Moderator: moderators
cat myserver.srt intermediate.crt root.crt > cert-chain.txt
openssl pkcs12 -export -inkey myserver.key -in cert-chain.txt -out cert-chain.pkcs12
keytool -importkeystore -srckeystore cert-chain.pkcs12 -srcstoretype PKCS12 -destkeystore subsonic.keystore
jar uf subsonic-booter-jar-with-dependencies.jar subsonic.keystore
HTTP ERROR: 404
NOT_FOUND
RequestURI=/
Powered by jetty://
Re: Installing a proper SSL certificate chain
Post by spookybathtub » Thu Apr 26, 2012 6:58 am
I'm happy to be able to answer my own question now. Reading the documentation for jetty, I learned that it's very particular about keystores. All your certificates have to be contained in the same alias. And contrary to popular belief, I learned that the alias doesn't need to be named 'subsonic'. The default name for an alias in a keystore made by keytool is '1', and that worked just fine for me. In case this helps anyone else, I'll write down exactly what I did here:
Concatenate my certificate, the intermediate cert, and root cert, because they were provided to me as separate files by the certificate authority. The 3 certificates must go in this order.
- Code: Select all
cat myserver.srt intermediate.crt root.crt > cert-chain.txt
Pack all the certificates and my private key into a pkcs12 file
- Code: Select all
openssl pkcs12 -export -inkey myserver.key -in cert-chain.txt -out cert-chain.pkcs12
Pack that file into a java keystore
- Code: Select all
keytool -importkeystore -srckeystore cert-chain.pkcs12 -srcstoretype PKCS12 -destkeystore subsonic.keystore
openssl pkcs12 -inkey mywebsite.key -in mywebsite.crt -export -out subsonic.pkcs12
keytool -importkeystore -srckeystore subsonic.pkcs12 -srcstoretype PKCS12 -destkeystore /etc/ssl/certs/subsonic.keystore
-Dsubsonic.ssl.keystore=/etc/ssl/certs/subsonic.keystore \
-Dsubsonic.ssl.password=subsonic \
SUBSONIC_ARGS="--port=0 --https-port=4443 --max-memory=100"
cd /etc/letsencrypt/live/<your-domain-name-for-which-you-obtained-your-certificate>
openssl pkcs12 -export -out keystore.pkcs12 -in fullchain.pem -inkey privkey.pem (asks for password - I used subsonic also)
keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore /etc/ssl/certs/subsonic.keystore
rm keystore.pkcs12
# Color output
red=`tput setaf 1`
green=`tput setaf 2`
reset=`tput sgr0`
# CHANGE THIS LINE, DON'T FORGET THE DASH AT THE END
certpath="/etc/letsencrypt/live/domain.org/"
echo "${green}Generate as PKCS12 key file${reset}"
echo "Enter a password 2 times:"
openssl pkcs12 -inkey "${certpath}privkey.pem" -in "${certpath}cert.pem" -export -out subsonic.pkcs12
echo "${green}subsonic.pkcs12 key generated.${reset}"
echo "\n${green}Loading the key to a keystore.${reset}"
echo "${green}Please re-type the same password 3 times:${reset}"
keytool -importkeystore -srckeystore subsonic.pkcs12 -srcstoretype PKCS12 -destkeystore subsonic_cert.keystore
echo "${red}Deleting the PKCS12 file not needed anymore${reset}"
rm subsonic.pkcs12
echo "\n${green}### subsonic_cert.keystore successfully generated! :) ### ${reset}\n"
echo "${green}You can now copy the keystore file into Subsonic's main folder.${reset}"
echo "\n${red}Make sure that subsonic.sh contains the following lines:${reset}\n"
echo ">--Dsubsonic.ssl.keystore=subsonic_cert.keystore \ "
echo ">--Dsubsonic.ssl.password=yourpassword \ "
chown user:user /path/to/key/subsonic_cert.keystore
lupinehorror wrote:tried the script and everything seemed to go fine.
copied the keystore and inserted the two lines into subsonic.sh
it still seems to be using the old certificate though...tried a few restarts. don't see any errors in the logs.
Users browsing this forum: No registered users and 7 guests