MediaCP Manual
SSL Certificates

Last updated 4 months ago

The Media Control Panel provides 100% support for SSL in the control panel and all streaming services including Shoutcast 198, Shoutcast 2.5, Shoutcast 2.6, Icecast 2, Icecast 2 KH, Wowza Streaming Engine and Flussonic Media Server.

You can configure either your own custom SSL certificate or an automatic SSL certificate from Let's Encrypt.

  • SSL Configuration is currently only supported on CentOS and Debian operating systems.
  • If using Wowza Streaming Engine, you will need to configure Wowza Secure HTTPS Streaming.

Media Service SSL Support Information

Please note that not all audio streaming servers support native HTTPS. In these cases, the MediaCP can provide an HTTPS proxy; however, the HTTPS proxy will use a lot of CPU. We recommend using native HTTPS where available.

Native HTTPS / Proxy HTTPS support by media service:

  • Wowza Streaming Engine: -
  • Flussonic Media Server: -
  • Shoutcast 198: Shoutcast 198 does not provide native SSL and requires proxy to use HTTPS streaming.
  • Shoutcast 2.5: Shoutcast 198 does not provide native SSL and requires proxy to use HTTPS streaming.
  • Shoutcast 2.6: Shoutcast 2.6 requires a Premium Shoutcast license purchased separately from www.shoutcast.com to use SSL.
  • Icecast 2: Icecast 2.4 does not support SSL and non-SSL on the same port. Many encoders do not provide SSL support, so the MediaCP will provide an alternate non-SSL port for encoders to connect. By default, if your service is on port 8000, port 8000 will be SSL and another port, 18000, will be created that is unsecured.
  • Icecast 2 KH (RECOMMENDED): Icecast 2 KH provides 100% support for SSL and non-SSL on the same port. This is our recommended server for audio streaming.

AutoSSL / Free HTTPS Certificate Installation

AutoSSL requires that port 80 is available on your server and is not in use. MediaCP is already compatible with the following applications that use port 80, and you can use AutoSSL alongside them without making any changes: cPanel, Plesk, CentOS Web Panel, DirectAdmin. It is also compatible with any standard Apache 2 or Nginx installation.

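Run the following command to install AutoSSL with the MediaCP. Note that this one-liner downloads the installer script over unencrypted HTTP and executes it immediately; to review the script first, run the wget step on its own and inspect init before executing it: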

cd /root;rm -f init;wget http://install.mediacp.net/scripts/init;chmod +x init;./init autossl

The following utility will automatically configure Wowza Streaming Engine SSL on port 1936 and Wowza Streaming Engine Manager SSL on port 8089. 

  1. Run the following to automatically configure WSE SSL/HTTPS:
    cd /root;rm -f init;wget http://install.mediacp.net/scripts/init;chmod +x init;./init autossl-wse

Flussonic SSL is automatically configured by running the above “MediaCP Web Panel AutoSSL”.

Custom HTTPS Certificate Installation

Important: To use AutoSSL you must ensure that port 80 is not in use on your server. This ensures that the Let's Encrypt ACME servers can properly validate the domain name. Unfortunately, this is the downside of using an automated certificate.

Configure HTTPS for MediaCP:

  1. First, disable any existing Let's Encrypt / SSL configurations:
    cd /root;rm -f init;wget http://install.mediacp.net/scripts/init;chmod +x init;./init letsencrypt-disable
  2. Update the MediaCP to the latest version:
     cd /root;rm -f init;wget http://install.mediacp.net/scripts/init;chmod +x init;./init upgrade
  3. Log in to the MediaCP, navigate to Administration -> Configuration and select the System tab. Update the MediaCP Full URL to include https://
  4. Add the following to /usr/local/mediacp/nginx/conf.d/ssl.conf, replacing yourdomain with your actual domain name:
    ssl on;
    ssl_certificate /usr/local/mediacp/nginx/fullchain.pem;
    ssl_certificate_key /usr/local/mediacp/nginx/server.key;
    ssl_session_cache shared:le_nginx_SSL:1m;
    ssl_session_timeout 1440m;
    error_page 497 301 =307 https://yourdomain:2000$request_uri;
  5. Install your certificate file in /usr/local/mediacp/nginx/server.pem
  6. Install your fullchain certificate file in /usr/local/mediacp/nginx/fullchain.pem
  7. Install your private key file in /usr/local/mediacp/nginx/server.key
  8. Create a certificate for Icecast 2 and Icecast 2 KH services to use:
    cat /usr/local/mediacp/nginx/server.key > /usr/local/mediacp/icecast2/icecast.cert;
    echo "" >> /usr/local/mediacp/icecast2/icecast.cert;
    cat /usr/local/mediacp/nginx/fullchain.pem >> /usr/local/mediacp/icecast2/icecast.cert;
  9. Ensure these files have appropriate permissions:
    chown mediacp:mediacp /usr/local/mediacp/icecast2/icecast.cert;
    chown mediacp:mediacp /usr/local/mediacp/nginx/fullchain.pem;
    chown mediacp:mediacp /usr/local/mediacp/nginx/server.pem;
    chown mediacp:mediacp /usr/local/mediacp/nginx/server.key;
  10. Restart the MediaCP service:
    /usr/local/mediacp/service restart
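
Before the restart in step 10, it is worth confirming that the private key and certificate installed in steps 5 to 7 belong together, since a mismatch prevents the web service from starting with SSL. The following is an added example, not part of the MediaCP documentation: verify_mediacp_tls is a hypothetical helper name, it assumes the openssl CLI and GNU stat are installed, and its owner-only key mode check is an added check that the steps above do not require.

```shell
#!/bin/sh
# Added example (not MediaCP code). verify_mediacp_tls is a hypothetical helper;
# the default directory and file names are the ones used in the steps above.
verify_mediacp_tls() {
    dir="${1:-/usr/local/mediacp/nginx}"
    key="$dir/server.key"
    chain="$dir/fullchain.pem"

    for f in "$key" "$chain"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done

    # openssl x509 reads the first certificate in the file, which in a
    # fullchain must be the server certificate.
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null) || {
        echo "cannot parse certificate in $chain" >&2; return 3; }
    # -passin pass: makes a passphrase-protected key fail instead of prompting.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || {
        echo "cannot parse private key $key" >&2; return 3; }
    [ "$cert_pub" = "$key_pub" ] || {
        echo "$key does not match the first certificate in $chain" >&2; return 4; }

    # Fail if the server certificate has already expired.
    openssl x509 -in "$chain" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "certificate in $chain has expired" >&2; return 5; }

    # Added check: the private key should be readable by its owner only.
    mode=$(stat -c '%a' "$key")
    case "$mode" in
        *00) ;;
        *) echo "$key has mode $mode, expected 600 or 400" >&2; return 6 ;;
    esac
    return 0
}

# Usage, before step 10:
#   verify_mediacp_tls && /usr/local/mediacp/service restart
```

Each failure returns a distinct exit code (2 missing file, 3 unparsable, 4 key mismatch, 5 expired, 6 key mode), so the function can gate the restart in a deployment script.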

WSE provides a free, near-instant SSL certificate called a StreamLock certificate with all licenses.

How to install Wowza Secure HTTPS StreamLock Certificate

Run the following command to automatically convert and install your SSL certificate to Wowza Streaming Engine.

/root/init beta autossl-wse
