SSL & Let's Encrypt
AzuraCast now includes built-in support for creating and managing SSL (HTTPS) certificates via LetsEncrypt from the System Settings panel.
LetsEncrypt is a free and simple way to allow safe and secure connections to your AzuraCast installation. With a valid SSL certificate, you can:
- Secure your connection to AzuraCast when administering your stations,
- Enforce security for all AzuraCast administrators via HTTP Strict Transport Security (HSTS), and
- Provide a secure listening endpoint to listeners, avoiding “Mixed Content” warnings when your radio signal is played from a secure web page.
Before setting up LetsEncrypt, you should make sure the following conditions are met:
- AzuraCast must be on its own domain or subdomain. You can’t set up LetsEncrypt using only an IP address; you must have a domain (e.g. example.com) or a subdomain (e.g. radio.example.com) set up to point to your AzuraCast installation.
- AzuraCast’s web server must be served on the default ports, 80 for HTTP and 443 for HTTPS. By default, AzuraCast is already set up this way, but if you’ve modified the ports to serve the site on a secondary port, you must switch the ports back to the defaults when setting up LetsEncrypt and when performing renewals.
To enable LetsEncrypt, follow these steps:
- Log in to your AzuraCast installation
- Click the dropdown on the top right, then “System Administration”
- Click “System Settings”
- Select the “Services” tab
- Complete the LetsEncrypt section fields
- Click “Save Changes” at the bottom
The HTTPS certificate will be generated automatically within the next few minutes, but you can also generate it manually by clicking the “Create/Renew Certificate” button under the LetsEncrypt fields.
Renewing a Let’s Encrypt Certificate
The web service will automatically renew your LetsEncrypt certificates. If you provide an e-mail in the initial setup process, that e-mail will be used to send you reminders of upcoming expiration in the event that automatic renewal fails.
Always Use HTTPS (HTTP Strict Transport Security)
From the “System Settings” panel inside AzuraCast, you can enable the “Always Use HTTPS” setting in the “Security & Privacy” tab.
Once this setting is enabled, not only will all users be redirected to the secure version of AzuraCast when visiting, but HTTP Strict Transport Security (HSTS) will be enabled, which requires a valid SSL certificate to function. This significantly improves the security of your connection to AzuraCast and should be enabled whenever possible.
Disabling HSTS via CLI
If you enable HTTP Strict Transport Security, and then your domain is no longer available via HTTPS, you will normally be unable to access your installation via your web browser.
You can, however, turn this setting off from an SSH terminal by running the commands below:

    cd /var/azuracast
    bash docker.sh cli azuracast:settings:set always_use_ssl 0

This will disable the setting and enable you to reconnect to your installation.
Using a Custom Certificate
If you have a custom SSL certificate on your host, you should create a docker-compose.override.yml file in your /var/azuracast directory on the host server with the contents below, modified to reflect your domain name and the path to your SSL certificate and key:

    services:
      web:
        volumes:
          - /path/on/host/to/ssl.crt:/var/azuracast/acme/ssl.crt:ro
          - /path/on/host/to/ssl.key:/var/azuracast/acme/ssl.key:ro

Finally, restart AzuraCast to apply the changes:

    docker-compose down
    docker-compose up -d
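
A check worth running on the host before that restart, since with “Always Use HTTPS” enabled a certificate that does not load leaves browsers unable to reach the installation. This is an added example, not part of AzuraCast: the function name `check_cert_pair`, the script name `check-cert.sh` and the 14-day default are assumptions, and it needs the `openssl` command-line tool.

```sh
#!/bin/sh
# Added example: pre-flight check for a custom certificate and key pair.
# Return codes: 0 ok, 1 unreadable file, 2 key mismatch, 3 expiring.

# The body runs in a subshell "( ... )", so variables stay local and
# "exit" sets the function's return code without ending the caller.
check_cert_pair() (
    crt=$1
    key=$2
    min_days=${3:-14}   # assumed default: fail 14 days before expiry

    # Extract the public key from each file. "-passin pass:" makes an
    # encrypted key fail here instead of prompting; a web server could
    # not load it unattended either.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || exit 1
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || exit 1

    # A certificate is only usable with the private key it was issued for.
    [ "$crt_pub" = "$key_pub" ] || exit 2

    # -checkend N fails if the certificate expires within N seconds.
    openssl x509 -in "$crt" -noout -checkend "$((min_days * 86400))" \
        >/dev/null 2>&1 || exit 3
    exit 0
)

# Run as: sh check-cert.sh /path/on/host/to/ssl.crt /path/on/host/to/ssl.key
if [ "$#" -ge 2 ]; then
    rc=0
    check_cert_pair "$@" || rc=$?
    case $rc in
        0) echo "OK: key matches certificate and expiry is not imminent" ;;
        1) echo "FAIL: certificate or key could not be read" ;;
        2) echo "FAIL: private key does not match certificate" ;;
        3) echo "FAIL: certificate is expired or expires soon" ;;
    esac
    exit "$rc"
fi
```

The check does not confirm that the certificate covers your domain name or chains to a trusted CA, so load the site over HTTPS after the restart as well.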