Subsonic Forum

by **spookybathtub** » Wed Apr 25, 2012 11:53 pm

Has anyone been able to successfully install a fully signed SSL certificate chain in Subsonic? I'm running version 4.6 on Mac OS X 10.7.3. I bought an SSL certificate from InCommon, but I can't get it to work completely. It seems like the server cert is working, but it's ignoring the intermediate and root certificates.

I created a keystore with 3 aliases: subsonic, rootCA, and intermediateCA, with the keystore password 'subsonic'. I named it subsonic.keystore and added it to subsonic-booter-jar-with-dependencies.jar. Restarted Subsonic, and my certificate shows up in a web browser. But it says "certificate was signed by an unknown authority". I double-checked using the command-line openssl and get the following errors:
http://pastebin.com/uptxPYHh

by **spookybathtub** » Thu Apr 26, 2012 6:58 am

I'm happy to be able to answer my own question now. Reading the documentation for jetty, I learned that it's very particular about keystores. All your certificates have to be contained in the same alias. And contrary to popular belief, I learned that the alias doesn't need to be named 'subsonic'. The default name for an alias in a keystore made by keytool is '1', and that worked just fine for me. In case this helps anyone else, I'll write down exactly what I did here:

Concatenate my certificate, the intermediate cert, and root cert, because they were provided to me as separate files by the certificate authority. The 3 certificates must go in this order.

Code: Select all: cat myserver.srt intermediate.crt root.crt > cert-chain.txt

Pack all the certificates and my private key into a pkcs12 file

Code: Select all: openssl pkcs12 -export -inkey myserver.key -in cert-chain.txt -out cert-chain.pkcs12

Pack that file into a java keystore

Code: Select all: keytool -importkeystore -srckeystore cert-chain.pkcs12 -srcstoretype PKCS12 -destkeystore subsonic.keystore

Add that keystore to subsonic, replacing the default self-signed keystore. The location will depend on your operating system, but on mac it's inside of a JAR file at /Applications/Subsonic/Contents/Resources/Java/

Code: Select all: jar uf subsonic-booter-jar-with-dependencies.jar subsonic.keystore

Relaunch Subsonic, and say goodbye to certificate errors!
More information can be found here: http://docs.codehaus.org/display/JETTY/ ... figure+SSL

by **BKKKPewsey** » Thu Apr 26, 2012 11:48 am

Yep the power of Google helps again - what would we do without it

I found the same solution but you beat me to it.
Thanks for sharing - I am moving this thread to the tutorials sub-forum where hopefully it will be found by other users.

:mrgreen:

by **karmaking** » Wed May 09, 2012 2:06 pm

Thanks for posting, got me a few steps further.

However, SS becomes unaccessible when using the custom keystore, I get

HTTP ERROR: 404
NOT_FOUND
RequestURI=/
Powered by jetty://

No obvious errors in the logs. After switching back to the stock subsonic crt, everything works fine.

Any ideas?

Cheers, Daniel

by **karmaking** » Thu May 10, 2012 3:23 pm

Ok this was probably due to the certificate not matching the domain name. Created a new certificate particularly for this hostname - and it works now. Great.

by **fflooos** » Thu Jul 18, 2013 1:32 pm

Re: Installing a proper SSL certificate chain

Post by spookybathtub » Thu Apr 26, 2012 6:58 am
I'm happy to be able to answer my own question now. Reading the documentation for jetty, I learned that it's very particular about keystores. All your certificates have to be contained in the same alias. And contrary to popular belief, I learned that the alias doesn't need to be named 'subsonic'. The default name for an alias in a keystore made by keytool is '1', and that worked just fine for me. In case this helps anyone else, I'll write down exactly what I did here:

Concatenate my certificate, the intermediate cert, and root cert, because they were provided to me as separate files by the certificate authority. The 3 certificates must go in this order.

Code: Select all
cat myserver.srt intermediate.crt root.crt > cert-chain.txt

Pack all the certificates and my private key into a pkcs12 file

Code: Select all
openssl pkcs12 -export -inkey myserver.key -in cert-chain.txt -out cert-chain.pkcs12

Pack that file into a java keystore

Code: Select all
keytool -importkeystore -srckeystore cert-chain.pkcs12 -srcstoretype PKCS12 -destkeystore subsonic.keystore

I just wanted to add some information to the instructions given by @spookybathtub in order to make it functional in Linux OS.

Generate PKCS12 file, in my case I had only a key file and a cert file given by my CA

Code: Select all: openssl pkcs12 -inkey mywebsite.key -in mywebsite.crt -export -out subsonic.pkcs12

Load key into keystore

Code: Select all: keytool -importkeystore -srckeystore subsonic.pkcs12 -srcstoretype PKCS12 -destkeystore /etc/ssl/certs/subsonic.keystore

I used "subsonic" as a password for the keystore

Tell subsonic to use the generated keystore I used the method given by cybertronian in the following post http://forum.subsonic.org/forum/viewtopic.php?t=7548)#p30654
Add the following lines into /usr/bin/subsonic file

Code: Select all: -Dsubsonic.ssl.keystore=/etc/ssl/certs/subsonic.keystore \ -Dsubsonic.ssl.password=subsonic \

Edit the /etc/default/subsonic
Add the following option "--https-port=<PORT>" non-SSL can be disable with the option "--port=0"

Code: Select all: SUBSONIC_ARGS="--port=0 --https-port=4443 --max-memory=100"

by **Spektrum32** » Sun Oct 20, 2013 10:25 am

I'm pretty new to all of this, I got lost at the command:

openssl pkcs12 -export -inkey myserver.key -in cert-chain.txt -out cert-chain.pkcs12

Where would one find myserver.key?

I've been trying to get a cert in to Subsonic for months, it doesn't help that I apparently don't have the necessary knowledge for this. Even though this port is a few months old now, it would be great to get a little assistance as I'm about to just give up.

Thanks!

by **mwardm** » Mon Feb 15, 2016 12:36 am

I just appear to have successfully accomplished this on a Raspberry Pi2 running dietpi.
In summary:
I did the letsencrypt stuff via dietpi's mechanism. I.e. Install it (and the LASP stack); port-forward 80 and 443 on my router to the Pi2; then use dietpi-letsencrypt to configure. I picked the cron-job option.

Then the commands to run are...

Code: Select all: cd /etc/letsencrypt/live/<your-domain-name-for-which-you-obtained-your-certificate> openssl pkcs12 -export -out keystore.pkcs12 -in fullchain.pem -inkey privkey.pem (asks for password - I used subsonic also) keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore /etc/ssl/certs/subsonic.keystore rm keystore.pkcs12

Some flavour of the above is going to be required every 90 days, I reckon :-(

Then I added these lines into /usr/bin/subsonic:
-Dsubsonic.ssl.keystore=/etc/ssl/certs/subsonic.keystore \
-Dsubsonic.ssl.password=subsonic \
and then I ensured that
--https-port=4443
was one of the args in /etc/default/subsonic.

Then I did a
shutdown -r now
(because I don't know how to stop and start just subsonic :-)

)
I now get a green padlock in my address bar!

I'm not entirely convinced by the security of having the password in the file and everything running as root, but I can't sort my entire life out in one day...
Mike

by **IwishIcanFLighT** » Mon Feb 15, 2016 1:23 pm

An ideal solution would be Subsonic to have native support with Let's Encrypt (or crt files if you prefer).
SSL certificates used to be hard to obtain and expensive, but Let's Encrypt can provide a free valid certificate in basically 30 seconds.

The current methods to add the certificate to subsonic feels weird and poorly documented.
I'd bet it discouraged more than one, which is bad because SSL will eventually become default in the future (Firefox for developers already started it).

I'd love to see that happening in upcoming releases.

by **insann** » Tue Feb 16, 2016 1:37 am

Many topics on SSL !
http://forum.subsonic.org/forum/viewtopic.php?f=2&t=16129

http://forum.subsonic.org/forum/viewtopic.php?f=3&t=16409

http://forum.subsonic.org/forum/viewtopic.php?f=2&t=16370

PLZ DO SOMETHING ^^
Insann

by **IwishIcanFLighT** » Sat Apr 16, 2016 4:10 pm

I made a shell script to generate the keystore file faster. Working great with my Let's Encrypt setup.

Code: Select all: # Color output red=`tput setaf 1` green=`tput setaf 2` reset=`tput sgr0` # CHANGE THIS LINE, DON'T FORGET THE DASH AT THE END certpath="/etc/letsencrypt/live/domain.org/" echo "${green}Generate as PKCS12 key file${reset}" echo "Enter a password 2 times:" openssl pkcs12 -inkey "${certpath}privkey.pem" -in "${certpath}cert.pem" -export -out subsonic.pkcs12 echo "${green}subsonic.pkcs12 key generated.${reset}" echo "\n${green}Loading the key to a keystore.${reset}" echo "${green}Please re-type the same password 3 times:${reset}" keytool -importkeystore -srckeystore subsonic.pkcs12 -srcstoretype PKCS12 -destkeystore subsonic_cert.keystore echo "${red}Deleting the PKCS12 file not needed anymore${reset}" rm subsonic.pkcs12 echo "\n${green}### subsonic_cert.keystore successfully generated! :) ### ${reset}\n" echo "${green}You can now copy the keystore file into Subsonic's main folder.${reset}" echo "\n${red}Make sure that subsonic.sh contains the following lines:${reset}\n" echo ">--Dsubsonic.ssl.keystore=subsonic_cert.keystore \ " echo ">--Dsubsonic.ssl.password=yourpassword \ "

Usage:

Generate the certificates with Let's Encrypt client
Launch the script
Copy the keystore file to Subsonic's main folder
Make sure subsonic.sh contains the required lines (path to keystore and its password)
Restart subsonic

Enjoy!

by **Lucatze** » Tue Jul 12, 2016 12:50 am

Hey guys,

thanks @all for the effort. Finally, it is working. I used IwishIcanFLighT script and I'd like to add something:

In case you are running subsonic under another user than root, you need to change ownership of subsonic_cert.keystore.

Code: Select all: chown user:user /path/to/key/subsonic_cert.keystore

by **lupinehorror** » Tue Jul 12, 2016 8:26 am

tried the script and everything seemed to go fine.
copied the keystore and inserted the two lines into subsonic.sh
it still seems to be using the old certificate though...tried a few restarts. don't see any errors in the logs.

by **Lucatze** » Tue Jul 12, 2016 11:36 pm

lupinehorror wrote:tried the script and everything seemed to go fine.
copied the keystore and inserted the two lines into subsonic.sh
it still seems to be using the old certificate though...tried a few restarts. don't see any errors in the logs.

Did you create your certs using letsencrypt?

I had a simliar issue and as i mentioned above, changing the files ownership did the magic.

Be aware: When using Artist Info within the Browser, files like artist image and cover are not transferred securely. They are linked directly and not gathered by the server before transfer so in case you don't want anybody to know what you are doing, you might consider switching off Artist Info within settings.

by **lupinehorror** » Wed Jul 13, 2016 5:41 am

yup...letsencrypt. certbot cert only. everything seemed to go without a hitch.
i'm still running as root so no need to change ownership.

Subsonic Forum

Who is online