AzuraCast: How to install LetsEncrypt?

Created on 31 Oct 2017 · 17 comments · Source: AzuraCast/AzuraCast

How do I install a LetsEncrypt SSL certificate? I use install method 1...

question

All 17 comments

I'd like to know how to install ANY SSL cert for azuracast.

All AzuraCast instances will serve their web interface via both ports 80 and 443, with 443 using a self-signed certificate by default. You can then use a reverse proxy service like CloudFlare to provide a fully secure radio station for your listeners.

The reason SSL isn't necessarily a "first-class citizen" in AzuraCast has to do with its upstream components: both Icecast and Shoutcast don't easily or intuitively support SSL, and historically this has meant that the only way to listen to a radio station over a fully secure connection was to proxy the connection via nginx. AzuraCast does this as part of its default configuration, forwarding URLs in the form of /radio/8000/stream.mp3 to localhost:8000/stream.mp3.

If you're using the traditional installer, you can supply your own SSL certificates by directly updating the nginx configuration at /etc/nginx/sites-enabled/00-azuracast. Replace the self-signed SSL cert path with the path of your own, restart nginx, and you'll be up and running.

If you're using Docker, you can alter the built-in docker-compose.yml file to map its configuration files to a custom path on your host, where you can then override the SSL settings. Assuming you create a path like /var/azuracast/nginx to store your local config, you can update your Docker Compose file to look something like:

version: '2'

services:
  nginx:
    image: azuracast/azuracast_nginx:latest
    ports:
      - '80:80'
      - '443:443'
    depends_on:
      - web
      - stations
    volumes:
      - .:/var/azuracast/www
      - /var/azuracast/nginx/azuracast.conf:/etc/nginx/conf.d/azuracast.conf
      - /var/azuracast/nginx/ssl/:/etc/nginx/ssl
    restart: always

Thanks.. I am trying that...

LetsEncrypt would be a good addition to this project. I tried and did not get the SSL protection.

Here is how I use AzuraCast with LetsEncrypt.

  1. I generate a LetsEncrypt certificate with Certbot using this command:
    $ sudo certbot certonly -d example.com
  2. I check that the certificate is correctly installed:
    $ sudo ls -l /etc/letsencrypt/live/example.com
    We should find cert.pem, chain.pem, fullchain.pem and privkey.pem in the folder.

  3. Then I generate a strong Diffie-Hellman group:
    $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

  4. I create the SSL configuration in Nginx:
    $ sudo nano /etc/nginx/snippets/ssl-example.com.conf
    In the file I include the SSL certificates:

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

  5. I create some strong SSL parameters:
    $ sudo nano /etc/nginx/snippets/ssl-params.conf
    Inside the file, I enter the ciphers from https://cipherli.st/ .
    I include the OpenDNS IPs, changing
    resolver $DNS-IP-1 $DNS-IP-2 valid=300s; to resolver 208.67.222.222 208.67.220.220 valid=300s;
    I also include the strong Diffie-Hellman group generated before, changing
    ssl_dhparam /etc/nginx/dhparam.pem; to ssl_dhparam /etc/ssl/certs/dhparam.pem;
    Finally, I comment out add_header X-Frame-Options DENY; with a # to avoid some issues with embedding the radio.
    I save the file, and we can continue.

  6. Last step, I edit the server block to use a good SSL setting:
    $ sudo nano /etc/nginx/sites-available/default (replace default by your server block)
    In the file, I replace:

server {
    listen 80;
    listen 443 default_server ssl;

    ssl_certificate    /etc/nginx/ssl/server.crt;
    ssl_certificate_key    /etc/nginx/ssl/server.key;

by:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    include snippets/ssl-example.com.conf;
    include snippets/ssl-params.conf;
    # the rest of the original server block (server_name, location blocks) continues unchanged below

and the original server_name localhost; by server_name example.com;
Then I save the file, run $ nginx -t to check whether there is any error in my new config, and if everything is good, I run $ nginx -s reload. And that's all!

Some notes:

  • You need a domain name to use this configuration.
  • Be sure to always replace example.com by your domain name.
  • It enables HSTS, and doesn't support IE < 9, Android < 2.2 or Java < 6.
  • Be sure to renew your domain.
  • I included the OpenDNS DNS servers, but you can use any DNS server.

If you have any remarks on my config, I'm open :)

Good advice to try it out .. Thanks ..

Hey!

That works, thanks Donokami, and please add this to the Wiki :)

No problem. I would suggest a rework of the Nginx part of the AzuraCast installation, to eventually use that kind of configuration and to avoid conflicts between the original Nginx configuration on the server and the one needed by AzuraCast. I will open an issue to suggest this :)

@Donokami There should not be an original nginx configuration on the server where you host AzuraCast. The traditional installation instructions are very clear in that the software should be spun up in a clean environment, and with Docker all of the requisite software is self-contained and thus avoids conflicts of that sort by design.

@SlvrEagle23 Hello! It's true, but if you want to install an SSL certificate, the update procedure erases it. The certificate becomes invalid because the default AzuraCast configuration was applied to nginx.

@FrBillyD @Donokami @Berttas @Gartral

Thank you all for your patience. With HTTPS becoming a gold standard across the web, there has been a great deal of demand for AzuraCast to add support for LetsEncrypt. I am happy to announce that LetsEncrypt is now a first-class part of the AzuraCast Docker installation method!

First, update your Docker install to the latest version with ./docker-update.sh, then follow the instructions on the readme here: https://github.com/AzuraCast/AzuraCast#setting-up-https-with-letsencrypt

In a few short steps, you will have a fully secured AzuraCast installation. Once LetsEncrypt is set up, don't forget to visit the settings page and set "Always Use HTTPS" to "Yes", which will enforce secure cookies, HSTS and other security measures.

Hello @SlvrEagle23! Thanks a lot! What about the traditional installation? We are hosted on Scaleway infrastructure (VPS) and we can't use Docker because of its limitations and our choices. How do we proceed without the risk of losing the SSL configuration?

@FrBillyD Similar to what the Docker install does, you should create a symlink between whatever SSL cert you install (via LetsEncrypt or any other method) and the paths expected by AzuraCast, namely /etc/nginx/ssl/server.crt and /etc/nginx/ssl/server.key for the fullchain certificate and private key, respectively. If those files exist, they won't be replaced by the update process.
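Tying the two approaches in this thread together, here is an added helper script (written for this page, not AzuraCast's own tooling) that checks a certbot-issued pair before nginx is pointed at it, links it into the /etc/nginx/ssl/server.crt and server.key names the updater leaves alone, and installs a certbot deploy hook so every renewal is re-validated and reloaded. Every path is a parameter; the demo at the bottom runs against a constructed self-signed certificate, so it needs neither a domain nor root. The directory /etc/letsencrypt/renewal-hooks/deploy/ (where certbot runs post-renewal executables) and the RENEWED_LINEAGE variable certbot exports to them are certbot behaviour, not something the thread states.

```shell
#!/bin/sh
# Added example for this thread, not AzuraCast's own code.
# Validates a LetsEncrypt cert/key pair, links it into the filenames the
# AzuraCast nginx config expects, and installs a certbot deploy hook.
# All paths are parameters; the demo uses a constructed self-signed pair.
set -eu

# cert_key_match CERT KEY
# Succeeds only if the public key inside CERT is the one derived from KEY.
# Comparing digests of the DER-encoded public keys works for RSA and ECDSA alike.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS
# Succeeds if CERT is still valid DAYS days from now. LetsEncrypt certificates
# last 90 days, so fewer than about 30 remaining means renewal has been failing.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# link_into_nginx LIVE_DIR NGINX_SSL_DIR
# Refuses a mismatched pair, then symlinks fullchain.pem/privkey.pem to the
# server.crt/server.key names the AzuraCast updater leaves untouched. Symlinks
# (not copies) mean a renewed certificate is live at the next nginx reload.
link_into_nginx() {
    live=$1; dest=$2
    cert_key_match "$live/fullchain.pem" "$live/privkey.pem" \
        || { echo "refusing: $live/fullchain.pem does not match privkey.pem" >&2; return 1; }
    mkdir -p "$dest"
    ln -sfn "$live/fullchain.pem" "$dest/server.crt"
    ln -sfn "$live/privkey.pem" "$dest/server.key"
}

# install_deploy_hook HOOK_DIR
# Writes an executable hook. certbot runs every executable in
# /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal and sets
# RENEWED_LINEAGE to the live directory that was just renewed.
install_deploy_hook() {
    mkdir -p "$1"
    cat > "$1/reload-nginx.sh" <<'EOF'
#!/bin/sh
set -e
openssl x509 -in "$RENEWED_LINEAGE/fullchain.pem" -noout -checkend 0
nginx -t
nginx -s reload
EOF
    chmod 0755 "$1/reload-nginx.sh"
}

# demo: exercise the functions against a constructed self-signed pair that
# stands in for /etc/letsencrypt/live/example.com (no domain or root needed).
demo() {
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj /CN=example.com \
        -keyout "$work/privkey.pem" -out "$work/fullchain.pem" >/dev/null 2>&1
    link_into_nginx "$work" "$work/nginx-ssl"
    install_deploy_hook "$work/renewal-hooks"
    if cert_valid_for_days "$work/fullchain.pem" 30; then
        echo "ok: pair matches, more than 30 days left, linked under $work/nginx-ssl"
    else
        echo "warning: certificate expires within 30 days" >&2
    fi
}

demo
```

On a real host the calls are `link_into_nginx /etc/letsencrypt/live/example.com /etc/nginx/ssl` and `install_deploy_hook /etc/letsencrypt/renewal-hooks/deploy`, run as root, followed by `nginx -t && nginx -s reload`. The key-match check catches the common failure behind "still serving the self-signed certificate" reports: nginx loaded, but with a fullchain.pem that does not belong to the key beside it, or with the old files because the new ones were never linked in.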

@SlvrEagle23 I ask you to re-evaluate enabling icecast-kh encryption with AzuraCast. icecast-kh has made some drastic improvements to its encryption capability. All dependencies are already installed and it only needs some minor config file updates. I tested on Docker and it works great. With my limited knowledge of Docker, your actual implementation would be smoother. Either way, it's really easy!!!

Improvements to icecast-kh
https://karlheyes.github.io/
8/5/2017
--autodetect SSL connections on incoming sockets. No need for in listen-socket now but is still there for compatibility. _(THIS IS BIG!!! We no longer need to use different ports for encrypted and unencrypted, dramatically reducing complexity)_
--add in to allow for combined PEM or for separate SSL key/certificate files. _(THIS IS BIG TOO! No longer need a separate process after updating Let's Encrypt to combine your fullchain and private key into one PEM file for icecast to read it!)_

How to implement on docker:

  1. Reference your live (letsencrypt or nginx) fullchain and private pem files in your icecast.xml files.
  2. Restart appropriate icecast-kh service
  3. Update your Let's Encrypt update process to restart icecast-kh services after updating certificates.

How I implemented on docker because of my lack of docker config knowledge:

  1. I copied my live fullchain.pem and private.pem files from /var/lib/docker/volumes/azuracast_nginx_letsencrypt_certs/_data/live/myradiodomain.tld/
    to
    /var/lib/docker/volumes/azuracast_station_data/_data/myradio/config/
  2. I chown user:group to match the other config files

  3. I updated the icecast.xml file:
    /var/lib/docker/volumes/azuracast_station_data/_data/myradio/config/icecast.xml
    Adding the following in the paths section:

<ssl-private-key>/var/azuracast/stations/myradio/config/privkey.pem</ssl-private-key>
<ssl-certificate>/var/azuracast/stations/myradio/config/fullchain.pem</ssl-certificate>

You can also define the ciphers if you don't want the defaults:
<ssl-allowed-ciphers>ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS</ssl-allowed-ciphers>

  4. I restarted the icecast-kh service

Since icecast-kh allows both http and https off of the same port, no need to update liquidsoap... it will still connect to icecast as it was originally defined. However, a user can now connect to the stream (same port) either encrypted or unencrypted. What a Christmas present!!!

Here is log file /var/lib/docker/volumes/azuracast_station_data/_data/myradio/config/icecast_error.log

[2017-12-25  18:24:36] INFO connection/get_ssl_certificate SSL certificate found at /var/azuracast/stations/myradio/config/fullchain.pem
[2017-12-25  18:24:36] INFO connection/get_ssl_certificate SSL private key found at /var/azuracast/stations/myradio/config/privkey.pem
[2017-12-25  18:24:36] INFO connection/get_ssl_certificate SSL using ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
[2017-12-25  18:24:36] INFO connection/connection_setup_sockets 1 listener socket(s) for port 8030
[2017-12-25  18:24:36] INFO connection/connection_setup_sockets 1 listening sockets setup complete

@amavarick Your request is an excellent and very detailed one, but would you mind making it a separate issue so I can track its progress independently?

I agree that it's worth looking into the Icecast encryption settings again, and using secure direct connections when possible. This ticket, though, refers to allowing LetsEncrypt support via the main web service, which I'm considering implemented and closing.

The link
https://github.com/AzuraCast/AzuraCast#setting-up-https-with-letsencrypt

Does not have any step by step instructions on how to get the SSL certificate installed.
I have finally managed to get AzuraCast running on my home server via the Docker method!
It's working great. However I have no idea how to install the security certificate in the most basic and step by step way.
Can you please provide a step by step method (With Docker Install method) to install the certificate please. I have absolutely no idea and cannot find simple instructions.

Yeah, I've done ./docker.sh letsencrypt-create many a time and it's still serving me with the same self-signed certificate.
