New User. Certificate expires prematurely

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: freedomradiofm.com

I ran this command: cat /etc/letsencrypt/live/stream.freedomradiofm.com/{fullchain.pem,cert.pem,privkey.pem} >icecast.pem

mv alexacert.pem alexacert.old ; mv icecast.pem alexacert.pem

ps -ef |grep alexa

It produced this output:

7123 6974 0 16:57 pts/1 00:00:00 grep alexa
icecast2 26045 1 10 Nov06 pts/1 4-14:02:24 /usr/local/bin/icecast -b -c etc/icecast2/alexa.xml

My web server is (include version):

The operating system my web server runs on is (include version): CentOS

My hosting provider, if applicable, is: servercheap.com

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I don't know how to find version

I am not a Linux user and I was left with this by former engineer. He said to look at the history on the server and just copy what was there. The former engineer is not available to help or to ask questions. I can renew the certificate but it dies prematurely so I am not doing something correctly. Below is what I do to renew.

Enter the following three commands:

root@vps:/etc/icecast2# cat /etc/letsencrypt/live/stream.freedomradiofm.com/{fullchain.pem,cert.pem,privkey.pem} >icecast.pem

root@vps:/etc/icecast2# mv alexacert.pem alexacert.old ; mv icecast.pem alexacert.pem

root@vps:/etc/icecast2# ps -ef |grep alexa

Reply from Console:

root 7123 6974 0 16:57 pts/1 00:00:00 grep alexa

icecast2 26045 1 10 Nov06 pts/1 4-14:02:24 /usr/local/bin/icecast -b -c etc/icecast2/alexa.xml

Enter next two commands:

root@vps:/etc/icecast2# kill 26045

root@vps:/etc/icecast2# ps -ef |grep alexa

Reply from console:

root 7148 6974 0 16:58 pts/1 00:00:00 grep alexa

Enter next command:

root@vps:/etc/icecast2# /usr/local/bin/icecast -b -c /etc/icecast2/alexa.xml

Reply from console:

Starting icecast2

Detaching from the console

root@vps:/etc/icecast2# Changed groupid to 113.

Changed supplementary groups based on user: icecast2.

Changed userid to 108.

After the last response my streams are now working temporarily. What am I missing or doing incorrectly?

Thanks in advance
Larry

1 Like

Can you explain what you mean by "prematurely"? Let's Encrypt certs are only valid for 90 days. It is recommended to renew with 30 days before expiry, so every 60 days.

And, welcome to the community @hamshack

4 Likes

I renewed it on 4/25, 5/13 and today 5/17.

For stream.freedomradiofm.com ?

Because I only see certs issued with that name on Mar 6 and May 17

https://tools.letsdebug.net/cert-search?m=domain&q=stream.freedomradiofm.com&d=2160

Why do you think you need to keep renewing the certs? What goes wrong?

4 Likes

My stream connections stop working; they can't connect to freedomradiofm.com unless I renew.

The cert.pem is already part of the fullchain.pem and it is not likely to be doing anything useful by being added a second time to the combined cert and key file that you are creating.

The fullchain.pem contains the leaf certificate (cert.pem) and the intermediate certificate.

3 Likes
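
The duplication described in the reply above can be checked on the combined file itself. This is an added example, not part of the original thread: `pem_summary` and `build_samples` are hypothetical helper names, and the PEM payloads are constructed placeholders rather than real certificates or keys.

```shell
#!/bin/sh
# pem_summary FILE: count the PEM blocks in a combined cert+key file and
# flag certificates that occur more than once (for example cert.pem
# appended after fullchain.pem, which already starts with the same leaf).
# Prints: certs=<n> unique=<n> duplicates=<n> keys=<n>
pem_summary() {
    awk '
        /^-----BEGIN / { inblock = 1; type = $0; body = ""; next }
        /^-----END / {
            if (inblock) {
                if (type ~ /PRIVATE KEY-----/) keys++
                else if (type ~ /BEGIN CERTIFICATE-----/) {
                    certs++
                    if (body in seen) dups++; else seen[body] = 1
                }
            }
            inblock = 0; next
        }
        inblock { gsub(/[ \t\r]/, ""); body = body $0 }
        END {
            printf "certs=%d unique=%d duplicates=%d keys=%d\n",
                   certs, certs - dups, dups, keys
        }
    ' "$1"
}

# Constructed sample data: placeholder payloads, not real certificates or keys.
build_samples() {
    d=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtTEVBRg==' \
        '-----END CERTIFICATE-----' > "$d/cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtSU5URVJNRURJQVRF' \
        '-----END CERTIFICATE-----' > "$d/chain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQtS0VZ' \
        '-----END PRIVATE KEY-----' > "$d/privkey.pem"
    cat "$d/cert.pem" "$d/chain.pem" > "$d/fullchain.pem"
    # Same file order as the command in the first post.
    cat "$d/fullchain.pem" "$d/cert.pem" "$d/privkey.pem" > "$d/as_posted.pem"
    # The same bundle without the second copy of the leaf certificate.
    cat "$d/fullchain.pem" "$d/privkey.pem" > "$d/deduplicated.pem"
}

tmp=$(mktemp -d)
build_samples "$tmp"
pem_summary "$tmp/as_posted.pem"
pem_summary "$tmp/deduplicated.pem"
rm -rf "$tmp"
```

On a real server the function takes the combined file directly, for example `pem_summary /etc/icecast2/alexacert.pem`.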

I appreciate you may not be an expert but more words or description is helpful. Most of us here are unpaid volunteers giving our time and expertise for free to you.

Can you show the URL that is failing?
Can you show the reason for the failure? Does a browser or app complain about something? What reason does it give?

Because you mention two different domain names in the first post
freedomradiofm.com and stream.freedomradiofm.com

But, these have different public IP addresses.

Because of below I was focusing on the stream subdomain. Is it really the base domain connections that are failing?

Are these the correct IP addresses for each domain?

nslookup freedomradiofm.com
Address: 162.255.119.28
nslookup stream.freedomradiofm.com
Address: 162.212.157.221

3 Likes

I apologize for my brevity but none of this makes any sense to me. Freedomradiofm.com is the domain name but my streams are stream.freedomradiofm.com. I have streams going to phone apps and to the website in MP3 and AAC in two different bitrates. When I know there is a problem is when we get complaints about the web and app stream. Looking at Stereo Tool I have six BUTT connections going and they just say connecting until I renew the cert. When I renew the cert then they can all connect immediately.

That is extremely helpful even though you won't like my response :)

I don't see many recent certs issued for either domain. So, it doesn't match that you think you got certs more often.

And, even if so, I think it more likely that something related to the other steps is what is making a difference. That is, the steps related to killing alexa and getting new group for icecast and so on.

An icecast forum is probably your best place to get this resolved (this is the part I did not think you would like)

Here is a nice tool to show issued certificates (there are several)
https://tools.letsdebug.net/cert-search?m=domain&q=freedomradiofm.com&d=2160
Sometimes there is as much as a 24-hour delay but it is reliable beyond that

4 Likes

Just to agree with @MikeMcQ, it looks like you have a certificate just fine but are just having trouble configuring it. While it's possible someone here knows about the server software you're running, it's not very likely. (Most people on the forum are just running web servers, though there are users of mail and FTPS and so forth scattered about.) Unless you can get some sort of error message from a system that explains what it isn't liking about how a certificate is configured, we're probably not going to be of much help.

4 Likes

Are you sure it's the renew of the certificate or just the restarting of your IceCast daemon which is part of your renewing process?

3 Likes

No, I am not sure of anything at this point. From the replies I have received it appears that the problem is with IceCast. I will look into that next. Thanks to everyone who offered comments.

2 Likes
