I am trying to make work icecast 2 and my letsencrypt SSL with no luck. So far what I did is built icecast 2 with openssl support and I also made it run but it always give the next error in the log file.
[2018-03-15 12:48:21] WARN connection/get_ssl_certificate Invalid private key file /usr/local/icecast/share/fullchain.pem
[2018-03-15 12:48:21] INFO connection/get_ssl_certificate No SSL capability on any configured ports
I have set these cert files readable by user: richard and of course I am also running the server itself with the richard user.
Maybe you have any idea what is wrong?
You may also see my config file here:
<listen-socket>
<port>8443</port>
<ssl>1</ssl>
</listen-socket>
In the path section I have set the ssl-certificate part to the SSL.
<ssl-certificate>/usr/local/icecast/share/icecast/fullchain.pem</ssl-certificate>
Nothing so far. The server itself is starting on the port, however when visiting it through https:// it just doesn't load. with http:// the port (8443) works fine.
Any help appricated.
Actually, I solved the issue myself.
The problem was the SSL not the configurations. Seems the LetsEncrypt SSL that is generated (fullchain.pem) is not working correctly. So instead of using that, I have copied the content from cert.pem and privkey.pem and made a new file named icecast.pem and pasted both into one. (first cert and then the privkey) and now everything is works fine and secure!
I am a genius!!!
For the Icecast2 complete certificate, you can use the command:
cat /etc/letsencrypt/live/domain.com/fullcert.pem /etc/letsencrypt/live/domain.com/privkey.pem > /etc/icecast2/bundle.pem
This will concatenate and save both certificates to a single file called bundle.pem under icecast2 folder, to which you can point the icecast2 configuration.
I have also found this very helpful and complete guide for reference: https://mediarealm.com.au/articles/icecast-https-ssl-setup-lets-encrypt/
There is another way, by forwarding of Nginx, whose config is common on internet. So that the server only expose 80 and 443 port for http web. Then use letsencrypt for SSL of Nginx.
Related
I am trying to install a certificate using certbot from LetsEncrypt on a Raspberry Pi. I have installed Apache2 and created a webserver at http://subdomain.mydomain.com on the Raspberry Pi. The certbot command obtains a certificate and writes it to http://subdomain.mydomain.com/.well-known/acme-challenge/<etc.>
Background Info: I am doing this because I need a local server to address IoT devices and my Ajax calls are failing because I am not allowed to mix http with https. The IoT devices are incapable of a hosting a webserver with SSL - they use a simple http:/192.168.1.xx/<string> format
I don't want to create a DNS entry at my registrar/ISP because I am trying to create a scalable solution and creating hundreds (perhaps thousands if we do well) of subdomain entries there is impractical. Creating my own DNS server is a possibility, but I would rather just do it all on the Pi - my bash installation script will take care of everything (once I get it to work!).
I tried first to create an entry into the local hosts (/etc/hosts) file which looks like this:
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.1.1 SubDomain
192.168.1.111 subdomain.mydomain.com
This works for commands like ping, but not for nslookup or dig and definitely not for certbot. The certbot command finds my main server - DNS is configured with a * to go to my Public IP for all unknown subdomains:
A * xx.xx.xx.xx //My public IP address
So then I installed dnsmasq (See: When using proxy_pass, can /etc/hosts be used to resolve domain names instead of "resolver"?) and followed the configuration options shown here: How to Setup a Raspberry Pi DNS Server
However, that doesn't work either. certbot still looks at my main (external DNS) and finds my Public (wildcard) IP. Here's a summary of the changes made in /etc/dnsmasq.conf
domain-needed ## enabled
bogus-priv ## enabled
no-resolv ## enabled
server=8.8.8.8 ## added (#server=/localnet/192.168.0.1 left as is)
server=8.8.4.4 ## added
cache-size=1500 ##increased from 150
How can I force certbot to find and use my local/private IP 192.168.1.111? Any alternative solutions using scripts/redirection?
Create a wildcard certificate using Let's Encrypt DNS validation. You will then have to renew the certificate manually. Otherwise, your server must be on the public Internet with correct DNS settings.
I finally solved my problem but I abandoned LetsEncrypt entirely. The answer was not in DNS, but in approaching it from a completely different angle. This was pretty much 95% of the solution.
Important! This only works if you have control over the browser. We do, since it is for our kiosk application which runs in a browser.
Step 1: Become your own CA
Step 2: Sign your SSL certificate as a CA
Step 3: Import the signed CA (.pem file) into the browser (under Authorities)
Step 4: Point your Apache conf file to the local SSL (the process generates .key and .crt files for this as well).
I have a node app that is setup on SSH by running node osjs run --hostname=dc-619670cb94e6.vtxfactory.org --port=4100.
It starts at http://dc-619670cb94e6.vtxfactory.org:4100/ without problems, but instead I want to serve it through HTTPS https://dc-619670cb94e6.vtxfactory.org:4100/ , where I receive an error ERR_CONNECTION_CLOSED.
If I use the port I'm unable to reach it with https, but https://dc-619670cb94e6.vtxfactory.org/ is accessible.
How can I serve the port 4100 through htttps?
Thanks.
This is an implementation detail of OS.js. Their docs recommend setting up a reverse proxy for servers. Doing this will give you more control over SSL and ports, like you want
https://manual.os-js.org/installation/
I installed nodejs and created a sample app. When I run npm start I get a message saying that I can open my web browser to http://localhost:3000 to see the app in action, but this installation is on a web server - not my local computer, so, instead of localhost:3000 I want to get there using something like mydomain.com:3000
I can't find the answer, it's very likely I just don't know how to search for it... any ideas?
