Custom SSL certificate from commercial CA

Postby jeff.m.taylor » Tue Aug 27, 2013 8:15 pm

I know there are a few threads out there regarding this, but none have a solution that I can make work.

I run Subsonic premium on Debian (not Ubuntu).
I run my own domain, etc. and wanted a CA-signed cert so I will stop getting the navigation and cert-acceptance errors in web browsers when I am out and about.
I got a CA-signed cert and chain (host, intermediate, root certificates) and made a Java keystore for it.

I used this process to build the keystore after uploading the certificates:
Code:
# keytool -import -trustcacerts -alias root -file ./ca.pem -keystore /etc/ssl/certs/subsonic.keystore -storepass XXXXXX -keypass XXXXXX
Certificate already exists in system-wide CA keystore under alias <startcom_certification_authority>
Do you still want to add it to your own keystore? [no]:  y
Certificate was added to keystore
# keytool -import -trustcacerts -alias intermediate -file ./sub.class1.server.ca.pem -keystore /etc/ssl/certs/subsonic.keystore -storepass XXXXXX -keypass XXXXXX
Certificate was added to keystore
# keytool -import -trustcacerts -alias subsonic -file ./ssl.crt -keystore /etc/ssl/certs/subsonic.keystore -storepass XXXXXX -keypass XXXXXX
Certificate was added to keystore


Once that was done, I updated /usr/bin/subsonic with the following:
Code:
  -Dsubsonic.ssl.keystore=/etc/ssl/certs/subsonic.keystore \
  -Dsubsonic.ssl.password=XXXXXX \


I restarted and the service came to life and the ports opened, as verified with netstat.
I was not, however, ever able to connect to Subsonic. I would navigate to port 80 (HTTP redirect to HTTPS) or to port 500 (what I have defined for HTTPS) and it would just clock and do nothing. Redirect was successful but nothing ever came up.

In the /var/subsonic/subsonic_sh.log, I see a LOT of this type of messaging:
Code:
[Full GC 196381K->62608K(209240K), 0.0777280 secs]
[GC 75408K->75104K(205400K), 0.0035290 secs]
[GC 87902K->87468K(205400K), 0.0044370 secs]
[GC 100268K->98435K(205400K), 0.0041790 secs]
[GC 111235K->110832K(205400K), 0.0041160 secs]
[GC 123632K->123195K(205400K), 0.0044070 secs]
[GC 135983K->135591K(205400K), 0.0045810 secs]
[GC 148391K->147989K(205400K), 0.0042200 secs]
[GC 160789K->158973K(205400K), 0.0041530 secs]
[GC 171773K->169787K(205400K), 0.0037440 secs]
[GC 182587K->182251K(205400K), 0.0043540 secs]
[GC 195047K->194614K(207448K), 0.0049600 secs]


I have attached my configuration files and the subsonic_sh.log file from both the regular configuration (which is still working) and with my custom certificate.
If anyone can provide any guidance on this, I will be greatly appreciative. If anyone needs more information, please let me know that as well.

Thanks in advance,
~Jeff

NOTE: The failure log was too big to upload, so I truncated it. I removed 17MB of information like the quote above.

Re: Custom SSL certificate from commercial CA

Postby jeff.m.taylor » Wed Aug 28, 2013 7:12 am

All,

I got it squared away but it was fairly painful.
I will document what I did here in case it helps out other folks in the future.

This process worked with my CA cert, but it should work with self-signed as well.
1) The key thing I was missing was dealing with the entire certificate chain properly (server -> intermediate -> root) with keytool.
The best way to deal with this (maybe the only way; I quit trying once it worked) is to first put your whole chain + private key into a PKCS12 file and then convert it into a new keystore.

I accomplished this by going back to my CA and requesting a PKCS bundle (cheating). If you signed your own certificates and/or your CA cannot make you a PKCS12 file, openssl can do it for you:
https://www.openssl.org/docs/apps/pkcs12.html
(I followed this and it worked, but I substituted the CA-created one instead just for consistency)
In short, do this:
Code:
openssl pkcs12 -export -in [server].crt -inkey [private_key].key -certfile [CA_root].crt -out [filename].p12

NOTE: If your certificate chain includes an intermediate (mine does), you will need to concatenate the intermediate and the root certificates:
Code:
# cat [root].pem [intermediate].pem > [CA_root].crt


2) Once you have your PKCS12 file by one method or another, you will need to convert it to the Java keystore format using keytool:
In my example, I created "subsonic.keystore".
Code:
keytool -v -importkeystore -srckeystore [filename].p12 -srcstoretype PKCS12 -destkeystore ./subsonic.keystore -deststoretype JKS

This will prompt you for passwords as you proceed, first for the destination keystore and then for the source PKCS12 bundle.
IMPORTANT: YOUR KEYSTORE PASSWORD MUST MATCH YOUR PRIVATE KEY PASSWORD!
--> For what it is worth, I can't think of a good reason for this, since you had to provide the private key password during the conversion. Despite that, the only way I could make this work was by having the passwords match. Without that step, Subsonic would crash on startup with a stack trace related to key decryption.

3) Make a backup copy of /usr/bin/subsonic

4) Add the following lines to /usr/bin/subsonic. The first line is a path to the keystore; the second is the keystore password:
Code:
  -Dsubsonic.ssl.keystore=/etc/ssl/certs/subsonic.keystore \
  -Dsubsonic.ssl.password=password \

--> These need to go below the "${JAVA} -Xmx${SUBSONIC_MAX_MEMORY}m \" line and before the "-jar subsonic-booter-jar-with-dependencies.jar > ${LOG} 2>&1 &" line in this file. The backslashes are critical, so don't leave them out.

5) Restart Subsonic
Code:
/etc/init.d/subsonic restart


6) Give it a minute and go log in. If you're lucky, you'll have a nicely-validated and signed site.

I hope this helps somebody hacking their way through this!
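The chain -> PKCS12 -> JKS procedure from the post above, written out as an added script that is not part of the original post. It assumes the PEM files are named server.crt, server.key, intermediate.pem and root.pem in the working directory; the keystore name, the single-password requirement and the HTTPS port 500 come from the post. It adds two checks the post does not show: a sanity check on the chain inputs before bundling, and a keytool listing that confirms the private key entry carries the full chain.

```shell
#!/bin/sh
# Added example, not code from the forum post. File names are assumptions.
set -eu

# Count PEM certificate blocks in a file (used to sanity-check chain inputs).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Build the -certfile bundle from the CA certificates (intermediate, then root;
# the leaf is passed separately via -in). Refuses any input that is missing or
# holds more than one certificate, which usually means a file was mixed up.
build_chain_file() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        [ "$(pem_cert_count "$f")" = 1 ] || { echo "expected exactly one certificate in $f" >&2; return 1; }
        cat "$f" >> "$out"
    done
    pem_cert_count "$out"
}

# Bundle leaf + private key + chain into PKCS12, then convert to JKS.
# The key password is set explicitly to the store password: the booter only
# receives one password (-Dsubsonic.ssl.password) and uses it for both.
make_keystore() {
    pass=$1
    openssl pkcs12 -export -in server.crt -inkey server.key -certfile chain.crt \
        -name subsonic -passout "pass:$pass" -out subsonic.p12
    keytool -importkeystore -srckeystore subsonic.p12 -srcstoretype PKCS12 \
        -srcstorepass "$pass" -srcalias subsonic -destalias subsonic \
        -destkeystore subsonic.keystore -deststoretype JKS \
        -deststorepass "$pass" -destkeypass "$pass"
}

# Confirm the keystore holds a PrivateKeyEntry with a 3-long chain (leaf,
# intermediate, root); a trustedCertEntry-only store is the first post's bug.
verify_keystore() {
    keytool -list -v -keystore subsonic.keystore -storepass "$1" \
        | grep -E 'Entry type|Certificate chain length'
}

# After restart, count the certificates the server actually presents on the
# HTTPS port (500 in the post); browsers need the intermediate to be served.
verify_served_chain() {
    openssl s_client -connect "localhost:${1:-500}" -showcerts </dev/null 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----'
}
```

Run `build_chain_file chain.crt intermediate.pem root.pem`, then `make_keystore "$PASS"` and `verify_keystore "$PASS"` before copying the keystore to /etc/ssl/certs and editing /usr/bin/subsonic as in step 4.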

