apache2lets-encrypticecast

Add HTTPS support to Icecast2 using Let's Encrypt


I have an Icecast2 server running on the default port 8000 and I want to add HTTPs support to it with a free Let's Encrypt certificate. For example:

I've seen that Icecast2 supports SSL internally but that option is not available in some (most?) GNU/Linux distributions. Moreover I see that using the internal SSL support is not very integrated with Let's Encrypt since you have to concatenate the two certificates into a single files.

https://icecast.org/docs/icecast-2.4.1/config-file.html

https://community.letsencrypt.org/t/icecast2-and-letsencrypt/9329

Question: What are the suggested ways to add https:// support to Icecast2 with Let's Encrypt?

For example using the official icecast2 package from Debian GNU/Linux stable and without compiling anything. Note that on the server I already have the webserver Apache HTTPd (apache2) running, listening on port 80 and 443. Thank you!


Solution

  • Do you have native SSL support in your icecast2 package?

    If you love to use the official package, first check if you have SSL support in your already installed icecast2 package:

    ldd /usr/bin/icecast2 | grep ssl
    

    If you don't see anything, you have no native support for SSL. In this case you can choose one of these options:

    How to use Apache to setup a frontend webserver with HTTPs support, to serve Icecast2

    To visit Icecast over https://, you can install Apache and use it as frontend webserver, listening on standard port 443. It's easy to use Let's Encrypt to create a free certificate for Apache. Once it works, you can pass the traffic to Icecast2.

     Browser
     │
     │ https://example.com/radio.mp3
     ▼
    ┌───────────┐
    │           │
    │ Apache    │:443
    │           │
    └┬──────────┘
     │
     │ http://localhost:8080/radio.mp3
     ▼
    ┌───────────┐
    │           │
    │ Icecast   │:8080
    │           │
    └───────────┘
    

    If you use Debian GNU/Linux, here the guide:

    The core of the solution is to enable an apache VirtualHost like this:

    #
    # Apache VirtualHost serving my Icecast under HTTPs (:443)
    #
    # This frontend webserver passes all the traffic to
    # the underlying Icecast, listening on port 8000.
    #
    # The certificate comes from Let's Encrypt.
    #
    # Credits: https://stackoverflow.com/a/71383133/3451846
    <virtualhost *:443>
    
      ServerName example.com
    
      # this path is not useful and it's used only for Let's Encrypt's temporary files during the renewal process
      DocumentRoot /var/www/html
    
      # send all traffic to Icecast in plaintext
      <Location "/">
        ProxyPass        http://localhost:8000/
        ProxyPassReverse http://localhost:8000/
      </Location>
    
      # these files are served from /var/www/html to serve Let's Encrypt temporary files
      <Location "/.well-known/acme-challenge">
        ProxyPass !
      </Location>
    
      <IfFile /etc/letsencrypt/live/example.com/cert.pem>
        SSLEngine on
        SSLCertificateFile      /etc/letsencrypt/live/example.com/cert.pem
        SSLCertificateKeyFile   /etc/letsencrypt/live/example.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
      </IfFile>
    
    </virtualhost>
    
    <VirtualHost *:80>
      ServerName example.com
    
      Redirect / https://example.com/
    </VirtualHost>
    

    And then enable it and issue your certificate:

    letsencrypt certonly --domain example.com --webroot --webroot-path /var/www/html
    

    But this is explained maybe better from the above guide.

    At the moment the guide does not cover nginx but other answers might give a similar practical example using that technology as well as apache2. The benefit of involving a frontend webserver like apache2 or nginx is that you don't have to touch Icecast. Also, it allows to serve Icecast2 among your already-existing websites, if any.


    Other answers might want to talk about an Icecast2's native interface with Let's Encrypt. At the moment I can share just the apache2 method that is the one I use in production since years without any problem. Moreover since I use Debian GNU/Linux, my package has not SSL support.