Can't create certificate for Icecast stream self-hosted on Pi

Okay folks, I filled out the form and it's included below. I'm self-hosting an Icecast server on a Raspberry Pi, and streaming to [stream.no-soap.net/stream](http://stream.no-soap.net/stream). It works fine on its own, but because it's not secure, it is mismatched with the secure webpage (no-soap.net) and therefore won't play.

My understanding is to fix this, I need an SSL certificate added to my Icecast server using Certbot and Let's Encrypt. I'm hitting the below error when I try to create a certificate to the webroot - I should point out that this error is new, originally it was saying there was not a valid A or AAAA reference to my domain. I'm assuming this is because I have DDNS set up through Namecheap?

Anyway, help! I'm very much a beginner at setting up and self-hosting servers, and the documentation with Icecast in particular is difficult, at best. Thanks in advance!

--

My domain is: stream.no-soap.net

I ran this command: sudo certbot certonly --webroot-path="/usr/share/icecast2/web" -d 'stream.no-soap.net'

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: Nginx Web Server plugin (nginx)

2: Spin up a temporary webserver (standalone)

3: Place files in webroot directory (webroot)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3

Requesting a certificate for stream.no-soap.net

An unexpected error occurred:

AttributeError: can't set attribute

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): icecast2

The operating system my web server runs on is (include version): Raspberry Pi OS

My hosting provider, if applicable, is: Namecheap

I can login to a root shell on my machine (yes or no, or I don't know): I think so! I'm accessing the Pi headlessly by ssh-ing into it

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 2.1.0

Hello @maaaaaaaaaatt, welcome to the Let's Encrypt community. :slightly_smiling_face:

You need to use the Publicly facing Internet IP Address.

Using the online tool Let's Debug yields these results https://letsdebug.net/stream.no-soap.net/1821849

ReservedAddress
FATAL
A private, inaccessible, IANA/IETF-reserved IP address was found for stream.no-soap.net. Let's Encrypt will always fail HTTP validation for any domain that is pointing to an address that is not routable on the internet. You should either remove this address and replace it with a public one or use the DNS validation method instead.
10.0.0.179

The IPv4 Address you are using, 10.0.0.179, is part of the IPv4 Private Address Space and Filtering - American Registry for Internet Numbers
Also see Reserved IP addresses - Wikipedia

Edit: and also this IANA IPv4 Special-Purpose Address Registry

3 Likes
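The failure Let's Debug reports above comes down to the hostname's A record pointing at an address that is not routable on the internet. A pre-flight check for that condition, as an added example (not part of the original thread, and not Let's Debug's or Certbot's own code); the function names are hypothetical, and the sample addresses are the two that appear in this thread plus one constructed carrier-grade NAT address:

```python
import ipaddress
import socket


def resolve(hostname):
    """Return the unique A/AAAA addresses the local resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def classify(address):
    """Return 'public', or the reason the address is unreachable from the internet."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:          # RFC 1918 ranges such as 10.0.0.0/8, and IPv6 ULA
        return "private"
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return "reserved"
    if not ip.is_global:       # e.g. 100.64.0.0/10, shared space used for CGNAT
        return "not-global"
    return "public"


def preflight(addresses):
    """Return (ok, findings); ok is False when any record would fail HTTP validation."""
    findings = [(addr, classify(addr)) for addr in addresses]
    ok = bool(findings) and all(kind == "public" for _, kind in findings)
    return ok, findings


if __name__ == "__main__":
    # Constructed inputs: the DDNS record before and after the fix in this thread,
    # and a CGNAT address. On the server itself, pass resolve("stream.no-soap.net").
    for records in (["10.0.0.179"], ["174.161.46.112"], ["100.64.0.1"]):
        ok, findings = preflight(records)
        print("OK  " if ok else "FAIL", findings)
```

An empty record set also fails the check, which covers the "no valid A or AAAA" case mentioned in the first post.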

Hey, okay! This makes sense - what's the best way to find and use the Public-facing IP?

Alternatively, I see in Let's Debug I could use the DNS validation method instead, which is the preferred fix?

Thanks Bruce!

1 Like

curl -4 ifconfig.co
curl -6 ifconfig.co

and/or

curl -4 ifconfig.io
curl -6 ifconfig.io

Edit: or as @rg305 said

curl -4 ifconfig.[co|io|me]

2 Likes

Okay! This spit out the IP, I imagine I can just replace the old IP (10.0.0.179) with the new value in my Dynamic DNS record?

Yes; that is correct.

1 Like

Currently waiting for it to propagate :smiling_imp:

Once that updates, I should be able to run sudo certbot certonly --webroot-path="/usr/share/icecast2/web" -d 'stream.no-soap.net' and follow the steps, yeah?

It has propagated enough for Let’s Encrypt, as shown here from Let's Debug

1 Like

@maaaaaaaaaatt,

Port 80 is Open (good).
However, Port 443 is filtered (meaning the Public Internet cannot access it for HTTPS), and maybe that is what you want; if not, you should Open (pass) Port 443 through your router or firewall.

$ nmap -Pn -p80,443 stream.no-soap.net
Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-02 02:28 UTC
Nmap scan report for stream.no-soap.net (174.161.46.112)
Host is up (0.095s latency).
rDNS record for 174.161.46.112: c-174-161-46-112.hsd1.tn.comcast.net

PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 2.19 seconds

1 Like

And you have successfully been issued a certificate.
Here is a list of issued certificates crt.sh | stream.no-soap.net, the latest being 2024-03-02.

Well done. Enjoy! :slight_smile:

2 Likes

Couldn't have done it without your help, @Bruce5051 !

So, double-checking my Icecast config, but it seems like since port 443 is the one linked to https, that should be the port I use as my public-facing stream mountpoint?

2 Likes

I don't know Icecast nor the stream mountpoint, but my guess is yes.

However Port 443 still is filtered by a router and/or a firewall.

$ nmap -Pn -p80,443 stream.no-soap.net
Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-02 02:42 UTC
Nmap scan report for stream.no-soap.net (174.161.46.112)
Host is up (0.093s latency).
rDNS record for 174.161.46.112: c-174-161-46-112.hsd1.tn.comcast.net

PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 2.01 seconds

1 Like

@maaaaaaaaaatt,

Great! Now Port 443 is Open as well. :slight_smile:

$ nmap -Pn -p80,443 stream.no-soap.net
Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-02 02:48 UTC
Nmap scan report for stream.no-soap.net (174.161.46.112)
Host is up (0.38s latency).
rDNS record for 174.161.46.112: c-174-161-46-112.hsd1.tn.comcast.net

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.46 seconds

Edit: and is serving its certificate SSL Checker

1 Like

@Bruce5051, I'm up and running thanks to your help!

Head over to no-soap.net if you feel like listening to some Joe Pass jazz guitar :sunglasses:

Thanks again!

2 Likes
