First, we run a radiostation on the web.
For that purpose we have streaming service on a separate computer.
This computer serves the music on several ports, 80 8000 8080 8085
The Domain used for this is http://nvradio.info.
We want that to be https://nvradio.info for several reasons.
There is no webserver on the computer
So, do we have to run a web server in order to use the streamers
First, we run a radiostation on the web.
If you are willing to put IceCast (at least, on port 80) behind a reverse proxy like nginx, this can be very trivial to do.
Does that sound like something you’d be willing to try?
Edit: whoops, Windows. That complicates matters a little bit, but the principle is the same. Yes, a web server would enable you to do this with the least pain.
Sure willing to try everything.
I have however no knowledge on how to do this.
I believe one plan worth trying is something like:
Download a Let’s Encrypt client like https://certifytheweb.com
Use it to create a certificate for
nvradio.info: When prompted, you want to use HTTP validation and point Certify to use the
./web directory of your IceCast installation (the
webroot according to the IceCast configuration).
At this point, you would have a certificate.
Now, you can configure IceCast directly to use the SSL certificate created by Certify with the
This all ends up being a bit inelegant because you would have to restart IceCast every time the certificate was renewed, which could interrupt your streams. IceCast 2.5 beta supports reloading the renewed certificate without interrupting the streams, but it’s not a production release so I assume you won’t want to use it.
You could, instead of configuring IceCast directly with the certificate, choose to use a webserver like Apache to proxy HTTPS for IceCast so you only need to reload Apache rather than restart IceCast.
Will dig into this. Been an IT consultant for more than 25 years, but this is new to me.
Will inform you on how it goes.
I think the docs do NOT cover Windows implementations.
The SSL option requires it being compiled against OpenSSL.
Was this install compiled from source code?
That still leaves the proxy option (#1 on my suggestion list).
One other option is you could use a DNS challenge type instead of http, acme-dns is the easiest option in a lot of cases.
You can do with with the latest version of Certify and a webserver (IIS etc) is not required to fetch the certificate. However, certify produces a pfx so you would need to script (Show Advanced Options> Scripting) a conversion using openssl to .pem (you need to generate a file with both the private and public key, according to the docs). In the future we will add export to .pem as a deployment option.
There is an example script you could adapt at the bottom of this thread: https://community.certifytheweb.com/t/filezilla-server-ps-script/141/2
The real problem is not in getting a cert, it is in applying a cert to a system that may not be TLS capable.
Back again as we have not solved the matter. Here is an update sofar:
First, we have a Windows 10 environment that hosts all our streaming services. Up till now we have only run Shoutcast 2 but as it not usable for ssl connections we must move over to Icecast.
We now have one “service/lab instance” of Icecast running at
http://vgsound.online:8085/stream.ogg and that is OK, but we want this to run over https. As described before here is no webserver involved and we run all our services hosted by ourselves. Icecast is right out of the box.
Now, we have managed to get the files for the SSL from SSL for Free /Letsencrypt resulting in three different files: ca_bundle.crt , certificate.crt and private.key. The certificate is made for domain vgsound.online
Now the thing is to get the stream running for https://vgsound.online:8085/stream.ogg. In the config.xlm file we have tried all sorts of combination without luck.
Please tell us what to do. We have got all the ingrediances but don’t know how to get this running.
The problem I see is that Icecast for Windows doesn’t support SSL.
You may have to insert a proxy that can stream ogg and do it securely.
Or use a different O/S.