HTTPS / TLS

HTTPS is used to serve encrypted audio streams to listeners, and also allows broadcasters to connect to the server securely.

Rocket Streaming Audio Server fully supports HTTPS using TLS 1.2 and 1.3. Encrypted streams can be played in any modern web browser or on any mobile device. For more information on TLS 1.2 compatibility, please see this link. (SSL v2 and v3 are insecure and not supported; the terms "SSL" and "TLS" are still used interchangeably on this page.)

RSAS accepts SSL/TLS certificates and private keys in PEM format. For ease of use, the certificate chain and private key can be in one file or in separate files. To use your certificate with RSAS, you will need to specify some extra options in your configuration file. Follow the instructions below to configure TLS/SSL with RSAS.

Getting Started with HTTPS

If you don't yet have an SSL certificate, jump to Getting Started with LetsEncrypt.

If you already have an SSL certificate, this section will explain how to install it and how to configure RSAS to use it.

  1. Start by creating an /etc/rsas/certs directory and copying your certificate files there. You might have one or more .pem files for your certificate - copy them all there.

  2. Edit your rsas.xml or icecast.xml config file, and add the following:

    <listen-socket>
        <port>443</port>
        <tls>1</tls>
    </listen-socket>
    
    <paths>
        <ssl-certificate>/etc/rsas/certs/fullchain.pem</ssl-certificate>
        <ssl-private-key>/etc/rsas/certs/privkey.pem</ssl-private-key>
    </paths>
    

    If you only have a single .pem file (containing both the certificate chain and the private key), use it for both the <ssl-certificate> and <ssl-private-key> values.

  3. Lastly, reload or restart your rsas service, and try listening to one of your streams with HTTPS, or visit https://127.0.0.1/health. (If you use 127.0.0.1 rather than your domain name, your browser will warn that the certificate name does not match; that is expected. To confirm the certificate is trusted, test with the hostname it was issued for.)

Troubleshooting

Here are some tips for troubleshooting common problems with HTTPS configuration:

  • Make sure your /etc/rsas/certs directory is readable by the user that's running rsas. If you're migrating from Icecast to RSAS, you should run chown -R icecast2:icecast /etc/rsas/certs. The private key should be readable only by that user (for example, mode 0600); it must never be world-readable.
  • Don't have a separate fullchain.pem and privkey.pem file? Then specify the same file for both <ssl-certificate> and <ssl-private-key>.
  • Can't broadcast to your server with SSL / TLS? Make sure you're using the right port. Your encoder must connect to the TLS port specified in your <listen-socket> settings (443 in the example above).
  • Still having problems? Send us an email.
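The checks behind the tips above, collected into one script, as an added example (not part of RSAS or its documentation). It assumes a Linux host with the openssl command-line tool and GNU coreutils (for stat -c), and uses the /etc/rsas/certs paths from this page as defaults. It confirms that the private key belongs to the certificate, that the chain file holds more than the leaf, that the certificate is not about to expire, that the key is not world-readable, and, once rsas has been reloaded, what a TLS client is actually served. It also generates the optional DH parameters file used by the <ssl-dhparams> setting described under Advanced.

```sh
#!/bin/sh
# tls-precheck.sh: sanity-check the PEM files before RSAS is pointed at them.
# Added example, not part of RSAS or its documentation. Assumes Linux with the
# openssl CLI and GNU coreutils (stat -c); default paths are the ones used on
# this page. Every check returns 0 on success so the script can be automated.

# How many certificates a PEM file holds. A chain file ("fullchain.pem")
# should contain the leaf followed by its intermediates, i.e. 2 or more.
cert_count() {   # cert_count CERT
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Does the private key belong to the first (leaf) certificate in the chain?
# Both commands print the SubjectPublicKeyInfo in PEM, so they must be equal.
key_matches_cert() {   # key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Is the certificate still valid N days from now? (LetsEncrypt certificates
# last 90 days; a renewal that silently fails shows up here first.)
cert_valid_for_days() {   # cert_valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# The private key must be readable by the rsas user only: 0600 (or 0640 if a
# dedicated group needs it). Anything readable by "other" fails.
key_perms_ok() {   # key_perms_ok KEY
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        400|440|600|640) return 0 ;;
        *)               return 1 ;;
    esac
}

# What a listener is served: connect with SNI like a browser would and print
# the leaf certificate. With several <vhost> entries, pass each hostname in
# turn to see which certificate it selects.
probe_tls() {   # probe_tls HOST [PORT]
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Optional: parameters for the DHE-* suites (<ssl-dhparams>). Slow (minutes).
gen_dhparams() {   # gen_dhparams OUTFILE
    openssl dhparam -out "$1" 2048
}

# Run every file check and report; exit status 1 if something must be fixed.
precheck() {   # precheck CERT KEY
    rc=0
    n=$(cert_count "$1")
    [ "${n:-0}" -ge 2 ] \
        || echo "WARN: $1 holds ${n:-0} certificate(s); expected leaf + intermediates"
    if key_matches_cert "$1" "$2"; then
        echo "OK:   private key matches certificate"
    else
        echo "FAIL: $2 is not the private key for $1"; rc=1
    fi
    if cert_valid_for_days "$1" 14; then
        echo "OK:   certificate valid for at least 14 more days"
    else
        echo "FAIL: certificate expires within 14 days, or cannot be parsed"; rc=1
    fi
    if key_perms_ok "$2"; then
        echo "OK:   key permissions $(stat -c '%a %U:%G' "$2")"
    else
        echo "WARN: $2 should be mode 0600 and owned by the user running rsas"
    fi
    return $rc
}

# Usage: sh tls-precheck.sh --run [CERT] [KEY]
if [ "${1:-}" = "--run" ]; then
    precheck "${2:-/etc/rsas/certs/fullchain.pem}" "${3:-/etc/rsas/certs/privkey.pem}"
fi
```

Run it as sh tls-precheck.sh --run before the reload in step 3; a FAIL on the key check is the usual cause of a server that starts but serves no HTTPS. After the reload, probe_tls your.domain.example shows the certificate listeners receive, which is the check to repeat after every renewal.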

Advanced

There are a couple of extra options that can be configured for HTTPS. The <ssl-allowed-ciphers> value is a single colon-separated OpenSSL cipher string and must not contain line breaks:

<paths>
    <ssl-certificate>/etc/rsas/certs/fullchain.pem</ssl-certificate>
    <ssl-private-key>/etc/rsas/certs/privkey.pem</ssl-private-key>
    <ssl-dhparams>/etc/rsas/certs/dhparams.pem</ssl-dhparams>
    <ssl-allowed-ciphers>ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS</ssl-allowed-ciphers>
</paths>

<ssl-certificate> - Path to your SSL/TLS certificate file (in PEM format), with any intermediate certificates concatenated after it (for example, LetsEncrypt's fullchain.pem).

<ssl-private-key> - Path to the private key for your certificate (in PEM format). If you only have one .pem file, set this to the same file as <ssl-certificate>.

<ssl-dhparams> - (Optional) Diffie-Hellman parameters file, used by the DHE-* cipher suites. If you set this option the file must exist; you can generate one with openssl dhparam.

<ssl-allowed-ciphers> - (Optional) List of allowed ciphers, formatted as an OpenSSL cipher list. See the OpenSSL documentation on ciphers for more information. The list in the example above favours compatibility over strength: it still allows 3DES (the DES-CBC3 suites, which are vulnerable to the SWEET32 birthday attack) and plain RSA key exchange (the suites whose names do not start with ECDHE- or DHE-), which provides no forward secrecy. Unless you must support very old clients, remove those.
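A small lint for the <ssl-allowed-ciphers> value, as an added example (not RSAS code). It works on the OpenSSL suite names used above in plain POSIX sh, so it needs no openssl binary; the class names (strong, legacy-cbc, no-pfs, broken, rule) are this script's own labels. Applied to the list shown above it reports the 3DES suites and the plain RSA key exchange suites and prints a hardened value with them removed; in strict mode it also drops the CBC/HMAC suites, leaving only forward-secret AEAD suites. It does not cover TLS 1.3, whose suites OpenSSL configures separately from the cipher list.

```sh
#!/bin/sh
# cipher-lint.sh: classify the suites in an <ssl-allowed-ciphers> value and
# produce a hardened one. Added example, not RSAS code. Plain POSIX sh, no
# openssl needed. Works on explicit OpenSSL suite names as used on this page
# (keywords such as HIGH or ALL are not expanded). The class labels are this
# script's own: strong, legacy-cbc, no-pfs, broken, rule.

# One suite per line; like OpenSSL, accept ':' ',' or ' ' as separators.
split_suites() {   # split_suites LIST
    printf '%s\n' "$1" | tr ':, ' '\n\n\n' | sed '/^$/d'
}

classify_suite() {   # classify_suite NAME
    case "$1" in
        [@+!-]*)          echo rule ;;        # !DSS, @STRENGTH, ...: a rule, not a suite
        *DES-CBC3*|*RC4*|*NULL*|*EXPORT*)
                          echo broken ;;      # 3DES (SWEET32), RC4, unencrypted, export grade
        ECDHE-*|DHE-*|EDH-*)                  # ephemeral key exchange: forward secrecy
            case "$1" in
                *-GCM-*|*CHACHA20*|*-CCM*) echo strong ;;      # AEAD
                *)                          echo legacy-cbc ;;  # CBC + HMAC, only old clients need these
            esac ;;
        *)                echo no-pfs ;;      # static RSA key exchange: a leaked key decrypts recorded traffic
    esac
}

# Every suite with its class, tab separated, in the order given.
lint_cipher_list() {   # lint_cipher_list LIST
    split_suites "$1" | while IFS= read -r s; do
        printf '%s\t%s\n' "$(classify_suite "$s")" "$s"
    done
}

# The same list with broken and no-pfs suites removed, order preserved.
# With "strict" as $2, legacy-cbc suites go too (only AEAD suites remain).
harden_cipher_list() {   # harden_cipher_list LIST [strict]
    out=
    for s in $(split_suites "$1"); do
        case "$(classify_suite "$s")" in
            broken|no-pfs) continue ;;
            legacy-cbc)    if [ "${2:-}" = strict ]; then continue; fi ;;
        esac
        out="${out:+$out:}$s"
    done
    printf '%s\n' "$out"
}

# Cross-check with the real parser when openssl is installed: Kx= shows the
# key exchange OpenSSL will use for each suite, and a typo in the string is
# reported instead of being passed on to the server.
show_with_openssl() {   # show_with_openssl LIST
    openssl ciphers -v "$1"
}

# The compatibility-oriented list from the Advanced section of this page.
PAGE_LIST='ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:'\
'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:'\
'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:'\
'DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:'\
'ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:'\
'ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:'\
'ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:'\
'DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:'\
'ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:'\
'AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:'\
'AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'

# Usage: sh cipher-lint.sh --demo
if [ "${1:-}" = "--demo" ]; then
    lint_cipher_list "$PAGE_LIST"
    printf '\nhardened:\n%s\n\nstrict:\n%s\n' \
        "$(harden_cipher_list "$PAGE_LIST")" "$(harden_cipher_list "$PAGE_LIST" strict)"
fi
```

On the page's list the non-strict output keeps the twenty ECDHE/DHE suites and the !DSS rule, dropping the four 3DES suites and the six static-RSA suites; the strict output is the eight AEAD suites plus !DSS, which is the value to use when no legacy players need to connect. Paste the chosen output into <ssl-allowed-ciphers> as a single line.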

SNI / Multiple TLS certificates via VHosts

RSAS 0.1.18+ includes support for multiple TLS certificates. Multiple TLS certificates are needed if you wish to serve HTTPS over multiple domain names from a single RSAS instance.

To configure additional TLS certificates for specific domains, add a section to your config file like so:

<!-- Your main TLS certificate is used by default for any hostname that is not in the <vhosts> section. -->
<paths>
    <ssl-certificate>/etc/rsas/certs/fullchain.pem</ssl-certificate>
    <ssl-private-key>/etc/rsas/certs/privkey.pem</ssl-private-key>
</paths>
<!-- VHosts specify which TLS certificate to use for other domains -->
<vhosts>
    <vhost>
        <hostname>test.example.com</hostname>
        <ssl-certificate>/etc/ssl/test.example.com/fullchain.pem</ssl-certificate>
        <ssl-private-key>/etc/ssl/test.example.com/privkey.pem</ssl-private-key>
    </vhost>
</vhosts>

For example, in the above configuration, HTTPS works for test.example.com as well as for whatever domain the main certificate was issued for. The certificate is chosen by the hostname the client sends in the TLS handshake (SNI); any hostname not listed in <vhosts> gets the main certificate.

Applying Changes

Changes to your HTTPS / TLS or <listen-socket> configuration can be applied by reloading the server (no restart required). Remember to reload the server after renewing your SSL / TLS certificate.

Icecast and Icecast-KH Compatibility

Icecast 2.4, 2.5, and Icecast-KH all use slightly different syntax for their SSL certificate configuration. RSAS is compatible with all three formats, to make upgrading from any of them easy. For future compatibility of new configurations, we recommend using the syntax used in our examples above.

Getting Started with LetsEncrypt

You can use LetsEncrypt to get a free SSL / TLS certificate to use with RSAS, allowing you to enable HTTPS on your audio streams for both listeners and broadcasters.

Before we begin, we'll assume you have a few things done already:

  • RSAS is installed and running.
  • You have a domain name whose DNS points at your server's public IP address, and LetsEncrypt can reach the server on port 80.
  • You have installed certbot, following the Certbot instructions for your Linux distribution.

Now that you have your domain set up and certbot installed, we can go ahead and fetch your certificate and configure RSAS to use it.

Although you can use the "standalone" approach to get a certificate with certbot, we're going to configure RSAS to listen as a webserver on port 80, and use it to perform the verification certbot needs, to make automatic renewal painless.

Let's proceed:

  1. Enable port 80 with RSAS and configure the file serving path. To do this, edit your /etc/rsas/rsas.xml or icecast.xml file and add the following <listen-socket> section and <webroot> entry (inside <paths>):

        <!-- Enable port 80 serving -->
        <listen-socket>
            <port>80</port>
            <bind-address>0.0.0.0</bind-address>
        </listen-socket>
    
        <paths>
            <logdir>/var/log/rsas</logdir>
            <webroot>/usr/share/rsas/webroot</webroot>  <!-- Static files are served from here -->
        </paths>
    
  2. Next, make sure /usr/share/rsas/webroot exists and that the user running rsas has permissions to read it.

  3. Restart or reload your rsas daemon to apply these config changes.

  4. Now, let's use certbot to request a certificate:

    $ certbot certonly --webroot -w /usr/share/rsas/webroot
    

    Follow the interactive prompts and instructions. You'll see some output, then a big "Congratulations!" line containing the paths to your new certificate and private key files, like this:

       IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/example.oscillicious.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/example.oscillicious.com/privkey.pem
       Your cert will expire on 2019-11-21. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot
       again. To non-interactively renew *all* of your certificates, run
       "certbot renew"
    
  5. Next, we're finally ready to enable TLS / HTTPS in our RSAS config file and tell it where our new certificate files are. Add a listen socket on port 443 and SSL settings to your config file:

    <!-- NEW: Enable TLS / HTTPS -->
    <listen-socket>
        <port>443</port>
        <tls>1</tls> <!-- Use TLS on this port -->
        <bind-address>0.0.0.0</bind-address>
    </listen-socket>
    
    <listen-socket>
        <port>80</port>
        <bind-address>0.0.0.0</bind-address>
    </listen-socket>
    
    <paths>
        <logdir>/var/log/rsas</logdir>
        <webroot>/usr/share/rsas/webroot</webroot>  <!-- Static files are served from here -->
    
        <!-- NEW: Add these SSL settings. Use the paths to your SSL certificate and private key: -->
        <ssl-certificate>/etc/letsencrypt/live/example.oscillicious.com/fullchain.pem</ssl-certificate>
        <ssl-private-key>/etc/letsencrypt/live/example.oscillicious.com/privkey.pem</ssl-private-key>
        <ssl-dhparams>/etc/rsas/certs/dhparams.pem</ssl-dhparams> <!-- Optional: remove this line unless you have generated a DH parameters file (see Advanced) -->
    </paths>
    
  6. Test it! Try visiting the /health endpoint using https:// in your browser. If you have an encoder connected to a stream, try playing it using HTTPS too.

  7. Lastly, you'll need to set up a cron job to renew your certificates and reload rsas, so that it uses the renewed certificates.

    If you follow the Certbot instructions for your Linux distribution, the Certbot package you installed should set up a cron job or systemd timer that automatically renews your certificates. However, you will need to edit it to make sure it reloads rsas after renewing your certificate.

    For example, you'll want the command to look like:

    sudo certbot renew --post-hook "systemctl reload rsas"
    

    If you don't find the command, you can always fall back to editing your /etc/crontab file and setting up a cron job. Note that /etc/crontab, unlike a per-user crontab, has a user field between the schedule and the command; certbot needs to run as root. Here's what you can append to your /etc/crontab file:

    30 6 * * * root certbot renew --post-hook "systemctl reload rsas"
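A certbot deploy hook for the reload in step 7, as an added example (not from the RSAS or Certbot documentation). Certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ only after a certificate has actually been renewed, with RENEWED_LINEAGE and RENEWED_DOMAINS in the environment, so unlike adding --post-hook to the cron line this needs no change to the timer the distribution package installed, and it does not fire on the daily attempts that renew nothing. The script reads the <ssl-certificate> paths from rsas.xml and reloads rsas only when the renewed lineage is one the server is configured to serve. The SYSTEMCTL, LOG and RSAS_CONFIG variables are this example's own overrides, not certbot or RSAS settings.

```sh
#!/bin/sh
# /etc/letsencrypt/renewal-hooks/deploy/rsas-reload.sh
# Added example, not RSAS or Certbot code. Certbot runs every executable in
# this directory after a certificate has actually been renewed, with
# RENEWED_LINEAGE=/etc/letsencrypt/live/<name> and RENEWED_DOMAINS set.
# SYSTEMCTL, LOG and RSAS_CONFIG are this script's own overrides (used by its
# test); certbot and RSAS know nothing about them.

LOG=${LOG:-/var/log/rsas/cert-renew.log}
SYSTEMCTL=${SYSTEMCTL:-systemctl}
RSAS_CONFIG=${RSAS_CONFIG:-/etc/rsas/rsas.xml}

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$LOG"; }

# Every <ssl-certificate> path in the config: the main one and any <vhost>.
configured_cert_paths() {   # configured_cert_paths CONFIG_FILE
    sed -n 's|.*<ssl-certificate>\([^<]*\)</ssl-certificate>.*|\1|p' "$1"
}

# Is some configured certificate inside the lineage directory that was renewed?
# A host that also holds certificates for other services must not reload rsas
# when one of those renews.
lineage_in_use() {   # lineage_in_use LINEAGE_DIR CONFIG_FILE
    configured_cert_paths "$2" | {
        while IFS= read -r p; do
            case "$p" in "$1"/*) exit 0 ;; esac
        done
        exit 1
    }
}

# 0 when there is nothing to do or the reload worked; 1 when rsas should have
# been reloaded but was not (certbot records a failing hook in its log).
deploy_hook() {   # deploy_hook LINEAGE_DIR CONFIG_FILE
    if ! lineage_in_use "$1" "$2"; then
        log "renewed $1 is not referenced in $2; rsas not reloaded"
        return 0
    fi
    # Never hand rsas an incomplete pair; until the reload it keeps serving
    # the certificate it already has in memory.
    if ! [ -s "$1/fullchain.pem" ] || ! [ -s "$1/privkey.pem" ]; then
        log "renewed $1 lacks fullchain.pem or privkey.pem; rsas not reloaded"
        return 1
    fi
    if "$SYSTEMCTL" reload rsas; then
        log "reloaded rsas for ${RENEWED_DOMAINS:-$1}"
        return 0
    fi
    log "'$SYSTEMCTL reload rsas' failed; rsas still serves the old certificate"
    return 1
}

# Certbot sets RENEWED_LINEAGE when it invokes the hook; nothing runs otherwise.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook "$RENEWED_LINEAGE" "$RSAS_CONFIG"
fi
```

Install it as /etc/letsencrypt/renewal-hooks/deploy/rsas-reload.sh and make it executable (chmod 755). certbot renew --dry-run exercises the renewal itself but skips deploy hooks; recent certbot versions accept --run-deploy-hooks to include them, otherwise run the script by hand with RENEWED_LINEAGE set to your live directory and check the log and the served certificate afterwards.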