I'm following the tutorial here: https://facebook.github.io/react/tutorial/tutorial.html
I think I only needed to get away from this for a while. I got it working using ssh local forwarding.
I already used an ssh config file to log in to my server without having to remember the password, so I just added this line to my config file:
LocalForward localhost:3000 xxx.xxx.xxx.xxx:3000
where xxx.xxx.xxx.xxx is my server IP address.
Then, I connected to my server via ssh:
ssh -f -N mysite
Once connected, I open up the browser and go to localhost:3000 and there it is now.
I used my ssh config file, but it should also work without it.
ssh -f -N -R 3000:localhost:3000 mydomain.com
I found this command that eventually led me to solve my problem in this link: http://stuff-things.net/2016/01/20/tunneling-to-localhost/
I have hosted my website in Azure. I have created a Virtual Machine on which i have installed LAMP stack as i am using php for my website. I have a sub domain along with the main domain. I want to install SSL for both.
My client has provided me the certificate for SSL installation. I search many Stack overflow post but could not find any post helpful for a beginner like me.
Thanks
Certificate Installation: Apache 2.4.8+
Under Linux, to check the version number of your Apache server, execute the following command:
apache2ctl -version
or
apachectl -version
Note : If your Apache server's version is less than 2.4.8, please skip this article and go this link
Prerequisites:
Concatenate the CAbundle and the certificate file which we sent you using the following command.
cat domain_com.crt domain_com.ca-bundle > ssl-bundle.crt
If you are Using GUI Text Editor (Ex: Notepad):
(i) To concatenate the certificate files into single bundle file, first open domainname.crt and domainname.ca-bundle files using any text editor.
(ii) Now copy all the content of domainname.crt and paste it on the top of domainname.ca-bundle file.
(iii) Now save the file name as ‘ssl-bundle.crt’.
Configure the Apache server:
Locate the Apache configuration file (example httpd.conf / ssl.conf), the configuration file name can be different depending on your apache version or flavour. Or in a Windows environment (EasyPHP, Wamp, ...) :
C:\Program Files\Apache Software Foundation\Apache X.X\conf\SSL2015
C:\Program Files\Apache Software Foundation\EasyPHP\SSL2015
In a standard installation under Linux, the SSL advanced configuration file is located here:
/etc/apache2/mods-enabled/ssl.conf
but it is not in this file that you will activate the certificate for a website. You'll have to edit the file
/etc/apache2/sites-enabled/default-ssl.conf
Use the following command to figure out where Apache is pulling its configuration from:
apache2ctl -V | grep SERVER_CONFIG_FILE
or just
apachectl -V | grep SERVER_CONFIG_FILE
The situation for ubuntu on Apache differs, as the configurations for 443 and 80 ports for each site are located in separate files. You can find it at /etc/apache2/sites-enabled/ Edit or create the file with the VirtualHost for 443 port to set up the secure connection.
Actually you can duplicate the record for port 80 (should be in your VirtulHost file by default) and change port 80 to port 443. Simply add it below non-secure module.
In the Virtual Host settings for your site, locate the SSL certificate settings section and verify that you have the following 2 directives within the Virtual Host. Please add them in if they are not present:
SSLCertificateKeyFile ( path to the private_key.key file used for the initial generation of the CSR)
SSLCertificateFile ( path to the PEM file containing the end entity certificate and the intermediates )
Example VirtualHost Configuration:
DocumentRoot /etc/httpd/htdocs
ServerName comodo.com
SSLEngine on
SSLCertificateFile /usr/local/ssl/crt/ssl-bundle.crt
SSLCertificateKeyFile /usr/local/ssl/private/private.key
Note: As with the example above, file names can be domainname.crt, server.key, your server however may use a different naming convention. If you are using a different file location than the example above, you will need to change the paths to match your files on the server.
If you want to enable OCSP Stapling for the website, please add the following directive to the Virtual Host section:
SSLUseStapling on
Also specify OCSP cache response location and size outside of the Virtual Host section using SSLStaplingCache directive:Converting a SSL certificate in Apache to Windows
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
Note: OSCP Stapling can be configured starting from Apache HTTP server 2.3.3 and later.
After making changes to your config file it is good practice to check the file for syntax errors using "apachectl configtest". The command will return Syntax Ok if there are no errors.
Restart your apache web server:
apachectl stop
apachectl start
To verify if you have correctly installed the SSL, please use our SSL Analyzer.
You can check this link.
https://support.comodo.com/index.php?/Knowledgebase/Article/View/1185/0/certificate-installation-apache-248
Is in azure provided free SSL? Otherwise you will not be able to install SSL with green bars. You can donate at https://letsencrypt.org/ to get SSL service with low price and develop your website even better.
I had setup a web server on my raspberry pi that was accessible by a domain name. I needed to add Https access to it, so I got a SSL certificate and I followed the steps and instead of having an https domain name, I got this error, SSH-2.0-OpenSSH_6.7p1 Raspbian-5 Protocol mismatch
Ive tried to undo everything from the SSL certificate initializing steps, but I still get this error.
I can ssh into the pi still over wifi and when I run nc -zv my.hostname.com 80 it says that the connection succeeded. Likewise, I checked canyouseeme.org and my port 80 is not being blocked
Btw figured out the problem. I added some extra code in a config file in the ssh folder that caused problems. Got rid of the unecessary code and bam! Problem solved.