Installing a proper SSL certificate chain

Tutorials, tips and tricks.

Moderator: moderators

Re: Installing a proper SSL certificate chain

Postby schitonk » Thu Jul 28, 2016 1:58 am

Thanks for the Lets Encrypt support here.

One thing I encountered after moving and chown'ing subsonic.keystore for appropriate user is to add the last two lines from supplied script:

Code: Select all
-Dsubsonic.ssl.keystore=subsonic.keystore \
-Dsubsonic.ssl.password=yourpassword \

under ${JAVA} block in /usr/share/subsonic/subsonic.sh (Debian 7.11) as opposed to the end of the file:
Code: Select all
${JAVA} -Xmx${SUBSONIC_MAX_MEMORY}m \
  -Dsubsonic.home=${SUBSONIC_HOME} \
  -Dsubsonic.host=${SUBSONIC_HOST} \
  -Dsubsonic.port=${SUBSONIC_PORT} \
  -Dsubsonic.httpsPort=${SUBSONIC_HTTPS_PORT} \
  -Dsubsonic.contextPath=${SUBSONIC_CONTEXT_PATH} \
  -Dsubsonic.defaultMusicFolder=${SUBSONIC_DEFAULT_MUSIC_FOLDER} \
  -Dsubsonic.defaultPodcastFolder=${SUBSONIC_DEFAULT_PODCAST_FOLDER} \
  -Dsubsonic.defaultPlaylistFolder=${SUBSONIC_DEFAULT_PLAYLIST_FOLDER} \
  -Dsubsonic.ssl.keystore=subsonic.keystore \
  -Dsubsonic.ssl.password=password \
  -Djava.awt.headless=true \
  -verbose:gc \
  -jar subsonic-booter-jar-with-dependencies.jar > ${LOG} 2>&1 &

I would get not found errors for keystore otherwise.
schitonk
 
Posts: 15
Joined: Fri Dec 10, 2010 4:01 pm

Re: Installing a proper SSL certificate chain

Postby thisisanull » Sat Oct 22, 2016 11:21 pm

All the posts in this thread were a great help. I decided to go ahead and make the process automated and generate the keystore on each load of subsonic, that way it would automatically pick up renewals of the Let's Encrypt Certificate. The only thing an end user would need to do is define SUBSONIC_SSL_CERT and SUBSONIC_SSL_KEY (im grabbing these straight from the output of my acme client). I am using the chained certificate and not just the domain cert. SUBSONIC_SSL_PASSWORD generates a random password for the keystore each launch, but you can change SUBSONIC_SSL_PASSWORD to anything greater than 6 characters if you want.

Here are my modifications to the start of /usr/bin/subsonic (the last three lines are all I added here)
Code: Select all
#!/bin/sh

###################################################################################
# Shell script for starting Subsonic.  See http://subsonic.org.
#
# Author: Sindre Mehus
###################################################################################

SUBSONIC_HOME=/var/subsonic
SUBSONIC_HOST=0.0.0.0
SUBSONIC_PORT=4040
SUBSONIC_HTTPS_PORT=0
SUBSONIC_CONTEXT_PATH=/
SUBSONIC_MAX_MEMORY=150
SUBSONIC_PIDFILE=
SUBSONIC_DEFAULT_MUSIC_FOLDER=/var/music
SUBSONIC_DEFAULT_PODCAST_FOLDER=/var/music/Podcast
SUBSONIC_DEFAULT_PLAYLIST_FOLDER=/var/playlists
SUBSONIC_SSL_CERT=/path/to/chained_domain.crt
SUBSONIC_SSL_KEY=/path/to/domain.key
SUBSONIC_SSL_PASSWORD=$(head -c 16 /dev/urandom | md5sum | head -c 32)


And here are my modifications to the launch portion / end of /usr/bin/subsonic. I replaced the entire launch statement to catch potential errors and fallback to a standard launch if no ssl keystore can be created. This means that if the user simply doesn't define the ssl cert (or the subsonic user lacks access to it), subsonic launches as normal without attempting to use a non-existent keystore.
Code: Select all
# Create Subsonic home directory.
mkdir -p ${SUBSONIC_HOME}
LOG=${SUBSONIC_HOME}/subsonic_sh.log
rm -f ${LOG}

