HTTPS browser requests failing to Icecast server

Hello all!

Just used certbot to get some certificates issued for stream.transmission-reception.com.

I can see the certificate and the key saved to my server, but they aren't showing up on crt.sh | stream.transmission-reception.com and it doesn't look like the browser is detecting them as being secured when I visit the page.

Is there a lag between the cert being issued and propagating? It's always been instant for me in the past.

My domain is: stream.transmission-reception.com

I ran this command:

sudo certbot certonly --webroot-path="/usr/share/icecast2/web" -d 'stream.transmission-reception.com'Saving debug log to /var/log/letsencrypt/letsencrypt.log

It produced this output:

Successfully received certificate. Certificate is saved at: /etc/letsencrypt/live/stream.transmission-reception.com/fullchain.pem Key is saved at: /etc/letsencrypt/live/stream.transmission-reception.com/privkey.pem This certificate expires on 2025-06-07. These files will be updated when the certificate renews. Certbot has set up a scheduled task to automatically renew this certificate in the background.

My web server is (include version): icecast2

The operating system my web server runs on is (include version): Raspberry Pi OS

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

Yes, there is often a lag. I am very surprised you "always" got instant response at crt.sh before

You could look at setting up an account at censys.io that CT log viewer is much quicker in general in my experience

Looks like you got 3 certs today (from censys.io)

image1002×1065 63.8 KB

crt.sh is often lagging behind, certificates logged to CT should show up there eventually but it might take a while. There are other CT search resources one can use, but in general if you actually have a cert than it's a good bet that it actually got logged, unless you're specifically getting an error from a browser about it not accepting the CT log signatures or something.

I think you'll need to be a lot more specific about what problems you're experiencing. From here it just looks like your site isn't responding on port 443 at all, which wouldn't indicate any issue with the certificate but with your firewall, router, or server settings.

Okay, got it. @MikeMcQ , thanks for checking that the certs did, in fact, come through!

In that case, here's where we are: I'm self-hosting an icecast2 server, and using stream.transmission-reception.com as the domain. The icecast server is running on ports 80 and 443, one secure and one not.

I can visit http://stream.transmission-reception.com:80 and :443 as expected. However, both show up as Not Secure in my browser.

I also cannot visit neither at https://stream.transmission-reception.com.

Ultimately, I need the stream to be secure in order to play properly on the homepage

Has this Icecast setup ever worked properly? Just want to know if this is first time or something has changed.

I confirm this works

curl -i http://stream.transmission-reception.com/
HTTP/1.0 200 OK

And this works but HTTP requests to port 443 should fail. Port 443 is the default for HTTPS

curl -i http://stream.transmission-reception.com:443
HTTP/1.0 200 OK
Server: Icecast 2.4.4

And an HTTPS request predictably fails as you handle port 443 requests only for HTTP, not HTTPS

curl -i https://stream.transmission-reception.com
curl: (35) error:0A000126:SSL routines::unexpected eof while reading

This is a new instance, but I've had an Icecast setup that worked well in the past, using these same settings.

Double checked that the router is allowing port forwarding to 443.

Could this be the certificate being issued improperly?

No. 100% no

Review every part of your config versus the one that is working. Make sure Icecast is setup the same way.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.