Related issues: #956 #358 #809
There have been an increasing number of requests to allow SSL configuration for Icecast and Liquidsoap. Until now, the HTTP proxy implemented on the nginx level (rewriting /radio/8000 to ip-address:8000) was sufficient to implement SSL across the board, but increasingly people want SSL to be served directly through the corresponding frontend/backend services themselves.
At the moment, I'm at a loss for an elegant, clean way to accomplish this within the confines of the AzuraCast app.
One of the cleanest ways to manage SSL key generation and revocation would be to integrate it directly into AzuraCast itself.
There are obvious advantages to this, such as allowing the generated SSL certs to automatically be integrated into both the Icecast and Liquidsoap configurations. We could also use the cron task synchronization that AzuraCast already has to handle auto-renewal of the certificates.
The primary obstacle to this approach, at the moment, is finding a PHP ACME/LetsEncrypt client that can be cleanly integrated into AzuraCast and handle the ACME process elegantly. There are a number of popular clients (like Certbot) that aren't in PHP, and plenty of PHP clients that operate entirely from the PHP CLI, but few that can be included as client libraries (i.e. via Composer).
If anyone knows of some tools or software that could help with this process, please let me know. Otherwise, my current recommendation of using the nginx proxy via the main 80/443 ports remains the best practice for handling this.
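For reference, this is what the nginx-level proxy described above looks like when it terminates TLS on 443 and forwards the `/radio/8000` path to a plain-HTTP Icecast listener. It is an added illustration, not AzuraCast's shipped configuration; the hostname, certificate paths, the `127.0.0.1:8000` bind address and the `/radio/8000/` prefix are placeholders.

```nginx
# Added example of the nginx TLS-terminating proxy for an Icecast port.
# Not AzuraCast's own config: hostname, cert paths and ports are placeholders.
server {
    listen 443 ssl;
    server_name radio.example.com;

    # Certificates issued to the public hostname; only nginx needs to read them.
    ssl_certificate     /etc/letsencrypt/live/radio.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/radio.example.com/privkey.pem;

    # Requests under /radio/8000/ are forwarded over plain HTTP to Icecast,
    # which is bound to loopback so it is never exposed without TLS.
    location /radio/8000/ {
        proxy_pass http://127.0.0.1:8000/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Audio streams are long-lived responses: never buffer them, and
        # keep the upstream read timeout well above the default 60s.
        proxy_buffering off;
        proxy_read_timeout 3600s;
    }
}

# Plain-HTTP listener that only redirects to the TLS endpoint.
server {
    listen 80;
    server_name radio.example.com;
    return 301 https://$host$request_uri;
}
```

With this layout the certificate lives only in the nginx container/host, so renewal touches a single file set and Icecast and Liquidsoap never need to see the private key.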
I'm currently using Acme PHP to generate certificates for my websites. This library can be required via Composer. They have a CLI version that can also read config files to create the certs, and the core module that handles the Let's Encrypt protocol is also available to be used directly in other applications. Here is the core package on Packagist.
@Vaalyn Ah, I saw the CLI part when I was exploring, but not the Composer component part. That will likely make an excellent starting point.
My current solution to this problem has been to continue using the Certbot program (as it is the gold standard for managing and renewing certificates), but fixing issues with permissions that were causing Icecast to not properly recognize the generated SSL certs and automating LetsEncrypt renewal, which is now automatically taken care of by the main web service.
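The permission problem mentioned above is a common one, because Icecast's `<ssl-certificate>` setting expects a single PEM file containing the certificate chain followed by the private key, and that file must be readable by the service account Icecast runs as without being world-readable. The helper below is an added example, not AzuraCast's code; it assumes a service group named `icecast` and takes the Certbot output paths as arguments (all placeholders).

```shell
#!/bin/sh
# Added example (not AzuraCast's own code). Assumptions: Icecast runs under a
# service group named "icecast" (placeholder) and reads one PEM bundle that
# holds the certificate chain followed by the private key.
set -eu

# Build the bundle Icecast expects from Certbot's separate files.
# Usage: build_icecast_bundle <fullchain.pem> <privkey.pem> <out.pem> [group]
build_icecast_bundle() {
    fullchain=$1; privkey=$2; out=$3; group=${4:-icecast}
    umask 077
    cat "$fullchain" "$privkey" > "$out"
    # Group-readable only: the bundle contains the private key, so it must
    # never be world-readable (0644 is the usual mistake after a renewal).
    chmod 0640 "$out"
    if getent group "$group" >/dev/null 2>&1; then
        chgrp "$group" "$out"
    fi
}

# Verify a bundle is usable: readable, contains both parts, not world-readable.
# Returns 0 when it passes, a distinct non-zero code for each failure.
check_icecast_bundle() {
    bundle=$1
    [ -r "$bundle" ] || { echo "missing or unreadable: $bundle"; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$bundle" || { echo "no certificate in $bundle"; return 2; }
    grep -q 'PRIVATE KEY' "$bundle" || { echo "no private key in $bundle"; return 3; }
    # Octal mode, GNU stat first, BSD stat as fallback; last digit is "other".
    mode=$(stat -c '%a' "$bundle" 2>/dev/null || stat -f '%Lp' "$bundle")
    case "$mode" in
        *[1-7]) echo "world-readable: $bundle (mode $mode)"; return 4 ;;
    esac
    return 0
}
```

Running `check_icecast_bundle` from the renewal hook (after `build_icecast_bundle`) and before reloading Icecast turns a silent "cert not recognized" failure into a logged, non-zero exit that the cron/renewal job can surface.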