cd $(dirname $0)
if [ -L $0 ] && ([ -e /bin/readlink ] || [ -e /usr/bin/readlink ]); then
    cd $(dirname $(readlink $0))
fi
#begin ssl modifications
#delete old keystore (if it exists) as we are using randomly generated passwords
if [ -f ${SUBSONIC_HOME}/subsonic_cert.keystore ]; then
    rm -f ${SUBSONIC_HOME}/subsonic_cert.keystore
fi
#generate keystore from system certificates
SUBSONIC_SSL_PASSWORD_LENGTH=${#SUBSONIC_SSL_PASSWORD}
if [ ${SUBSONIC_HTTPS_PORT} -ge 1 -a -n "${SUBSONIC_SSL_CERT}" -a -n "${SUBSONIC_SSL_KEY}" -a $SUBSONIC_SSL_PASSWORD_LENGTH -ge 6 ]; then
   openssl pkcs12 -inkey $SUBSONIC_SSL_KEY -in $SUBSONIC_SSL_CERT -export -out ${SUBSONIC_HOME}/subsonic.pkcs12 -password pass:${SUBSONIC_SSL_PASSWORD}
   keytool -importkeystore -srckeystore ${SUBSONIC_HOME}/subsonic.pkcs12 -srcstoretype PKCS12 -srcstorepass ${SUBSONIC_SSL_PASSWORD} -destkeystore ${SUBSONIC_HOME}/subsonic_cert.keystore -deststorepass ${SUBSONIC_SSL_PASSWORD}
   rm -f ${SUBSONIC_HOME}/subsonic.pkcs12
fi
#if everything worked and the keystore exists, launch subsonic with keystore defined
if [ -f ${SUBSONIC_HOME}/subsonic_cert.keystore ]; then
if [ $quiet = 0 ]; then
    echo SSL keystore was generated successfully, launching with custom SSL certificate.
fi
   ${JAVA} -Xmx${SUBSONIC_MAX_MEMORY}m \
     -Dsubsonic.home=${SUBSONIC_HOME} \
     -Dsubsonic.host=${SUBSONIC_HOST} \
     -Dsubsonic.port=${SUBSONIC_PORT} \
     -Dsubsonic.httpsPort=${SUBSONIC_HTTPS_PORT} \
     -Dsubsonic.ssl.keystore=${SUBSONIC_HOME}/subsonic_cert.keystore \
     -Dsubsonic.ssl.password=${SUBSONIC_SSL_PASSWORD} \
     -Dsubsonic.contextPath=${SUBSONIC_CONTEXT_PATH} \
     -Dsubsonic.defaultMusicFolder=${SUBSONIC_DEFAULT_MUSIC_FOLDER} \
     -Dsubsonic.defaultPodcastFolder=${SUBSONIC_DEFAULT_PODCAST_FOLDER} \
     -Dsubsonic.defaultPlaylistFolder=${SUBSONIC_DEFAULT_PLAYLIST_FOLDER} \
     -Djava.awt.headless=true \
     -verbose:gc \
     -jar subsonic-booter-jar-with-dependencies.jar > ${LOG} 2>&1 &
else
#no keystore was found, launching subsonic with standard options
if [ $quiet = 0 ]; then
    echo  Could not generate SSL keystore, launching with default options.
fi
        ${JAVA} -Xmx${SUBSONIC_MAX_MEMORY}m \
          -Dsubsonic.home=${SUBSONIC_HOME} \
          -Dsubsonic.host=${SUBSONIC_HOST} \
          -Dsubsonic.port=${SUBSONIC_PORT} \
          -Dsubsonic.httpsPort=${SUBSONIC_HTTPS_PORT} \
          -Dsubsonic.contextPath=${SUBSONIC_CONTEXT_PATH} \
          -Dsubsonic.defaultMusicFolder=${SUBSONIC_DEFAULT_MUSIC_FOLDER} \
          -Dsubsonic.defaultPodcastFolder=${SUBSONIC_DEFAULT_PODCAST_FOLDER} \
          -Dsubsonic.defaultPlaylistFolder=${SUBSONIC_DEFAULT_PLAYLIST_FOLDER} \
          -Djava.awt.headless=true \
          -verbose:gc \
          -jar subsonic-booter-jar-with-dependencies.jar > ${LOG} 2>&1 &
fi
#end ssl modifications
# Write pid to pidfile if it is defined.
if [ $SUBSONIC_PIDFILE ]; then
    echo $! > ${SUBSONIC_PIDFILE}
fi

if [ $quiet = 0 ]; then
    echo Started Subsonic [PID $!, ${LOG}]
fi


On my system I've further modified the subsonic launch script by moving the ssl cert and ssl key into command line options which I can define in /etc/default/subsonic.
thisisanull
 
Posts: 2
Joined: Sat Oct 22, 2016 11:02 pm

Re: Installing a proper SSL certificate chain

Postby ethancedrik » Wed Feb 01, 2017 1:04 am

I was able to do this on the self-contained Jetty version using LetsEncrypt. It requires a Linux VPS however to first generate the SSL cert. I'll post a tutorial if anyone wants it
ethancedrik
 
Posts: 3
Joined: Sat Jan 28, 2017 6:04 am

Re: Installing a proper SSL certificate chain

Postby FlyingPersian » Tue Mar 14, 2017 8:57 pm

Hi
I'm stuck on this on FreeNAS (FreeBSD)

What I did after creating the self-signed certificates and the PKCS12 file was running these two commands for seperate trials, but both didn't enable SSL:

Code: Select all
zip /usr/local/subsonic-standalone/subsonic-booter-jar-with-dependencies.jar subsonic.keystore

jar uf subsonic-booter-jar-with-dependencies.jar subsonic.keystore


They both basically do the same thing I think, namely replace the subsonic.keystore in jar uf subsonic-booter-jar-with-dependencies.jar subsonic.keystore with the one I created. Reading through this thread I added these two lines to /usr/local/etc/rc.d/subsonic (which is the file that is used to start subsonic as service/on startup):

Code: Select all
-Dsubsonic.ssl.keystore=/etc/ssl/certs/subsonic.keystore \
        -Dsubsonic.ssl.password=subsonic


I added those before -Djava.awt.headless=true \. I also changed : ${subsonic_ssl:="NO"} to YES.

Starting the service works fine, but I get "connection" refused when I try with and without https. The only difference is that when I try without https, I get redirected to ip:4040/index.view, that doesn not happen with SSL. I tried both 4443 and 4040 for SSL.

Edit: I used this tutorial to install everything. I self-signed my certificates, so I don't have the startcom.class1.bundle, only subsonic.key and subsonic.crt
FlyingPersian
 
Posts: 29
Joined: Mon Oct 31, 2016 11:43 pm

Re: Installing a proper SSL certificate chain

Postby subarthur » Sun Mar 19, 2017 11:11 pm

Thanks a lot for sharing this tutorial! It's really helpful. I wound not handle this by myself.
subarthur
 
Posts: 2
Joined: Sun Mar 19, 2017 11:09 pm

Previous

Return to Tutorials

Who is online

Users browsing this forum: No registered users and 21 guests