Forcing Centovacast to Use LetsEncrypt Certificates for SSL

Forcing Centovacast to Use LetsEncrypt Certificates for SSL

Starting with What Made Sense

So the Krypton Radio web site has to go full SSL now because most modern web browsers (read “Google Chrome”) won’t let people visit without warning them that your web site will slay your children in their sleep if you don’t have an SSL certificate on it.

This is frankly just Google messing with our heads, for the most part. A site that does not handle money shouldn’t have to worry about this. All the monetary things we need to do are handled by external sites that actually are secure. But I digress.

So our first assumption was that we could just buy a cert from secureserver.net, install it on Centova, Icecast and our main web server and we were probably good to go.

And then everything collapsed.

What We Did First

I went to create our private key and Certificate Signing Request. After a few tries, I finally was able to use CPanel to generate this, adding in wildcard domains for every domain we wanted to cover. This is a completely legal thing, and you can buy one certificate to handle as many domains as you want.

If you actually buy it through CPanel, though, you can’t. It’s one domain per cert, and $30 per cert. Buying it through your registrar, though, is a lot cheaper.  If you own ten domains, you can easily spend a bundle doing this, and there’s literally no reason for it. Shall we spend 10% of the cost Cpanel wants us to spend?

Yes. Yes we shall.

Mind you, the only reason we’re doing that is that when we started all this there was no such things as Let’s Encrypt, which is a free secure certificate signing company.

The only catch to certificates you get from Let’s Encrypt is that the certificates expire after 90 days, so it’s kind of a problem if you want to use them with a mail server. Every three months your users will have to accept a new SSL certificate to get their email, and trust me, it wigs them out. Most people can barely operate the send button.

That Utterly Failed

No matter what we did with the certificates supplied to us by secureserver.net, Centovacast hated them. The installation script provided by Centova (your installation will tell you that the script lives at /usr/local/centovacast/sbin/setssl) just barfs on it every time.

The instructions provided by Centova say to get Apache credentials. This is wrong. You need credentials for something, but whatever it is, it wants a .pem file, and whatever is supposed to be IN that .pem file isn’t documented.

If you can get a .pem file, great – otherwise, you’ll have to do a massive workaround.

The Icecast Connection

So that’s when we figured out that Icecast, the Centova main panel , and WordPress all needed to be set up with certificates, and that not all of them were going to be able to use the same ones.

Here’s the instructions I found on how to do that for Icecast.

Note with particular attention that they’re talking about putting the private key, the public key, and the authority chain all in one file. I found a BBS topic on how this should be done, specifically with Let’s Encrypt.

The authority chain from LetsEncrypt comes in in the chain.pem file as created by the Centova LetsEncrypt utility, and that’s stored in /usr/local/centovacast/etc/ssl/certs, and then from there there are directories corresponding to each domain. The fact that they bother to identify files by domain name teases the fact that may be possible to run Centovacast from more than one valid domain so long as the server answers to multiple domains.

To inspect the certificates being managed by CPanel, you need to log into your WHM panel and go to:

Home » SSL/TLS » SSL Storage Manager

The Centovacast Connection

I never got the certs I bought working with Centovacast, and self-signing isn’t an option, so I went ahead and asked the Centova Utility  at /usr/local/centovacast/sbin/setssl to create the certs for me using Let’s Encrypt.

To do that, you need to set up a directory alias on a web server on the same domain as Centovacast to serve up the validation files Let’s Encrypt needs to prove that you’re who you say you are.

The instructions say to use a specific block of code to define the directory alias that points to where those validation files are held on the server, but it says nothing about where in your Apache file to put them.

You’re going to need to set up your aliased directory so that the same domain that handles your Centova server is being served as a regular domain or subdomain on port 80, which is the standard port for serving web pages.

In my case, I had a subdirectory called ‘station’. I had to create a server alias so that that subdomain was included in the list of other servers my main vhost listing handles for me, so that my Centovacast subdomain and my main one are really being handled by the same vhost. This saved me from having to set up a complete separate vhost just to handle this one fricking problem.

