Add HTTPS support to Icecast2 using Let's Encrypt

Do you have native SSL support in your icecast2 package?

If you love to use the official package, first check if you have SSL support in your already installed icecast2 package:

ldd /usr/bin/icecast2 | grep ssl

If you don't see anything, you have no native support for SSL. In this case you can choose one of these options:

• Option A: remove the package and install something else
• Option B: setup a frontend webserver using nginx
• Option C: setup a frontend webserver using Apache (← this answer)

How to use Apache to setup a frontend webserver with HTTPs support, to serve Icecast2

To visit Icecast over https://, you can install Apache and use it as frontend webserver, listening on standard port 443. It's easy to use Let's Encrypt to create a free certificate for Apache. Once it works, you can pass the traffic to Icecast2.

 Browser
 │
 │ https://example.com/radio.mp3
 ▼
┌───────────┐
│           │
│ Apache    │:443
│           │
└┬──────────┘
 │
 │ http://localhost:8080/radio.mp3
 ▼
┌───────────┐
│           │
│ Icecast   │:8080
│           │
└───────────┘

If you use Debian GNU/Linux, here the guide:

https://wiki.debian.org/Icecast2

The core of the solution is to enable an apache VirtualHost like this:

#
# Apache VirtualHost serving my Icecast under HTTPs (:443)
#
# This frontend webserver passes all the traffic to
# the underlying Icecast, listening on port 8000.
#
# The certificate comes from Let's Encrypt.
#
# Credits: https://stackoverflow.com/a/71383133/3451846
<virtualhost *:443>

  ServerName example.com

  # this path is not useful and it's used only for Let's Encrypt's temporary files during the renewal process
  DocumentRoot /var/www/html

  # send all traffic to Icecast in plaintext
  <Location "/">
    ProxyPass        http://localhost:8000/
    ProxyPassReverse http://localhost:8000/
  </Location>

  # these files are served from /var/www/html to serve Let's Encrypt temporary files
  <Location "/.well-known/acme-challenge">
    ProxyPass !
  </Location>

  <IfFile /etc/letsencrypt/live/example.com/cert.pem>
    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
  </IfFile>

</virtualhost>

<VirtualHost *:80>
  ServerName example.com

  Redirect / https://example.com/
</VirtualHost>

And then enable it and issue your certificate:

letsencrypt certonly --domain example.com --webroot --webroot-path /var/www/html

But this is explained maybe better from the above guide.

At the moment the guide does not cover nginx but other answers might give a similar practical example using that technology as well as apache2. The benefit of involving a frontend webserver like apache2 or nginx is that you don't have to touch Icecast. Also, it allows to serve Icecast2 among your already-existing websites, if any.

Other answers might want to talk about an Icecast2's native interface with Let's Encrypt. At the moment I can share just the apache2 method that is the one I use in production since years without any problem. Moreover since I use Debian GNU/Linux, my package has not SSL support.