I ran this command:
```
sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.xtratuneradio.servemp3.com -d xtratuneradio.servemp3.com
```
It produced this output:
```
Domain: xtratuneradio.servemp3.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.xtratuneradio.servemp3.com - check that a DNS record exists for this domain

Domain: xtratuneradio.servemp3.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.xtratuneradio.servemp3.com - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```
My web server is (include version): Icecast 2.4.4
The operating system my web server runs on is (include version): WSL Ubuntu 22.04.3 LTS "jammy"
My hosting provider, if applicable, is: No-IP
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of `certbot --version` or `certbot-auto --version` if you're using Certbot): certbot 1.21.0
I am attempting to host an Icecast server on my desktop computer using WSL Ubuntu. Current progress is as follows: server is running. Ports 8000-8010 allowed through firewalls. Server can be accessed via the web, No-IP hostname made.
I am attempting to get a cert to get the site on HTTPS, as that is necessary for embedding the stream to work. I tried this guide first, as a StackExchange user linked it, purporting that nginx and apache wouldn't be necessary. The outputted cert from certbot starts with an underscore, which appears not to be kosher according to No-IP, which informed me to contact support in this case. Why is this? I also cross-referenced this guide, but I simply cannot get Icecast to run on port 80. Below is my terminal with info about my Icecast setup:
```
# Defaults for icecast2 initscript
# sourced by /etc/init.d/icecast2
# installed at /etc/default/icecast2 by the maintainer scripts
#
# This is a POSIX shell fragment
#
# Full path to the server configuration file
CONFIGFILE="/etc/icecast2/icecast.xml"
# Name or ID of the user and group the daemon should run under
USERID=root
GROUPID=root
yanmar@Donmon:~$ sudo grep -h shoutcast-mount /etc/icecast2/icecast.xml
<shoutcast-mount>/live.nsv</shoutcast-mount>
<shoutcast-mount>/stream</shoutcast-mount>
<shoutcast-mount>/autodj</shoutcast-mount>
<shoutcast-mount>/stream2</shoutcast-mount>
yanmar@Donmon:~$ sudo grep -h port /etc/icecast2/icecast.xml
<port>80</port>
<port>8005</port>
<port>8009</port>
<!--<master-server-port>8001</master-server-port>-->
<port>8080</port>
May be made specific to a port or bound address using the "port"
this example will redirect all requests for http://server:port/ to
yanmar@Donmon:~$ sudo /etc/init.d/icecast2 start
Starting icecast2 (via systemctl): icecast2.service.
yanmar@Donmon:~$ icecast2 --version
Icecast 2.4.4
yanmar@Donmon:~$ certbot --version
certbot 1.21.0
yanmar@Donmon:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.3 LTS
Release: 22.04
Codename: jammy
```
Yet when I run `nmap -Pn -p80,443 xtratuneradio.servemp3.com` from my machine, I see this; the ports show as open.
```
$ nmap -Pn -p80,443 xtratuneradio.servemp3.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-09-17 16:29 UTC
Nmap scan report for xtratuneradio.servemp3.com (108.162.194.235)
Host is up (0.012s latency).
Other addresses for xtratuneradio.servemp3.com (not scanned): 162.159.38.235 172.64.34.235 2606:4700:50::a29f:26eb 2a06:98c1:50::ac40:22eb 2803:f800:50::6ca2:c2eb
rDNS record for 108.162.194.235: katelyn.ns.cloudflare.com
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
```
Edit 2
This time `nmap -Pn -p80,443 xtratuneradio.servemp3.com` reports the ports as filtered:
```
$ nmap -Pn -p80,443 xtratuneradio.servemp3.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-09-17 16:48 UTC
Nmap scan report for xtratuneradio.servemp3.com (108.249.167.126)
Host is up.
rDNS record for 108.249.167.126: 108-249-167-126.lightspeed.miamfl.sbcglobal.net
PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https
Nmap done: 1 IP address (1 host up) scanned in 3.09 seconds
```
Certbot appears to be functioning correctly judging by this usage; it seems my issue is getting the server to work on port 80. I will see what I can figure out from the Icecast community, though it seems they've moved on from that forum.
I know that @Bruce5051 mentioned at one point that a connection could not be made on port 80, but that is not immediately relevant to your error, since you are using

```
--manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns
```

and you are indeed trying to use the DNS-01 challenge method, but it isn't working. Thus, the acme-dns-auth.py script that you're using isn't successfully creating DNS TXT records under your domain, and so the thing that's necessary to figure out in order to get this certificate is why the DNS TXT records aren't being created.
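The reply above pins the failure on the auth hook not producing a visible `_acme-challenge` TXT record, and certbot's own hint says a hook must also wait for propagation. The following is an added example, not part of this thread and not code from acme-dns-auth.py, of a small POSIX shell check a manual auth hook can run after publishing the record: it polls the TXT record until the expected validation string appears or a timeout expires, so certbot only tells the CA to validate once the record is resolvable. It assumes `dig` is installed; `DNS_SERVER` (an assumed, optional variable) lets you query an authoritative nameserver directly rather than a recursive resolver that may have cached the NXDOMAIN, and `TXT_LOOKUP` (also assumed) lets a different lookup function be substituted. `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` are the environment variables certbot itself exports to a `--manual-auth-hook`.

```shell
#!/bin/sh
# Added example (not from the thread or from acme-dns-auth.py): wait until the
# _acme-challenge TXT record certbot asked for is actually resolvable before
# letting the CA validate it. Assumes the hook has already published the record.

# Resolver command: prints the TXT strings for name $1, one per line, quotes
# stripped. If DNS_SERVER (assumed variable) is set, query that server directly so
# a recursive resolver's negative cache of the earlier NXDOMAIN is bypassed.
dig_txt() {
    dig +short TXT "$1" ${DNS_SERVER:+@"$DNS_SERVER"} | tr -d '"'
}

# Name of the lookup function to use; override (e.g. in tests) by setting TXT_LOOKUP.
TXT_LOOKUP="${TXT_LOOKUP:-dig_txt}"

# wait_for_txt NAME EXPECTED [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# Returns 0 as soon as EXPECTED appears as one of NAME's TXT strings,
# 1 if TIMEOUT_SECONDS elapse without seeing it.
wait_for_txt() {
    name="$1"; expected="$2"; timeout="${3:-120}"; interval="${4:-5}"
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        # -F: literal match, -x: whole line, so a partial or stale token does not count.
        if "$TXT_LOOKUP" "$name" | grep -Fxq -e "$expected"; then
            return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    echo "wait_for_txt: $expected not seen at $name after ${timeout}s" >&2
    return 1
}

# Usage from the end of a manual auth hook, using the variables certbot exports
# (poll for up to five minutes, every ten seconds; exit non-zero so certbot
# reports the hook failure instead of asking the CA to validate a missing record):
#   wait_for_txt "_acme-challenge.$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" 300 10 || exit 1
```

When the challenge name is a CNAME to an acme-dns zone, `dig +short` prints the CNAME target first and then the TXT strings; the whole-line match ignores the CNAME line, so the check still works as long as the TXT record at the target holds the current validation string.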
EDIT:
I was able to get my server running on 80 by having it cleared through the firewall; I also had to restart my computer, kill the "IP helper" service as soon as possible, then run icecast2.
I returned to following this guide, but I'd like some clarification if possible (albeit this might be an Icecast-specific thing).
After the cert setup is complete, the instructions say to:

Configure Icecast for SSL
We are now ready to finish this off and get Icecast running with our new certificate.
Edit Icecast.xml in a text editor:
```
nano /etc/icecast2/icecast.xml
```
Add this line to the section:
```
/etc/icecast2/bundle.pem
```
Now, add this section to the document (in the root XML node):
```
<listen-socket>
    <port>443</port>
    <ssl>1</ssl>
</listen-socket>
```
Quit the text editor, and now restart Icecast:
```
sudo service icecast2 restart
```
If all goes well, you can now browse to https://stream.example.com/ and also listen to your internet streams over HTTPS.
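The guide steps quoted above point Icecast at a single file, `/etc/icecast2/bundle.pem`, but do not show how that file is produced or protected. Icecast's SSL certificate setting reads the certificate chain and the private key from one PEM file, so the bundle is certbot's `fullchain.pem` followed by `privkey.pem`; because it contains the key, it should not be created world-readable. The following is an added example, not from the guide or from the Icecast or certbot projects, of a POSIX shell function that builds the bundle with the permissions set before any key bytes are written. It assumes the Icecast service account is `icecast2` (overridable via the third argument), that `stat` is GNU or BSD, and that `make-bundle.sh` is a hypothetical name for a script that sources this function; `RENEWED_LINEAGE` is the variable certbot exports to a `--deploy-hook`.

```shell
#!/bin/sh
# Added example (not from the guide or from Icecast/certbot): build the single
# chain+key PEM that Icecast's ssl-certificate setting expects, without leaving
# the private key readable by other local users.

# make_bundle LIVE_DIR OUT_FILE [GROUP]
#   LIVE_DIR: certbot's live/<name> directory holding fullchain.pem and privkey.pem
#   OUT_FILE: destination bundle (e.g. /etc/icecast2/bundle.pem)
#   GROUP:    group Icecast runs as (assumed default: icecast2)
# Returns 0 on success, 1 if the inputs are missing or the write fails.
make_bundle() {
    live="$1"; out="$2"; group="${3:-icecast2}"
    if [ ! -r "$live/fullchain.pem" ] || [ ! -r "$live/privkey.pem" ]; then
        echo "make_bundle: missing fullchain.pem or privkey.pem in $live" >&2
        return 1
    fi
    tmp="$out.tmp.$$"
    # Write into a temp file created under umask 077, so the key is never
    # exposed through a briefly world-readable file; the umask change is
    # confined to the subshell.
    ( umask 077; cat "$live/fullchain.pem" "$live/privkey.pem" > "$tmp" ) || return 1
    # Owner (root) writes, the service group reads, nobody else sees it.
    chmod 0640 "$tmp"
    # Changing the owner to root needs root; if this runs unprivileged
    # (e.g. a dry run), report it rather than failing the whole step.
    chown "root:$group" "$tmp" 2>/dev/null \
        || echo "make_bundle: chown root:$group skipped (not running as root?)" >&2
    # Atomic replace, so Icecast never reads a half-written bundle.
    mv "$tmp" "$out"
}

# bundle_mode FILE: prints the octal permission bits, for a post-install check.
bundle_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage as a certbot deploy hook, so the bundle is refreshed at each renewal
# (make-bundle.sh is a hypothetical wrapper that sources this file):
#   certbot renew --deploy-hook '/usr/local/sbin/make-bundle.sh'
# where make-bundle.sh runs, with the variable certbot exports:
#   make_bundle "$RENEWED_LINEAGE" /etc/icecast2/bundle.pem icecast2 \
#       && service icecast2 restart
```

After running it, `bundle_mode /etc/icecast2/bundle.pem` should print `640` and `ls -l` should show `root icecast2`; if Icecast still fails to start with the certificate, that group is the first thing to check, since the daemon cannot open a key file it cannot read.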