It also gives the incorrect code to insert in the first place. Forget what they say in their article. Here’s the correct code:

Alias /.well-known/acme-challenge /usr/local/centovacast/etc/ssl/acme-challenges

<Directory “/usr/local/centovacast/etc/ssl/acme-challenges”>
Options Indexes
AllowOverride None
Order allow,deny
Allow from all
Require all granted

# Apache 2.x
<IfModule !mod_authz_core.c>
Order allow,deny
Allow from all
</IfModule>

# Apache 2.4
<IfModule mod_authz_core.c>
Order allow,deny
Require all granted
</IfModule>
</Directory>

Big question: Regarding the ‘setssl’ utility, why put broken code in a utility, and then write documentation that pretends it works? Again?

Centova is notorious for this.

When we fixed all of the above basic configuration with the Apache server to satisfy the needs of LetsEncrypt, we found that the setssl script was changing permissions on the target file folder such that it would return a 403 error.

That’s right, the Centova utility script that installs the certificate intentionally breaks the process so that it can’t finish.

Insert the change in the chmod instruction that alters it from 750 to 755.

For some reason this bug has been in there forever, and Centova’s never fixed it. They say the answer to this problem is to make the user that the Apache server runs under a member of the ‘centovacast’ group, but in my experience this didn’t work and I got a 403 error no matter what I did later.

Anyway, here’s the code to modify:

if [ ! -e “$challengepath” ]; then
mkdir -p “$challengepath”
fi

chown root.centovacast “$challengepath”
chmod 0755 “$challengepath”

testcontent=”test-$(date +%s).$$”
testfilename=”${testcontent}.txt”
echo “$testcontent” > “$challengepath/$testfilename”

#(In later versions of the code, these two lines are missing entirely. If they’re present, make the change to the chmod parameter as shown).chown root.centovacast “$challengepath/$testfilename”
chmod 0755 “$challengepath/$testfilename”

Once I patched my copy, I set the file permissions on it so that future Centova updates couldn’t revert my changes, like they did the last three times.

You’re Not Out of the Woods Yet

It’s not enough to get Centova itself running on an SSL certificate. Now you have to get IceCast itself working with SSL, which for some reason is a separate task, and any attempt to link to an unsecured stream from a secured site will make web browsers claim your site is not secure, thereby defeating the whole point of having a certificate in the first place.

So the trick here is, you will probably have to create a new listen socket beyond your default. Centova, by default, set you up on port 8000. I had to create a new secure port, so I moved it well up out of the way, on port 8080. All the mount points are available on both ports, but you can’t have one port be both secured and unsecured.

Your Icecast config isn’t called icecast.xml in a Centova installation. It’s called server.conf, and it’s also in a nonstandard location, which is /usr/local/var/vhosts/<your station name>/etc/server.conf.

Here are the listen socket sections from my server.conf.  It’s the top one you’re looking at. The bottom one is the default definition, and the top one is the secure one. Centova does not support the direct creation of secure listen sockets, so you have to hack this by hand.

<listen-socket>
<port>8080</port>
<ssl>1</ssl>
</listen-socket>

<listen-socket>
<port>8000</port>
</listen-socket>

Then finally, you’ll have to add a line in your server.conf file that loads the required SSL certificate. If you’re running your Icecast stream and your Centova server from the same domain, you can reuse the same bundle.pem file, but there’s literally nothing stopping you from making a separate one for each individual Centova virtual host and putting each bundle.pem file in a separate place.

The line for your server.conf file looks like this:

<ssl-certificate>/etc/icecast2/bundle.pem</ssl-certificate>

Last Step

Once this is done, you can go to the Centova interface and reload the server, and it will inhale the new settings. You can test them to make sure it worked by going to https://<yourdomain>:8080 and seeing if it loads. If it doesn’t, you’re still broken, but if it does, congratulations, you now have a secure stream on your internet radio station’s business end!

Except that that doesn’t quite do it.

So it’s /usr/local/letsencrypt/letsencrypt-auto renew,

then rebuild your Icecast PEM file, then use your modified setssl script:

/usr/local/centovacast/sbin/setssl letsencrypt <your domain name>

and then after all that, you have to both restart centova, and then stop your Icecast instance completely and restart it before Icecast will use the new certificate.

Now you’re done.

What a fricking ordeal.

Use Azuracast instead

To be honest, a much better idea is Azuracast, which does everything Centova does, plus a lot more, does not require a monthly license, is open source and is being actively maintained.  Centova is neither fully open source nor actively maintained.

