Using Stunnel to add ssl to shoutcast in OVH VPS [help]

I found this post where they explain how to get SSL on Shoutcast.
In one part , they say that the stunnel.pem format is:

rsa key first
certificate second
cabundle/intermediate third

The problem is that my OVH VPS can not get CA bundle certificates for what is exposed in this thread.
Any ideas for solving the stunnel.pem?

Hi @juanam,

I’m glad that you found an approach that may help with your Shoutcast problem.

I think that the discussion in the other thread has also provided a good solution for this. If you create a subdomain of your own domain, you can get certificates for that subdomain instead of for the domain. The certificate for your subdomain should work fine with stunnel once you have it.

Hi @schoen,
I already got the certificates! :slight_smile:
I have:
cert.pem chain.pem fullchain.pem privkey.pem
Now I need to create the stunnel.pem
It must have this format:

rsa key first
certificate second
cabundle/intermediate third

What would be the commands to create and/or concatenate those 3 certificates to achieve stunnel.pem?
Remember that I am a newbie, therefore these questions may be obvious to you. :blush:

@juanam, this is the command tha you should use

cat privkey.pem fullchain.pem > stunnel.pem

The above command should be executed from the dir that contains the pem files and will leave stunnel.pem in the same dir.


Hi @sahsanu,
That way it does not work.

@juanam, you have the shoutcast server listening in that ip and port so it is not using stunnel. I don’t know how or where you configured stunnel.

Also, I’ve been using stunnel for a long time to cover several services and I always used two directives for stunnel, cert that points to fullchain.pem and key that points to privkey.pem

Something like this:

accept = 1234
connect =
cert = /etc/letsencrypt/live/radio.domain.tld/fullchain.pem
key = /etc/letsencrypt/live/radio.domain.tld/privkey.pem

This configuration start stunnel on port 1234 using the certificates for radio.domain.tld and redirect the connection to your shoutcast server. on port 8820.

If you access to one of my domains on port 1234 (this link will be deactivated in 24 hours) you will see how it works.

Note: Keep in mind that you can’t start stunnel in the same machine and port that uses the shoutcast server, if you are configuring stunnel in the machine where the shoutcast server is installed, use another port as in my example (1234) or use 8820 but start the shoutcast server on a different port… port 9921 for example.

1 Like

Here is a radio that did it!
I hope someone with experience here can help me to achieve it, is the last thing I need for the green lock.


@sahsanu is someone with experience who is trying to help you achieve it :smiley:

He has even done a proof for you so not sure why you are ignoring his assistance

A) What is the website of your Station
B) What is the IP of your streaming server
C) Are you using shoutcast to stream (i.e. pushing one stream to
D) Are you using windows or linux?


@ahaw021, as @juanam has some problems to speak in English I’m already helping him by private messages. If he doesn’t give up I’ll post a resume here.

1 Like

ah ok :smiley:

if its a windows box let me know if you need help :smiley:


1 Like

Thanks Andrei, I fixed it with the help of @sahsanu

1 Like

Topic solved!
Thanks to @sahsanu for the patience, the support and the solution.
He’s a genius!


Wow, that’s great. Now we can all keep in mind that stunnel is a valid means of solving this problem if other people ask in the future. Nice work, @sahsanu!

1 Like

@juanam, I assume that you’ve also thought about renewal (this certificate will expire in 90 days and needs to be updated, possibly by running certbot renew regularly from cron).

@schoen, I had a log conversation with @juanam and all aspects of the renewal are already covered… and tested :wink:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.