Hi
I’m trying to create an Alexa skill for Internet radio. I’ve followed a tutorial here - their code/stream works. When I substitute in my stream URL leaving everything else the same, the skill hangs so I think there might be a problem with the stream (and perhaps the cert).
The stream plays in VLC, Winamp, and if you cut and paste it into Firefox/Chrome.
My domain is: ssl.canstream.co.uk
Checking with curl, I ran the following command:
curl -v https://ssl.canstream.co.uk:8201/live.mp3
It produced the following output:
[itcrowd@machine ~]$ curl -v https://ssl.canstream.co.uk:8201/live.mp3
* About to connect() to ssl.canstream.co.uk port 8201 (#0)
* Trying 195.10.228.22... connected
* Connected to ssl.canstream.co.uk (195.10.228.22) port 8201 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Peer's certificate issuer is not recognized: 'CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US'
* NSS error -8179
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
Again checking with curl, I ran the following command which appeared to stream the URL:
curl -vk https://ssl.canstream.co.uk:8201/live.mp3
My web server is: Server version: Apache/2.2.15 (Unix)
[Not relevant]
The operating system my server runs is: Centos 6
My hosting provider, if applicable, is: self-hosted
I can login to a root shell on my machine: yes
I’m using a control panel to manage my site: no
The version of my client is: certbot 1.2.0
The cert I am using is made as follows:
cat privkey.pem > icecast.pem
cat cert.pem >> icecast.pem
The file icecast.pem consists of
-----BEGIN RSA PRIVATE KEY-----
[private key stuff]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[certificate stuff]
-----END CERTIFICATE-----
A tutorial here suggests that icecast.pem should be made as follows:
1) Your private key
2) Your SSL cert
3) CA Bundle
It is possible I did not use the above method as I followed a different tutorial which combined only the private key and the certificate - and it appeared to support streaming over SSL.
If I am to also combine CA Bundle, what file does that relate to? I have the following files:
cert.pem chain.pem fullchain.pem privkey.pem
What file does CA Bundle relate to: fullchain.pem?
I hope you can help. Many thanks in advance.
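
Added example, not part of the original post: a small shell check of which PEM blocks a combined file such as icecast.pem contains, in the order the tutorial quoted above lists (private key, certificate, CA bundle). It assumes certbot's documented file layout, where chain.pem holds the intermediate certificate(s) and fullchain.pem is cert.pem followed by chain.pem; the function names and the PEM bodies are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). PEM bodies below are constructed
# placeholders, not real key or certificate data.

# Classify a combined PEM file against the order the tutorial lists:
# private key, then server certificate, then CA bundle (intermediates).
check_combined_pem() {
    awk '
        /^-----BEGIN .*-----$/ {
            n++
            if ($0 ~ /PRIVATE KEY-----$/) { keys++; if (n != 1) misplaced = 1 }
            else if ($0 ~ /^-----BEGIN CERTIFICATE-----$/) certs++
        }
        END {
            if (keys != 1)       print "bad-key"    # none, or more than one
            else if (misplaced)  print "bad-order"  # key is not the first block
            else if (certs == 0) print "no-cert"
            else if (certs == 1) print "no-chain"   # leaf only, no intermediate
            else                 print "ok"
        }' "$1"
}

# Assemble the combined file from certbot's files. fullchain.pem is cert.pem
# followed by chain.pem, so key + fullchain.pem gives the same layout.
build_icecast_pem() {   # $1 = directory with certbot files, $2 = output file
    ( umask 077 && cat "$1/privkey.pem" "$1/cert.pem" "$1/chain.pem" > "$2" )
}

# Write placeholder certbot-style files into directory $1 (constructed sample).
make_sample_files() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'a2V5' \
        '-----END RSA PRIVATE KEY-----' > "$1/privkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'bGVhZg==' \
        '-----END CERTIFICATE-----' > "$1/cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'aW50ZXJtZWRpYXRl' \
        '-----END CERTIFICATE-----' > "$1/chain.pem"
}

demo=$(mktemp -d)
make_sample_files "$demo"
cat "$demo/privkey.pem" "$demo/cert.pem" > "$demo/as-posted.pem"   # method in the post
build_icecast_pem "$demo" "$demo/with-chain.pem"
echo "key + cert only:    $(check_combined_pem "$demo/as-posted.pem")"
echo "key + cert + chain: $(check_combined_pem "$demo/with-chain.pem")"
rm -rf "$demo"
```

The check is structural only: it counts and orders PEM blocks and does not validate signatures, names or expiry.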