GitLab

Situation: globally accepted certificate authority has certified another certificate authority for signing SSL certificates. The certificate authority that everyone has in their root cert databases has signed the second authority's root cert with theirs, with signing rights granted. The second authority then signs our certificate.

This is called a chained SSL certificate. Every SSL client I've ever seen can deal with them, however, they usually take a little additional setup on the server end to make it work.

We operate several large websites with SSL certificates signed by this same vendor. In Apache, there is a separate configuration option for a certificate chain file. In some other applications (most notably mail servers) you can append the chain certificate onto the end of your own certificate, and it will Just Work.

Based on the way the config is set up in Icecast, it should be using the second method (appending the chain cert onto the end of the pem file for the certs). However, Icecast is using the wrong API call into OpenSSL for this to work.

Patch attached to fix.