
Custom SSL cert on Linux

Posted: Wed Jul 06, 2016 2:03 pm
by apastuszak
Is there a step by step on how to set up a custom SSL cert for Subsonic 6 standalone when running on Linux (ubuntu)?

Re: Custom SSL cert on Linux

Posted: Mon Jul 11, 2016 3:27 am
by apastuszak
Day 3 now of trying to get this to work. Every single website seems to have different instructions on how to get this to work. Is there any kind of guide on how to get a custom cert working with Subsonic 6 on Linux? The big issue seems to be the intermediate cert.

I managed to get my cert and the intermediate cert imported into the keystore. But no matter what the heck I try and do, my phone keeps throwing a cert error on the intermediate cert. The cert is in the keystore and the keystore is in the booter jar. I fail to understand what the hell the issue is.

Has anyone gotten this working on Linux? I cannot be the only one trying to do this.

Re: Custom SSL cert on Linux

Posted: Mon Jul 11, 2016 7:10 am
by lupinehorror
i've been struggling with this too. no matter what i do i can't get it to work! using raspbian.

Re: Custom SSL cert on Linux

Posted: Mon Jul 11, 2016 5:13 pm
by apastuszak
I just got it working. I'll write something up tonight and post it. I need to document it for next year when my cert expires, so this is a good exercise.

Re: Custom SSL cert on Linux

Posted: Mon Jul 11, 2016 6:11 pm
by apastuszak
Ok, here's a try at explaining what I did:

I already had obtained an SSL/TLS certificate from SSLs.com for my Apache server. I wanted to reuse that cert on my Subsonic 6 installation. After 4 days of wrestling, here is what I did to get it to work on Ubuntu 16.04.

Here is what you will need:

Your certificate (domain_name.crt)
Your key file (domain_name.key)
The intermediate cert (RapidSSL in my case. File ended in a .crt extension)
The root certificate (GeoTRUST in my case. Also ended in a .crt extension)

Software:

OpenSSL (should come with your distro)
Keytool (Comes with Java)
Keystore Explorer - http://www.keystore-explorer.org/

Step one: Convert your cert and key to a pkcs12 keystore using openssl

Ok, to convert to pkcs12, do the following from the linux command line:

openssl pkcs12 -export -out certificate.pfx -inkey domain_name.key -in domain_name.crt

enter 'subsonic' as the password

certificate.pfx is now your pkcs12 keystore that contains your cert and private key

Step two: Create the keystore using SSL Explorer

1. Launch Keystore Explorer
2. Choose Create New Keystore
3. Keystore Type is JKS
4. Go under Tools and Choose Import Keypair
5. Choose PKCS #12 and hit OK.
6. Browse to the pfx file you generated and select it. Enter the password 'subsonic'
7. Use the alias 'subsonic' when prompted and click on OK.
8. For the new keypair entry password use subsonic.
9. Click OK
10. Right click on your cert and choose Edit Certificate Chain -> Append Certificate
11. Browse to your intermediate cert and click OK
12. Choose Edit Certificate Chain -> Append Certificate again.
13. Browse to your root certificate and click OK.
14. Go under tools and choose Import Trusted Certificate
15. Import the intermediate cert
16. Leave the alias at the default
17. Go under Tools and choose Import Trusted Certificate
18. Import the root certificate
19. Click on the save icon in the toolbar
20. Use the password 'subsonic'
21. Name the file subsonic.keystore

Step three: Add the keystore to subsonic

Stop the subsonic service if it's running. On Ubuntu use 'sudo service subsonic stop'

You will need to add the keystore to the file subsonic-booter-jar-with-dependencies.jar

On Ubuntu 16.04 the command is:

sudo zip /usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar subsonic.keystore

Step four: Enable SSL/TLS in Subsonic.

This is somewhat distro specific. On Ubuntu 16.04, you go to /etc/default/subsonic and add the argument --https-port=port, where port is the port number you want to use.

Save the file

Start subsonic back up. On Ubuntu 16.04, sudo service subsonic start

Wait 10 seconds and try and browse to https://domain_name:port.
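
Added example, not part of the original post: a shell check showing that the PKCS#12 file from step one carries only the leaf certificate, while passing the intermediate and root through openssl's -certfile option bundles the whole chain. The throwaway three-level chain, the helper function names and leaf-only.pfx are constructed for the demonstration; the file names domain_name.* and certificate.pfx and the password 'subsonic' follow the post.

```shell
#!/bin/sh
# Constructed throwaway chain (root -> intermediate -> domain_name); no real certificates.

make_chain() {   # make_chain DIR: write keys and certs for a three-level test chain
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root inter domain_name; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 2 -out "$d/root.crt" 2>/dev/null &&
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/inter.crt" 2>/dev/null &&
    openssl x509 -req -in "$d/domain_name.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -out "$d/domain_name.crt" 2>/dev/null
}

chain_ok() {     # chain_ok DIR: succeeds if the leaf verifies via intermediate to root
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/inter.crt" \
        "$1/domain_name.crt" >/dev/null 2>&1
}

build_pfx() {    # build_pfx DIR: write leaf-only.pfx and certificate.pfx
    d=$1
    # Step one as posted: private key plus leaf certificate only.
    openssl pkcs12 -export -out "$d/leaf-only.pfx" -inkey "$d/domain_name.key" \
        -in "$d/domain_name.crt" -passout pass:subsonic || return 1
    # Same export with the intermediate and root added via -certfile.
    cat "$d/inter.crt" "$d/root.crt" > "$d/chain.pem"
    openssl pkcs12 -export -out "$d/certificate.pfx" -inkey "$d/domain_name.key" \
        -in "$d/domain_name.crt" -certfile "$d/chain.pem" \
        -name subsonic -passout pass:subsonic
}

count_certs() {  # count_certs FILE PASSWORD: print how many certificates FILE holds
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_chain "$work" && build_pfx "$work"
echo "leaf-only.pfx:   $(count_certs "$work/leaf-only.pfx" subsonic) certificate(s)"
echo "certificate.pfx: $(count_certs "$work/certificate.pfx" subsonic) certificate(s)"
```

Once the server is running, `openssl s_client -connect domain_name:port -showcerts` lists the certificates it actually presents, which shows whether the intermediate is being sent.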

Re: Custom SSL cert on Linux

Posted: Wed Jul 13, 2016 4:19 am
by leoninelion
Alternative approach:
Use nginx as a reverse proxy and SSL offload. You can even do this on the same machine, if need be, by just linking nginx to Subsonic via 127.0.0.1:4040 with no SSL (look at SUBSONIC_HOST in subsonic.sh to bind only to localhost)

There's a number of easy tutorials for how to reverse-proxy with nginx and Subsonic requires nothing weird.

I do this with nginx in a DMZ and Subsonic itself back in the internal network. Works perfect.