Installing a proper SSL certificate chain

Tutorials, tips and tricks.

Moderator: moderators

Installing a proper SSL certificate chain

Postby spookybathtub » Wed Apr 25, 2012 11:53 pm

Has anyone been able to successfully install a fully signed SSL certificate chain in Subsonic? I'm running version 4.6 on Mac OS X 10.7.3. I bought an SSL certificate from InCommon, but I can't get it to work completely. It seems like the server cert is working, but it's ignoring the intermediate and root certificates.

I created a keystore with 3 aliases: subsonic, rootCA, and intermediateCA, with the keystore password 'subsonic'. I named it subsonic.keystore and added it to subsonic-booter-jar-with-dependencies.jar. Restarted Subsonic, and my certificate shows up in a web browser. But it says "certificate was signed by an unknown authority". I double-checked using the command-line openssl and get the following errors:
http://pastebin.com/uptxPYHh
spookybathtub
 
Posts: 108
Joined: Thu Oct 07, 2010 7:13 am

Re: Installing a proper SSL certificate chain

Postby spookybathtub » Thu Apr 26, 2012 6:58 am

I'm happy to be able to answer my own question now. Reading the documentation for jetty, I learned that it's very particular about keystores. All your certificates have to be contained in the same alias. And contrary to popular belief, I learned that the alias doesn't need to be named 'subsonic'. The default name for an alias in a keystore made by keytool is '1', and that worked just fine for me. In case this helps anyone else, I'll write down exactly what I did here:

Concatenate my certificate, the intermediate cert, and root cert, because they were provided to me as separate files by the certificate authority. The 3 certificates must go in this order.
Code: Select all
cat myserver.srt intermediate.crt root.crt > cert-chain.txt

Pack all the certificates and my private key into a pkcs12 file
Code: Select all
openssl pkcs12 -export -inkey myserver.key -in cert-chain.txt -out cert-chain.pkcs12

Pack that file into a java keystore
Code: Select all
keytool -importkeystore -srckeystore cert-chain.pkcs12 -srcstoretype PKCS12 -destkeystore subsonic.keystore

Add that keystore to subsonic, replacing the default self-signed keystore. The location will depend on your operating system, but on mac it's inside of a JAR file at /Applications/Subsonic/Contents/Resources/Java/
Code: Select all
jar uf subsonic-booter-jar-with-dependencies.jar subsonic.keystore

Relaunch Subsonic, and say goodbye to certificate errors!
More information can be found here: http://docs.codehaus.org/display/JETTY/ ... figure+SSL
Last edited by spookybathtub on Fri Apr 27, 2012 12:41 am, edited 1 time in total.
spookybathtub
 
Posts: 108
Joined: Thu Oct 07, 2010 7:13 am

Re: Installing a proper SSL certificate chain

Postby BKKKPewsey » Thu Apr 26, 2012 11:48 am

Yep the power of Google helps again - what would we do without it :D
I found the same solution but you beat me to it.
Thanks for sharing - I am moving this thread to the tutorials sub-forum where hopefully it will be found by other users.

:mrgreen:
Everyone is entitled to be stupid, Image but some abuse the privilege!

Due to the confusion from too many genres of music, we have decided to put both country music and rap music into the genre of Crap music.
User avatar
BKKKPewsey
 
Posts: 2080
Joined: Mon May 23, 2011 12:16 pm
Location: United Kingdom

Re: Installing a proper SSL certificate chain

Postby karmaking » Wed May 09, 2012 2:06 pm

Thanks for posting, got me a few steps further.

However, SS becomes unaccessible when using the custom keystore, I get

HTTP ERROR: 404
NOT_FOUND
RequestURI=/
Powered by jetty://


No obvious errors in the logs. After switching back to the stock subsonic crt, everything works fine.

Any ideas?

Cheers, Daniel
karmaking
 
Posts: 5
Joined: Wed May 09, 2012 2:01 pm

Re: Installing a proper SSL certificate chain

Postby karmaking » Thu May 10, 2012 3:23 pm

Ok this was probably due to the certificate not matching the domain name. Created a new certificate particularly for this hostname - and it works now. Great.
karmaking
 
Posts: 5
Joined: Wed May 09, 2012 2:01 pm

Re: Installing a proper SSL certificate chain

Postby fflooos » Thu Jul 18, 2013 1:32 pm

Re: Installing a proper SSL certificate chain

Post by spookybathtub » Thu Apr 26, 2012 6:58 am
I'm happy to be able to answer my own question now. Reading the documentation for jetty, I learned that it's very particular about keystores. All your certificates have to be contained in the same alias. And contrary to popular belief, I learned that the alias doesn't need to be named 'subsonic'. The default name for an alias in a keystore made by keytool is '1', and that worked just fine for me. In case this helps anyone else, I'll write down exactly what I did here:

