Icecast is a popular and well loved live audio streaming application. It is free, and requires very limited resources to run. My guide on how to host it for $3.50/month is still very popular. However, it can be confusing to understand how to enable SSL/HTTPS within Icecast.

In this guide, I explain how to enable HTTPS on Icecast, and how to generate SSL certificates for free via Lets Encrypt.

It’s becoming more and more important to supply your audio via HTTPS. With Chrome 80, released in January, Chrome attempts to automatically upgrade HTTP media requests to HTTPS. If the server doesn’t supply HTTPS media, the request will fail.

This guide assumes you’re running Ubuntu 18.04 or newer. Older versions may work, but there’s a lot of painful stuffing around with package dependencies.

Some online guides show you how to place Nginx or Apache in front of Icecast for SSL termination, but that’s not necessary. Ubuntu/Debian do not supply a version of Icecast with HTTPS support enabled (due to some licensing issues), but Xiph (the foundation behind Icecast) supplies repositories with a pre-built version of Icecast with SSL support.

Even if you already have the Debian/Ubuntu packages of Icecast already installed on your system, it’s easy to upgrade using the same process detailed below.

Installing Icecast with HTTPS Support

On your server, add the Xiph package repository to your apt source list:

sudo sh -c "echo deb http://download.opensuse.org/repositories/multimedia:/xiph/xUbuntu_18.10/ ./ >>/etc/apt/sources.list.d/icecast.list"

Download the signing key and add it to apt:

wget -qO - http://icecast.org/multimedia-obs.key | sudo apt-key add -

Note: at the time of writing, the key supplied in the above command has expired. You can instead use this command to download the the newer one from OpenSUSE directly:

wget -qO - https://build.opensuse.org/projects/multimedia:libs/public_key | sudo apt-key add -

Update the packages cache:

apt-get update

Now, you can install or update Icecast:

apt-get install icecast2

At this point, you may need to configure Icecast. If this is a new installation, jump over to my setup guide for detailed instructions. If this is an existing installation, Icecast should still be running with your existing configuration. Make sure you test this now.

Installing and running Lets Encrypt Certbot for Icecast

Now, we can begin to install and run the tools needed to generate an SSL certificate. This section assumes your server can be located at ‘stream.example.com’.

In order for the SSL Certificate validation to work, you will need to have DNS setup and pointing to this server. Icecast must already be running on Port 80. I am using the domain ‘stream.example.com’ in this guide – make sure you swap the paths out for your own.u

apt-get install certbot

Run certbot with the correct domain for your server:

certbot certonly --webroot-path="/usr/share/icecast2/web" -d 'stream.example.com'

When prompted, select the ‘webroot’ option and input your email address. Your certificate should be generated at this point. If you receive errors, take note of them and start doing some research online. The most common error is the inability to validate – in this case, make sure Icecast is accessible via DNS on Port 80, and check your webfoot is indeed ‘/usr/share/icecast2/web’.

We now need to concatenate two certificate files so they are in the correct format for Icecast to use:

cat /etc/letsencrypt/live/stream.example.com/fullchain.pem /etc/letsencrypt/live/stream1.example.com/privkey.pem > /etc/icecast2/bundle.pem

chmod 666 /etc/icecast2/bundle.pem

If you know which user Icecast is running under, you can run a chown instead of a chmod. Icecast needs to be able to read this new PEM file – that’s the goal here.

While we’re thinking about it, we should also make sure certificate renewals run correctly. Open the certificate config file in a text editor:

nano /etc/letsencrypt/renewal/stream.example.com.conf

Add this line to the [renewalparams] section:

post_hook = cat /etc/letsencrypt/live/stream.example.com/fullchain.pem /etc/letsencrypt/live/stream.example/privkey.pem > /etc/icecast2/bundle.pem && service icecast2 restart

You can validate the renewal process to make sure it works correctly:

certbot renew --dry-run

Configure Icecast for SSL

We are now ready to finish this off and get Icecast running with our new certificate.

Edit Icecast.xml in a text editor:

nano /etc/icecast2/icecast.xml

Add this line to the <paths></paths> section:

<ssl-certificate>/etc/icecast2/bundle.pem</ssl-certificate>

Now, add this section to the document (in the root XML node):

<listen-socket>
    <port>443</port>
    <ssl>1</ssl>
</listen-socket>

Quit the text editor, and now restart Icecast:

sudo service icecast2 restart

If all goes well, you can now browse to httsp://stream.example.com/ and also listen to your internet streams over HTTPS.

Optional: DNS Validation

If you operate a round-robin configuration of Icecast, you may prefer to use DNS certificate validation instead of HTTP validation. This will allow every server to get a certificate for the one domain.

To do this, you need to install a DNS plugin for your provider. Suported providers include AWS Route53 and others.

Installation of the Route53 plugin on your server is easy:

apt-get install python3-certbot-dns-route53

You will need to create a new user in IAM with permissions on your DNS zone. This is done via the AWS IAM Console. Here is an example policy:

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
                 "route53:ListHostedZones",
                 "route53:GetChange"
             ],
             "Resource": "*"
         },
         {
             "Sid": "VisualEditor1",
             "Effect": "Allow",
             "Action": [
                 "route53:GetHostedZone",
                 "route53:ChangeResourceRecordSets",
                 "route53:ListResourceRecordSets"
             ],
             "Resource": "arn:aws:route53:::hostedzone/ABCDEF"
         }
     ]
 }

You will need to install the AWS CLI on your server. When prompted, insert the AWS IAM credentials provided to you via the AWS Console.

curl "https://d1vvhvl2y92vvt.cloudfront.net/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"  unzip awscliv2.zip  ./aws/install  aws configure

When initially requesting the certificate via certbot, your command would look like this:

certbot certonly
–dns-route53
-d ‘stream.example.com’