Icecast 2.4.4 on Ubuntu 19.10

My domain is: doof.fm

I ran this command: certbot certonly --webroot-path="/usr/share/icecast2/web" -d stream.doof.fm

It produced this output: (I can’t copy/paste so I’m typing this and some abbreviations)
Challenge failed for domain stream.doof.fm
http-01 challenge for stream.doof.fm
Following errors:
domain: stream.doof.fm
type: unauthorised
Detail: invalid response from
http://stream.doof.fm/.well-known/acme-challenge/azp
[103.27.32.28]: "\n<html style=\ “height:100%!(MISSING)”>\n\n<meta name=“viewport” content=“width=device-width, initial-scale=1, shrink-to-”
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA records contain the right IP address.

My web server is (include version): LiteSpeed (don’t know version)

The operating system my web server runs on is (include version): Ubuntu 19.10 x64

My hosting provider, if applicable, is: Vultr (VPS) VentraIP (website)

I can login to a root shell on my machine (yes or no, or I don’t know): Yes in to VPS

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Yes, cPanel for website

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.36.0

Hi all,
new to the forum and new to building my own Icecast server etc.

Please help if you can, I’ve followed a couple of guides on how to get Icecast running with SSL and through a combination of two guides (https://weekly-geekly.github.io/articles/350236/index.html & https://mediarealm.com.au/articles/icecast-https-ssl-setup-lets-encrypt/)
I’ve managed to compile Icecast to use ssl and the service is running on an http site… so far so good

I have installed certbot and as you can see from the log above, I cannot get it to generate a certificate for me…

could the issue be that I am using a different provider to run the VPS which is running icecast and a different provider for the hosting of the website itself?

an earlier error was that certbot could not look up the DNS (I fixed that by actually creating a subdomain stream.doof.fm) but then the second error (above) I can’t resolve
as far as I can tell, the IP listed in the error [103.27.32.28] belongs to my website

could the issue be that the server running icecast is not on the same ip as the website?

if so, what can I do? if not, what do I do?

thank you so much for your help :")

a

1 Like

For HTTP authentication, certbot would need to run on the IP the name resolves to [103.27.32.28].
If that is the case, then you may need to do some “special” handling of those HTTP authentication requests [/.well-known/acme-challenge/…].

First get the cert, then apply it to the Icecast server.

1 Like

thanks for reaching out :slight_smile:

so if I can get certbot to run on 103xx, how would I be able to tell icecast (which is running on a different IP) to use the certificate?
or can I not do that?

oh and also, the website hosting provider gives me free SSL certificates, so the website itself is already
https://doof.fm and https://stream.doof.fm

have I made a complete mess?

1 Like

Ok, if they are on different IPs, then you need to rethink the strategy.
I see that doof.fm and stream.doof.fm resolve to the same IP.
Q1. What is the name/IP of the Icecast server?
I see that doof.fm already has a valid cert (https://doof.fm) at that IP.
[that could be used for other things - on other ports - on that same system/IP]

No, by no means.
[free certs are free certs - take what you need from wherever it comes easiest]

1 Like

icecast is running on 103.43.75.123

1 Like

Ok, so that is another IP.
As such, it will need another name.
[certs are assigned to names]
[names are assigned to IPs]

Q2. What name will you be using for Icecast?

Q3. What is the O/S of the Icecast system?

Q4. How much access do you have to the Icecast system?

Q5. Is there a provider of that service, or are you running it there yourself?

1 Like

the plan was to have the website doof.fm and then embed a HTML5 player which would get the icecast stream from 103.43.75.123… so. ideally, the visitors would only have to visit the one website which would pull the stream from wherever…

the website hosting provider has VPS for $75 so I decided to go to Vultr where I could get it for like $5 (lol)

so when setting up the Icecast server on the VPS, it asked for an Icecast2 hostname so I used stream.doof.fm (was this my first mistake?)

A3. Icecast is running on the VPS with ubuntu 19.10
A4. terminal access
A5. Vultr

I’ll say this now and probably later - I really appreciate your help… I haven’t had much experience on this and haven’t posted on a forum in a decade - so, thank you :smiley:

2 Likes

You can still use that name (or create a new one)…
The name would need to point to the other IP.
[or you would have to proxy the stream through the first server - not recommended]

Yes, the users will be clicking on a link on the main site.
That link (if encrypted) will need a cert; and certs require names.
So, the embedded link will NOT be something like:
http://103.43.75.123:7890/channel/1/stream
but more like:
https://audio.doof.fm:7890/channel/1/stream
[as examples - I don’t know how Icecast formats its links]

1 Like

so how do I configure this?

I can reinstall the VPS server and start from scratch and compile Icecast again, no worries ( I’ve had to do this like 18 times already haha :()

but when I get to the Icecast hostname - what do I use?
and then when I install certbot, what do I do?

1 Like

Going forward:
Step #1: Learn how to operate an Icecast server
[presuming you have already done enough of that]
Step #2: Learn how to apply a certificate to an Icecast server/stream.

Getting the cert is simple:
Step #1: Install certbot
Step #2: run certbot
[requires a valid name that resolves to that IP]

That is up to you (users may never even see the name).
So, it can be as simple as:
a.doof.fm
or as complicated as:
myfirst.Icecast.server.doof.fm

1 Like

Other non-essential questions:
O1: Why Ubuntu 19.10?
[.10s have shorter product lifetimes]

1 Like

it was the latest version… should I reinstall to 18.04?

sorry if I’m being dense :frowning:

in this instance, if I set up the Icecast server on stream.doof.fm which is running on 103.43.75.123 how do I get certbot to certify that particular IP? because when I did that earlier and typed certbot certonly … it gave the error logged above?

1 Like

See: https://ubuntu.com/about/release-cycle
I would use the latest LTS version.
[LTS = Long Term Support - or is that LongTerm Support? - or maybe it’s Long-Term Support]

That doesn’t (yet) make sense.
Because stream.doof.fm does NOT equal 103.43.75.123.
Name: stream.doof.fm
Address: 103.27.32.28
You can “fix” that by changing the IP for that name (DNS control panel?).
Or create a new name; that points to 103.43.75.123.

1 Like

okie… so…

stream.doof.fm when created as the icecast hostname and running on the VPS is 103.43.75.123
but
stream.doof.fm when created as the subdomain on the hosting is 103.27.23.28

is that the issue? that there are two conflicting stream.doof.fm ?

1 Like

They don’t conflict.
Your understanding is… a bit off.
I could put up a server with that name too.
The Icecast server has a name that it doesn’t “own”.
The “owner” of the name is controlled by DNS.
And DNS says that 103.27.32.28 is stream.doof.fm
That is the only stream.doof.fm - there is no other.
You need to change that; and you can.
You control the domain, you control the DNS for it.
You need to change the DNS to say that 103.43.75.123 is stream.doof.fm.
Then the whole Internet will know where it “really” is.

1 Like

ah sweet…

so I’ve gone into my webhosting provider and changed the IP address for doof.fm to point to 103.43.75.123 instead of 103.27.32.28
gonna wait for a few mins and try certbot again
hopefully will progress :slight_smile: and report back soon

1 Like

doof.fm or stream.doof.fm?

I changed doof.fm on my website to point to 103.43.75.123

yes? or should I change the VPS server instead??

:confounded:

1 Like

I can’t do the design for you.
The requirements are simple:
You want Icecast to use a cert.
Certs are assigned to names.
Names resolve to IP address(es).
The Icecast server needs a name.
[you already installed it as “stream.doof.fm”]
That name needs to point to the IP of the Icecast server.
Then you can install certbot and obtain a cert for that name (easily) at that IP.
Then you can use that cert with Icecast to encrypt your “stream(s)”.

1 Like
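
The requirement the replies above keep returning to (the name must resolve to the machine where certbot runs before the http-01 challenge can succeed) can be checked before requesting a cert. This is an added example, not part of the original thread; the function names `resolve_a` and `http01_preflight` are hypothetical, and it assumes `dig` is installed.

```sh
#!/bin/sh
# Pre-flight for certbot's http-01 challenge: the name must resolve to the
# host where certbot runs. Function names here are hypothetical.

# Print the IPv4 addresses DNS returns for $1, one per line.
# Assumes dig (dnsutils) is installed; CNAME lines are filtered out.
resolve_a() {
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' || true
}

# Exit status: 0 = every A record is $2, 1 = some record points elsewhere,
# 2 = no A record at all. AAAA records, if any, need the same check.
http01_preflight() {
    pf_name=$1
    pf_server_ip=$2
    pf_bad=0
    pf_addrs=$(resolve_a "$pf_name")
    if [ -z "$pf_addrs" ]; then
        echo "FAIL: $pf_name has no A record"
        return 2
    fi
    for pf_addr in $pf_addrs; do
        if [ "$pf_addr" != "$pf_server_ip" ]; then
            echo "FAIL: $pf_name -> $pf_addr, but certbot runs on $pf_server_ip"
            pf_bad=1
        fi
    done
    if [ "$pf_bad" -eq 0 ]; then
        echo "OK: $pf_name -> $pf_server_ip"
    fi
    return "$pf_bad"
}

# Usage: sh preflight.sh stream.doof.fm 103.43.75.123
if [ "$#" -ge 2 ]; then
    http01_preflight "$1" "$2"
fi
```

With the DNS state shown in the thread (stream.doof.fm resolving to 103.27.32.28 while Icecast runs on 103.43.75.123) the check fails with status 1, which is the condition behind the "unauthorised" response certbot reported.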