Generate ssl certificate

Now I'm curious about mine:

  • RSA4096 on R3: 5946
  • RSA2048 on R3: 5609
  • P-256 on R3: 5329
  • P-256 on E1: 3968

(What the... How are they so close? -- they're not, I checked the wrong certificate)

(The keys are another story, ~3200, ~1700 and ~300)

this is the result

openssl rsa -check -noout -in /opt/bitnami/letsencrypt/certificates/hooggar.com.key

139998102226048:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:../crypto/evp/p_lib.c:469:

@9peppe and I are chatting off-thread. In the meantime, can you confirm for us:

Are you using ECDSA certs and ECC key?
Nevermind: @9peppe sees you are. Still:

Do you know if icecast supports ECDSA certs?
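The "expecting an rsa key" error above is what `openssl rsa` prints when the file it is handed is not an RSA key at all, which is exactly the ECDSA/ECC situation the reply asks about. The following added example (not code from the thread or from Icecast/Bitnami) reads the PEM label and, for PKCS#8 `BEGIN PRIVATE KEY` files, the algorithm OID in the DER header, so you can see which key type you have before choosing the matching `openssl ... -check` subcommand. The two sample keys are constructed in the block with dummy key material; only their headers are meaningful.

```python
import base64
import re

# Algorithm OIDs found in the AlgorithmIdentifier of a PKCS#8 PrivateKeyInfo.
ALGORITHM_OIDS = {
    "1.2.840.113549.1.1.1": "RSA",
    "1.2.840.10045.2.1": "EC",
    "1.3.101.112": "Ed25519",
}

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: next (length & 0x7F) bytes hold the size
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Turn the DER content bytes of an OBJECT IDENTIFIER into dotted notation."""
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def _pkcs8_algorithm_oid(der):
    # PrivateKeyInfo ::= SEQUENCE { version INTEGER, algorithm AlgorithmIdentifier, privateKey OCTET STRING, ... }
    tag, pos, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PKCS#8 key does not start with a SEQUENCE")
    tag, _, version_end = _read_tlv(der, pos)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    tag, alg_start, _ = _read_tlv(der, version_end)
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])


def private_key_type(pem_text):
    """Return 'RSA', 'EC', 'Ed25519', ... for the first private key in pem_text."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label == "RSA PRIVATE KEY":       # traditional PKCS#1 encoding
        return "RSA"
    if label == "EC PRIVATE KEY":        # traditional SEC1 encoding
        return "EC"
    if label == "ENCRYPTED PRIVATE KEY":
        return "encrypted PKCS#8 (decrypt first)"
    if label == "PRIVATE KEY":           # PKCS#8: the algorithm is inside the DER
        oid = _pkcs8_algorithm_oid(base64.b64decode("".join(body.split())))
        return ALGORITHM_OIDS.get(oid, "unknown OID " + oid)
    raise ValueError("not a private key block: " + label)


def check_command(key_type):
    """The openssl subcommand that can validate a key of this type (openssl pkey handles any type)."""
    if key_type == "RSA":
        return "openssl rsa -check -noout -in KEY"
    if key_type == "EC":
        return "openssl ec -check -noout -in KEY"
    return "openssl pkey -check -noout -in KEY"


def _tlv(tag, payload):
    """Encode a short-form DER TLV (payload under 128 bytes); used only to build the samples."""
    return bytes([tag, len(payload)]) + payload


def _sample_pkcs8(algorithm_oid_hex, params):
    # Constructed sample: valid PKCS#8 framing around a dummy 4-byte private key.
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(algorithm_oid_hex)) + params)
    der = _tlv(0x30, _tlv(0x02, b"\x00") + alg + _tlv(0x04, b"\x00" * 4))
    return "-----BEGIN PRIVATE KEY-----\n" + base64.encodebytes(der).decode() + "-----END PRIVATE KEY-----\n"


# ecPublicKey with the prime256v1 curve as parameter (constructed).
SAMPLE_EC_PEM = _sample_pkcs8("2a8648ce3d0201", _tlv(0x06, bytes.fromhex("2a8648ce3d030107")))
# rsaEncryption with NULL parameters (constructed).
SAMPLE_RSA_PEM = _sample_pkcs8("2a864886f70d010101", _tlv(0x05, b""))

if __name__ == "__main__":
    for pem in (SAMPLE_EC_PEM, SAMPLE_RSA_PEM):
        kt = private_key_type(pem)
        print(kt, "->", check_command(kt))
```

To use it on a real file, read the PEM into a string and pass it to `private_key_type`; an EC key fed to `openssl rsa -check` produces precisely the "expecting an rsa key" failure quoted above, while `openssl ec -check` or `openssl pkey -check` validates it.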

So, it looks like you were concatenating the files correctly.

We don't know why icecast would not support ECDSA given it uses openssl.

I don't have any other ideas. Maybe @9peppe or someone else will think of something more. Best of luck.

What I don't get is why Icecast would just ignore some of those configuration options but not others.

I don't know either. Is there an icecast community somewhere?

Should OP drop plans to use TLS with icecast directly and try again reverse proxying with nginx? I don't know that either.

One prior icecast poster had to drop TLS because some (all?) of the hardware radios that would connect to their icecast server did not support HTTPS.

Yeah, I remember. But serving both http and https should be allowed, I think.

So far I have 2 VMs on Google Cloud and 1 in Oracle Cloud.
The Google Cloud VM uses Debian 10 and the Bitnami nginx package.

The Oracle VM is under CentOS 7 but uses the httpd Apache server.

I will install Let's Encrypt (certbot) and see if it will fail like on Debian.

Wait. If you can install WordPress/bitnami somewhere and icecast somewhere else it's probably better. That way you can just use a different subdomain and hope TLS works this time.

I have the same problem on the second server.

http://www.usdzradio.live:8443/mount
The port comes up as http, not as https.

On the second server you can use 80 and 443 :wink:

Maybe telling it to use 443 will shame icecast into actually using TLS.

Yes, but I want the listener to access the music from https://usdzradio.live,
just by clicking on the player.

I assumed you had the website on a server and the stream on another, not two different radios each with website and stream. (I would try again with the reverse proxy, but you need to find somebody that has already done that)

There probably is some strange Icecast behavior that we're missing.

On the top it says port 8843 is https.

nmap -p 80,443,8000,8443 usdzradio.live

Starting Nmap 6.40 ( http://nmap.org ) at 2022-03-19 22:35 GMT
Nmap scan report for usdzradio.live (34.148.79.147)
Host is up (0.013s latency).
rDNS record for 34.148.79.147: 147.79.148.34.bc.googleusercontent.com
PORT STATE SERVICE
80/tcp open http
443/tcp open https
8000/tcp open http-alt
8443/tcp open https-alt

No, it says it's usually https.

If you want to know what it actually is you have to add the -A option.
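Without `-A`, the SERVICE column of the scan above is only nmap's port-number lookup (8443 is conventionally "https-alt"), not an observation of what the daemon speaks. The added example below (not code from the thread or from nmap) does the minimal version of what a service probe does: it attempts a real TLS handshake on the port and, if the peer answers with something that is not TLS, falls back to a plain HTTP request. Run against your own server it tells you whether a port such as 8443 really speaks TLS. The local listener in the block is a constructed stand-in that answers every connection with plain HTTP, so the demo runs offline; `your.host` in the comment is a placeholder.

```python
import socket
import ssl
import threading


def classify_port(host, port, timeout=3.0):
    """Return 'tls', 'plain-http' or 'unknown' based on what actually answers on host:port."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # we only ask whether TLS is spoken, not whether the cert is trusted
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"          # handshake completed: this port really speaks TLS
    except ssl.SSLError:
        pass                          # peer answered the ClientHello with non-TLS bytes
    except OSError:
        return "unknown"              # refused, timed out, reset, ...

    # Second connection: does the port answer a cleartext HTTP request?
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            reply = sock.recv(256)
    except OSError:
        return "unknown"
    return "plain-http" if reply.startswith(b"HTTP/") else "unknown"


def start_plain_http_listener(connections=2):
    """Constructed stand-in for a daemon that talks plain HTTP on an 'https-alt' port.

    Answers each of `connections` connections with an HTTP response regardless of
    what the client sent, then exits. Returns the ephemeral port it listens on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        for _ in range(connections):
            conn, _ = srv.accept()
            with conn:
                try:
                    conn.settimeout(3.0)
                    conn.recv(4096)   # ClientHello or HEAD request; not parsed
                    conn.sendall(b"HTTP/1.0 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
                except OSError:
                    pass              # client already gave up on the failed handshake
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    demo_port = start_plain_http_listener()
    print("127.0.0.1:%d -> %s" % (demo_port, classify_port("127.0.0.1", demo_port)))
    # Against your own server (placeholder host): classify_port("your.host", 8443)
```

The first connection mirrors the nginx message seen on 443 above in reverse: a TLS ClientHello sent to a port that only speaks cleartext comes back as an HTTP error, which OpenSSL reports as a protocol error and the function turns into the fallback probe.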

It shows 8443 as http, like on the other server.

]# nmap -A -p 80,443,8000,8443 usdzradio.live

Starting Nmap 6.40 ( http://nmap.org ) at 2022-03-19 22:42 GMT
Stats: 0:00:29 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 92.31% done; ETC: 22:42 (0:00:01 remaining)
Nmap scan report for usdzradio.live (34.148.79.147)
Host is up (0.013s latency).
rDNS record for 34.148.79.147: 147.79.148.34.bc.googleusercontent.com
PORT STATE SERVICE VERSION
80/tcp open http nginx
|_http-generator: WordPress 5.9.2
|_http-methods: No Allow or Public header in OPTIONS response (status code 405)
|_http-title: USDZ RADIO – Welcome to our community
443/tcp open http nginx
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=usdzradio.live
| Not valid before: 2022-03-15T22:31:53+00:00
|_Not valid after: 2022-06-13T22:31:52+00:00
8000/tcp open http Icecast streaming media server
|_http-title: Icecast Streaming Media Server
8443/tcp open http Icecast streaming media server
|_http-title: Icecast Streaming Media Server
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|WAP|media device|storage-misc
Running (JUST GUESSING): Crestron 2-Series (87%), Netgear embedded (87%), Western Digital embedded (87%), HP embedded (85%)
OS CPE: cpe:/o:crestron:2_series cpe:/h:netgear:dg834g cpe:/o:westerndigital:wd_tv cpe:/h:hp:p2000_g3
Aggressive OS guesses: Crestron XPanel control system (87%), Netgear DG834G WAP or Western Digital WD TV media player (87%), HP P2000 G3 NAS device (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 7 hops

I see there is a github for Icecast although it is not very active. You could try asking there.

I saw this article via Google which says the Debian Icecast does not have SSL built into it but you can get and build an SSL version from Xiph. Does this make sense? Could that be it?

In the article, you could ignore the parts about using certbot to get a cert since you have a method to get certs. The interesting part was the package of Icecast for SSL support.

Icecast is unusual and while we can make guesses it does not substitute for actually working with it. Perhaps github or this article will help? Or, even search this forum for the other Icecast threads. Cheers

You should be able to proxy inbound HTTPS connections to the HTTP radio.

I tried it as well; it never worked.
I wonder if Tuzongo on this

has his Icecast up and running, and what his conf is.

This seems to be the case in Debian 10 but not Debian 11.