I have an Icecast2 server running on the default port 8000 and I want to add HTTPS support to it with a free Let's Encrypt certificate. For example:
http://example.com:8000/test.mp3 (current)
https://example.com/test.mp3 (desired)
I've seen that Icecast2 supports SSL internally, but that option is not available in some (most?) GNU/Linux distributions. Moreover, I see that the internal SSL support is not very well integrated with Let's Encrypt, since you have to concatenate the two certificates into a single file.
https://icecast.org/docs/icecast-2.4.1/config-file.html
https://community.letsencrypt.org/t/icecast2-and-letsencrypt/9329
Question: What are the suggested ways to add https:// support to Icecast2 with Let's Encrypt?
For example using the official icecast2 package from Debian GNU/Linux stable and without compiling anything. Note that on the server I already have the webserver Apache HTTPd (apache2) running, listening on port 80 and 443. Thank you!
If you love to use the official package, first check if you have SSL support in your already installed icecast2 package:
ldd /usr/bin/icecast2 | grep ssl
If you don't see anything, you have no native support for SSL. In this case you can choose one of these options:
A: remove the package and install something else
B: setup a frontend webserver using nginx
C: setup a frontend webserver using Apache (← this answer)
To visit Icecast over https://, you can install Apache and use it as frontend webserver, listening on standard port 443. It's easy to use Let's Encrypt to create a free certificate for Apache. Once it works, you can pass the traffic to Icecast2.
Browser
│
│ https://example.com/radio.mp3
▼
┌───────────┐
│ │
│ Apache │:443
│ │
└┬──────────┘
│
│ http://localhost:8080/radio.mp3
▼
┌───────────┐
│ │
│ Icecast │:8080
│ │
└───────────┘
If you use Debian GNU/Linux, here is the guide:
The core of the solution is to enable an apache VirtualHost like this:
#
# Apache VirtualHost serving my Icecast under HTTPS (:443)
#
# This frontend webserver passes all the traffic to
# the underlying Icecast, listening on port 8000.
#
# The certificate comes from Let's Encrypt.
#
# Credits: https://stackoverflow.com/a/71383133/3451846
<VirtualHost *:443>
    ServerName example.com

    # this path is not useful and it's used only for Let's Encrypt's temporary files during the renewal process
    DocumentRoot /var/www/html

    # send all traffic to Icecast in plaintext
    <Location "/">
        ProxyPass        http://localhost:8000/
        ProxyPassReverse http://localhost:8000/
    </Location>

    # these files are served from /var/www/html to serve Let's Encrypt temporary files
    <Location "/.well-known/acme-challenge">
        ProxyPass !
    </Location>

    <IfFile /etc/letsencrypt/live/example.com/cert.pem>
        SSLEngine on
        SSLCertificateFile      /etc/letsencrypt/live/example.com/cert.pem
        SSLCertificateKeyFile   /etc/letsencrypt/live/example.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
    </IfFile>
</VirtualHost>

<VirtualHost *:80>
    ServerName example.com
    Redirect / https://example.com/
</VirtualHost>
And then enable it and issue your certificate:
letsencrypt certonly --domain example.com --webroot --webroot-path /var/www/html
But this is maybe explained better in the above guide.
At the moment the guide does not cover nginx, but other answers might give a similar practical example using that technology as well as apache2. The benefit of involving a frontend webserver like apache2 or nginx is that you don't have to touch Icecast. Also, it allows you to serve Icecast2 among your already-existing websites, if any.
Other answers might want to talk about Icecast2's native interface with Let's Encrypt. At the moment I can share just the apache2 method, which is the one I have used in production for years without any problem. Moreover, since I use Debian GNU/Linux, my package has no SSL support.
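
A check that the plaintext leg in the diagram above really stays on localhost, as an added example that is not part of the original answer: it reads an icecast.xml and lists every `<listen-socket>` that is neither TLS-enabled nor bound to a loopback address, because such a listener still answers plain http:// requests without passing through Apache. The sample configuration is constructed and the function names are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample (not from the page): one listener on all interfaces,
# one bound to loopback, one with Icecast's native TLS switched on.
SAMPLE_ICECAST_XML = """<icecast>
  <listen-socket>
    <port>8000</port>
  </listen-socket>
  <listen-socket>
    <port>8001</port>
    <bind-address>127.0.0.1</bind-address>
  </listen-socket>
  <listen-socket>
    <port>8443</port>
    <ssl>1</ssl>
  </listen-socket>
</icecast>"""


def is_loopback(addr):
    """True for localhost, 127.0.0.0/8 and ::1; False otherwise."""
    if not addr:
        return False  # no <bind-address>: the socket listens on all interfaces
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # some other hostname: treat it as reachable off-host


def exposed_plaintext_listeners(xml_text):
    """Return [(port, bind_address)] for listeners that bypass the TLS frontend."""
    findings = []
    for sock in ET.fromstring(xml_text).iter("listen-socket"):
        port = (sock.findtext("port") or "?").strip()
        bind = (sock.findtext("bind-address") or "").strip()
        tls = (sock.findtext("ssl") or "0").strip() == "1"
        if not tls and not is_loopback(bind):
            findings.append((port, bind or "*"))
    return findings


if __name__ == "__main__":
    for port, bind in exposed_plaintext_listeners(SAMPLE_ICECAST_XML):
        print(f"plaintext listener reachable off-host: {bind}:{port}")
```

Run against the sample, it reports only the port 8000 listener; adding `<bind-address>127.0.0.1</bind-address>` to that socket clears the finding.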