SSL certificate renewal failure for Icecast 2

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
radio.exploradio.fr

I ran this command:
sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/radio.exploradio.fr.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for radio.exploradio.fr
Failed to renew certificate radio.exploradio.fr with error: Couldn't create root for renew_hook http-01 challenge responses: [Errno 2] No such file or directory: 'cat /etc'

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/radio.exploradio.fr/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Icecast 2.4.4

The operating system my web server runs on is (include version): Ubuntu 24.04.1 LTS

My hosting provider, if applicable, is: [Ovh] (Cloud Computing & Hébergement Web | OVHcloud France)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

If needed, the Renewal file: /etc/letsencrypt/renewal/radio.exploradio.fr.conf

# renew_before_expiry = 30 days
version = 2.9.0
archive_dir = /etc/letsencrypt/archive/radio.exploradio.fr
cert = /etc/letsencrypt/live/radio.exploradio.fr/cert.pem
privkey = /etc/letsencrypt/live/radio.exploradio.fr/privkey.pem
chain = /etc/letsencrypt/live/radio.exploradio.fr/chain.pem
fullchain = /etc/letsencrypt/live/radio.exploradio.fr/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 1a616e669395a5ebf1ef359c72e1c2b8
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
webroot_path = /usr/share/icecast2/web,
[[webroot_map]]
renew_hook = cat /etc/letsencrypt/live/radio.exploradio.fr/fullchain.pem /etc/letsencrypt/live/radio.exploradio.fr/privkey.pem | sudo tee /etc/icecast2/bundle.pem && service icecast2 restart

I am the one who added the last line to this file:
renew_hook = cat /etc/letsencrypt/live/radio.exploradio.fr/fullchain.pem /etc/letsencrypt/live/radio.exploradio.fr/privkey.pem | sudo tee /etc/icecast2/bundle.pem && service icecast2 restart

I was following this guide to successfully get an SSL certificate, but the renewal process validation failed: Icecast HTTPS/SSL with Let's Encrypt: Setup Guide - Media Realm

I can also provide the certbot debug log file content if needed. Please just tell me if it is safe to share it or if I should not copy/paste some parts of it.

Thank you so much for your help.

That line should not be within the webroot_map section. It belongs in the renewalparams section. Such as after key_type

Was there previously a line in the webroot_map section? I don't know if Certbot requires one but I have one in a renewal profile I recently created.

We recommend not to make manual changes to these renewal config files. Very minor incorrect entries can cause significant problems. Sometimes even incorrect new-line characters and such.

With your version of Certbot you can use the reconfigure command. See

sudo certbot help reconfigure

Any version of Certbot will re-make the renewal profile just by repeating the original command with any new options.

Lastly, I did not test your long hook command but I personally prefer putting more complex series of commands in a script and invoke the script instead. This gives flexibility of adding things like logger or echo commands in the script to validate operation. You also don't have to modify Certbot profiles for routine system changes.


What is the <listen-socket>, see Configuration File - Icecast Docs, for the Icecast server?

Also it seems that Apache is the server for your Icecast, correct?

$ curl -k -Ii http://radio.exploradio.fr/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Date: Tue, 26 Nov 2024 22:04:47 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

Edit

Here is a list of issued certificates crt.sh | radio.exploradio.fr, the latest being 2024-11-19.

Edit 2

From here Icecast HTTPS/SSL with Let's Encrypt: Setup Guide - Media Realm (the link you provided), this is bad advice apt-get install certbot.
Instead see Get Certbot — Certbot 3.0.1 documentation

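A pre-flight check for the 404 shown in the curl output above, written as an added example (not the thread's commands and not Certbot's own code): it drops a token file under the webroot's .well-known/acme-challenge/ and fetches it over plain HTTP on port 80 without following redirects, which mirrors what the CA does (it only follows redirects to ports 80 or 443). The domain and webroot are parameters you supply; the fetcher function is swappable so the check can also be exercised offline.

```shell
#!/bin/sh
# Pre-flight check for certbot's webroot authenticator: confirm that a file
# written under <webroot>/.well-known/acme-challenge/ is exactly what port 80
# serves for http://<domain>/.well-known/acme-challenge/<file>.
# Constructed example; domain and webroot are assumptions passed by the caller.

# fetch_token DOMAIN TOKEN -> prints the body port 80 returns, then a line
# with the HTTP status and any redirect target. -L is deliberately NOT used:
# a redirect to e.g. :8443 must be reported, not silently followed.
fetch_token() {
    curl -s --max-time 10 -o - -w '\n%{http_code} %{redirect_url}' \
        "http://$1/.well-known/acme-challenge/$2"
}

# check_webroot DOMAIN WEBROOT [FETCHER]
# Returns 0 when the served body starts with the token written into WEBROOT,
# 1 on a mismatch (404, redirect, other vhost), 2 if WEBROOT is not writable.
check_webroot() {
    domain=$1; webroot=$2; fetcher=${3:-fetch_token}
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 2
    # Random file name, like the challenge tokens certbot creates
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s' "$token" > "$dir/$token"
    body=$("$fetcher" "$domain" "$token")
    rm -f "$dir/$token"
    case "$body" in
        "$token"*) echo "ok: $webroot is what port 80 serves for $domain"; return 0 ;;
        *)         echo "mismatch for $domain, got: $body"; return 1 ;;
    esac
}
```

Run it as `check_webroot radio.exploradio.fr /var/www/html` against the webroot configured in the renewal .conf; a mismatch output that shows Apache's 404 page means the webroot_path points at a directory the port-80 server does not serve.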

Thank you very much for your answers and your help.
Sorry for this long answer.

<listen-socket>
    <port>8443</port>
    <ssl>1</ssl>
</listen-socket>

also, in the <path> I have: <ssl-certificate>/etc/icecast2/bundle.pem</ssl-certificate>

you can listen to the https Icecast flow on radio.exploradio.fr:8443

My server seems to be Apache: Do you think my webroot_path in my .conf file should be Apache too then? My objective is to have https on my Icecast page on port 8443 (radio.exploradio.fr:8443), that's why the webroot_path is Icecast.

I uninstalled Certbot from apt and installed the snap one. I'm currently running certbot 3.0.1

Should I put my renew_hook between the key_type line and the webroot_map section? I did not try that one yet.

Nothing more, if I am not mistaken.

I'm sorry, I'm a newbie, I am not sure I correctly understand how to use it yet (directly in the script or in the command line) and what its purpose is: reconfigure my renew .conf file?

I created a script file containing my command lines, put it in /home/ubuntu, and added this as the last line of my renew .conf file:
renew_hook = ./home/ubuntu/myscript.sh
Here is the result of sudo certbot renew --dry-run -v

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/radio.exploradio.fr.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Simulating renewal of an existing certificate for radio.exploradio.fr
Performing the following challenges:
http-01 challenge for radio.exploradio.fr
Using the webroot path /usr/share/icecast2/web for all unmatched domains.
Cleaning up challenges
Failed to renew certificate radio.exploradio.fr with error: Couldn't create root for renew_hook http-01 challenge responses: [Errno 2] No such file or directory: 'home/ubuntu'

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/radio.exploradio.fr/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Then, I deleted the last renew_hook line to check the original renew .conf file and I get this when sudo certbot renew --dry-run -v

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/radio.exploradio.fr.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Simulating renewal of an existing certificate for radio.exploradio.fr
Performing the following challenges:
http-01 challenge for radio.exploradio.fr
Using the webroot path /usr/share/icecast2/web for all unmatched domains.
Waiting for verification...
Challenge failed for domain radio.exploradio.fr
http-01 challenge for radio.exploradio.fr

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: radio.exploradio.fr
  Type:   unauthorized
  Detail: 54.36.183.156: Invalid response from http://radio.exploradio.fr/.well-known/acme-challenge/KOKkoq3CL1ZBXKVtlB_quyJgQJ53fr9qZErUZ6qXoys: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Failed to renew certificate radio.exploradio.fr with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/radio.exploradio.fr/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Does it mean that my original file was already not working, before I had any renew_hook, if I did not break anything in the meantime, of course?

Again, thanks a lot!


Hello again,
I might have found a solution (or a false solution).

I followed @MikeMcQ advice and put my renew_hook line before the webroot_path line in my certbot renew .conf file.

Then I changed the webroot_path from Icecast to Apache (/var/www/html/) since my Apache is the one "listening" on port 80.

# renew_before_expiry = 30 days
version = 2.9.0
archive_dir = /etc/letsencrypt/archive/radio.exploradio.fr
cert = /etc/letsencrypt/live/radio.exploradio.fr/cert.pem
privkey = /etc/letsencrypt/live/radio.exploradio.fr/privkey.pem
chain = /etc/letsencrypt/live/radio.exploradio.fr/chain.pem
fullchain = /etc/letsencrypt/live/radio.exploradio.fr/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 1a616e669395a5ebf1ef359c72e1c2b8
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
renew_hook = ./home/ubuntu/exploradio/ScriptCertbotrenew_hook.sh
webroot_path = /var/www/html/,
[[webroot_map]]

The script in the file /home/ubuntu/exploradio/ScriptCertbotrenew_hook.sh includes:

#!/bin/bash

sudo cat /etc/letsencrypt/live/radio.exploradio.fr/fullchain.pem /etc/letsencrypt/live/radio.exploradio.fr/privkey.pem | sudo tee /etc/icecast2/bundle.pem && service icecast2 restart

I don't know if the script works but I hope so.

It turned out that the sudo certbot renew --dry-run command went well:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/radio.exploradio.fr.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for radio.exploradio.fr

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/radio.exploradio.fr/fullchain.pem (success)

I just hope now that should be enough to allow https on my Icecast2 flow on port 8443: radio.exploradio.fr:8443
Am I right or am I mistaken?

Thanks again.


You should not have a period at the start of that path. That means start at the current directory and look for path within it of /home/...

To test a deploy-hook with --dry-run you need to do

sudo certbot renew --dry-run --run-deploy-hooks

By default, dry-run does not run deploy-hooks since a cert was not created by --dry-run

See: User Guide — Certbot 3.1.0.dev0 documentation

Yes, to properly update the renewal .conf file. It will also run a --dry-run validation before applying changes. Just run: sudo certbot help reconfigure for instructions

That said, I think your renewal profile is probably good now. Keep this in mind for future.

I see a valid connection on port 8443. Is it working for you?

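A hardened version of the bundle-building hook discussed in the two posts above (the script in /home/ubuntu/exploradio and the advice on the leading "." and --run-deploy-hooks), written as an added example rather than the thread's script or Certbot code. It uses the RENEWED_LINEAGE and RENEWED_DOMAINS variables Certbot exports to deploy hooks, writes the bundle atomically with mode 0640 so the private key is not world-readable (tee with the default umask leaves it 0644), and only restarts Icecast when actually invoked by Certbot. The Icecast group name (icecast) and the bundle path are assumptions; check the changeowner section of icecast.xml for the real user and group.

```shell
#!/bin/sh
# Certbot deploy/renew hook for Icecast: concatenate fullchain + privkey into
# bundle.pem and restart Icecast. Added example, not the thread's script.
# Assumptions: Icecast runs as group "icecast" (see <changeowner> in
# icecast.xml); Certbot exports RENEWED_LINEAGE/RENEWED_DOMAINS to the hook.
set -eu

LINEAGE=${RENEWED_LINEAGE:-/etc/letsencrypt/live/radio.exploradio.fr}
BUNDLE=${BUNDLE:-/etc/icecast2/bundle.pem}
OWNER=${OWNER:-root:icecast}

# build_bundle LINEAGE_DIR OUT_FILE OWNER
# Writes fullchain.pem + privkey.pem to OUT_FILE atomically with mode 0640,
# so only root and the Icecast group can read the private key.
build_bundle() {
    lineage=$1; out=$2; owner=$3
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || {
        echo "missing fullchain.pem or privkey.pem in $lineage" >&2; return 1; }
    tmp=$(mktemp "$(dirname "$out")/.bundle.XXXXXX")
    # umask 077 in a subshell: the temp file is never world-readable, even briefly
    ( umask 077; cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp" )
    chmod 0640 "$tmp"
    chown "$owner" "$tmp" 2>/dev/null || true   # non-root run (e.g. tests): keep caller's ownership
    mv -f "$tmp" "$out"                          # atomic replace: Icecast never reads a half-written file
}

# Restart only when Certbot invoked us (RENEWED_LINEAGE set), so sourcing this
# file for testing never touches the service.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_bundle "$LINEAGE" "$BUNDLE" "$OWNER"
    logger -t certbot-hook "bundle rebuilt for ${RENEWED_DOMAINS:-$LINEAGE}; restarting icecast2"
    service icecast2 restart
fi
```

Reference it in the renewal .conf as an absolute path (renew_hook = /home/ubuntu/exploradio/ScriptCertbotrenew_hook.sh, no leading "."), make it executable, and verify with sudo certbot renew --dry-run --run-deploy-hooks as advised above.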

Thank you very much for your help.
I did sudo certbot renew --dry-run --run-deploy-hooks and had some issues indeed:

Hook 'deploy-hook' reported error code 127
Hook 'deploy-hook' ran with error output:
 /bin/sh: 1: ./home/ubuntu/exploradio/ScriptCertbotrenew_hook.sh: not found

So, as you told me, I deleted the "." before my path/to/script.sh in my renew_hook line and re-ran the command without any trouble that time: I got the 'deploy-hook' output I was looking for.

I do have for now SSL on my port 8443. I hope that for the certificate renewal, it will be the same. Otherwise, I should open a new ticket.

Once again, thank you very much for your kind help and the time you took to explain how to configure my file correctly and get out of trouble!


Hi @Exploradio,

The HTTP-01 challenge states "It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443."

You should be fine as long as you do not redirect to HTTPS, since you have port 443 closed and the challenge cannot work when redirected to port 8443.


Hi @Bruce5051,
Thank you for your message.

If I understand well (which I'm not sure), that's why I'm using the following script as renew_hook in my renewal certbot .conf file:

#!/bin/bash

sudo cat /etc/letsencrypt/live/radio.exploradio.fr/fullchain.pem /etc/letsencrypt/live/radio.exploradio.fr/privkey.pem | sudo tee /etc/icecast2/bundle.pem && service icecast2 restart

That way, I suppose my Icecast2 should be able to use the ssl certificate on the port 8443 as settled in my Icecast2 configuration file.

<listen-socket>
    <port>8443</port>
    <ssl>1</ssl>
</listen-socket>

in the <path> I have: <ssl-certificate>/etc/icecast2/bundle.pem</ssl-certificate>

It's working for now, I just don't really understand how. If it doesn't work for the renewal, I guess I should try to configure my Icecast to listen on port 443 for SSL and then configure my webroot_path in certbot renew .conf file with Icecast one.

Thanks for your help, it's well appreciated


Would it not be much less complex to simply reverse-proxy Icecast with Apache and handle all things TLS with Apache?


Yes it should; and you can see it here https://decoder.link/sslchecker/radio.exploradio.fr/8443 using this certificate crt.sh | 15542634369

Please see:
