HTTPS browser requests failing to Icecast server

Hello all!

Just used certbot to get some certificates issued for stream.transmission-reception.com.

I can see the certificate and the key saved to my server, but they aren't showing up on crt.sh | stream.transmission-reception.com and it doesn't look like the browser is detecting them as being secured when I visit the page.

Is there a lag between the cert being issued and propagating? It's always been instant for me in the past.

My domain is: stream.transmission-reception.com

I ran this command:

sudo certbot certonly --webroot-path="/usr/share/icecast2/web" -d 'stream.transmission-reception.com'
Saving debug log to /var/log/letsencrypt/letsencrypt.log

It produced this output:

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/stream.transmission-reception.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/stream.transmission-reception.com/privkey.pem
This certificate expires on 2025-06-07.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

My web server is (include version): icecast2

The operating system my web server runs on is (include version): Raspberry Pi OS

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

Yes, there is often a lag. I am very surprised you "always" got instant response at crt.sh before :slight_smile:

You could look at setting up an account at censys.io. That CT log viewer is much quicker in general, in my experience.

Looks like you got 3 certs today (from censys.io)

3 Likes

crt.sh is often lagging behind; certificates logged to CT should show up there eventually, but it might take a while. There are other CT search resources one can use, but in general if you actually have a cert then it's a good bet that it actually got logged, unless you're specifically getting an error from a browser about it not accepting the CT log signatures or something.

I think you'll need to be a lot more specific about what problems you're experiencing. From here it just looks like your site isn't responding on port 443 at all, which wouldn't indicate any issue with the certificate but with your firewall, router, or server settings.

3 Likes

Okay, got it. @MikeMcQ, thanks for checking that the certs did, in fact, come through!

In that case, here's where we are: I'm self-hosting an icecast2 server, and using stream.transmission-reception.com as the domain. The icecast server is running on ports 80 and 443, one secure and one not.

I can visit http://stream.transmission-reception.com:80 and :443 as expected. However, both show up as Not Secure in my browser.

I also cannot visit either at https://stream.transmission-reception.com.

Ultimately, I need the stream to be secure in order to play properly on the homepage.

Has this Icecast setup ever worked properly? Just want to know if this is first time or something has changed.

I confirm this works

curl -i http://stream.transmission-reception.com/
HTTP/1.0 200 OK

And this works, but HTTP requests to port 443 should fail. Port 443 is the default for HTTPS.

curl -i http://stream.transmission-reception.com:443
HTTP/1.0 200 OK
Server: Icecast 2.4.4

And an HTTPS request predictably fails, as you handle port 443 requests only for HTTP, not HTTPS.

curl -i https://stream.transmission-reception.com
curl: (35) error:0A000126:SSL routines::unexpected eof while reading

3 Likes

This is a new instance, but I've had an Icecast setup that worked well in the past, using these same settings.

Double checked that the router is allowing port forwarding to 443.

Could this be the certificate being issued improperly?

No. 100% no :slight_smile:

Review every part of your config versus the one that is working. Make sure Icecast is set up the same way.

6 Likes
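
The curl checks in the thread above (plain HTTP answered on port 443, TLS handshake ending in EOF) can be combined into one probe. This is an added example, not part of the original thread; `classify_listener` and `start_plaintext_listener` are hypothetical names, and the local listener is a constructed stand-in that behaves like the port 443 listener shown in the curl output.

```python
import socket
import ssl
import threading

def classify_listener(host, port, timeout=3.0):
    """Return 'tls', 'plaintext-http', 'closed' or 'unknown' for host:port."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    # Protocol detection only: certificate validation is skipped on purpose,
    # so this context must never be used to carry real traffic.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls"
    except OSError:  # SSLError, EOF during handshake and timeouts all land here
        raw.close()
    # Handshake failed: ask the same port a plain HTTP question instead.
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            return "plaintext-http" if s.recv(16).startswith(b"HTTP/") else "unknown"
    except OSError:
        return "unknown"

def start_plaintext_listener():
    """Constructed local stand-in: answers HTTP, hangs up on anything else."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                with conn:
                    if conn.recv(1024).startswith(b"HEAD"):
                        conn.sendall(b"HTTP/1.0 200 OK\r\nServer: Icecast 2.4.4\r\n\r\n")
            except ConnectionError:
                continue  # one bad client must not stop the listener
            except OSError:
                return  # listening socket was closed
    threading.Thread(target=serve, daemon=True).start()
    return srv

if __name__ == "__main__":
    srv = start_plaintext_listener()
    print(classify_listener("127.0.0.1", srv.getsockname()[1]))
```

A result of `plaintext-http` on port 443 means the certificate is never being presented, so the place to look is the server's listener configuration rather than the issuance.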