In the Raspbian repositories, the Icecast2 package does NOT support encrypted connections via openssl. If you try to use the ssl tags in the /etc/icecast2/icecast.xml configuration file, Icecast will fail to start. You'll see something like this in /var/log/icecast2/error.log:
INFO connection/get_ssl_certificate No SSL capability.
To remedy this, you need to compile Icecast with openssl support enabled. I recommend installing Icecast2 from the repositories and then removing it. This builds all the configuration files in /etc/icecast2, creates a daemon user and group called icecast2 and icecast, and provides the init scripts necessary to start Icecast automatically during the boot process.
Make sure your repository cache is up-to-date:
sudo apt-get update
Install Icecast2 from the repositories:
sudo apt install icecast2
It will ask you to set three passwords. These will be stored as plain text in /etc/icecast2/icecast.xml, so choose your passwords wisely.
Remove Icecast2, but don't purge:
sudo apt remove icecast2
Optionally, you can check whether the configuration files are still there:
ls -l /etc/init.d/ /etc/ | grep icecast
Install the development tools required to build Icecast from source (I'm not positive this is everything. Leave me a comment if you need help with this.):
sudo apt install git gcc build-essential
Now let's get some of the dependencies required to compile Icecast from source. As of Icecast v. 2.4, it requires the following packages: libxml2, libxslt, curl (>= version 7.10 required), and ogg/vorbis (>= version 1.0 required). You'll also need libssl-dev (of course).
sudo apt install libcurl4-openssl-dev libxslt1-dev libxml2-dev libogg-dev libvorbis-dev libflac-dev libtheora-dev libssl-dev
If apt reports you already have these installed, no worries. Let's get compiling!
The development libraries provided above are only the bare minimum necessary to compile Icecast with SSL support. You can also install other libraries to extend the functionality of Icecast. Once you have the Icecast source downloaded, you can run
./configure -h
to see some of the extra packages that are supported. For example, you can install the Speex library to provide support for this speech codec:
sudo apt install libspeex-dev
Make a folder that we can get dirty.
cd /home/pi/
mkdir src
cd src
git clone --recursive https://git.xiph.org/icecast-server.git
Move into the source directory and prepare the configuration script:
cd icecast-server; ./autogen.sh
Configure the source code with SSL support enabled:
./configure --with-curl --with-openssl
The configure script will not report that SSL was enabled; it only reports when SSL is disabled. You can check that the configuration was successful by running this:
grep lssl config.status
Grep should output a line similar to this:
S["XIPH_LIBS"]=" -lssl -lcrypto -L/usr/lib/arm-linux-gnueabihf -lcurl -lspeex -ltheora -lvorbis -logg -lm -lxslt -lxml2"
If so, then openssl has been successfully enabled for compilation. Alternatively, you can look for "configure: SSL disabled!" near the end of the configure script output.
If the SSL library was successfully enabled, compile Icecast:
If you have a 4-core ARM, let's use all 4 of them:
make -j4
Otherwise, stick with your single core :(
make
Install Icecast:
sudo make install
Create a self-signed SSL certificate to be used for encryption:
sudo mkdir /etc/icecast2/ssl
sudo openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout /etc/icecast2/ssl/icecast.pem -out /etc/icecast2/ssl/icecast.pem
This command will provide you with several prompts to answer. Each one is optional, but I recommend filling in at least the Country, State or Province, and Organization.
Configure Icecast to use the newly minted SSL certificate. You need to tell Icecast to use SSL only on a particular port and where the SSL certificate is located:
sudo nano /etc/icecast2/icecast.xml
Since I was streaming with Darkice, I also needed to create another listen socket. This port will allow Darkice to communicate with Icecast. Icecast will stream to the world with the encrypted socket (port 9005), but communicate locally unencrypted with Darkice using port 8005.
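The two listen sockets and the certificate path described above could look like the following fragment. This is an added example, not the original post's configuration; it uses the `<ssl>` and `<ssl-certificate>` elements documented for Icecast 2.4, the ports 9005 and 8005 from the text, and the certificate path from the openssl command. Binding the unencrypted socket to 127.0.0.1 is an assumption that Darkice runs on the same machine.

```xml
<!-- Fragment of /etc/icecast2/icecast.xml; these elements go inside the
     existing <icecast> root element. Added example, not the author's file. -->

<!-- Public listener: encrypted, reachable by remote clients on port 9005. -->
<listen-socket>
    <port>9005</port>
    <ssl>1</ssl>
</listen-socket>

<!-- Source listener for Darkice: unencrypted on port 8005.
     Assumption: Darkice runs on the same host, so the socket is bound to
     loopback and the source password never crosses the network in clear text. -->
<listen-socket>
    <port>8005</port>
    <bind-address>127.0.0.1</bind-address>
</listen-socket>

<paths>
    <!-- Keep the entries already present in <paths> (basedir, logdir,
         webroot, adminroot, ...) and add the certificate location. -->
    <!-- The PEM file must contain both the private key and the certificate,
         which is what the openssl command above produces by writing
         both outputs to the same file. -->
    <ssl-certificate>/etc/icecast2/ssl/icecast.pem</ssl-certificate>
</paths>
```

Because icecast.pem holds the private key, restrict it so that only the daemon user created by the package can read it.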
Create symbolic links to the old repository version of Icecast2, so that we can use the /etc files:
sudo ln -s /usr/local/bin/icecast /usr/bin/icecast2
sudo ln -s /usr/local/share/icecast /usr/share/icecast2
sudo service icecast2 start
Test whether Icecast is hosting via a browser:
https://Your_RPi_IP:8443/
Details on centova forum
http://forums.centova.com/index.php?topic=4151