SynoCommunity / spksrc

Cross compilation framework to create native packages for the Synology's NAS
https://synocommunity.com

Installing Icecast with HTTPS Support #5374

Closed simistef closed 1 year ago

simistef commented 2 years ago

Is this a new Bug?

Package Name

Icecast

Package Version

1.4.4-7

Device Model

DS218+

Device Architecture

x86_64

Firmware Version

DSM 7.1-42661 Update 3

What happened?

I have successfully managed to install the icecast package and run it through HTTP. It runs just fine through Safari on any Mac or iOS device. However, it does not work in other browser players. As of Google Chrome 80, mixed content is no longer supported. If the stream is without SSL and the website is with SSL, the stream will no longer be played. Other browsers follow the example of Google. The solution is to set the stream to SSL.

My public site is running on SSL, but the stream from icecast is still in HTTP, and I believe this is the issue I am facing. Searching on the web I found this site that explains how to set up SSL, but I am unable to replicate this on my Synology.

Looking for any help out here on how I could make icecast stream in HTTPS/SSL.

Reproduction steps

see service log and above description

Install Log

2022/07/11 07:45:58 install icecast 2.4.4-7 Begin preinst
2022/07/11 07:45:58 Begin reload_inst_variables
2022/07/11 07:45:58 End reload_inst_variables
2022/07/11 07:45:58 Begin initialize_variables
2022/07/11 07:45:58 End initialize_variables
2022/07/11 07:45:58 ===> Step preinst. USER=sc-icecast GROUP= SHARE_PATH=
2022/07/11 07:45:58 install icecast 2.4.4-7 End preinst ret=[0]
2022/07/11 07:45:58 install icecast 2.4.4-7 Begin /bin/mkdir -p /volume1/@appstore/icecast -m 755
2022/07/11 07:45:58 install icecast 2.4.4-7 End /bin/mkdir -p /volume1/@appstore/icecast -m 755 ret=[0]
2022/07/11 07:45:58 install icecast 2.4.4-7 Begin /bin/rm -rf /volume1/@appstore/icecast
2022/07/11 07:45:58 install icecast 2.4.4-7 End /bin/rm -rf /volume1/@appstore/icecast ret=[0]
2022/07/11 07:45:58 install icecast 2.4.4-7 Begin /bin/mv -f /volume1/@tmp/synopkg/install.2d44pU/package /volume1/@appstore/icecast
2022/07/11 07:45:58 install icecast 2.4.4-7 End /bin/mv -f /volume1/@tmp/synopkg/install.2d44pU/package /volume1/@appstore/icecast ret=[0]
2022/07/11 07:45:58 install icecast 2.4.4-7 Begin /bin/rm -rf /var/packages/icecast
2022/07/11 07:45:58 install icecast 2.4.4-7 End /bin/rm -rf /var/packages/icecast ret=[0]
2022/07/11 07:45:58 install icecast 2.4.4-7 Begin /bin/mkdir -p /var/packages/icecast -m 755
2022/07/11 07:45:58 install icecast 2.4.4-7 End /bin/mkdir -p /var/packages/icecast -m 755 ret=[0]
2022/07/11 07:45:58 install icecast 2.4.4-7 Begin /bin/touch /var/packages/icecast/installing
2022/07/11 07:45:58 install icecast 2.4.4-7 End /bin/touch /var/packages/icecast/installing ret=[0]
2022/07/11 07:45:58 install icecast 2.4.4-7 Begin /bin/mv -f /volume1/@tmp/synopkg/install.2d44pU/INFO /var/packages/icecast/INFO
2022/07/11 07:45:58 install icecast 2.4.4-7 End /bin/mv -f /volume1/@tmp/synopkg/install.2d44pU/INFO /var/packages/icecast/INFO ret=[0]
2022/07/11 07:45:58 install icecast 2.4.4-7 Begin /bin/rm -rf /var/packages/icecast/scripts
2022/07/11 07:45:58 install icecast 2.4.4-7 End /bin/rm -rf /var/packages/icecast/scripts ret=[0]
2022/07/11 07:45:58 install icecast 2.4.4-7 Begin /bin/mv -f /volume1/@tmp/synopkg/install.2d44pU/scripts /var/packages/icecast/scripts
2022/07/11 07:45:58 install icecast 2.4.4-7 End /bin/mv -f /volume1/@tmp/synopkg/install.2d44pU/scripts /var/packages/icecast/scripts ret=[0]
2022/07/11 07:45:58 install icecast 2.4.4-7 Begin /bin/rm -rf /var/packages/icecast/WIZARD_UIFILES
2022/07/11 07:45:58 install icecast 2.4.4-7 End /bin/rm -rf /var/packages/icecast/WIZARD_UIFILES ret=[0]
2022/07/11 07:45:58 install icecast 2.4.4-7 Begin /bin/mv -f /volume1/@tmp/synopkg/install.2d44pU/WIZARD_UIFILES /var/packages/icecast/WIZARD_UIFILES
2022/07/11 07:45:58 install icecast 2.4.4-7 End /bin/mv -f /volume1/@tmp/synopkg/install.2d44pU/WIZARD_UIFILES /var/packages/icecast/WIZARD_UIFILES ret=[0]
2022/07/11 07:45:58 install icecast 2.4.4-7 Begin /bin/rm -rf /var/packages/icecast/conf
2022/07/11 07:45:58 install icecast 2.4.4-7 End /bin/rm -rf /var/packages/icecast/conf ret=[0]
2022/07/11 07:45:58 install icecast 2.4.4-7 Begin /bin/mv -f /volume1/@tmp/synopkg/install.2d44pU/conf /var/packages/icecast/conf
2022/07/11 07:45:58 install icecast 2.4.4-7 End /bin/mv -f /volume1/@tmp/synopkg/install.2d44pU/conf /var/packages/icecast/conf ret=[0]
2022/07/11 07:46:02 install icecast 2.4.4-7 Begin postinst
2022/07/11 07:46:02 Begin reload_inst_variables
2022/07/11 07:46:02 End reload_inst_variables
2022/07/11 07:46:02 Begin initialize_variables
2022/07/11 07:46:02 End initialize_variables
2022/07/11 07:46:02 ===> Step postinst. USER=sc-icecast GROUP= SHARE_PATH=
2022/07/11 07:46:02 Begin save_wizard_variables
2022/07/11 07:46:02 End save_wizard_variables
2022/07/11 07:46:02 Begin syno_sync_var_folder
2022/07/11 07:46:02 Install files from var folder
2022/07/11 07:46:02 /bin/rsync -avh --ignore-existing --remove-source-files /volume1/@appstore/icecast/var/ /volume1/@appdata/icecast
2022/07/11 07:46:02 sending incremental file list
2022/07/11 07:46:02 ./
2022/07/11 07:46:02 icecast.xml
2022/07/11 07:46:02 mime.types
2022/07/11 07:46:02 log/
2022/07/11 07:46:02 sent 33.93K bytes  received 77 bytes  68.01K bytes/sec
2022/07/11 07:46:02 total size is 33.71K  speedup is 0.99
2022/07/11 07:46:02 /bin/rsync -avh --remove-source-files /volume1/@appstore/icecast/var/ /volume1/@appdata/icecast
2022/07/11 07:46:02 sending incremental file list
2022/07/11 07:46:02 ./
2022/07/11 07:46:02 sent 100 bytes  received 20 bytes  240.00 bytes/sec
2022/07/11 07:46:02 total size is 0  speedup is 0.00
2022/07/11 07:46:02 End syno_sync_var_folder
2022/07/11 07:46:02 Begin service_postinst
2022/07/11 07:46:02 End service_postinst
2022/07/11 07:46:02 install icecast 2.4.4-7 End postinst ret=[0]
2022/07/11 07:46:03 install icecast 2.4.4-7 Begin start-stop-status start
2022/07/11 07:46:04 install icecast 2.4.4-7 End start-stop-status start ret=[0]
2022/07/11 07:50:48 stop icecast 2.4.4-7 Begin start-stop-status stop
2022/07/11 07:50:49 stop icecast 2.4.4-7 End start-stop-status stop ret=[0]
2022/07/11 07:50:53 start icecast 2.4.4-7 Begin start-stop-status start
2022/07/11 07:50:54 start icecast 2.4.4-7 End start-stop-status start ret=[0]

Service Log

[2022-07-20  11:01:03] INFO main/main Icecast 2.4.4 server started
[2022-07-20  11:01:03] INFO yp/yp_update_thread YP update thread started
[2022-07-20  11:01:03] WARN connection/get_ssl_certificate Invalid cert file /usr/syno/etc/certificate/system/default/fullchain.pem
[2022-07-20  11:01:03] INFO connection/get_ssl_certificate No SSL capability on any configured ports
[2022-07-20  11:01:08] INFO connection/_handle_source_request Source logging in at mountpoint "/ozonefm" from 192.168.68.76
[2022-07-20  11:01:08] WARN format/format_get_type Unsupported or legacy stream type: "audio/mpeg". Falling back to generic minimal handler for best effort.

Other Logs

No response

hgy59 commented 2 years ago

@simistef what is the site that you found? maybe you found this: https://discourse.libretime.org/t/add-ssl-to-your-icecast2-stream-sweet-and-simple/1175 ?

Reading "Invalid cert file" in the service log is the error you are facing. Please consider that the user sc-icecast needs read access to the certificate file. Try to copy (and configure) the certificate to /var/packages/icecast/var/bundle.pem.

And you cannot use /usr/syno/etc/certificate/system/default/fullchain.pem, as the certificate for icecast must contain the private key too. See the linked page on how to create such a bundle.pem.

simistef commented 2 years ago

Thanks for your response and instructions. I have done this, by recreating the bundle.pem file as a concatenation of fullchain.pem and privkey.pem. Both files were taken from /usr/syno/etc/certificate/system/default/. I guess my Synology generated this through the Let's Encrypt default mechanism.

But i still get the same error:

[2022-07-31  13:40:21] INFO admin/admin_handle_request Received admin command listclients on mount "/ozonefm"
[2022-07-31  13:40:31] INFO admin/admin_handle_request Received admin command listclients on mount "/ozonefm"
[2022-07-31  13:40:41] INFO admin/admin_handle_request Received admin command listclients on mount "/ozonefm"
[2022-07-31  13:40:51] INFO admin/admin_handle_request Received admin command listclients on mount "/ozonefm"
[2022-07-31  13:41:01] INFO admin/admin_handle_request Received admin command listclients on mount "/ozonefm"
[2022-07-31  13:41:05] INFO source/source_shutdown Source from 192.168.68.64 at "/ozonefm" exiting
[2022-07-31  13:41:05] INFO source/source_clear_source 1 active listeners on /ozonefm released
[2022-07-31  13:41:05] INFO main/_server_proc Caught halt request, shutting down...
[2022-07-31  13:41:05] INFO main/main Shutting down
[2022-07-31  13:41:05] INFO fserve/fserve_shutdown file serving stopped
[2022-07-31  13:41:05] INFO slave/_slave_thread shutting down current relays
[2022-07-31  13:41:05] INFO slave/_slave_thread Slave thread shutdown complete
[2022-07-31  13:41:05] INFO auth/auth_shutdown Auth shutdown
[2022-07-31  13:41:05] INFO yp/yp_shutdown YP thread down
[2022-07-31  13:41:06] INFO stats/stats_shutdown stats thread finished
[2022-07-31  13:41:12] INFO main/main Icecast 2.4.4 server started
[2022-07-31  13:41:12] WARN connection/get_ssl_certificate Invalid cert file /var/packages/icecast/var/bundle.pem
[2022-07-31  13:41:12] INFO connection/get_ssl_certificate No SSL capability on any configured ports
[2022-07-31  13:41:12] INFO yp/yp_update_thread YP update thread started
[2022-07-31  13:41:12] INFO stats/_stats_thread stats thread started
[2022-07-31  13:41:12] INFO connection/_handle_source_request Source logging in at mountpoint "/ozonefm" from 192.168.68.64
[2022-07-31  13:41:12] WARN format/format_get_type Unsupported or legacy stream type: "audio/mpeg". Falling back to generic minimal handler for best effort.
[2022-07-31  13:41:12] INFO source/source_main listener count on /ozonefm now 0
[2022-07-31  13:41:13] INFO source/source_main listener count on /ozonefm now 1
[2022-07-31  13:41:17] INFO admin/admin_handle_request Received admin command metadata on mount "/ozonefm"

hgy59 commented 2 years ago

@simistef sorry, but I cannot reproduce your error. For me it works as expected (DSM 6.2.4-25556 Update 6, DS-218 aarch64). Did you change the owner of bundle.pem to sc-icecast?

$ sudo su

# cat /usr/syno/etc/certificate/system/default/fullchain.pem /usr/syno/etc/certificate/system/default/privkey.pem > /var/packages/icecast/var/bundle.pem

# chown sc-icecast /var/packages/icecast/var/bundle.pem

and added to config:


    <listen-socket>
        <port>8001</port>
        <ssl>1</ssl>
    </listen-socket>

    <!-- The following element goes inside the existing <paths> section. -->
        <!-- The certificate file needs to contain both public and private part.
             Both should be PEM encoded. -->
        <ssl-certificate>/var/packages/icecast/var/bundle.pem</ssl-certificate>

var/log/error.log:

[2022-07-31  15:48:38] INFO main/main Icecast 2.4.4 server started
[2022-07-31  15:48:38] INFO yp/yp_update_thread YP update thread started
[2022-07-31  15:48:38] INFO connection/get_ssl_certificate SSL certificate found at /var/packages/icecast/var/bundle.pem
[2022-07-31  15:48:38] INFO connection/get_ssl_certificate SSL using ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

but I will try on DSM 7.0.1 (no installation with DSM 7.1 available yet)

hgy59 commented 2 years ago

I can confirm that the same configuration works on my DS-218 (x64, apollolake) with DSM 7.0.1-42218 Update 4.

simistef commented 2 years ago

Thanks again. Good to know it is possible at least.

I did the cat and chown, BUT… when creating the bundle.pem file I got an error -sh: /var/packages/icecast/var/bundle.pem. Permission denied

Therefore I created the bundle.pem file in /volume1/downloads/ and then copied it into that folder.

I also ran the chown command with success, but I am still getting the same error regarding SSL when restarting icecast. I have two ports open: 8123 and 8443 for SSL. Should I use just one?

Not sure about the sudo su command? I tried and entered many commands as per your example, but I am not sure how to execute them. The Enter key just takes me to the next line.

simistef commented 2 years ago

OK, I managed to get rid of the port error by using one port, 8123, and marking it as SSL. But the certificate error is still there, although ls -l /var/packages/icecast/var/bundle.pem showed sc-icecast as the owner.

So I guess that my method to generate the bundle.pem file is not good? Although the content would be the same no matter the method, I guess?

hgy59 commented 2 years ago

> Not sure about the sudo su command

sudo su opens a new shell as root (the prompt changes from $ to #). This is required before executing cat /usr/syno/etc/certificate/system/default/fullchain.pem /usr/syno/etc/certificate/system/default/privkey.pem > /var/packages/icecast/var/bundle.pem

The command: sudo cat /usr/syno/etc/certificate/system/default/fullchain.pem /usr/syno/etc/certificate/system/default/privkey.pem > /var/packages/icecast/var/bundle.pem

will fail with permission denied because the creation of the bundle.pem file will be done in a new shell (without sudo) and therefore without root permissions.

hgy59 commented 2 years ago

The bundle.pem file should look similar to (..... placeholder for multiple base64 encoded text lines):

-----BEGIN CERTIFICATE-----
MIIDGjCCAgICCQCjwQUXzteS3zANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJU
.....
W5rVd3ISCfd/696LmWIea1xFk5QD8O+OMuug7iCe
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDPjeU0y2JRO9w6
......
oqAlFWkDowbJSl7GC1IZaGsCEw==
-----END PRIVATE KEY-----

depending on the chain there are multiple BEGIN / END CERTIFICATE blocks.

simistef commented 2 years ago

Got it. Done that and checked the time for the bundle.pem. However...same problem after restart: Certificate invalid.

An excerpt from my bundle.pem:

-----BEGIN CERTIFICATE-----
MIIDsjCCApqgAwIBAgIHFCVJmQc/ejANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQG
.....
QdEgBoBahetFTmypbN+LhVqSE/9Acdftseb83AHbpxBImMF7Py0=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA85xQ9WozraxfFBYvy5Ov6O2sNbMniRNfX9YhS9ByPzzKvBFj
.....
xTDt6lgdK8wMIHuMcB4x1birhUiEJDwuQo6s9bV7dw8Dyt4AuB7I
-----END RSA PRIVATE KEY-----

Maybe my fullchain and privkey are not good ?

simistef commented 2 years ago

Actually my icecast v2 is not installed with SSL option ? From your link i see the remark of the author: First you have to upgrade to a version of Icecast2 that supports SSL. But having latest version, guess it's already installed ?

hgy59 commented 2 years ago

icecast from synocommunity is compiled with ssl support (it depends on libssl and libcrypto)

hgy@ds-xxxx:~$ sudo synogear install
Password:
root@ds-xxxx:/volume1/homes/hgy# readelf -d /var/packages/icecast/target/bin/icecast

Dynamic section at offset 0x2f4a8 contains 37 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libcurl.so.4]
 0x0000000000000001 (NEEDED)             Shared library: [libspeex.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libtheora.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libvorbis.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libogg.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libxslt.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libxml2.so.2]
 0x0000000000000001 (NEEDED)             Shared library: [libz.so]
 0x0000000000000001 (NEEDED)             Shared library: [libm.so.6]
 0x0000000000000001 (NEEDED)             Shared library: [libpthread.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [/var/packages/icecast/target/lib:/spksrc/spk/icecast/work-aarch64-6.1/install//var/packages/icecast/target/lib]
...
root@ds-xxxx:/volume1/homes/hgy# /var/packages/icecast/target/bin/icecast -v
Icecast 2.4.4
root@ds-xxxx:/volume1/homes/hgy#

simistef commented 1 year ago

@hgy59 sorry for the late reply, but after re-installing DSM on my NAS I managed to successfully have an HTTPS stream. I think it might have been related to many attempts of setting SSL on my NAS which confused icecast, or rather me. Thanks again for your valuable support. Much appreciated.

starapple2 commented 1 year ago

> @hgy59 sorry for the late reply, but after re-installing DSM on my NAS I managed to successfully have an HTTPS stream. I think it might have been related to many attempts of setting SSL on my NAS which confused icecast, or rather me. Thanks again for your valuable support. Much appreciated.

@simistef , what does your icecast.xml look like for SSL and on what port do you listen to the stream? Thanks.

simistef commented 1 month ago

Hi again, I have moved my radio to another domain name and suddenly I lost again the ability to stream over HTTPS. While I can comfortably access the ice cast admin page under HTTPS, the stream fails to start. No errors whatsoever it's just loading and loading.

Actually the only way it works is through my Safari browser being in the same network with my ice cast server. The rest of the browsers or players do not work. Is this something that has to do maybe with a newer version of Synology? Thanks

simistef commented 1 month ago

I've done a check with https://www.sslshopper.com and this is what I got:

The certificate will expire in 89 days. 

The hostname (live.*****.fm) is correctly listed in the certificate.

The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. [Learn more about this error](https://www.sslshopper.com/ssl-certificate-not-trusted-error.html). The fastest way to fix this problem is to contact your SSL provider.
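
An added example, not part of the original thread and not Icecast or spksrc code: a structural check for a bundle.pem like the one discussed above, covering the cases raised in this issue (certificate without private key, armor lines fused by `cat`, a single certificate with no intermediate chain, and ownership of the file). The function names are hypothetical, the sample in `__main__` is constructed, only plain POSIX permission bits are inspected (not DSM ACLs), and it does not verify that the key matches the certificate.

```python
import base64
import os
import re
import stat

# One PEM block; the BEGIN and END labels must be identical.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def check_bundle(text):
    """Return structural problems in the text of a cert+key bundle.pem."""
    problems = []
    # `cat a.pem b.pem` fuses two armor lines if a.pem has no final newline.
    if re.search(r"-----END [A-Z0-9 ]+----------BEGIN ", text):
        problems.append("END and BEGIN lines fused: newline missing between files")
    blocks = PEM_BLOCK.findall(text)
    labels = [label for label, _ in blocks]
    for label, body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label}: body is not valid base64")
            continue
        # Certificates and unencrypted keys are DER SEQUENCEs (first byte 0x30).
        if der[:1] != b"\x30":
            problems.append(f"{label}: not DER-encoded data")
    certs = labels.count("CERTIFICATE")
    keys = sum(1 for label in labels if label in KEY_LABELS)
    if certs == 0:
        problems.append("no CERTIFICATE block")
    elif labels[0] != "CERTIFICATE":
        # OpenSSL chain files start with the server certificate.
        problems.append("first block is not a certificate")
    if certs == 1:
        problems.append("warning: single certificate, no intermediate chain")
    if keys != 1:
        problems.append(f"expected 1 unencrypted private key block, found {keys}")
    return problems


def check_permissions(path, service_uid):
    """The bundle holds a private key: owned by the service user, closed to others."""
    st = os.stat(path)
    problems = []
    if st.st_uid != service_uid:
        problems.append(f"owner uid is {st.st_uid}, expected {service_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {stat.S_IMODE(st.st_mode):o} lets group/others in")
    return problems


if __name__ == "__main__":
    # Constructed sample: a dummy DER blob in both blocks, armor lines fused.
    blob = base64.encodebytes(b"\x30\x03\x02\x01\x00").decode()
    cert = f"-----BEGIN CERTIFICATE-----\n{blob}-----END CERTIFICATE-----"
    key = f"-----BEGIN PRIVATE KEY-----\n{blob}-----END PRIVATE KEY-----\n"
    print(check_bundle(cert + key))
```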