After renewal, domain.com:8XXX uses old cert

My domain is: reggaespace.com

I ran this command: certbot renew

It produced this output: /etc/letsencrypt/live/reggaespace.com/fullchain.pem expires on 2022-01-15 (skipped)

My web server is (include version): nginx version: nginx/1.14.2

The operating system my web server runs on is (include version): NAME="Ubuntu"
VERSION="16.04.6 LTS (Xenial Xerus)"

My hosting provider, if applicable, is: Linode VPS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Hi folks,

I have a website running at domain.com.
After renewal the new certificate works.

Audio stream at domain.com:8XXX
Cert info:
This cert has expired or is not valid
Valid from: dates for previous cert

Can anyone help me make renewal work on domain.com:8XXX smoothly?

Thanks in advance

1 Like

It would help if you provided the port and domain name for the server that is failing. Also, is that alternate port 8XXX served by your nginx or is nginx just a proxy to something else that serves your audio stream?

Note the renew command in your post worked but did not update your certificate. There was no reason to as it does not expire for 58 more days. That is why the message said "skipped" - there was nothing necessary to do.

Without more info it is hard to advise. You can check your own certs with a site like the one below. Enter the domain name and port to see your certs. Maybe that will be enough for you to see and fix your problem.
https://decoder.link/sslchecker
Note that site shows your 443 server certificates for reggaespace.com as being just fine.

3 Likes

Did you renew the audio stream service so it actually loads and uses the renewed certificate?

3 Likes

https://reggaespace.com:8012/live.mp3

This would be used to listen to our audio stream. It worked up until the certificate for reggaespace.com renewed two days ago. This is preferred as it avoids ‘mixed content’ issues on the player page (https://www.reggaespace.com/wrs-audio/).

The alternative stream url is http://97.107.136.190:8010/live.mp3. This works but can lead to ‘mixed content’ issues.

nginx serves both the website (reggaespace.com) and audio streaming.

I am running on a Linode VPS and I assume the audio stream service restarts when I reboot the VPS, which I have done.

Hmm. Yes, I see now the cert that is sent from your 8012 server expired 3 days ago.

It looks like nginx is using a different certificate file for the server with "listen 8012;" compared to the one with "listen 443;". If you want us to look at it please post the results of this command: sudo nginx -T (omit sudo if you are already root, capital T is important)

When you paste the results please use the preformatted text option in the menu (Ctrl-E).

An important thing to note is your cert history shown here. You have issued various combinations of cert names - some with just reggaespace.com and others with www, stream, and so on.

Your port 443 server is using the one issued on Oct17 but your 8012 server looks like it is using one of them issued on Aug18. Maybe this is enough for you to see what is going wrong. If not, please post the nginx -T as I described.

3 Likes

root@mail:/home/yendis# nginx -T
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
# configuration file /usr/local/nginx/conf/nginx.conf:
user www-data www-data;
worker_processes  4;
#worker_rlimit_nofile 100000;

events {
    worker_connections  1024;
}

http {
    # client_max_body_size 100M;
    # client_body_buffer_size 128k;

    include       mime.types;
#    log_format main   '$remote_addr - $remote_user [$time_local] "$request" '
#                      '$status $body_bytes_sent "$http_referer" '
#                      '"$http_user_agent" "$http_x_forwarded_for"';
    default_type  application/octet-stream;
#    access_log off;
    sendfile        on;
    tcp_nopush      on;
    tcp_nodelay     off;
    keepalive_timeout  5;

#    send_timeout 720;
#    fastcgi_connect_timeout 720;
#    fastcgi_send_timeout 720;
#    fastcgi_read_timeout 720;
    gzip  on;
    gzip_comp_level 2;
    gzip_proxied any;
    gzip_types      text/plain text/xml text/css application/json application/x-javascript application/xml application/xml+rss text/javascript;

#    include /etc/nginx/sites-enabled/*;
    include /usr/local/nginx/sites-enabled/*;
#    proxy_buffer_size   128k;
#    proxy_buffers   4 256k;
#    proxy_busy_buffers_size   256k;
}
# add_header ‘Access-Control-Allow-Origin' ‘*';
#rtmp {
#        server {
#                listen 1935;
#                chunk_size 4096;
#
#                application live {
#                        live on;
#                        record off;
#                }
#        }
#}

# configuration file /usr/local/nginx/conf/mime.types:

types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    application/font-woff                            woff;
    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}

How is the TLS certificate configured in your IceCast?

3 Likes

If nginx is involved at all:

curl -Iki https://reggaespace.com:8012/
Server: Icecast 2.4.4 (MSCP)

Perhaps just restarting Icecast (or the server) will suffice.

3 Likes

It might be useful for folk to see the content of this file

File: /etc/nginx/sites-available/reggaespace.com

server {
    server_name reggaespace.com;
    rewrite ^/(.*) http://www.reggaespace.com/$1 permanent;


    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/reggaespace.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/reggaespace.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    server_name www.reggaespace.com;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "sameorigin" always;
#    add_header Content-Security-Policy "default-src 'self';";

    access_log /var/log/nginx/reggaespace.com.access.log;
    error_log /var/log/nginx/reggaespace.com.error.log;
         location / {
            root /var/www/public_html/reggaespace.com/public;
            index index.php index.html;
            try_files $uri $uri/ /rspace/index.php?$args;
            #rewrite ^/sitemap(-+([a-zA-Z0-9_-]+))?\.xml$ "/index.php?xml_sitemap=params=$2" last;
            #rewrite ^/sitemap(-+([a-zA-Z0-9_-]+))?\.xml\.gz$ "/index.php?xml_sitemap=params=$2;zip=true" last;
            #rewrite ^/sitemap(-+([a-zA-Z0-9_-]+))?\.html$ "/index.php?xml_sitemap=params=$2;html=true" last;
            #rewrite ^/sitemap(-+([a-zA-Z0-9_-]+))?\.html.gz$ "/index.php?xml_sitemap=params=$2;html=true;zip=true" last;
            #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
        }

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        location ~ \.php$
        {
            fastcgi_pass unix:/run/php/php7.4-fpm.sock;
            #fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME /var/www/public_html/reggaespace.com/public/$fastcgi_script_name;
            #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/reggaespace.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/reggaespace.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "sameorigin" always;
#    add_header Content-Security-Policy "default-src 'self';";
    if ($host = reggaespace.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name reggaespace.com;
    return 404; # managed by Certbot


}
server {
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "sameorigin" always;
#    add_header Content-Security-Policy "default-src 'self';";
    if ($host = www.reggaespace.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name www.reggaespace.com;
    return 404; # managed by Certbot


}


nginx seems unrelated to Icecast.

Perhaps just restarting Icecast (or the server) will suffice.

2 Likes

Is it useful to see this? File: /etc/icecast2/icecast.xml

<icecast>
    <!-- location and admin are two arbitrary strings that are e.g. visible
         on the server info page of the icecast web interface
         (server_version.xsl). -->
    <location>Earth</location>
    <admin>icemaster@localhost</admin>

    <!-- IMPORTANT!
         Especially for inexperienced users:
         Start out by ONLY changing all passwords and restarting Icecast.
         For detailed setup instructions please refer to the documentation.
         It's also available here: http://icecast.org/docs/
    -->

    <limits>
        <clients>100</clients>
        <sources>2</sources>
        <queue-size>524288</queue-size>
        <client-timeout>30</client-timeout>
        <header-timeout>15</header-timeout>
        <source-timeout>10</source-timeout>
        <!-- If enabled, this will provide a burst of data when a client
             first connects, thereby significantly reducing the startup
             time for listeners that do substantial buffering. However,
             it also significantly increases latency between the source
             client and listening client.  For low-latency setups, you
             might want to disable this. -->
        <burst-on-connect>1</burst-on-connect>
        <!-- same as burst-on-connect, but this allows for being more
             specific on how much to burst. Most people won't need to
             change from the default 64k. Applies to all mountpoints  -->
        <burst-size>65535</burst-size>
    </limits>

    <authentication>
        <!-- Sources log in with username 'source' -->
        <source-password>gl0bal</source-password>
        <!-- Relays log in with username 'relay' -->
        <relay-password>gl0bal</relay-password>

        <!-- Admin logs in with the username given below -->
        <admin-user>admin</admin-user>
        <admin-password>w0rldwide</admin-password>
    </authentication>

    <!-- set the mountpoint for a shoutcast source to use, the default if not
         specified is /stream but you can change it here if an alternative is
         wanted or an extension is required
    <shoutcast-mount>/live.nsv</shoutcast-mount>
    -->

    <!-- Uncomment this if you want directory listings -->

    <directory>
        <yp-url-timeout>15</yp-url-timeout>
        <yp-url>http://dir.xiph.org/cgi-bin/yp-cgi</yp-url>
    </directory>
    <!-- This is the hostname other people will use to connect to your server.
         It affects mainly the urls generated by Icecast for playlists and yp
         listings. You MUST configure it properly for YP listings to work!
    -->
    <hostname>reggaespace.com</hostname>

    <!-- You may have multiple <listener> elements -->
    <!-- <listen-socket>
        <port>80</port>
        </listen-socket>
     -->
        <listen-socket>
        <port>8000</port>
        <!-- <bind-address>127.0.0.1</bind-address> -->
        <!-- <shoutcast-mount>/stream</shoutcast-mount> -->
    </listen-socket>
    <!--
    <listen-socket>
        <port>8080</port>
    </listen-socket>
    -->

    <!--
    <listen-socket>
        <port>8012</port>
        <ssl>1</ssl>
    </listen-socket>
    <listen-socket>
        <port>8022</port>
        <ssl>1</ssl>
    </listen-socket>
    <listen-socket>
        <port>8032</port>
        <ssl>1</ssl>
    </listen-socket>
    -->

    <!-- Global header settings
         Headers defined here will be returned for every HTTP request to Icecast.

         The ACAO header makes Icecast public content/API by default
         This will make streams easier embeddable (some HTML5 functionality needs it).
         Also it allows direct access to e.g. /status-json.xsl from other sites.
         If you don't want this, comment out the following line or read up on CORS.
    -->
    <http-headers>
        <header name="Access-Control-Allow-Origin" value="*" />
    </http-headers>


    <!-- Relaying
         You don't need this if you only have one server.
         Please refer to the config for a detailed explanation.
    -->
    <!--<master-server>127.0.0.1</master-server>-->
    <!--<master-server-port>8001</master-server-port>-->
    <!--<master-update-interval>120</master-update-interval>-->
    <!--<master-password>hackme</master-password>-->

    <!-- setting this makes all relays on-demand unless overridden, this is
         useful for master relays which do not have <relay> definitions here.
         The default is 0 -->
    <!--<relays-on-demand>1</relays-on-demand>-->

    <!--
    <relay>
        <server>127.0.0.1</server>
        <port>8080</port>
        <mount>/example.ogg</mount>
        <local-mount>/different.ogg</local-mount>
        <on-demand>0</on-demand>

        <relay-shoutcast-metadata>0</relay-shoutcast-metadata>
    </relay>
    -->


    <!-- Mountpoints
         Only define <mount> sections if you want to use advanced options,
         like alternative usernames or passwords
    -->

    <!-- Default settings for all mounts that don't have a specific <mount type="normal">.
    -->
    <!--
    <mount type="default">
        <public>0</public>
        <intro>/server-wide-intro.ogg</intro>
        <max-listener-duration>3600</max-listener-duration>
        <authentication type="url">
                <option name="mount_add" value="http://auth.example.org/stream_start.php"/>
        </authentication>
        <http-headers>
                <header name="foo" value="bar" />
        </http-headers>
    </mount>
    -->

    <!-- Normal mounts -->
    <!--
    <mount type="normal">
        <mount-name>/example-complex.ogg</mount-name>

        <username>othersource</username>
        <password>hackmemore</password>

        <max-listeners>1</max-listeners>
        <dump-file>/tmp/dump-example1.ogg</dump-file>
        <burst-size>65536</burst-size>
        <fallback-mount>/example2.ogg</fallback-mount>
        <fallback-override>1</fallback-override>
        <fallback-when-full>1</fallback-when-full>
        <intro>/example_intro.ogg</intro>
        <hidden>1</hidden>
        <public>1</public>
        <authentication type="htpasswd">
                <option name="filename" value="myauth"/>
                <option name="allow_duplicate_users" value="0"/>
        </authentication>
        <http-headers>
                <header name="Access-Control-Allow-Origin" value="http://webplayer.example.org" />
                <header name="baz" value="quux" />
        </http-headers>
        <on-connect>/home/icecast/bin/stream-start</on-connect>
        <on-disconnect>/home/icecast/bin/stream-stop</on-disconnect>
    </mount>
    -->

    <!--
    <mount type="normal">
        <mount-name>/auth_example.ogg</mount-name>
        <authentication type="url">
            <option name="mount_add"       value="http://myauthserver.net/notify_mount.php"/>
            <option name="mount_remove"    value="http://myauthserver.net/notify_mount.php"/>
            <option name="listener_add"    value="http://myauthserver.net/notify_listener.php"/>
            <option name="listener_remove" value="http://myauthserver.net/notify_listener.php"/>
            <option name="headers"         value="x-pragma,x-token"/>
            <option name="header_prefix"   value="ClientHeader."/>
        </authentication>
    </mount>
    -->

    <fileserve>1</fileserve>

    <paths>
        <!-- basedir is only used if chroot is enabled -->
        <basedir>/usr/share/icecast2</basedir>

        <!-- Note that if <chroot> is turned on below, these paths must both
             be relative to the new root, not the original root -->
        <logdir>/var/log/icecast2</logdir>
        <webroot>/usr/share/icecast2/web</webroot>
        <adminroot>/usr/share/icecast2/admin</adminroot>
        <!-- <pidfile>/usr/share/icecast2/icecast.pid</pidfile> -->

        <!-- Aliases: treat requests for 'source' path as being for 'dest' path
             May be made specific to a port or bound address using the "port"
             and "bind-address" attributes.
          -->
        <!--
        <alias source="/foo" destination="/bar"/>
        -->
        <!-- Aliases: can also be used for simple redirections as well,
             this example will redirect all requests for http://server:port/ to
             the status page
        -->
        <alias source="/" destination="/status.xsl"/>
        <!-- The certificate file needs to contain both public and private part.
             Both should be PEM encoded.
        <ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate>
        -->
        <ssl-certificate>/etc/icecast2/bundle.pem</ssl-certificate>
    </paths>

    <logging>
        <accesslog>access.log</accesslog>
        <errorlog>error.log</errorlog>
        <!-- <playlistlog>playlist.log</playlistlog> -->
        <loglevel>3</loglevel> <!-- 4 Debug, 3 Info, 2 Warn, 1 Error -->
        <logsize>10000</logsize> <!-- Max size of a logfile -->
        <!-- If logarchive is enabled (1), then when logsize is reached
             the logfile will be moved to [error|access|playlist].log.DATESTAMP,
             otherwise it will be moved to [error|access|playlist].log.old.
             Default is non-archive mode (i.e. overwrite)
        -->
        <!-- <logarchive>1</logarchive> -->
    </logging>

    <security>
        <chroot>0</chroot>
        <!--
        <changeowner>
            <user>nobody</user>
            <group>nogroup</group>
        </changeowner>
        -->
    </security>
</icecast>

1 Like

Yeah, agreed. I was relying on their comment that nginx was serving audio but you and Osiris are right that is not the case.

@Tuzongo I am not familiar with Icecast but you need to review its configuration and make sure it refers to the current certificates. That is, that it uses the same ones that nginx is using for your 443 servers. The Icecast docs say it needs a "bundle" containing the privkey.pem along with the fullchain.pem so you must have manually created that at one point (or maybe as a deploy hook?). You need to repeat what you did for that. See:
https://icecast.org/docs/icecast-2.4.1/config-file.html

Search that page for ssl-certificate for the config location and the description of the bundle.

3 Likes

I issued this command but it seems to have made no difference.

systemctl restart icecast2

1 Like

If this is the actual correct place for IceCast to configure TLS certificates, this path is not automatically updated by certbot. You probably copied the certificate from /etc/letsencrypt/ to that /etc/icecast2/ location. If possible, use the path in /etc/letsencrypt/live/${name_of_certificate}/fullchain.pem directly (Edit: as @MikeMcQ already pointed out and what I missed is that it requires the certificate bundle and private key) and if that's not possible (e.g. due to permission issues), make a script which takes care of all the copying, chown-ing and reloading IceCast stuff and configure that script as a --deploy-hook in certbot.

3 Likes

<!-- The certificate file needs to contain both public and private part.
     Both should be PEM encoded.
-->
<ssl-certificate>/etc/icecast2/bundle.pem</ssl-certificate>

You must have followed a guide/instructions that had you combine the (fullchain) cert and key files into this file: /etc/icecast2/bundle.pem

You will have to update that bundle file and also systemctl restart icecast2 each time a new cert is issued (there is a --deploy-hook option in certbot to help with this step).

1 Like
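The deploy hook the last two replies describe, written out as an added example (not code from the thread or from the Icecast project): it concatenates fullchain.pem and privkey.pem into the Icecast bundle, keeps the file readable only by root and the Icecast service group, and restarts icecast2. certbot really does export RENEWED_LINEAGE to deploy hooks; the bundle path and lineage come from the thread, while the owner (`root:icecast`) and the ICECAST_* override variables are assumptions.

```shell
#!/bin/sh
# Added example: certbot --deploy-hook that rebuilds /etc/icecast2/bundle.pem
# after a renewal and restarts Icecast. Install it as
# /etc/letsencrypt/renewal-hooks/deploy/icecast-bundle.sh (chmod 755) or pass it
# with: certbot renew --deploy-hook /path/to/icecast-bundle.sh
# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/reggaespace.com) for
# deploy hooks. The ICECAST_* variables and the root:icecast owner are assumptions.
set -eu

# build_icecast_bundle LINEAGE_DIR OUT_FILE OWNER
# Writes fullchain.pem + privkey.pem from LINEAGE_DIR to OUT_FILE atomically.
# The bundle contains the private key, so it is created with mode 0640 and
# never readable by other users, not even for the instant before chmod runs.
build_icecast_bundle() {
    lineage="$1"; out="$2"; owner="$3"
    [ -r "$lineage/fullchain.pem" ] || { echo "missing $lineage/fullchain.pem" >&2; return 1; }
    [ -r "$lineage/privkey.pem" ]   || { echo "missing $lineage/privkey.pem" >&2; return 1; }
    tmp="$out.tmp.$$"
    # subshell so the restrictive umask does not leak into the rest of the hook
    ( umask 077; cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp" )
    chown "$owner" "$tmp"
    chmod 0640 "$tmp"
    mv -f "$tmp" "$out"   # rename is atomic: Icecast never sees a half-written file
}

# hook_main: rebuild the bundle only when the lineage Icecast uses was renewed.
# certbot runs deploy hooks for every renewed lineage, so an unrelated
# certificate must not trigger a restart of the stream.
hook_main() {
    lineage="${RENEWED_LINEAGE:-}"
    want="${ICECAST_LINEAGE:-/etc/letsencrypt/live/reggaespace.com}"
    bundle="${ICECAST_BUNDLE:-/etc/icecast2/bundle.pem}"
    owner="${ICECAST_OWNER:-root:icecast}"               # assumption: service group is icecast
    restart="${ICECAST_RESTART_CMD:-systemctl restart icecast2}"
    if [ "$lineage" != "$want" ]; then
        echo "deploy hook: $lineage renewed, not $want; nothing to do"
        return 0
    fi
    build_icecast_bundle "$lineage" "$bundle" "$owner"
    $restart
    echo "deploy hook: rebuilt $bundle and restarted icecast2"
}

# Only act when certbot invoked us; sourcing the file just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    hook_main
fi
```

After the next renewal, confirm the stream port serves the new certificate with `openssl s_client -connect reggaespace.com:8012 -servername reggaespace.com </dev/null 2>/dev/null | openssl x509 -noout -enddate`. If Icecast runs under a different user or group, adjust ICECAST_OWNER so the 0640 bundle stays readable by the service and nobody else.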
