I have an Icecast2 server running on the default port 8000 and I want to add HTTPs support to it with a free Let's Encrypt certificate. For example:
http://example.com:8000/test.mp3 (current)https://example.com/test.mp3 (desired)I've seen that Icecast2 supports SSL internally but that option is not available in some (most?) GNU/Linux distributions. Moreover I see that using the internal SSL support is not very integrated with Let's Encrypt since you have to concatenate the two certificates into a single files.
https://icecast.org/docs/icecast-2.4.1/config-file.html
https://community.letsencrypt.org/t/icecast2-and-letsencrypt/9329
Question: What are the suggested ways to add https:// support to Icecast2 with Let's Encrypt?
For example using the official icecast2 package from Debian GNU/Linux stable and without compiling anything. Note that on the server I already have the webserver Apache HTTPd (apache2) running, listening on port 80 and 443. Thank you!
If you love to use the official package, first check if you have SSL support in your already installed icecast2 package:
ldd /usr/bin/icecast2 | grep ssl
If you don't see anything, you have no native support for SSL. In this case you can choose one of these options:
A: remove the package and install something elseB: setup a frontend webserver using nginxC: setup a frontend webserver using Apache (← this answer)To visit Icecast over https://, you can install Apache and use it as frontend webserver, listening on standard port 443. It's easy to use Let's Encrypt to create a free certificate for Apache. Once it works, you can pass the traffic to Icecast2.
Browser
│
│ https://example.com/radio.mp3
▼
┌───────────┐
│ │
│ Apache │:443
│ │
└┬──────────┘
│
│ http://localhost:8080/radio.mp3
▼
┌───────────┐
│ │
│ Icecast │:8080
│ │
└───────────┘
If you use Debian GNU/Linux, here the guide:
The core of the solution is to enable an apache VirtualHost like this:
#
# Apache VirtualHost serving my Icecast under HTTPs (:443)
#
# This frontend webserver passes all the traffic to
# the underlying Icecast, listening on port 8000.
#
# The certificate comes from Let's Encrypt.
#
# Credits: https://stackoverflow.com/a/71383133/3451846
<virtualhost *:443>
ServerName example.com
# this path is not useful and it's used only for Let's Encrypt's temporary files during the renewal process
DocumentRoot /var/www/html
# send all traffic to Icecast in plaintext
<Location "/">
ProxyPass http://localhost:8000/
ProxyPassReverse http://localhost:8000/
</Location>
# these files are served from /var/www/html to serve Let's Encrypt temporary files
<Location "/.well-known/acme-challenge">
ProxyPass !
</Location>
<IfFile /etc/letsencrypt/live/example.com/cert.pem>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
</IfFile>
</virtualhost>
<VirtualHost *:80>
ServerName example.com
Redirect / https://example.com/
</VirtualHost>
And then enable it and issue your certificate:
letsencrypt certonly --domain example.com --webroot --webroot-path /var/www/html
But this is explained maybe better from the above guide.
At the moment the guide does not cover nginx but other answers might give a similar practical example using that technology as well as apache2. The benefit of involving a frontend webserver like apache2 or nginx is that you don't have to touch Icecast. Also, it allows to serve Icecast2 among your already-existing websites, if any.
Other answers might want to talk about an Icecast2's native interface with Let's Encrypt. At the moment I can share just the apache2 method that is the one I use in production since years without any problem. Moreover since I use Debian GNU/Linux, my package has not SSL support.