Custom SSL cert on Linux


Postby apastuszak » Wed Jul 06, 2016 2:03 pm

Is there a step by step on how to set up a custom SSL cert for Subsonic 6 standalone when running on Linux (ubuntu)?
apastuszak
 
Posts: 78
Joined: Tue Oct 29, 2013 4:00 am

Re: Custom SSL cert on Linux

Postby apastuszak » Mon Jul 11, 2016 3:27 am

Day 3 now of trying to get this to work. Every single website seems to have different instructions on how to get this to work. Is there any kind of guide on how to get a custom cert working with Subsonic 6 on Linux? The big issue seems to be the intermediate cert.

I managed to get my cert and the intermediate cert imported into the keystore. But no matter what the heck I try and do, my phone keeps throwing a cert error on the intermediate cert. The cert is in the keystore and the keystore is in the booter jar. I fail to understand what the hell the issue is.

Has anyone gotten this working on Linux? I cannot be the only one trying to do this.
apastuszak
 
Posts: 78
Joined: Tue Oct 29, 2013 4:00 am

Re: Custom SSL cert on Linux

Postby lupinehorror » Mon Jul 11, 2016 7:10 am

i've been struggling with this too. no matter what i do i can't get it to work! using raspbian.
lupinehorror
 
Posts: 9
Joined: Sun Jun 10, 2012 7:26 am

Re: Custom SSL cert on Linux

Postby apastuszak » Mon Jul 11, 2016 5:13 pm

I just got it working. I'll write something up tonight and post it. I need to document it for next year when my cert expires, so this is a good exercise.
apastuszak
 
Posts: 78
Joined: Tue Oct 29, 2013 4:00 am

Re: Custom SSL cert on Linux

Postby apastuszak » Mon Jul 11, 2016 6:11 pm

Ok, here's a try at explaining what I did:

I already had obtained an SSL/TLS certificate from SSLs.com for my Apache server. I wanted to reuse that cert on my Subsonic 6 installation. After 4 days of wrestling here is what I did to get it to work on Ubuntu 16.04.

Here is what you will need:

Your certificate (domain_name.crt)
Your key file (domain_name.key)
The intermediate cert (RapidSSL in my case. File ended in a .crt extension)
The root certificate (GeoTRUST in my case. Also ended in a .crt extension)

Software:

OpenSSL (should come with your distro)
Keytool (Comes with Java)
Keystore Explorer - http://www.keystore-explorer.org/

Step one: Convert your cert and key to a pkcs12 keystore using openssl

Ok, to convert to pkcs12, do the following from the linux command line:

openssl pkcs12 -export -out certificate.pfx -inkey domain_name.key -in domain_name.crt

enter 'subsonic' as the password

certificate.pfx is now your pkcs12 keystore that contains your cert and private key

Step two: Create the keystore using SSL Explorer

1. Launch Keystore Explorer
2. Choose Create New Keystore
3. Keystore Type is JKS
4. Go under Tools and Choose Import Keypair
5. Choose PKCS #12 and hit OK.
6. Browse to the pfx file you generated and select it. Enter the password 'subsonic'
7. Use the alias 'subsonic' when prompted and click on OK.
8. For the new keypair entry password use subsonic.
9. Click OK
10. Right click on your cert and choose Edit Certificate Chain -> Append Certificate
11. Browse to your intermediate cert and click OK
12. Choose Edit Certificate Chain -> Append Certificate again.
13. Browse to your root certificate and click OK.
14. Go under tools and choose Import Trusted Certificate
15. Import the intermediate cert
16. Leave the alias at the default
17. Go under Tools and choose Import Trusted Certificate
18. Import the root certificate
19. Click on the save icon in the toolbar
20. Use the password 'subsonic'
21. Name the file subsonic.keystore

Step three: Add the keystore to subsonic

Stop the subsonic service if it's running. On Ubuntu use 'sudo service subsonic stop'

You will need to add the keystore to the file subsonic-booter-jar-with-dependencies.jar

On Ubuntu 16.04 the command is:

sudo zip /usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar subsonic.keystore

Step four: Enable SSL/TLS in Subsonic.

This is somewhat distro specific. On Ubuntu 16.04, you go to /etc/default/subsonic and add the argument --https-port=port, where port is the port number you want to use.

Save the file

Start subsonic back up. On Ubuntu 16.04, sudo service subsonic start

Wait 10 seconds and try and browse to https://domain_name:port.
apastuszak
 
Posts: 78
Joined: Tue Oct 29, 2013 4:00 am
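
Added example, not part of apastuszak's post: a command-line form of steps one and two that puts the intermediate and root into the PKCS #12 file with `-certfile`, then counts the stored certificates to show the difference from the leaf-only file that step one produces. The `chain.pem` bundle name, the helper function names and the throwaway test certificates are assumptions constructed for this example; `to_jks` needs keytool and is not run by the demo.

```shell
#!/bin/sh
# Alias and password are both 'subsonic', as in the post.

# Step one with the chain included. $1 leaf cert, $2 private key, $3 output file,
# $4 optional PEM bundle (intermediate first, then root); omit it for a leaf-only file.
build_p12() {
  openssl pkcs12 -export -name subsonic -inkey "$2" -in "$1" -out "$3" \
    -passout pass:subsonic ${4:+-certfile "$4"}
}

# Number of certificates inside a PKCS #12 file: 1 means the chain is missing.
count_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin pass:subsonic 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# Step two without the GUI (requires keytool): writes the JKS file used in step three.
to_jks() {
  keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass subsonic \
    -destkeystore "$2" -deststoretype JKS -deststorepass subsonic
}

# Constructed sample input: throwaway root -> intermediate -> domain_name certs in dir $1.
make_constructed_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for n in root intermediate domain_name; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
    -days 2 -out "$d/root.crt" 2>/dev/null
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/intermediate.crt" 2>/dev/null
  openssl x509 -req -in "$d/domain_name.csr" -CA "$d/intermediate.crt" \
    -CAkey "$d/intermediate.key" -CAcreateserial -days 2 -out "$d/domain_name.crt" 2>/dev/null
  cat "$d/intermediate.crt" "$d/root.crt" > "$d/chain.pem"
}

# Build both variants from the constructed chain and print their certificate counts.
demo() {
  t=$(mktemp -d) && make_constructed_chain "$t"
  build_p12 "$t/domain_name.crt" "$t/domain_name.key" "$t/leaf_only.pfx"
  build_p12 "$t/domain_name.crt" "$t/domain_name.key" "$t/certificate.pfx" "$t/chain.pem"
  echo "$(count_certs "$t/leaf_only.pfx") $(count_certs "$t/certificate.pfx")"
  rm -rf "$t"
}
demo
```

After `to_jks certificate.pfx subsonic.keystore`, running `keytool -list -v -keystore subsonic.keystore -storepass subsonic` should report `Certificate chain length: 3` for the subsonic entry.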

Re: Custom SSL cert on Linux

Postby leoninelion » Wed Jul 13, 2016 4:19 am

Alternative approach:
Use nginx as a reverse proxy and SSL offload. You can even do this on the same machine, if need be, by just linking nginx to Subsonic via 127.0.0.1:4040 with no SSL (look at SUBSONIC_HOST in subsonic.sh to bind only to localhost)

There's a number of easy tutorials for how to reverse-proxy with nginx and Subsonic requires nothing weird.

I do this with nginx in a DMZ and Subsonic itself back in the internal network. Works perfect.
leoninelion
 
Posts: 2
Joined: Thu May 26, 2016 3:32 am