Concatenate my certificate, the intermediate cert, and root cert, because they were provided to me as separate files by the certificate authority. The 3 certificates must go in this order.
Code: Select all
cat myserver.srt intermediate.crt root.crt > cert-chain.txt



Pack all the certificates and my private key into a pkcs12 file
Code: Select all
openssl pkcs12 -export -inkey myserver.key -in cert-chain.txt -out cert-chain.pkcs12



Pack that file into a java keystore
Code: Select all
keytool -importkeystore -srckeystore cert-chain.pkcs12 -srcstoretype PKCS12 -destkeystore subsonic.keystore



I just wanted to add some information to the instructions given by @spookybathtub in order to make it functional in Linux OS.

Generate PKCS12 file, in my case I had only a key file and a cert file given by my CA
Code: Select all
openssl pkcs12 -inkey mywebsite.key -in mywebsite.crt -export -out subsonic.pkcs12


Load key into keystore
Code: Select all
keytool -importkeystore -srckeystore subsonic.pkcs12 -srcstoretype PKCS12 -destkeystore /etc/ssl/certs/subsonic.keystore

I used "subsonic" as a password for the keystore

Tell subsonic to use the generated keystore I used the method given by cybertronian in the following post http://forum.subsonic.org/forum/viewtopic.php?t=7548)#p30654
Add the following lines into /usr/bin/subsonic file
Code: Select all
-Dsubsonic.ssl.keystore=/etc/ssl/certs/subsonic.keystore \
-Dsubsonic.ssl.password=subsonic \



Edit the /etc/default/subsonic
Add the following option "--https-port=<PORT>" non-SSL can be disable with the option "--port=0"
Code: Select all
SUBSONIC_ARGS="--port=0 --https-port=4443 --max-memory=100"
fflooos
 
Posts: 1
Joined: Thu Jul 18, 2013 12:46 pm

Re: Installing a proper SSL certificate chain

Postby Spektrum32 » Sun Oct 20, 2013 10:25 am

I'm pretty new to all of this, I got lost at the command:

openssl pkcs12 -export -inkey myserver.key -in cert-chain.txt -out cert-chain.pkcs12

Where would one find myserver.key?

I've been trying to get a cert in to Subsonic for months, it doesn't help that I apparently don't have the necessary knowledge for this. Even though this port is a few months old now, it would be great to get a little assistance as I'm about to just give up.

Thanks!
Spektrum32
 
Posts: 3
Joined: Sun Oct 20, 2013 10:20 am

Re: Installing a proper SSL certificate chain

Postby mwardm » Mon Feb 15, 2016 12:36 am

I just appear to have successfully accomplished this on a Raspberry Pi2 running dietpi.
In summary:
I did the letsencrypt stuff via dietpi's mechanism. I.e. Install it (and the LASP stack); port-forward 80 and 443 on my router to the Pi2; then use dietpi-letsencrypt to configure. I picked the cron-job option.

Then the commands to run are...
Code: Select all
cd /etc/letsencrypt/live/<your-domain-name-for-which-you-obtained-your-certificate>
openssl pkcs12 -export -out keystore.pkcs12 -in fullchain.pem -inkey privkey.pem   (asks for password - I used subsonic also)
keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore /etc/ssl/certs/subsonic.keystore
rm keystore.pkcs12


Some flavour of the above is going to be required every 90 days, I reckon :-(

Then I added these lines into /usr/bin/subsonic:
-Dsubsonic.ssl.keystore=/etc/ssl/certs/subsonic.keystore \
-Dsubsonic.ssl.password=subsonic \
and then I ensured that
--https-port=4443
was one of the args in /etc/default/subsonic.

Then I did a
shutdown -r now
(because I don't know how to stop and start just subsonic :-) )
I now get a green padlock in my address bar!

I'm not entirely convinced by the security of having the password in the file and everything running as root, but I can't sort my entire life out in one day...
Mike
mwardm
 
Posts: 1
Joined: Mon Feb 15, 2016 12:19 am

Re: Installing a proper SSL certificate chain

Postby IwishIcanFLighT » Mon Feb 15, 2016 1:23 pm

An ideal solution would be Subsonic to have native support with Let's Encrypt (or crt files if you prefer).
SSL certificates used to be hard to obtain and expensive, but Let's Encrypt can provide a free valid certificate in basically 30 seconds.

