In the Raspbian repositories, the Icecast2 package does NOT support encrypted connections via openssl. If you try to use the ssl tags in the /etc/icecast2/icecast.xml configuration file, Icecast will fail to start.
You’ll see something like this in /var/log/icecast2/error.log:
[2016-10-15 20:41:45] INFO connection/get_ssl_certificate No SSL capability.
To remedy this, you need to compile Icecast with openssl support enabled. I recommend installing Icecast2 from the repositories and then removing it. This builds all the configuration files in /etc/icecast2, creates a daemon user and group called icecast2 and icecast, respectively, and provides the init scripts necessary to start Icecast automatically during the boot process.
Make sure your repository cache is up-to-date:
sudo apt-get update
Install Icecast2 from the repositories:
sudo apt install icecast2
It will ask you three passwords to set. These will be stored as plain text in /etc/icecast2/icecast.xml, so choose your passwords wisely.
Remove Icecast2, but don’t purge:
sudo apt remove icecast2
Optionally, you can check whether the configuration files are still there:
ls -l /etc/init.d/ /etc/ | grep icecast
Install the development tools required to build Icecast from source:
sudo apt install git gcc build-essential
Note: I’m not positive these are all the development tools. Leave me a comment if you need help with this.
Now let’s get some of the dependencies required to compile Icecast from source. As of Icecast v. 2.4, it requires the following packages: libxml2, libxslt, curl (>= version 7.10 required), and ogg/vorbis (>= version 1.0 required). You’ll also need libssl-dev (of course).
sudo apt install libcurl4-openssl-dev libxslt1-dev libxml2-dev \ libogg-dev libvorbis-dev libflac-dev libtheora-dev libssl-dev
If apt reports you already have these installed, no worries. Let’s get compiling!
The development libraries provided above are only the bare minimum necessary to compile Icecast with SSL support. You can also install other libraries to extend the functionality of Icecast. Once you have the Icecast source downloaded, you can run
./configure -h to see some of the extra packages that are supported. For example, you can install the Speex library to provide support for this speech codec:
sudo apt install libspeex-dev
Make a folder that we can use to compile the source code.
cd /home/pi/; mkdir src; cd src
Clone the latest release of Icecast (See Icecast.org Downloads):
git clone --recursive https://git.xiph.org/icecast-server.git
Move into the source directory and prepare the configuration script:
cd icecast-server; ./autogen.sh
Configure the source code with SSL support enabled:
./configure --with-curl --with-openssl
The configure script will not report that SLL was enabled, it will only report if it’s disabled. You can check that the configuration was successful by running this:
grep lssl config.status
Grep should output a line similar to this:
S["XIPH_LIBS"]=" -lssl -lcrypto -L/usr/lib/arm-linux-gnueabihf -lcurl -lspeex -ltheora -lvorbis -logg -lm -lxslt -lxml2 "
If so, then openssl has been successfully enabled for compilation. Alternatively, you can look for “configure: SSL disabled!” near the end of the configure script output.
If the SSL library was successfully enabled, compile Icecast:
If you have a 4-core ARM, let’s use all 4 of them:
make -j 4
Otherwise, stick with your single core 🙁
Compiling Icecast only takes about 3 minutes with 4-cores enabled on the RPi 3. This is a breeze compared to FFMPEG, which can take over 90 minutes.
sudo make install
Create a self-signed SSL certificate to be used for encryption:
sudo mkdir /etc/icecast2/ssl; sudo openssl req -x509 -nodes -days 1095 -newkey rsa:2048 \ -keyout /etc/icecast2/ssl/icecast.pem -out /etc/icecast2/ssl/icecast.pem
This command will provide you with several prompts to answer. Each one is optional, but I recommend filling in at least the Country, State or Province, and Organization.
Configure Icecast to use the newly minted SLL certificate. You need to tell Icecast to only use SSL on a particular port and where the SLL certificate is located:
sudo nano /etc/icecast2/icecast.xml
8443 … 1 … /etc/icecast2/ssl/icecast.pem
Since I was streaming with Darkice, I also needed to create another listen socket. This port will allow Darkice to communicate with Icecast. Icecast will stream to the world with the encrypted socket (port 8443), but communicate locally unencrypted with Darkice using port 8000.
Create symbolic links to the old repository version of Icecast2, so that we can use the /etc files:
sudo ln -s /usr/local/bin/icecast /usr/bin/icecast2 sudo ln -s /usr/local/share/icecast /usr/share/icecast2
Now, let’s start it up:
sudo service icecast2 start
And test whether Icecast is hosting via a browser:
Update (2016-10-31): Fixed symbolic link commands, added pre-requisites for building, and added a comment on adding optional packages to the build based on the comment from acrawford.