Subsonic Forum

[thedudeman]

Hello,

I have installed Subsonic on my Ubuntu 10.04 server. It is awesome, thank you so much for this product! I apologize in advance if this information is on the forum, I did some searches but did not find explicit steps.

I want to setup SSL with a security certificate for authentication. I see the following on the website:

"On Linux, add --https-port=4443 (or any other port) to SUBSONIC_ARGS in /etc/default/subsonic (Ubuntu/Debian) or /etc/sysconfig/subsonic (Fedora/RPM).

Note that Subsonic uses a self-signed https certificate by default. This provides encryption but not proper authentication. To use your own certificate you must put it in a Java keystore, then specify the following Java system properties: subsonic.ssl.keystore – (Path to an alternate SSL keystore), and subsonic.ssl.password – (Password of the alternate SSL keystore)"

What are the steps to create the java keystore certificate?

Thank you for your time and assistance everyone!

[mikes]

http://forum.subsonic.org/forum/viewtopic.php?t=5295

[thedudeman]

Thanks mikes, unfortunately I need instructions for how to do this with an Ubuntu Subsonic installation.

[wiobyrne]

Hi all,

Agreed. I'm trying to figure out how to set up HTTPS: and SSL on Subsonic running on my Ubuntu 11.04 box.

Any support appreciated for a newb. Thanks.

[cybertronian]

Here are the steps for Ubuntu Natty (11.04). It should be the same on Lucid (10.04), but I don't have access to a Lucid box anymore so I can't be sure. These instructions assume you are using a new (self-signed) certificate rather than an existing certificate, and that you are using the stand-alone Ubuntu/Debian install of subsonic 4.5.

First, you've got to setup a java keystore file with the SSL cert. Open up a terminal and run:

Code: Select all

sudo keytool -genkey -alias subsonic -keyalg RSA \
-dname "CN=HOSTNAME,OU=subsonic,O=subsonic,L=CITY,S=STATE,C=COUNTRY" \
-validity 3560 -keystore /etc/ssl/certs/subsonic.keystore -storepass subsonic -keypass subsonic


You will need to at least change the HOSTNAME, CITY, STATE, and COUNTRY values. HOSTNAME should be the name of your subsonic server, and CITY, STATE, and COUNTRY should be the location of the server (this really doesn't matter all that much since this is a self-signed certificate anyway). Running the command will create the file /etc/ssl/certs/subsonic.keystore that will contain the new certificate. It's very important that you set the alias to be subsonic. The passwords are set to be "subsonic" above, which you can change if you desire, but be sure to remember what you use.

Next, we have to tell subsonic to use the new keystore file rather than its built-in one. This means setting the subsonic.ssl java properties. The best way I found to do this is to edit the script that starts subsonic. I'm open to suggestions for better ways. In the mean time, you need to edit the /usr/bin/subsonic file (it's a plain text script). In the file, go to line 113 near the bottom to find a bunch of lines that start with "-D subsonic". These set properties when subsonic starts. Add these two lines:

Code: Select all

-Dsubsonic.ssl.keystore=/etc/ssl/certs/subsonic.keystore \
-Dsubsonic.ssl.password=subsonic \


I added them after the "-D subsonic.httpsPort=..." line (line 118). Note that the backslashes at the end of each line are important. The above assumes you left the keystore password as "subsonic". Change to the password you set if you used something else.

Finally, you need to edit /etc/default/subsonic. In the SUBSONIC_ARGS line, add the -https-port=PORT option. You can also disable non-SSL usage with --port=0. For example, if you want to run on SSL port 5000 with non-SSL traffic disabled, you might have a line like this:

Code: Select all

SUBSONIC_ARGS="--port=0 --https-port=5000 --max-memory=100"

Then, restart the subsonic service:

Code: Select all

sudo service subsonic restart

[pkx]

Hi Cybertronian,

Thank you for your post. Perhaps you can help me troubleshoot my own setup.

I just paid for a real SSL cert. I downloaded it from godaddy, then ran:

sudo keytool -keystore /etc/ssl/certs/subsonic.keystore -storepass subsonic -import -alias subsonic -file (the .crt file I downloaded from godaddy) -trustcacerts


After doing that, I added the two lines to /usr/bin/subsonic.

When I restart subsonic, it seems to restart successfully... but it doesn't respond on the SSL port (I had already set it up to run on port 8443, which works fine but I wanted a 'real' cert).
Any ideas? I can't find anything in the logs...(maybe there is some java/jetty log I'm not seeing?).

Thanks!

[Pcace]

Hey, did you solved your Problem?


Pcace

[josifbg]

HI Guys,

Is there some step by step instructions for a CentOS 6?

I really want to secure my server but reading all the information in this subject not helps me at all.

I tried to find some documentation on the subsonic website without success.

Anyone?

[GH0]

I attempted to follow your instructions but am running into this issue:
viewtopic.php?f=2&t=9069

Any help?

[p4xel]

I found this topic while trying to implement my SSL certificate (purchased from comodo), and after some more research I found this solution (for Ubuntu 14.04, but should work for most other Linux releases).

To generate a .keystore certificate you need your .key .crt and ca.crt files (ca.crt is Intermediate CA Certificate, in my case COMODORSAAddTrustCA.crt)
You could also generate your own self-signed certificate (openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt)

Convert x509 Cert and Key to a pkcs12 (remember to set some_password), as [some-alias] I used subsonic
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name [some-alias] -CAfile ca.crt -caname root

Convert the pkcs12 file to a java keystore
keytool -importkeystore -deststorepass [new_password] -destkeypass [new_password] -destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass [some_password] -alias [some-alias]

edit /ust/bin/subsonic file and add following lines (I added them after -Dsubsonic.httpsPort)
-Dsubsonic.ssl.keystore=/opt/apps/subsonic/server.keystore \
-Dsubsonic.ssl.password=[new_password] \

enable ssl connection in /etc/default/subsonic
SUBSONIC_ARGS="--port=9090 --https-port=9091 --max-memory=512"

From now on connect to SubSonic using https://yourdomain.com:9091 where yourdomain.com is the domain used to generate your SSL certificate/key.
Your Subsonic alias will also redirect you to SSL site, but domain name will not match the key, so the example above is preferred method.

Here is the result: