get_ssl_certificate No SSL capability on any configured ports
Make sure you have set up Icecast correctly:

<listen-socket>
<port>8443</port>
<ssl>1</ssl>
</listen-socket>
...
<paths>
...
<ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate>
</paths>

Also, there is the possibility that the Icecast2 package does not support
encrypted connections via openssl.
In my case I saw something similar to this:
[2017-08-08  03:05:34] INFO connection/get_ssl_certificate No SSL capability
Then, as the solution, I had to compile Icecast with openssl support
enabled.

Regards.
José Luis
Speagle, Andy
2017-08-28 19:05:11 UTC
Permalink
Post by José Luis Artuch
<listen-socket>
<port>8443</port>
<ssl>1</ssl>
</listen-socket>
Yeah... it's setup properly...
Post by José Luis Artuch
<paths>
...
<ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate>
</paths>
Yes... correct for me.
Post by José Luis Artuch
Also, there is the possibility that Icecast2 package does not support
encrypted connections via openssl.
[2017-08-08  03:05:34] INFO connection/get_ssl_certificate No SSL capability
Then, like solution I should have compiled Icecast with openssl support
enabled.
Well... I believe it to be set up correctly... the RPM has a libssl requirement... and the fact that it tries to check the SSL cert file indicates that it has capability...
José Luis Artuch
2017-08-28 19:25:19 UTC
Permalink
Hi Andy,
Post by Speagle, Andy
Well... I believe it to be setup correctly... the RPM has a libssl
requirement... and the fact that it tries to check the SSL cert file
indicates that it has capability... 
I agree.
I generated the certificate with:
openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout /usr/share/icecast2/icecast.pem -out /usr/share/icecast2/icecast.pem
Then you only need to change the owner and group, nothing more.
Speagle, Andy
2017-08-28 20:23:04 UTC
Permalink
Post by José Luis Artuch
I agree.
openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout /usr/share/icecast2/icecast.pem -out /usr/share/icecast2/icecast.pem
Then you only need to change the owner and group, nothing more.
Well... I was able to get it to work with a self-signed cert... so, something must be up with my Starfield signed cert... looks like they're configuring certs using "Subject Alternative Name" entries by default... could that be causing Icecast to barf on the cert?

Also... I set up another <listen-socket> entry for SSL... but Icecast doesn't seem to want to listen on that port when the service comes up. Any idea why that might be?
Jordan Erickson
2017-08-28 21:08:34 UTC
Permalink
On 08/28/2017 01:23 PM, Speagle, Andy wrote:
*bigsnip*
Post by Speagle, Andy
Also... I setup another <listen-socket> entry for SSL... but Icecast doesn't seem to want to listen on that port when the service comes up. Any idea why that might be?
What port are you using? If it is < 1024 (such as 443) you must first run as a
privileged user (like root) and then use <changeowner> as described here:

http://icecast.org/docs/icecast-2.4.1/config-file.html#security

If that is not the case, please give log output.


Cheers,
Jordan
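The points raised in this thread so far can be checked mechanically before restarting the daemon: every TLS <listen-socket> needs an <ssl-certificate> path under <paths>, the file behind that path must be readable, and a port below 1024 needs Icecast started as root with <changeowner> set, as Jordan notes. The script below is an added example, not code from Icecast or from anyone in this thread. It assumes the Icecast 2.4 config layout shown in the thread and in the linked docs (<listen-socket><ssl>1</ssl>, <paths><ssl-certificate>, <security><changeowner><user>); the sample config is constructed for the example and its paths and ports are illustrative.

```python
import os
import xml.etree.ElementTree as ET


def check_tls_config(xml_text, cert_readable=None):
    """Return (tls_ports, findings) for the TLS-related parts of an Icecast 2.4-style icecast.xml.
    cert_readable overrides the on-disk os.access() check so the function can run on a sample."""
    root = ET.fromstring(xml_text)
    findings, tls_ports = [], []
    cert = (root.findtext("paths/ssl-certificate") or "").strip()
    drops_privileges = root.find("security/changeowner/user") is not None
    for sock in root.findall("listen-socket"):
        port = int(sock.findtext("port", "0"))
        if sock.findtext("ssl", "0").strip() == "1":
            tls_ports.append(port)
        if port < 1024 and not drops_privileges:
            findings.append(f"port {port} is privileged: start as root with "
                            f"<security><changeowner> set, or use a port above 1023")
    if tls_ports and not cert:
        findings.append("<ssl>1</ssl> is set but <paths><ssl-certificate> is empty: "
                        "no port will serve TLS")
    elif tls_ports:
        readable = os.access(cert, os.R_OK) if cert_readable is None else cert_readable
        if not readable:
            findings.append(f"ssl-certificate {cert} is not readable by the user running "
                            f"this check; confirm it as the icecast user")
    elif cert:
        findings.append("ssl-certificate is set but no <listen-socket> has <ssl>1</ssl>")
    return tls_ports, findings


# Constructed sample modelled on the fragment quoted in the thread (illustrative values).
SAMPLE_CONFIG = """<icecast>
  <paths>
    <ssl-certificate>/etc/icecast/icecast.pem</ssl-certificate>
  </paths>
  <listen-socket>
    <port>8000</port>
  </listen-socket>
  <listen-socket>
    <port>8443</port>
    <ssl>1</ssl>
  </listen-socket>
  <listen-socket>
    <port>443</port>
    <ssl>1</ssl>
  </listen-socket>
</icecast>
"""

if __name__ == "__main__":
    ports, findings = check_tls_config(SAMPLE_CONFIG)
    print("TLS ports:", ports)
    print("\n".join(findings) or "no findings")
```

Against a real file, leave cert_readable unset so os.access() checks the path as the current user, and run the check as the icecast user (runuser or su), because root can read a file the daemon cannot.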
José Luis Artuch
2017-08-28 21:13:41 UTC
Permalink
Post by Speagle, Andy
Well... I was able to get it to work with a self-signed cert... so,
something must be up with my Starfield signed cert... looks like
they're configuring certs using "Subject Alternative Name" entries by
default... could that be causing Icecast to barf on the cert?
It looks like something about the configuration of the certificate, but I
do not know specifically what... I have only done tests with self-signed
certificates.
The format should be:
-----BEGIN PRIVATE KEY-----
blablabla
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
blablabla
-----END CERTIFICATE-----
Post by Speagle, Andy
Also... I set up another <listen-socket> entry for SSL... but Icecast
doesn't seem to want to listen on that port when the service comes
up.  Any idea why that might be?
Do you mean a different port than 8443, for example 8765? If so,
what is the output of:
netstat -tulpn | grep ':8765'
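The format José gives above (a private key block and certificate blocks in one PEM file) and the ordering question from the original post can be checked mechanically. OpenSSL's SSL_CTX_use_certificate_chain_file, the usual way a server loads a combined file, takes the first CERTIFICATE block as the server's own certificate and the following ones as the chain, leaf first; the private key may precede or follow the certificates. That Icecast loads the file through this call is my assumption, not something the thread states. The linter below is an added example, not Icecast code and not from anyone in this thread, using only the Python standard library: it splits a bundle into PEM blocks, flags things that make a server reject a file even though `openssl verify` is happy with the certificates in it (CRLF line endings, a passphrase-protected key, corrupt base64, a non-certificate block such as a pasted CSR), reads issuer and subject out of each certificate's DER to find the server certificate, and rewrites the file leaf first with the key last. The certificates in the sample are constructed, unsigned DER shells with the right field layout, not real certificates, and the key block is placeholder bytes.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def parse_bundle(text):  # -> ([(label, DER bytes)], [problems])
    blocks, problems = [], []
    if "\r\n" in text:
        problems.append("CRLF line endings; convert with dos2unix")
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"corrupt base64 or PEM headers in the {label} block")
            der = b""
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is passphrase-protected; a daemon cannot type it")
        blocks.append((label, der))
    return blocks, problems + ([] if blocks else ["no PEM armour found (DER, PKCS#7 or PKCS#12 file?)"])

def der_tlv(buf, off=0):  # one DER tag-length-value at buf[off] -> (tag, value, end offset)
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def cert_names(der):  # -> (issuer, subject) as raw DER Name TLVs of an X.509 certificate
    tag, cert, _ = der_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE, so not a certificate")
    _, tbs, _ = der_tlv(cert)  # tbsCertificate: [0] version?, serial, sigAlg, issuer, validity, subject, ...
    fields, off = [], 0
    while off < len(tbs):
        tag, _, end = der_tlv(tbs, off)
        fields.append((tag, tbs[off:end]))
        off = end
    if fields[0][0] == 0xA0:  # the explicit [0] version field is optional
        fields = fields[1:]
    return fields[2][1], fields[4][1]

def order_for_openssl(blocks):  # server cert first, then each issuer up the chain, then the key
    problems = [f"unexpected block label {lab!r}" for lab, _ in blocks
                if lab not in KEY_LABELS and lab != "CERTIFICATE"]
    keys = [b for b in blocks if b[0] in KEY_LABELS]
    certs = [b for b in blocks if b[0] == "CERTIFICATE" and b[1]]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    if not certs:
        return blocks, problems + ["no usable CERTIFICATE block"]
    names = [cert_names(der) for _, der in certs]  # (issuer, subject) per cert
    leaves = [i for i, (_, subj) in enumerate(names)  # the server cert issued nothing else in the file
              if not any(j != i and names[j][0] == subj for j in range(len(names)))]
    if len(leaves) != 1:
        return blocks, problems + [f"cannot identify the server certificate ({len(leaves)} candidates)"]
    chain = [leaves[0]]
    while True:  # follow issuer -> subject links until the issuer is absent or self-signed
        issuer = names[chain[-1]][0]
        nxt = next((i for i, (_, subj) in enumerate(names) if subj == issuer), None)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    if len(chain) != len(certs):
        problems.append(f"dropped {len(certs) - len(chain)} certificate(s) not in the server certificate's chain")
    return [certs[i] for i in chain] + keys, problems

def to_pem(blocks):  # re-armour as PEM with 64-column lines and LF endings
    out = []
    for label, der in blocks:
        b64 = base64.b64encode(der).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        out.append(f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n")
    return "".join(out)

def fix_bundle(text):  # lint a combined key+chain file -> (rewritten PEM text, problems)
    blocks, problems = parse_bundle(text)
    ordered, more = order_for_openssl(blocks)
    return to_pem(ordered), problems + more

# Constructed sample input: certificate-shaped DER shells with the right field layout, NOT real certificates.
def der_encode(tag, value):
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + value

def name_der(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }
    return der_encode(0x30, der_encode(0x31, der_encode(0x30, der_encode(0x06, bytes.fromhex("550403")) + der_encode(0x0C, cn.encode()))))

def fake_cert(subject, issuer):
    alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSAEncryption
    tbs = (der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01") + alg + name_der(issuer)
           + der_encode(0x30, b"") + name_der(subject) + der_encode(0x30, b""))  # empty validity and SPKI
    return der_encode(0x30, der_encode(0x30, tbs) + alg + der_encode(0x03, b"\x00"))

LEAF, INTERMEDIATE = fake_cert("stream.example.org", "Example Secure CA"), fake_cert("Example Secure CA", "Example Root CA")
ROOT, FAKE_KEY = fake_cert("Example Root CA", "Example Root CA"), der_encode(0x30, der_encode(0x02, b"\x00"))  # key is placeholder bytes
SAMPLE_BUNDLE = to_pem([("PRIVATE KEY", FAKE_KEY), ("CERTIFICATE", ROOT), ("CERTIFICATE", INTERMEDIATE), ("CERTIFICATE", LEAF)])  # original post's layout
```

fix_bundle(SAMPLE_BUNDLE) returns the bundle rewritten as server certificate, intermediate, root, key, with an empty problem list; feed it the real file's text and write the first return value out as the new ssl-certificate file only after reading the second. Matching the key to the certificate is left to `openssl x509 -noout -modulus` and `openssl rsa -noout -modulus` on the same file, since that needs the key's actual bytes.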
Speagle, Andy
2017-08-28 21:37:43 UTC
Permalink
Post by José Luis Artuch
Do you mean a different port than 8443, for example 8765? If so, what is the output of:
netstat -tulpn | grep ':8765'
Yeah... I’m just trying 8443 ... and netstat shows nada for 8443 ... very strange.
José Luis Artuch
2017-08-28 21:52:22 UTC
Permalink
Post by Speagle, Andy
Yeah... I’m just trying 8443 ... and netstat shows nada for 8443 ... very strange.
After restarting the Icecast2 server? ...
Speagle, Andy
2017-08-28 21:56:54 UTC
Permalink
Post by José Luis Artuch
After restarting the Icecast2 server? ...
Yeah... after the restart... the port doesn't appear. Does icecast2 play well with selinux?
José Luis Artuch
2017-08-28 22:19:15 UTC
Permalink
Post by Speagle, Andy
Yeah... after the restart... the port doesn't appear.  Does icecast2
play well with selinux?
Are you on the same LAN as the server?
What about the firewall? ...
ufw allow proto tcp from any to xxx.xxx.xxx.xxx port 8443

I have not worked with SELinux, I do not know :(
Speagle, Andy
2017-08-29 03:30:33 UTC
Permalink
Post by José Luis Artuch
Are you on the same LAN as the server?
What about the firewall? ...
ufw allow proto tcp from any to xxx.xxx.xxx.xxx port 8443
I have not worked with SELinux, I do not know :(
I have found some info about SELinux that I'll work through... though, it's not a firewall problem... I already have that configured... I presently just can't get Icecast to open the port. Thanks for the help on that.

I just wish I knew what was up with my SSL cert... I need a real world cert... not a self-signed one... and my cert provider is being difficult.