Auto renewal with Icecast2 server

There are several ways:
If the cert is being served to the Internet, then there are many ways to show the expiration date.
If the cert is not being served to the Internet, then you can use OpenSSL:
openssl x509 -enddate -noout -in cert.pem

certbot renew

If you are going to continue using HTTP-01 authentication, you will need to use port 80.

2 Likes

Yes, that's my web server at port 80 on a MacMini with OSX. For now, I have changed the port to 80 for the Icecast servers running Ubuntu on another MacMini so I can renew your certificate.

Did you miss my post #20?:

I asked for you to do two things.

2 Likes

root@louie:~# ls -l /etc/icecast2/bundle.pem
-rw-rw-rw- 1 joe joe 7283 Mar 23 13:06 /etc/icecast2/bundle.pem
root@louie:~#

here is the first

By using > instead of >>, you've deleted the original contents of the renewal configuration file, effectively destroying all the required information for Certbot to even recognise the cert.

> truncates the original, >> appends to the original. You want to use >> and not >. Not that it matters now, as the original is gone.

You probably want to delete the current certificate and generate a new one. When doing so, please use the --deploy-hook option instead of manually messing with the renewal configuration file.

3 Likes

Second one cat /etc/icecast2/bundle.pem

It won't let me post. one pending, ok and big red delete button

???

7283 bytes does seem about the right size.

I'm still not sure why you aren't using a deploy hook for this.

2 Likes

I specifically asked you NOT to post it:

Please read the entire instruction before proceeding.

3 Likes

I agree, a deploy hook would be the better choice instead of a post hook.

4 Likes

how do I delete the current certificate?

Depends if Certbot can still delete it, as the renewal configuration file is broken. Please see User Guide — Certbot 2.4.0 documentation.

Or even better: generate a new certificate with a different name (using --cert-name) and start using that one first before deleting anything.

3 Likes

Something like:
certbot --cert-name IceCast -d kpurrr.com -d www.kpurrr.com
[along with any other "words" previously used: "--standalone" or "--webroot" etc. ]

2 Likes

Here is a list of issued certificates https://crt.sh/?q=kpurrr.com, latest being 2023-03-23.

And the presently being served certificate https://decoder.link/sslchecker/kpurrr.com/443

1 Like

Have you tried manually "fixing" that entry in the file /etc/letsencrypt/renewal/kpurrr.com.conf ?
Maybe that is all you really need to do to get this working again.

I would try:

post_hook = "cat /etc/letsencrypt/live/kpurrr.com/fullchain.pem /etc/letsencrypt/live/kpurrr.com/privkey.pem > /etc/icecast2/bundle.pem && service icecast2 restart"

Then, if that works, I would switch it to a deploy hook.

2 Likes
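Added example, not part of any post in this thread and not Certbot's own code: a deploy-hook script that does what the post_hook line above does, but writes the bundle with mode 0600 (the `ls -l` output earlier in the thread shows it as `-rw-rw-rw-`) and swaps it in with a rename so a failed run never leaves a truncated bundle. `RENEWED_LINEAGE` is set by Certbot for deploy hooks; `BUNDLE`, `BUNDLE_OWNER` and `build_bundle` are names assumed here, and the account Icecast runs as must be filled in for your system.

```shell
#!/bin/sh
# Added example: Certbot deploy hook that rebuilds the Icecast bundle.
# Certbot sets RENEWED_LINEAGE to the live directory of the renewed cert.
# BUNDLE and BUNDLE_OWNER are hypothetical settings for this sketch.
BUNDLE=${BUNDLE:-/etc/icecast2/bundle.pem}
BUNDLE_OWNER=${BUNDLE_OWNER:-}   # e.g. the account Icecast runs as (assumption)

build_bundle() {
    bb_src=$1    # directory holding fullchain.pem and privkey.pem
    bb_dst=$2    # bundle path read by Icecast
    # Refuse to touch the existing bundle if either input is missing.
    [ -r "$bb_src/fullchain.pem" ] && [ -r "$bb_src/privkey.pem" ] || return 1
    # mktemp creates the file with mode 0600, so the key is never exposed.
    bb_tmp=$(mktemp "$bb_dst.XXXXXX") || return 1
    if cat "$bb_src/fullchain.pem" "$bb_src/privkey.pem" > "$bb_tmp" &&
       chmod 600 "$bb_tmp" &&
       { [ -z "$BUNDLE_OWNER" ] || chown "$BUNDLE_OWNER" "$bb_tmp"; } &&
       mv -f "$bb_tmp" "$bb_dst"    # rename replaces the old bundle in one step
    then
        return 0
    fi
    rm -f "$bb_tmp"
    return 1
}

# Run only when Certbot invokes the script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_bundle "$RENEWED_LINEAGE" "$BUNDLE" && service icecast2 restart
fi
```

Pass the script's path to `--deploy-hook` when requesting the certificate; Certbot then runs it only after a successful issuance or renewal.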

Did you Revoke this Certificate crt.sh | 8966055863?

1 Like

I cert delete of kpurrr.com. I reran certbot. I said it was successful.

I ran certbot dry run. rebooted. Check icecast server works on port 80

But I get this failed key.
See below the error code

root@louie:~# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/kpurrr.com.conf


Simulating renewal of an existing certificate for kpurrr.com
Failed to renew certificate kpurrr.com with error: Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/kpurrr.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
root@louie:~#

You're probably using the standalone plugin.

What was the exact Certbot command you've used?

4 Likes

I see Icecast server on port 80:

curl -Ii kpurrr.com
HTTP/1.1 400 Bad Request
Server: Icecast 2.4.4

2 Likes

root@louie:~# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/kpurrr.com.conf


Simulating renewal of an existing certificate for kpurrr.com


Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/kpurrr.com/fullchain.pem (success)


root@louie:~#

kpurrr.com.conf


post_deply = "cat /etc/letsencrypt/live/kpurrr.com/fullchain.pem /etc/letsencrypt/live/kpurrr.com/privkey.pem > /etc/icecast2/bundle.pem && service icecast2 restart"

Since I will use this port 8000 and 8443 for this Icecast2 server and my webserver is port 80 and port 443.

thanks

Thanks guys. I have only one question: how do you manually renew and how do you get the expiration date??? If I don't have port 80 open at the time of renewal??? What will happen also?
peace
good job

1 Like

Did you make that up or did you actually read that somewhere?
I suspect you meant:
deploy_hook

2 Likes