The earlier reverse-proxy solution had hiccups when thousands of listeners connected, so we explored serving HTTPS directly from Icecast. Then PB discovered icecast-kh, an interesting fork of icecast2 with improved SSL certificate handling that does not need a restart when the certificate is updated:
https://github.com/karlheyes/icecast-kh
https://github.com/xiph/Icecast-Server/issues/20
https://github.com/AzuraCast/AzuraCast/issues/358 says the following:
8/5/2017
--autodetect SSL connections on incoming sockets. No need for in listen-socket now but is still there for compatibility. (THIS IS BIG!!! We no longer need to use different ports for encrypted and unencrypted dramatically reducing complexity)
--add ssl-private-key in paths to allow for combined PEM or for separate SSL key/certificate files. (THIS IS BIG TOO! No longer need a separate process after updating let's encrypt to combine your fullchain and private cert into one pem file for icecast to read it!)
--select https/http URL in autogenerated m3u based on incoming request.
So this is what was implemented, with a Let's Encrypt certificate. icecast-kh was compiled with:
$ cd <directory where you have extracted the tar.gz>
$ ./configure --prefix=/home/ouruser/icecastkhSSL
$ make
$ make install
The SSL certificate is updated through change_ssl_certificate.sh:
#!/bin/sh
set -e
# Combine the private key and the Let's Encrypt full chain into one PEM, key first
cat /etc/ssl/private/ourserver.tld.key /root/.acme.sh/ourserver.tld/fullchain.cer > /path/to/icecast.pem.letsencrypt
# icecast-kh runs as ouruser and must be able to read the combined file
chown ouruser:ouruser /path/to/icecast.pem.letsencrypt
# Keep the previous bundle so it can be restored if the new one is bad
cp /path/to/icecast.pem /path/to/icecast.pem.backup
#echo "Backed up icecast.pem to icecast.pem.backup..."
cp /path/to/icecast.pem.letsencrypt /path/to/icecast.pem
Both jobs run from root's crontab every day; the certificate swap is scheduled a few minutes after the acme.sh renewal run:
43 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
50 0 * * * /home/path/to/scripts/change_ssl_certificate.sh > /dev/null
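A hardened form of that script, added here as an example rather than the post's own code: it does the same key+fullchain concatenation, but refuses to install a bundle that fails a structural PEM check, keeps the private key readable by its owner only, and replaces the file atomically so icecast-kh's certificate reload never reads a partially written PEM. The paths and the `ouruser` owner are the post's placeholders, the function names are mine, and the check only counts PEM blocks; it does not verify that the key matches the certificate.

```shell
#!/bin/sh
# Added example (not the post's own script): a hardened change_ssl_certificate.sh.
# It builds the key+fullchain bundle icecast-kh reads, checks it structurally,
# and swaps it in atomically with owner-only permissions, so the hot reload never
# sees a half-written file and the private key is never world-readable.

# pem_sanity_check FILE: succeed only if FILE holds exactly one private key block
# and at least one certificate block (a structural check, not a key/cert match).
pem_sanity_check() {
    f=$1
    [ -s "$f" ] || return 1
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ]
}

# install_combined_pem KEY CHAIN DEST [OWNER]
# Returns 0 when a new bundle was installed, 2 when DEST already had this content,
# 1 on any failure (in which case DEST is left untouched).
install_combined_pem() {
    key=$1; chain=$2; dest=$3; owner=$4
    [ -s "$key" ] && [ -s "$chain" ] || { echo "missing key or chain" >&2; return 1; }
    # Build in the destination directory so the final mv is a same-filesystem rename
    tmp=$(mktemp "$(dirname "$dest")/.icecast.pem.XXXXXX") || return 1
    chmod 0600 "$tmp"
    cat "$key" "$chain" > "$tmp" || { rm -f "$tmp"; return 1; }   # key first, then fullchain
    if ! pem_sanity_check "$tmp"; then
        echo "new bundle failed PEM sanity check; keeping current certificate" >&2
        rm -f "$tmp"; return 1
    fi
    if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
        rm -f "$tmp"; return 2                       # unchanged since last run
    fi
    if [ -f "$dest" ]; then cp -p "$dest" "$dest.backup"; fi
    # chown only when an owner is given (needs root); icecast-kh runs as that user
    [ -z "$owner" ] || chown "$owner" "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$dest"    # rename(2) is atomic: readers see the old or the new file
}

# Cron usage (constructed paths, adjust to your host):
# 50 0 * * * /home/path/to/scripts/change_ssl_certificate.sh \
#   /etc/ssl/private/ourserver.tld.key /root/.acme.sh/ourserver.tld/fullchain.cer \
#   /path/to/icecast.pem ouruser:ouruser > /dev/null
if [ "$#" -eq 4 ]; then
    install_combined_pem "$@"
fi
```

Exit status 2 lets the cron wrapper distinguish "nothing renewed today" from a real failure, which is the case worth alerting on.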