Installing a proper SSL certificate chain

Tutorials, tips and tricks.

Re: Installing a proper SSL certificate chain

Postby schitonk » Thu Jul 28, 2016 1:58 am

Thanks for the Let's Encrypt support here.

One thing I encountered after moving and chown'ing subsonic.keystore for the appropriate user is that the last two lines from the supplied script:

Code:
-Dsubsonic.ssl.keystore=subsonic.keystore \
-Dsubsonic.ssl.password=yourpassword \

have to be added under the ${JAVA} block in /usr/share/subsonic/subsonic.sh (Debian 7.11), as opposed to the end of the file:
Code:
${JAVA} -Xmx${SUBSONIC_MAX_MEMORY}m \
  -Dsubsonic.home=${SUBSONIC_HOME} \
  -Dsubsonic.host=${SUBSONIC_HOST} \
  -Dsubsonic.port=${SUBSONIC_PORT} \
  -Dsubsonic.httpsPort=${SUBSONIC_HTTPS_PORT} \
  -Dsubsonic.contextPath=${SUBSONIC_CONTEXT_PATH} \
  -Dsubsonic.defaultMusicFolder=${SUBSONIC_DEFAULT_MUSIC_FOLDER} \
  -Dsubsonic.defaultPodcastFolder=${SUBSONIC_DEFAULT_PODCAST_FOLDER} \
  -Dsubsonic.defaultPlaylistFolder=${SUBSONIC_DEFAULT_PLAYLIST_FOLDER} \
  -Dsubsonic.ssl.keystore=subsonic.keystore \
  -Dsubsonic.ssl.password=password \
  -Djava.awt.headless=true \
  -verbose:gc \
  -jar subsonic-booter-jar-with-dependencies.jar > ${LOG} 2>&1 &

I would get "not found" errors for the keystore otherwise.
schitonk
 
Posts: 15
Joined: Fri Dec 10, 2010 4:01 pm

Re: Installing a proper SSL certificate chain

Postby thisisanull » Sat Oct 22, 2016 11:21 pm

All the posts in this thread were a great help. I decided to go ahead and make the process automated and generate the keystore on each load of Subsonic, so that it would automatically pick up renewals of the Let's Encrypt certificate. The only thing an end user would need to do is define SUBSONIC_SSL_CERT and SUBSONIC_SSL_KEY (I'm grabbing these straight from the output of my acme client). I am using the chained certificate and not just the domain cert. SUBSONIC_SSL_PASSWORD generates a random password for the keystore on each launch, but you can change SUBSONIC_SSL_PASSWORD to anything longer than 6 characters if you want.

Here are my modifications to the start of /usr/bin/subsonic (the last three lines are all I added here):
Code:
#!/bin/sh

###################################################################################
# Shell script for starting Subsonic.  See http://subsonic.org.
#
# Author: Sindre Mehus
###################################################################################

SUBSONIC_HOME=/var/subsonic
SUBSONIC_HOST=0.0.0.0
SUBSONIC_PORT=4040
SUBSONIC_HTTPS_PORT=0
SUBSONIC_CONTEXT_PATH=/
SUBSONIC_MAX_MEMORY=150
SUBSONIC_PIDFILE=
SUBSONIC_DEFAULT_MUSIC_FOLDER=/var/music
SUBSONIC_DEFAULT_PODCAST_FOLDER=/var/music/Podcast
SUBSONIC_DEFAULT_PLAYLIST_FOLDER=/var/playlists
SUBSONIC_SSL_CERT=/path/to/chained_domain.crt
SUBSONIC_SSL_KEY=/path/to/domain.key
SUBSONIC_SSL_PASSWORD=$(head -c 16 /dev/urandom | md5sum | head -c 32)


And here are my modifications to the launch portion / end of /usr/bin/subsonic. I replaced the entire launch statement to catch potential errors and fall back to a standard launch if no SSL keystore can be created. This means that if the user simply doesn't define the SSL cert (or the subsonic user lacks access to it), Subsonic launches as normal without attempting to use a non-existent keystore.
Code:
# Create Subsonic home directory.
mkdir -p ${SUBSONIC_HOME}
LOG=${SUBSONIC_HOME}/subsonic_sh.log
rm -f ${LOG}

cd $(dirname $0)
if [ -L $0 ] && ([ -e /bin/readlink ] || [ -e /usr/bin/readlink ]); then
    cd $(dirname $(readlink $0))
fi
#begin ssl modifications
#delete old keystore (if it exists) as we are using randomly generated passwords
if [ -f "${SUBSONIC_HOME}/subsonic_cert.keystore" ]; then
    rm -f "${SUBSONIC_HOME}/subsonic_cert.keystore"
fi
#generate keystore from system certificates, but only when HTTPS is enabled,
#cert and key are both defined, and the keystore password is at least 6 characters
SUBSONIC_SSL_PASSWORD_LENGTH=${#SUBSONIC_SSL_PASSWORD}
if [ "${SUBSONIC_HTTPS_PORT}" -ge 1 -a -n "${SUBSONIC_SSL_CERT}" -a -n "${SUBSONIC_SSL_KEY}" -a "${SUBSONIC_SSL_PASSWORD_LENGTH}" -ge 6 ]; then
    #PEM cert chain + key -> temporary PKCS12 -> Java keystore; the PKCS12 file is removed afterwards
    openssl pkcs12 -inkey "${SUBSONIC_SSL_KEY}" -in "${SUBSONIC_SSL_CERT}" -export -out "${SUBSONIC_HOME}/subsonic.pkcs12" -password "pass:${SUBSONIC_SSL_PASSWORD}"
    keytool -importkeystore -srckeystore "${SUBSONIC_HOME}/subsonic.pkcs12" -srcstoretype PKCS12 -srcstorepass "${SUBSONIC_SSL_PASSWORD}" -destkeystore "${SUBSONIC_HOME}/subsonic_cert.keystore" -deststorepass "${SUBSONIC_SSL_PASSWORD}"
    rm -f "${SUBSONIC_HOME}/subsonic.pkcs12"
fi
#if everything worked and the keystore exists, launch subsonic with keystore defined
if [ -f "${SUBSONIC_HOME}/subsonic_cert.keystore" ]; then
    if [ $quiet = 0 ]; then
        echo SSL keystore was generated successfully, launching with custom SSL certificate.
    fi
    ${JAVA} -Xmx${SUBSONIC_MAX_MEMORY}m \
        -Dsubsonic.home=${SUBSONIC_HOME} \
        -Dsubsonic.host=${SUBSONIC_HOST} \
        -Dsubsonic.port=${SUBSONIC_PORT} \
        -Dsubsonic.httpsPort=${SUBSONIC_HTTPS_PORT} \
        -Dsubsonic.ssl.keystore=${SUBSONIC_HOME}/subsonic_cert.keystore \
        -Dsubsonic.ssl.password=${SUBSONIC_SSL_PASSWORD} \
        -Dsubsonic.contextPath=${SUBSONIC_CONTEXT_PATH} \
        -Dsubsonic.defaultMusicFolder=${SUBSONIC_DEFAULT_MUSIC_FOLDER} \
        -Dsubsonic.defaultPodcastFolder=${SUBSONIC_DEFAULT_PODCAST_FOLDER} \
        -Dsubsonic.defaultPlaylistFolder=${SUBSONIC_DEFAULT_PLAYLIST_FOLDER} \
        -Djava.awt.headless=true \
        -verbose:gc \
        -jar subsonic-booter-jar-with-dependencies.jar > ${LOG} 2>&1 &
else
    #no keystore was found, launching subsonic with standard options
    if [ $quiet = 0 ]; then
        echo Could not generate SSL keystore, launching with default options.
    fi
    ${JAVA} -Xmx${SUBSONIC_MAX_MEMORY}m \
        -Dsubsonic.home=${SUBSONIC_HOME} \
        -Dsubsonic.host=${SUBSONIC_HOST} \
        -Dsubsonic.port=${SUBSONIC_PORT} \
        -Dsubsonic.httpsPort=${SUBSONIC_HTTPS_PORT} \
        -Dsubsonic.contextPath=${SUBSONIC_CONTEXT_PATH} \
        -Dsubsonic.defaultMusicFolder=${SUBSONIC_DEFAULT_MUSIC_FOLDER} \
        -Dsubsonic.defaultPodcastFolder=${SUBSONIC_DEFAULT_PODCAST_FOLDER} \
        -Dsubsonic.defaultPlaylistFolder=${SUBSONIC_DEFAULT_PLAYLIST_FOLDER} \
        -Djava.awt.headless=true \
        -verbose:gc \
        -jar subsonic-booter-jar-with-dependencies.jar > ${LOG} 2>&1 &
fi
#end ssl modifications
# Write pid to pidfile if it is defined.
if [ $SUBSONIC_PIDFILE ]; then
    echo $! > ${SUBSONIC_PIDFILE}
fi

if [ $quiet = 0 ]; then
    echo Started Subsonic [PID $!, ${LOG}]
fi


On my system I've further modified the subsonic launch script by moving the ssl cert and ssl key into command line options which I can define in /etc/default/subsonic.
thisisanull
 
Posts: 2
Joined: Sat Oct 22, 2016 11:02 pm
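Putting the two posts above together (schitonk's note that a keystore path fails to resolve once the launch script has changed directory, and thisisanull's openssl-then-keytool conversion), here is an added example that is not any poster's script and not Subsonic's own code. It splits the prerequisite test into a function that can be checked without openssl or keytool present, generates the random password with od instead of md5sum (which some BSD systems do not ship), insists on an absolute keystore path, and hands the passwords to openssl and keytool through the environment (openssl's env: password source and keytool's :env modifier) so they do not show up in the process list. All paths in the usage comment are constructed placeholders. One caveat the script inherits from Subsonic itself and that this example cannot remove: the keystore password still lands on the Java command line in -Dsubsonic.ssl.password, where any local user can read it with ps, so the keystore should be treated as exactly as sensitive as the PEM key it was built from.

```shell
#!/bin/sh
# Added example, not the poster's script or Subsonic's own code.
# Builds a Java keystore from a PEM certificate chain + private key the way
# the script above does, with the checks split out so they can be tested,
# a portable password generator, and passwords kept out of `ps` output.

# 32 lowercase hex characters from /dev/urandom. od(1) is POSIX, so this
# also works on systems without md5sum.
gen_keystore_password() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# Return 0 only when the conversion can succeed.
#   $1 HTTPS port (must be >= 1)   $2 cert chain path   $3 private key path
#   $4 keystore password (>= 6 chars, Subsonic's minimum per the post above)
#   $5 output keystore path (must be absolute)
# Beyond the script's own test this also requires the cert and key to be
# readable by the current user (the "subsonic user lacks access" case) and
# the output path to be absolute: the launch script cd's into its own
# directory, so a relative keystore path is resolved from there, not from
# where the administrator put the file.
keystore_prereqs_ok() {
    port=$1; cert=$2; key=$3; pw=$4; out=$5
    [ "${port:-0}" -ge 1 ] 2>/dev/null || return 1
    [ -n "$cert" ] && [ -r "$cert" ] || return 1
    [ -n "$key" ] && [ -r "$key" ] || return 1
    [ "${#pw}" -ge 6 ] || return 1
    case "$out" in /*) ;; *) return 1 ;; esac
    return 0
}

# Convert PEM chain ($1) + key ($2) into a Java keystore at $3 with password $4.
# The password reaches openssl via "-passout env:VAR" and keytool via the
# ":env" modifier, so it is never an argument visible in `ps`.
# Returns non-zero (and leaves no keystore behind) if either tool fails.
build_keystore() {
    cert=$1; key=$2; out=$3
    KS_PASS=$4; export KS_PASS
    tmp="${out}.pkcs12.$$"
    rm -f "$out"
    openssl pkcs12 -export -inkey "$key" -in "$cert" -out "$tmp" \
        -passout env:KS_PASS || { rm -f "$tmp"; return 1; }
    keytool -importkeystore -noprompt \
        -srckeystore "$tmp" -srcstoretype PKCS12 -srcstorepass:env KS_PASS \
        -destkeystore "$out" -deststorepass:env KS_PASS
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && [ -f "$out" ]
}

# Usage with constructed placeholder paths (the same shape as the post's
# SUBSONIC_SSL_CERT / SUBSONIC_SSL_KEY / SUBSONIC_HOME values):
#   PW=$(gen_keystore_password)
#   keystore_prereqs_ok 4443 /path/to/chained_domain.crt /path/to/domain.key \
#       "$PW" /var/subsonic/subsonic_cert.keystore &&
#   build_keystore /path/to/chained_domain.crt /path/to/domain.key \
#       /var/subsonic/subsonic_cert.keystore "$PW"
# The launch line then uses -Dsubsonic.ssl.keystore=/var/subsonic/subsonic_cert.keystore
# and -Dsubsonic.ssl.password="$PW", exactly as in the script above.
```

Because keystore_prereqs_ok fails closed on every missing input, the caller can keep the post's behaviour of falling back to a plain HTTP launch without ever invoking openssl on a file the service account cannot read.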

Re: Installing a proper SSL certificate chain

Postby ethancedrik » Wed Feb 01, 2017 1:04 am

I was able to do this on the self-contained Jetty version using Let's Encrypt. It requires a Linux VPS, however, to first generate the SSL cert. I'll post a tutorial if anyone wants it.
ethancedrik
 
Posts: 3
Joined: Sat Jan 28, 2017 6:04 am

Re: Installing a proper SSL certificate chain

Postby FlyingPersian » Tue Mar 14, 2017 8:57 pm

Hi
I'm stuck on this on FreeNAS (FreeBSD)

What I did after creating the self-signed certificates and the PKCS12 file was running these two commands in separate trials, but neither enabled SSL:

Code:
zip /usr/local/subsonic-standalone/subsonic-booter-jar-with-dependencies.jar subsonic.keystore

jar uf subsonic-booter-jar-with-dependencies.jar subsonic.keystore


They both basically do the same thing, I think, namely replace the subsonic.keystore inside subsonic-booter-jar-with-dependencies.jar with the one I created. Reading through this thread, I added these two lines to /usr/local/etc/rc.d/subsonic (which is the file that is used to start Subsonic as a service/on startup):

Code:
-Dsubsonic.ssl.keystore=/etc/ssl/certs/subsonic.keystore \
-Dsubsonic.ssl.password=subsonic


I added those before -Djava.awt.headless=true \. I also changed : ${subsonic_ssl:="NO"} to YES.

Starting the service works fine, but I get "connection refused" when I try with and without https. The only difference is that when I try without https, I get redirected to ip:4040/index.view; that does not happen with SSL. I tried both 4443 and 4040 for SSL.

Edit: I used this tutorial to install everything. I self-signed my certificates, so I don't have the startcom.class1.bundle, only subsonic.key and subsonic.crt
FlyingPersian
 
Posts: 29
Joined: Mon Oct 31, 2016 11:43 pm

Re: Installing a proper SSL certificate chain

Postby subarthur » Sun Mar 19, 2017 11:11 pm

Thanks a lot for sharing this tutorial! It's really helpful. I would not have handled this by myself.
subarthur
 
Posts: 2
Joined: Sun Mar 19, 2017 11:09 pm