The current methods to add the certificate to subsonic feels weird and poorly documented.
I'd bet it discouraged more than one, which is bad because SSL will eventually become default in the future (Firefox for developers already started it).

I'd love to see that happening in upcoming releases. 8)
IwishIcanFLighT
 
Posts: 14
Joined: Fri May 10, 2013 8:26 am


Re: Installing a proper SSL certificate chain

Postby IwishIcanFLighT » Sat Apr 16, 2016 4:10 pm

I made a shell script to generate the keystore file faster. Working great with my Let's Encrypt setup.

Code: Select all
# Color output
red=`tput setaf 1`
green=`tput setaf 2`
reset=`tput sgr0`

# CHANGE THIS LINE, DON'T FORGET THE DASH AT THE END
certpath="/etc/letsencrypt/live/domain.org/"

echo "${green}Generate as PKCS12 key file${reset}"
echo "Enter a password 2 times:"
openssl pkcs12 -inkey "${certpath}privkey.pem" -in "${certpath}cert.pem" -export -out subsonic.pkcs12

echo "${green}subsonic.pkcs12 key generated.${reset}"
echo "\n${green}Loading the key to a keystore.${reset}"
echo "${green}Please re-type the same password 3 times:${reset}"

keytool -importkeystore -srckeystore subsonic.pkcs12 -srcstoretype PKCS12 -destkeystore subsonic_cert.keystore

echo "${red}Deleting the PKCS12 file not needed anymore${reset}"
rm subsonic.pkcs12

echo "\n${green}### subsonic_cert.keystore successfully generated! :) ### ${reset}\n"
echo "${green}You can now copy the keystore file into Subsonic's main folder.${reset}"

echo "\n${red}Make sure that subsonic.sh contains the following lines:${reset}\n"
echo ">--Dsubsonic.ssl.keystore=subsonic_cert.keystore \ "
echo ">--Dsubsonic.ssl.password=yourpassword \ "



Usage:
  • Generate the certificates with Let's Encrypt client
  • Launch the script
  • Copy the keystore file to Subsonic's main folder
  • Make sure subsonic.sh contains the required lines (path to keystore and its password)
  • Restart subsonic

Enjoy! :D
IwishIcanFLighT
 
Posts: 14
Joined: Fri May 10, 2013 8:26 am

Re: Installing a proper SSL certificate chain

Postby Lucatze » Tue Jul 12, 2016 12:50 am

Hey guys,

thanks @all for the effort. Finally, it is working. I used IwishIcanFLighT script and I'd like to add something:

In case you are running subsonic under another user than root, you need to change ownership of subsonic_cert.keystore.

Code: Select all
chown user:user /path/to/key/subsonic_cert.keystore
Lucatze
 
Posts: 5
Joined: Tue Jul 12, 2016 12:44 am

Re: Installing a proper SSL certificate chain

Postby lupinehorror » Tue Jul 12, 2016 8:26 am

tried the script and everything seemed to go fine.
copied the keystore and inserted the two lines into subsonic.sh
it still seems to be using the old certificate though...tried a few restarts. don't see any errors in the logs.
User avatar
lupinehorror
 
Posts: 9
Joined: Sun Jun 10, 2012 7:26 am

Re: Installing a proper SSL certificate chain

Postby Lucatze » Tue Jul 12, 2016 11:36 pm

lupinehorror wrote:tried the script and everything seemed to go fine.
copied the keystore and inserted the two lines into subsonic.sh
it still seems to be using the old certificate though...tried a few restarts. don't see any errors in the logs.


Did you create your certs using letsencrypt?

I had a simliar issue and as i mentioned above, changing the files ownership did the magic.

Be aware: When using Artist Info within the Browser, files like artist image and cover are not transferred securely. They are linked directly and not gathered by the server before transfer so in case you don't want anybody to know what you are doing, you might consider switching off Artist Info within settings.
Lucatze
 
Posts: 5
Joined: Tue Jul 12, 2016 12:44 am

Re: Installing a proper SSL certificate chain

Postby lupinehorror » Wed Jul 13, 2016 5:41 am

yup...letsencrypt. certbot cert only. everything seemed to go without a hitch.
i'm still running as root so no need to change ownership.
User avatar
lupinehorror
 
Posts: 9
Joined: Sun Jun 10, 2012 7:26 am

Next

Return to Tutorials

Who is online

Users browsing this forum: No registered users and 2 guests