I found this post where they explain how to get SSL on Shoutcast.
In one part , they say that the stunnel.pem format is:
rsa key first
certificate second
cabundle/intermediate third
The problem is that my OVH VPS can not get CA bundle certificates for what is exposed in this thread.
Any ideas for solving the stunnel.pem?
Hi @juanam,
I’m glad that you found an approach that may help with your Shoutcast problem.
I think that the discussion in the other thread has also provided a good solution for this. If you create a subdomain of your own domain, you can get certificates for that subdomain instead of for the ovh.net domain. The certificate for your subdomain should work fine with stunnel once you have it.
Hi @schoen,
I already got the certificates! 
I have:
cert.pem chain.pem fullchain.pem privkey.pem
Now I need to create the stunnel.pem
It must have this format:
rsa key first
certificate second
cabundle/intermediate third
What would be the commands to create and/or concatenate those 3 certificates to achieve stunnel.pem?
Remember that I am a newbie, therefore these questions may be obvious to you. 
@juanam, this is the command tha you should use
cat privkey.pem fullchain.pem > stunnel.pem
The above command should be executed from the dir that contains the pem files and will leave stunnel.pem in the same dir.
Cheers,
sahsanu
@juanam, you have the shoutcast server listening in that ip and port so it is not using stunnel. I don’t know how or where you configured stunnel.
Also, I’ve been using stunnel for a long time to cover several services and I always used two directives for stunnel, cert that points to fullchain.pem and key that points to privkey.pem
Something like this:
[shoutcast]
accept = 1234
connect = 1.2.3.4:8820
cert = /etc/letsencrypt/live/radio.domain.tld/fullchain.pem
key = /etc/letsencrypt/live/radio.domain.tld/privkey.pem
This configuration start stunnel on port 1234 using the certificates for radio.domain.tld and redirect the connection to your shoutcast server.1.2.3.4 on port 8820.
If you access to one of my domains on port 1234 https://27a.net:1234 (this link will be deactivated in 24 hours) you will see how it works.
Note: Keep in mind that you can’t start stunnel in the same machine and port that uses the shoutcast server, if you are configuring stunnel in the machine where the shoutcast server is installed, use another port as in my example (1234) or use 8820 but start the shoutcast server on a different port… port 9921 for example.
Here is a radio that did it!
I hope someone with experience here can help me to achieve it, is the last thing I need for the green lock.
@sahsanu is someone with experience who is trying to help you achieve it 
He has even done a proof for you so not sure why you are ignoring his assistance
A) What is the website of your Station
B) What is the IP of your streaming server
C) Are you using shoutcast to stream (i.e. pushing one stream to shoutcast.com)
D) Are you using windows or linux?
Andrei
@ahaw021, as @juanam has some problems to speak in English I’m already helping him by private messages. If he doesn’t give up I’ll post a resume here.
ah ok
if its a windows box let me know if you need help
Andrei
Topic solved!
Thanks to @sahsanu for the patience, the support and the solution.
He’s a genius!
Wow, that’s great. Now we can all keep in mind that stunnel is a valid means of solving this problem if other people ask in the future. Nice work, @sahsanu!
@juanam, I assume that you’ve also thought about renewal (this certificate will expire in 90 days and needs to be updated, possibly by running certbot renew regularly from cron).
@schoen, I had a log conversation with @juanam and all aspects of the renewal are already covered… and tested 
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.