Discussion:
[Icecast] Having icecast SSL connection problem
Zernick, John
2017-09-22 16:50:50 UTC
I have been trying to get icecast 2.4.2 to stream with ssl to https. But so far I have had no luck.

I am running Ubuntu 16.04 and the regular stream is working properly over port 80. I want to stream securely over port 443. I need to use 443 because of network rules here. I can view the Icecast2 Status pages and listen to a stream, but once I add https:// I get 'Secure Connection Failed' on Firefox and 'This site can’t be reached' from Chrome. Both can view and stream non-ssl content.

I have tried both a Digicert and a self-signed cert. I have followed the pem rules from Digicert. I have set the permissions to the user Icecast2 from the group Icecast. I have read almost everything on this and I have tried Walter York's instructions to pre-install a number of packages that icecast needs to successfully enable ssl. I have placed the cert files in the same directory as the icecast.xml file. Here are the details regarding the ssl portions of the XML config file.

...
<!-- You may have multiple <listener> elements -->
<listen-socket>
<port>80</port>
<!-- <shoutcast-mount>/stream</shoutcast-mount> -->
</listen-socket>

<listen-socket>
<port>443</port>
<ssl>1</ssl>
</listen-socket>
...
<paths>

<!-- The certificate file needs to contain both public and private part.
Both should be PEM encoded. -->
<ssl-certificate>/etc/icecast2/icecast2_new.pem</ssl-certificate>
...

So, there you have it. The only anomaly with the setup was that when the VMware instance of the site started it was running DHCP and I struggled to wrestle control away from it. And I was never able to get eth0 to work, so I used the same interface name that DHCP used, 'ens160'.

Any and all suggestions, recommendations, ideas, and solutions would be greatly appreciated.

Thanks, --John



John Zernick | Senior Systems Administrator (Web)| D: (216) 916-6472 | F: (216) 916-6473<http://www.ideastream.org>

Idea Center | 1375 Euclid | Cleveland OH 44115




The mission of ideastream is to strengthen our communities

Follow us on Facebook<http://www.ideastream.org/engage/facebook> and Twitter<http://www.ideastream.org/engage/twitter>

Explore what you love, discover even more at ideastream.org<http://www.ideastream.org>
José Luis Artuch
2017-09-22 17:14:42 UTC
Hi John,
Post by Zernick, John
I have been trying to get icecast 2.4.2 to stream with ssl to https.
But so far I have had no luck.
 
I am running Ubuntu 16.04 and the regular stream is working properly
over port 80. I want to stream securely over port 443. I need to use
443 because of network rules here. I can view the Icecast2 Status
pages and listen to a stream, but once I add https:// I get 'Secure
Connection Failed' on Firefox and 'This site can’t be reached' from
Chrome. Both can view and stream non-ssl content.
 
I have tried both a Digicert and a self-signed cert. I have followed
the pem rules from Digicert. I have set the permissions to the user
Icecast2 from the group Icecast. I have read almost everything on
this and I have tried Walter York's instructions to pre-install a
number of packages that icecast needs to successfully enable ssl. I
have placed the cert files in the same directory as the icecast.xml
file. Here are the details regarding the ssl portions of the XML
config file.
 
...
    <!-- You may have multiple <listener> elements -->
    <listen-socket>
        <port>80</port>
        <!-- <shoutcast-mount>/stream</shoutcast-mount> -->
    </listen-socket>
    
    <listen-socket>
        <port>443</port>
        <ssl>1</ssl>
    </listen-socket>
...
    <paths>
       
        <!-- The certificate file needs to contain both public and private part.
             Both should be PEM encoded. -->
        <ssl-certificate>/etc/icecast2/icecast2_new.pem</ssl-certificate>
...
 
So, there you have it. The only anomaly with the set up was that when
the VMWare instance of the site started it was running dhcp and I
struggled to wrestle control away from it. And I was never able to
get eth0 to work so I used same interface name that dhcp used
'ens160'.
 
Any and all suggestions, recommendation, ideas, and solutions would be greatly appreciated.
 
Take a look at /var/log/icecast2/error.log
In my case it says something like:
[2017-09-17  11:40:43] INFO connection/get_ssl_certificate No SSL capability
Then, I interpret that Icecast2 is not compiled with SSL support.
Regards.
José Luis
_______________________________________________
Icecast mailing list
http://lists.xiph.org/mailman/listinfo/icecast
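The checks suggested in this thread can be scripted. The following is an added example, not part of any poster's message or of Icecast itself: it looks for the "No SSL capability" line in the error log, reports whether the file named in <ssl-certificate> holds both a certificate and a private key block, and counts access-log requests whose Referer is http:// on the TLS port, which means that port answered plain HTTP. The function names, the host stream.example.org and all sample file contents are constructed for illustration.

```shell
#!/usr/bin/env bash
# Offline triage for an Icecast <ssl>1</ssl> listener that fails the TLS handshake.

# Succeeds if the error log shows the binary was built without TLS support.
log_reports_no_ssl() {
    grep -q 'connection/get_ssl_certificate No SSL capability' "$1"
}

# Print which PEM blocks the <ssl-certificate> file holds.
pem_contents() {
    local cert=0 key=0
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && cert=1
    grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1" && key=1
    case "$cert$key" in
        11) echo "cert+key" ;;
        10) echo "cert-only" ;;
        01) echo "key-only" ;;
        *)  echo "none" ;;
    esac
}

# Count access-log lines whose Referer is http:// on port $2, meaning the
# port intended for TLS answered plain HTTP.
plaintext_referers_on_port() {
    grep -Ec "\"http://[^/\"]+:$2/" "$1" || true
}

# --- constructed sample input (hypothetical host and file contents) ---
tmp=$(mktemp -d)
cat > "$tmp/error.log" <<'EOF'
[2017-09-17 11:40:43] INFO connection/get_ssl_certificate No SSL capability
EOF
cat > "$tmp/access.log" <<'EOF'
192.0.2.10 - - [22/Sep/2017:12:36:33 -0400] "GET /tunein.png HTTP/1.1" 200 1934 "http://stream.example.org:443/style.css" "Mozilla/5.0" 0
192.0.2.10 - - [22/Sep/2017:12:36:41 -0400] "GET /wcpn HTTP/1.1" 200 68979 "-" "Mozilla/5.0" 1
EOF
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Y29uc3RydWN0ZWQ=' \
    '-----END CERTIFICATE-----' > "$tmp/cert-only.pem"
{ cat "$tmp/cert-only.pem"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Y29uc3RydWN0ZWQ=' \
      '-----END PRIVATE KEY-----'; } > "$tmp/combined.pem"

log_reports_no_ssl "$tmp/error.log" && echo "build lacks TLS support"
echo "cert-only.pem: $(pem_contents "$tmp/cert-only.pem")"
echo "combined.pem:  $(pem_contents "$tmp/combined.pem")"
echo "plain-HTTP referers on :443: $(plaintext_referers_on_port "$tmp/access.log" 443)"
```

On a real host, point the functions at /var/log/icecast2/error.log, the access log, and the path configured in <ssl-certificate>.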
Zernick, John
2017-09-22 17:34:44 UTC
Here are the last few lines in the error.log file:


[2017-09-22 13:20:07] DBUG stats/modify_node_event update global connections (21)
[2017-09-22 13:20:11] DBUG stats/modify_node_event update "/wcpn" total_bytes_read (42454353)
[2017-09-22 13:20:11] DBUG stats/modify_node_event update "/wcpn" total_bytes_sent (4642577)


And here are the few lines of the access log:



10.9.1.112 - - [22/Sep/2017:12:36:33 -0400] "GET /tunein.png HTTP/1.1" 200 1934 "http://audio2.ideastream.org:443/style.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" 0

10.9.1.112 - - [22/Sep/2017:12:36:41 -0400] "GET /wcpn HTTP/1.1" 200 68979 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" 1

10.9.1.112 - - [22/Sep/2017:12:41:53 -0400] "GET /wcpn HTTP/1.1" 200 4522571 "http://audio2.ideastream.org:443/wcpn" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" 313

52.71.155.178 - - [22/Sep/2017:13:08:10 -0400] "GET /wcpn HTTP/1.1" 200 51027 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25" 0

66.249.88.82 - - [22/Sep/2017:13:21:10 -0400] "GET / HTTP/1.1" 200 2418 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 Google Favicon" 0

66.249.88.84 - - [22/Sep/2017:13:21:10 -0400] "GET /favicon.ico HTTP/1.1" 404 365 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 Google Favicon" 0



I am 10.9.1.112. I don’t see the same message and the connections in the error log are all from me attempting to connect using https.



I attempted to connect using https and the error log shows bytes sent. And the access.log shows different connections.


