Creating a SSL Certificate (non self signed)


Postby dr3van » Wed Feb 22, 2012 8:54 pm

Hello, I have been using subsonic for a while now using SSL. I was trying to figure out how to make a valid SSL certificate. I tried searching around the boards a bit and found a lot of posts about this topic, but could not find a tutorial anywhere. I am a bit noobish in this area and a nicely written step by step tutorial would be great. I have tried fumbling around trying to get this done, but having no luck...

I am running my subsonic server off a Windows 7 64-bit PC.

Thanks in advance for any help in this!
Subsonic Server: https://dr3van.com

build
Ubuntu Server 12.10 64 bit LAMP
Subsonic 4.7 custom
dr3van
 
Posts: 48
Joined: Wed Feb 22, 2012 8:43 pm

Re: Creating a SSL Certificate (non self signed)

Postby BKKKPewsey » Wed Feb 22, 2012 10:50 pm

Unless you are a Trusted Certificate Authority (CA) you can only create a self-signed cert.
Unless the question was meant to be "how do I install a certificate (purchased from a CA) into SS"?
:mrgreen:
Everyone is entitled to be stupid, but some abuse the privilege!

Due to the confusion from too many genres of music, we have decided to put both country music and rap music into the genre of Crap music.
BKKKPewsey
 
Posts: 2080
Joined: Mon May 23, 2011 12:16 pm
Location: United Kingdom

Re: Creating a SSL Certificate (non self signed)

Postby dr3van » Thu Feb 23, 2012 3:31 pm

BKKKPewsey wrote: Unless the question was meant to be "how do I install a certificate (purchased from a CA) into SS"?
:mrgreen:


More or less that is what I was trying to accomplish. I have already followed another guide and generated and replaced my subsonic.keystore file, but it is still self signed and I still get the nag screen. I have a hosting package through 1&1 for a personal website I have built and I have purchased an alternate domain with that package and use the 2nd domain to point to my subsonic. The package I have purchased through 1&1 I can create 1 certificate. I have no need for it on the other unrelated website and I was looking to put it to use on my subsonic. The only reason I would want to do this is to eliminate the nag screen for self signed certificates really. I just want to make sure that I am going about doing this the correct way.
dr3van
 
Posts: 48
Joined: Wed Feb 22, 2012 8:43 pm

Re: Creating a SSL Certificate (non self signed)

Postby bushman4 » Thu Feb 23, 2012 6:10 pm

Unless you have a static IP address, good luck. Remember that an SSL certificate is tied to a particular site NAME, and if a name is not in use, to a particular IP ADDRESS.

Because of the redirection functionality that is provided by subsonic.org, your final SSL (HTTPS) connection is ALWAYS to https://your.ip.address:YourHTTPSPort/YourContextPath.

Unless the "your.ip.address" part of that never changes, whatever certificate you create will be invalid as soon as your externally facing IP address changes... you will get a different nag screen that says "certificate name does not match site name" or something similar.

Sorry,

Glenn
Glenn Sullivan
Subsonic 6.1.6 (Unraid Docker)
90 regular Subsonic Users

Library as of 2024-10-28:
4,527 artists
19,996 albums
282,151 songs
10201.40 GB
41,583 hours
bushman4
 
Posts: 875
Joined: Thu Dec 02, 2010 1:47 pm
Location: Massachusetts, USA

Re: Creating a SSL Certificate (non self signed)

Postby BKKKPewsey » Thu Feb 23, 2012 6:13 pm

Ok this is WAY above my pay grade, but would it not be possible to install via c-panel the certificate into the domain that is re-directing to SS?
BKKKPewsey
 
Posts: 2080
Joined: Mon May 23, 2011 12:16 pm
Location: United Kingdom

Re: Creating a SSL Certificate (non self signed)

Postby bushman4 » Thu Feb 23, 2012 6:26 pm

The problem is that by the time subsonic gets around to using SSL it is no longer using the name at all...

Recall that the redirect works like this:

  • Your computer tries to contact http://MyCustomDomain.subsonic.org. It does so by looking up the ip address using the DNS system (which is always 66.49.215.227) and then contacting that IP address using the host header of "MyCustomDomain.subsonic.org"
  • The subsonic.org web server receives that connection and looks up the host header provided in its database to find out your real current ip address, your real HTTP port, and your real context path.
  • The server then sends back a message to the browser that says "The page that you are trying to retrieve is temporarily unavailable. Why don't you try this address: http://your.real.ip.address:yourHTTPPort/YourContextPath ?"
  • Your browser receives this message and attempts to contact that ip address port and context path but passes no host header information. This is your real live server at home.
  • Your server receives this connection and says "hey, I'm set up for HTTPS." It then sends another message similar to the first one... "The page that you are trying to retrieve is temporarily unavailable. Why don't you try this address: https://your.real.ip.address:yourHTTPSPort/YourContextPath ?"
  • Your browser tries to contact that ip address and port and context path (again with no host header information), but this time it uses SSL encrypted communication. In order to do that, it asks your server for its certificate and checks the certificate's name against the address that it is trying to connect to. If they don't match, a security warning ensues.

So I can't see any way to make it work unless the certificate has been generated for that specific IP address, and that IP address never changes.

I'd love to be proven wrong, but I'm not going to spend the money to do so...

Cheerio,

Glenn
bushman4
 
Posts: 875
Joined: Thu Dec 02, 2010 1:47 pm
Location: Massachusetts, USA
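
The name check at the end of the redirect chain described in the post above, as an added example (not part of the original thread and not Subsonic's code). It is a simplified model of how a client compares the host in the final URL with the certificate's subjectAltName entries; the redirect table, the 203.0.113.x addresses, the ports and both certificate dictionaries are constructed, and the dictionaries follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed redirect chain in the shape the post describes:
# name on subsonic.org -> home IP over HTTP -> home IP over HTTPS.
REDIRECTS = {
    "http://mycustomdomain.subsonic.org/": "http://203.0.113.10:4040/music",
    "http://203.0.113.10:4040/music": "https://203.0.113.10:4443/music",
}

# Constructed certificates: one issued for a DNS name, one for an IP address.
NAME_CERT = {"subjectAltName": (("DNS", "music.example.net"),)}
IP_CERT = {"subjectAltName": (("IP Address", "203.0.113.10"),)}


def final_url(start, redirects, limit=5):
    """Follow the redirect table and return the URL the client ends up at."""
    url = start
    for _ in range(limit):
        if url not in redirects:
            return url
        url = redirects[url]
    raise RuntimeError("too many redirects")


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _dns_match(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        # A wildcard covers exactly one left-most label.
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def cert_matches(cert, url):
    """True if the host in `url` is covered by the certificate's SAN entries."""
    host = urlsplit(url).hostname
    sans = cert.get("subjectAltName", ())
    if _is_ip(host):
        # An IP literal in the URL only matches "IP Address" entries, never DNS names.
        want = ipaddress.ip_address(host)
        return any(k == "IP Address" and ipaddress.ip_address(v) == want for k, v in sans)
    return any(k == "DNS" and _dns_match(v, host) for k, v in sans)
```

With the chain above, the client finishes at an IP literal, so the certificate issued for a name fails the check, and the certificate issued for the IP stops matching as soon as the address changes.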