What to Look For In a Good Cheap Guitar

What to Look For In a Good Cheap Guitar

asheville guitarsI recently got an email from one of my coworkers who wanted to know what she should be looking for in a good used guitar in the $100 range.  I thought I’d share the answers with you, because people get asked this a lot and it’s one of the most common questions a new guitar player asks:

Hi Gene,

I’m going to start looking for a full-sized guitar, for myself.
In looking at used guitars, what brands do you think are better than others?  Or, does it matter?
I’m going to try and find something that is around $100.

At the $100 price point, your best measure of the quality of a guitar is you.  You can often get a little better quality if you get a used one rather than a new one, but here are things to look for:

  • Does it feel right in your hands?  Everybody’s hands are different, so get a guitar that feels good in yours.
  • Does it sound right (even playing all the way up the neck)?
  • Does it have a cutaway so you can reach the high notes (if that’s important to you)?
  • Are the machine heads (the tuning heads) firm or do they slip or rattle? (“What the – where’s that buzz coming from??”)
  • How high are the frets compared to the fretboard?  Taller frets make a guitar harder to play than slimmer frets and will require more energy to get a clean sound out of them.  The difference can be small, and you can often only see this by comparing one guitar to another.
  • Does it speak well?  Some guitars are quieter or sound tinny compared to others, some guitars are brighter, or have a stronger bass content in their voices.  Remember that there are things you can do to make a guitar’s voice change depending on how you play it, but that its fundamental character will remain fairly constant.
  • Does it have a truss rod in the neck so that the bow in the neck can be adjusted?  Surprisingly, some at this price point don’t.  A guitar with a truss rod in the neck will have a little hex bolt head inside the sound hole just under the end of the fretboard.

After that it’s more like picking out a comfortable pair of shoes than anything else.  Listen to the guitar’s voice, and find one that sounds like an old friend.  That’s the guitar you’re going to get the most out of.

Brands to look for are Taylor, Martin, Ovation, Yamaha, Fender – but there are dozens more really excellent brands, and again, at this price point the well known name brands are as likely to be lemons as any other guitar.

If I get a nylon string guitar, will it have the same great twang as your guitar?  Or, will it always be softer?

No, it will always be softer.  Nylon is uncommon, most guitars are steel string.  They have an inherently softer sound than metal does, and they tend not to break strings as often (but a guitar string usually costs a bit under $2 and can last years).

I just don’t want it to sound like a harp, like the little 1/2 size guitar that’s my daughter’s. And, if I buy a nylon string guitar, can I get it strung with steel strings, in the future?  Or, is the guitar just made for one type of strings?

A guitar is made for one particular kind of string, and you can’t use nylon strings on a guitar made for steel strings, and vice versa.

That said, I used a Kawasaki nylon string guitar (with no truss rod in the neck) for about 25 years before it finally broke in half on its own standing against the wall one day, just from the string tension.

A last point to mention is that at the $100 price point, adding an extra $20 – $60 can make a huge difference in the quality of the guitars in your price range.

Guitars can range from a hundred or so into the thousands of dollars.  The difference between a $100 guitar and a $150 guitar can be substantial – the difference between a $2000 guitar and a $3000 guitar may be one only a professional musician could appreciate.

Good luck in your search!

– Gene Turnbow

What the World Needs Now is More Ukelele

No, seriously.  It’s hard to listen to this and not feel all your stress and anxiety melt away.

Israel “IZ” Kamakawiwoʻole

— Gene Turnbow

The Major Scales on Guitar

The Major Scales on Guitar

Major scales on Guitar

I made up this for my guitar classes at the studio where I was working at the time. Click here to see the full sized image, then right-click and select ‘save’ to copy it to your own computer.

I used to teach beginning guitar to technical directors at Rhythm & Hues one day a week on my lunch break. I’d been relying on material made by other people for my classroom materials, but I couldn’t find anything to teach people the major scales that worked well with the way I teach, so I finally made one up myself.

Feel free to grab a copy of this and print it out for yourself if you’re struggling with this, or if you’re teaching a class yourself and need something like this for your students.

If you like this and use it, and want to help me out, consider signing up to donate a dollar or two to the SCIFI.radio Patreon campaign.  It’s cheaper than a cuppa coffee and it would help my radio station stay on the air.

— Gene Turnbow