Shoutcast access to letsencrypt certs

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: rock101klol.com

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk Obsidian 18.0.68 Update #2 Web Pro Edition

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I am trying to upgrade my Shoutcast server to 2.6.1.777 so I can secure my stream. The Conf file needs paths to the certs so when the server is started it can run with SSL. I added the following paths to the conf file:

sslCertificateFile = /usr/local/psa/var/modules/letsencrypt/etc/live/rock101klol.com/privkey.pem
sslCertificateKeyFile = /usr/local/psa/var/modules/letsencrypt/etc/live/rock101klol.com/fullchain.pem

But when the server starts it spits out:

2025-04-01 00:43:53 WARN [MAIN] Invalid certificate file /usr/local/psa/var/modules/letsencrypt/etc/live/rock101klol.com/privkey.pem
2025-04-01 00:43:53 WARN [MAIN] failed to set up SSL, system lib

The server software is not run via a root user, so obviously the shoutcast user does not have permissions to the certs or their directories and I am assuming this is why it is failing.

How do I allow the Shoutcast user permissions to the directories and certs?

I think these might be the other way around. What does Shoutcast's documentation say about it?

4 Likes

Other way around?

They have disabled the documentation for some reason so I could not tell you. That's part of the problem.

Perhaps that will be a problem after I get the shoutcast user access to the directories. But I can't take ownership without breaking Plesk and letsencrypt's control over the certs.

Yes, just going by the config file settings I would have also guessed it should be

sslCertificateFile = /usr/local/psa/var/modules/letsencrypt/etc/live/rock101klol.com/fullchain.pem
sslCertificateKeyFile = /usr/local/psa/var/modules/letsencrypt/etc/live/rock101klol.com/privkey.pem

2 Likes
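
The two causes discussed so far, swapped `sslCertificateFile`/`sslCertificateKeyFile` paths and files the service user cannot read, can be told apart with a small check. This is an added example, not from any poster or from Shoutcast; it assumes the conf uses the `key = value` lines shown above, and the function names are made up for illustration.

```sh
#!/bin/sh
# Added example: tell swapped cert/key settings apart from a permissions problem.
# Run it as the account the server runs under so "unreadable" reflects that account.

# Kind of the first PEM block in FILE: certificate | private-key | unknown | unreadable
pem_kind() {
    [ -f "$1" ] && [ -r "$1" ] || { echo unreadable; return; }
    header=$(sed -n '/^-----BEGIN /{p;q;}' "$1" | tr -d '\r')
    case $header in
        *'PRIVATE KEY-----')           echo private-key ;;
        '-----BEGIN CERTIFICATE-----') echo certificate ;;
        *)                             echo unknown ;;
    esac
}

# Value of "KEY = value" in CONF (spaces around "=" optional); last occurrence wins.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$2" | tail -n 1
}

# Verdict for CONF: ok | swapped | unreadable | mismatch
check_tls_conf() {
    cert_path=$(conf_value sslCertificateFile "$1")
    key_path=$(conf_value sslCertificateKeyFile "$1")
    case "$(pem_kind "$cert_path")/$(pem_kind "$key_path")" in
        certificate/private-key) echo ok ;;
        private-key/certificate) echo swapped ;;
        *unreadable*)            echo unreadable ;;
        *)                       echo mismatch ;;
    esac
}

# Usage: sh this-script /path/to/shoutcast.conf   (conf path is a placeholder)
if [ "$#" -eq 1 ]; then check_tls_conf "$1"; fi
```

A verdict of `swapped` points at the settings, while `unreadable` points at directory or file permissions for the account that ran the check.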

Hello, I have managed to get it to work with my shoutcast server.

Pretty much you have to give your user account permissions to the letsencrypt directories live and archive.

sudo chmod +x /etc/letsencrypt/live
sudo chmod +x /etc/letsencrypt/archive
sudo chmod -R 0755 /etc/letsencrypt/live
sudo chmod -R 0755 /etc/letsencrypt/archive

2 Likes

Thank you, but will this break the letsencrypt/SSLit extension in the Plesk control panel?

I had it that way originally, but someone from the multitude of places I have been searching for help said it should be the other way, so I've tried it both ways and get the same error, which I believe is permissions related.

My paths are different, I assume because you are not running Plesk or some other software. Mine are:

/usr/local/psa/var/modules/letsencrypt/etc/live/rock101klol.com/
/usr/local/psa/var/modules/letsencrypt/etc/archive/rock101klol.com/

I do not want to break the extension by changing the permissions from the current owner. I just want to add the Shoutcast user to a group to allow the correct permissions if possible. Can you help me with that please?

Hey,

Yeah I am not using Plesk.

I would assume it won't break any extension as it's not changing the folder's actual user. I believe this should work.

1 Like

The current owner is psaadm. And in my archive directory it does not show the normal names. It appends a number each time it is renewed I assume.

The permissions on the live directory are different, and they have the standard names.

The /live/ folder should be symlinks to the most recent set of cert files in /archive/.

Your /archive folder allows read-only for everyone. Why do you think it needs more?

2 Likes

Yeah I have that as well with the renewal numbers. My owner however is root though shoutcast runs on a different user just fine.

1 Like

I don't think it needs more. If the archive folder allows read-only for all, why isn't that enough? I tried that directory and got the same error. When I try to change to the archive directory with the Shoutcast user, I get permission denied.

My Shoutcast server runs fine under the shoutcast user, has been for years, but when I try to start it with those lines for the SSL in the conf, it spits out that error.

Yeah that's why I am recommending those commands. Your user does not have access to the letsencrypt ssl directory and needs access to it.

1 Like

Yes, I understand and I'm sure that is the issue. I have multiple websites on this server and am just nervous I might break the letsencrypt/sslit extension in the console, but you think it should be fine? It's not going to remove psaadm as the owner of the directories and files?

I really appreciate your help Matt! Seems like it should be such a simple thing, but no real documentation I can find.

I did not see anywhere that both directories had to be accessed. Would you be willing to share that section of your conf please?

I think it should be fine, it will not remove psaadm as the owner 100% as my owner is root and I never set that. I run LetsEncrypt on root.
chmod +x just sets the directory executable
chmod -R 0755 just sets the directory readable and -R is for recursive

Worst case you can reverse that I think quite easily.

I don't remember where I found this but someone recommended these commands a few years back on a shoutcast forum.

Both directories have to be accessed because you are using the live on the config both times.
The privkey.pem redirects to the archive directory where it picks the recent numbered file.

My config:
sslCertificateFile=/etc/letsencrypt/live/domain.net/cert.pem
sslCertificateKeyFile=/etc/letsencrypt/live/domain.net/privkey.pem

1 Like

Private keys with 755? I imagine some software will complain about that eventually.

2 Likes
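
Added example, not part of any post in this thread: because the `live/` entries are symlinks into `archive/`, the service user needs traverse permission on every directory along both paths and read permission on the key file only. The filter below reads `namei -l` output and names the first component that stops a given user; the listing, the `certs` group and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: read `namei -l PATH` output on stdin and name the first
# component USER cannot get past. POSIX ACLs are ignored and component names
# are assumed to contain no spaces.

# first_blocker USER "GROUP1 GROUP2 ..."  -> prints "<name> <mode>" or "none"
first_blocker() {
    awk -v user="$1" -v grouplist="$2" '
    BEGIN { n = split(grouplist, g, " "); for (i = 1; i <= n; i++) member[g[i]] = 1 }
    /^f: / || $1 ~ /^l/ { next }   # skip the header line and symlinks
    !found {
        mode = $1
        if ($2 == user)        cls = substr(mode, 2, 3)      # owner bits apply
        else if ($3 in member) cls = substr(mode, 5, 3)      # group bits apply
        else                   cls = substr(mode, 8, 3)      # other bits apply
        if (mode ~ /^d/) ok = (substr(cls, 3, 1) ~ /[xst]/)  # directory: traverse
        else             ok = (substr(cls, 1, 1) == "r")     # final file: read
        if (!ok) { print $4, mode; found = 1 }
    }
    END { if (!found) print "none" }'
}

# Constructed listing in the shape `namei -l` prints; names, owners and modes
# are sample values, and the "certs" group is hypothetical.
sample_listing() {
    cat <<'EOF'
f: /etc/letsencrypt/live/example.net/privkey.pem
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x root root letsencrypt
drwxr-x--- root certs live
drwxr-xr-x root root example.net
lrwxrwxrwx root root privkey.pem -> ../../archive/example.net/privkey1.pem
drwxr-x--- root certs   ..
drwxr-xr-x root root   ..
drwx------ root root   archive
drwxr-xr-x root root   example.net
-rw-r----- root certs   privkey1.pem
EOF
}

# Real use, as root: namei -l PATH | first_blocker shoutcast "$(id -Gn shoutcast)"
sample_listing | first_blocker shoutcast "shoutcast certs"
```

In the sample, group access was granted on `live` but not on `archive`, so the result is `archive drwx------`; the key file itself stays at `rw-r-----` rather than world-readable.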