Steps to enable SSL with auth certificate on Ubuntu 10.04

Postby thedudeman » Tue Aug 09, 2011 6:58 pm

Hello,

I have installed Subsonic on my Ubuntu 10.04 server. It is awesome, thank you so much for this product! I apologize in advance if this information is on the forum; I did some searches but did not find explicit steps.

I want to set up SSL with a security certificate for authentication. I see the following on the website:

"On Linux, add --https-port=4443 (or any other port) to SUBSONIC_ARGS in /etc/default/subsonic (Ubuntu/Debian) or /etc/sysconfig/subsonic (Fedora/RPM).

Note that Subsonic uses a self-signed https certificate by default. This provides encryption but not proper authentication. To use your own certificate you must put it in a Java keystore, then specify the following Java system properties: subsonic.ssl.keystore – (Path to an alternate SSL keystore), and subsonic.ssl.password – (Password of the alternate SSL keystore)"

What are the steps to create the java keystore certificate?

Thank you for your time and assistance everyone!
thedudeman
 
Posts: 2
Joined: Tue Aug 09, 2011 6:50 pm

Postby mikes » Fri Aug 12, 2011 9:49 pm

mikes
 
Posts: 64
Joined: Fri Aug 12, 2011 9:29 pm

Re: Steps to enable SSL with auth certificate on Ubuntu 10.0

Postby thedudeman » Thu Aug 18, 2011 9:10 pm

Thanks mikes, unfortunately I need instructions for how to do this with an Ubuntu Subsonic installation.
thedudeman
 
Posts: 2
Joined: Tue Aug 09, 2011 6:50 pm

Re: Steps to enable SSL with auth certificate on Ubuntu 10.0

Postby wiobyrne » Sat Aug 20, 2011 3:30 pm

Hi all,

Agreed. I'm trying to figure out how to set up HTTPS and SSL on Subsonic running on my Ubuntu 11.04 box.

Any support appreciated for a newb. Thanks.
wiobyrne
 
Posts: 34
Joined: Sun Apr 24, 2011 3:15 pm

Re: Steps to enable SSL with auth certificate on Ubuntu 10.0

Postby cybertronian » Tue Aug 23, 2011 2:45 pm

Here are the steps for Ubuntu Natty (11.04). It should be the same on Lucid (10.04), but I don't have access to a Lucid box anymore so I can't be sure. These instructions assume you are using a new (self-signed) certificate rather than an existing certificate, and that you are using the stand-alone Ubuntu/Debian install of subsonic 4.5.

First, you've got to set up a Java keystore file with the SSL cert. Open up a terminal and run:

Code:
sudo keytool -genkey -alias subsonic -keyalg RSA \
-dname "CN=HOSTNAME,OU=subsonic,O=subsonic,L=CITY,S=STATE,C=COUNTRY" \
-validity 3560 -keystore /etc/ssl/certs/subsonic.keystore -storepass subsonic -keypass subsonic


You will need to at least change the HOSTNAME, CITY, STATE, and COUNTRY values. HOSTNAME should be the name of your subsonic server, and CITY, STATE, and COUNTRY should be the location of the server (this really doesn't matter all that much since this is a self-signed certificate anyway). Running the command will create the file /etc/ssl/certs/subsonic.keystore that will contain the new certificate. It's very important that you set the alias to be subsonic. The passwords are set to be "subsonic" above, which you can change if you desire, but be sure to remember what you use.

Next, we have to tell subsonic to use the new keystore file rather than its built-in one. This means setting the subsonic.ssl java properties. The best way I found to do this is to edit the script that starts subsonic. I'm open to suggestions for better ways. In the meantime, you need to edit the /usr/bin/subsonic file (it's a plain text script). In the file, go to line 113 near the bottom to find a bunch of lines that start with "-D subsonic". These set properties when subsonic starts. Add these two lines:

Code:
-Dsubsonic.ssl.keystore=/etc/ssl/certs/subsonic.keystore \
-Dsubsonic.ssl.password=subsonic \


I added them after the "-D subsonic.httpsPort=..." line (line 118). Note that the backslashes at the end of each line are important. The above assumes you left the keystore password as "subsonic". Change to the password you set if you used something else.

Finally, you need to edit /etc/default/subsonic. In the SUBSONIC_ARGS line, add the --https-port=PORT option. You can also disable non-SSL usage with --port=0. For example, if you want to run on SSL port 5000 with non-SSL traffic disabled, you might have a line like this:

Code:
SUBSONIC_ARGS="--port=0 --https-port=5000 --max-memory=100"


Then, restart the subsonic service:

Code:
sudo service subsonic restart
cybertronian
 
Posts: 3
Joined: Mon Jan 04, 2010 3:21 pm
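
A check for the two file edits described in the post above, as an added example that is not part of the original post: it confirms both -Dsubsonic.ssl.* lines are present and still end in a backslash, and reads the ports out of SUBSONIC_ARGS. The function name and the sample files are constructed for illustration; treating --https-port=0 as disabled is an assumption, by analogy with --port=0.

```shell
# Added example: check_subsonic_ssl START_SCRIPT DEFAULTS_FILE
# Prints one finding per line; returns 0 only when nothing is wrong.
check_subsonic_ssl() {
    script=$1; defaults=$2; rc=0
    for prop in subsonic.ssl.keystore subsonic.ssl.password; do
        line=$(grep -F -e "-D${prop}=" "$script" | head -n 1)
        case $line in
            '')  echo "MISSING -D${prop}"; rc=1 ;;
            *\\) ;;   # ends in a backslash, so the java command line continues
            *)   echo "NO-BACKSLASH after -D${prop}"; rc=1 ;;
        esac
    done
    # Use the last uncommented SUBSONIC_ARGS="..." line, as the shell would.
    args=$(sed -n 's/^SUBSONIC_ARGS="\(.*\)"[[:space:]]*$/\1/p' "$defaults" | tail -n 1)
    https=; http=
    for a in $args; do
        case $a in
            --https-port=*) https=${a#--https-port=} ;;
            --port=*)       http=${a#--port=} ;;
        esac
    done
    case $https in
        ''|0|*[!0-9]*) echo "HTTPS-OFF"; rc=1 ;;   # assumption: 0 means disabled
        *)             echo "HTTPS-PORT $https" ;;
    esac
    if [ "$http" = 0 ]; then echo "HTTP-OFF"; else echo "HTTP-ON"; fi
    return $rc
}

# Constructed stand-ins for /usr/bin/subsonic and /etc/default/subsonic.
# The password line has lost its trailing backslash on purpose.
tmp=$(mktemp -d)
cat > "$tmp/subsonic" <<'EOF'
  -Dsubsonic.httpsPort=5000 \
  -Dsubsonic.ssl.keystore=/etc/ssl/certs/subsonic.keystore \
  -Dsubsonic.ssl.password=subsonic
EOF
echo 'SUBSONIC_ARGS="--port=0 --https-port=5000 --max-memory=100"' > "$tmp/default"
check_subsonic_ssl "$tmp/subsonic" "$tmp/default" || echo "setup needs attention"
rm -rf "$tmp"
```

On a real install, pass /usr/bin/subsonic and /etc/default/subsonic as the two arguments.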

Re: Steps to enable SSL with auth certificate on Ubuntu 10.0

Postby pkx » Sun Oct 16, 2011 3:53 am

Hi Cybertronian,

Thank you for your post. Perhaps you can help me troubleshoot my own setup.

I just paid for a real SSL cert. I downloaded it from godaddy, then ran:

sudo keytool -keystore /etc/ssl/certs/subsonic.keystore -storepass subsonic -import -alias subsonic -file (the .crt file I downloaded from godaddy) -trustcacerts


After doing that, I added the two lines to /usr/bin/subsonic.

When I restart subsonic, it seems to restart successfully... but it doesn't respond on the SSL port (I had already set it up to run on port 8443, which works fine but I wanted a 'real' cert).
Any ideas? I can't find anything in the logs...(maybe there is some java/jetty log I'm not seeing?).

Thanks!
pkx
 
Posts: 7
Joined: Sat Jan 01, 2011 9:09 pm
Location: United States

Re: Steps to enable SSL with auth certificate on Ubuntu 10.0

Postby Pcace » Wed Dec 28, 2011 1:24 pm

Hey, did you solve your problem?


Pcace
Pcace
 
Posts: 117
Joined: Tue Nov 29, 2011 2:44 pm

Re: Steps to enable SSL with auth certificate on Ubuntu 10.0

Postby josifbg » Thu Feb 09, 2012 9:07 am

Hi guys,

Are there any step-by-step instructions for CentOS 6?

I really want to secure my server, but reading all the information on this subject does not help me at all.

I tried to find some documentation on the subsonic website without success.

Anyone?
josifbg
 
Posts: 5
Joined: Tue Jan 04, 2011 10:28 am

Re: Steps to enable SSL with auth certificate on Ubuntu 10.0

Postby GH0 » Sun Feb 26, 2012 12:50 am

I attempted to follow your instructions but am running into this issue:
viewtopic.php?f=2&t=9069

Any help?
GH0
 
Posts: 45
Joined: Sun Dec 18, 2011 6:44 pm

Re: Steps to enable SSL with auth certificate on Ubuntu 10.0

Postby p4xel » Sat Jun 07, 2014 11:48 pm

I found this topic while trying to implement my SSL certificate (purchased from comodo), and after some more research I found this solution (for Ubuntu 14.04, but should work for most other Linux releases).

To generate a .keystore certificate you need your .key, .crt and ca.crt files (ca.crt is the intermediate CA certificate, in my case COMODORSAAddTrustCA.crt).
You could also generate your own self-signed certificate (openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt)

Convert the x509 cert and key to a pkcs12 file (remember to set some_password); as [some-alias] I used subsonic:
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name [some-alias] -CAfile ca.crt -caname root

Convert the pkcs12 file to a java keystore
keytool -importkeystore -deststorepass [new_password] -destkeypass [new_password] -destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass [some_password] -alias [some-alias]

Edit the /usr/bin/subsonic file and add the following lines (I added them after -Dsubsonic.httpsPort):
-Dsubsonic.ssl.keystore=/opt/apps/subsonic/server.keystore \
-Dsubsonic.ssl.password=[new_password] \

enable ssl connection in /etc/default/subsonic
SUBSONIC_ARGS="--port=9090 --https-port=9091 --max-memory=512"

From now on, connect to Subsonic using https://yourdomain.com:9091 where yourdomain.com is the domain used to generate your SSL certificate/key.
Your Subsonic alias will also redirect you to the SSL site, but the domain name will not match the key, so the example above is the preferred method.

Here is the result: Image
p4xel
 
Posts: 3
Joined: Sat Jun 07, 2014 11:24 pm
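
Added example, not from any post in this thread: a check on `keytool -list -v` output that tells a certificate-only entry (what importing a lone .crt under a new alias creates) from a PrivateKeyEntry (what -genkey, or -importkeystore from a PKCS12 file, creates), and reports the chain length and whether the server certificate is self-signed. The function names and sample listings are constructed, and the parser assumes keytool's English output labels.

```shell
# Added example. Input: `keytool -list -v` text on stdin.
# Prints "<entry type> chain=<n> self-signed=<yes|no>" for ALIAS, or "absent".
keystore_summary() {
    awk -v want="$1" '
        /^Alias name: /  { hit = (tolower(substr($0, 13)) == tolower(want)) }
        !hit             { next }
        /^Entry type: /  { type = substr($0, 13) }
        /^Certificate chain length: / { n = $NF }
        /^Owner: /  && owner == ""  { owner = substr($0, 8) }   # first cert = server cert
        /^Issuer: / && issuer == "" { issuer = substr($0, 9) }
        END {
            if (type == "") { print "absent"; exit }
            printf "%s chain=%s self-signed=%s\n", type, (n == "" ? 0 : n), (owner == issuer ? "yes" : "no")
        }'
}

# An HTTPS listener needs the private key, so only PrivateKeyEntry passes.
tls_ready() {
    s=$(keystore_summary "$1")
    case $s in
        PrivateKeyEntry*) echo "usable: $s" ;;
        absent)           echo "unusable: no entry named $1"; return 1 ;;
        *)                echo "unusable: $s"; return 1 ;;
    esac
}

# Constructed keytool listings (host and CA names are made up).
sample_cert_only() { cat <<'EOF'
Alias name: subsonic
Entry type: trustedCertEntry
Owner: CN=music.example.com
Issuer: CN=Example Issuing CA
EOF
}
sample_key_pair() { cat <<'EOF'
Alias name: subsonic
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=music.example.com
Issuer: CN=Example Issuing CA
Certificate[2]:
Owner: CN=Example Issuing CA
Issuer: CN=Example Root CA
EOF
}
sample_cert_only | tls_ready subsonic || true
sample_key_pair  | tls_ready subsonic
```

Against a real keystore, pipe `keytool -list -v -keystore <path>` into `tls_ready subsonic`; a self-signed result means browsers will still warn even though the listener works.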

