Guide: Subsonic with Letsencrypt SSL using IIS

Post by b.bassett » Thu Jun 29, 2017 6:37 pm

Hey all,
Thanks for checking out my guide. If you’re like me, you may not be familiar with how to run and/or configure NGINX or Apache or many of the other web servers available. I am not much of a “shell” guy, so trying to scour the internet for commands to type using Linux can be tedious. However, I did have a Windows machine and I wanted to run Subsonic over HTTPS. I also had a custom domain. So, after much tinkering and lonely nights with my friend Google, I think I finally found a solution that is working. And I wanted to share my experience for those others out there that would like to run their Subsonic installation using HTTPS.

Step 1. Install Subsonic for Windows on your server/workstation. (This will require Java, if you do not already have it installed.)

Step 2. Install the Internet Information Services (IIS) role on your server using “Add Roles & Features” in Server Manager, or in “Turn Windows features on or off” in the Programs and Features menu.

Step 3. Once IIS is installed, you’ll need to download and install the URL Rewrite module and ARR module. Found here: https://www.iis.net/downloads/microsoft ... lDownloads and here: https://www.iis.net/downloads/microsoft ... lDownloads

Step 4. Set up A record/CNAME record in DNS.

Step 5. For my installation, I used Letsencrypt for my SSL. I love this project. If you are not familiar you can get more information from their site: https://letsencrypt.org/ . Since I am using Windows, I tried a couple of the different ACME clients for Windows. The one I settled on was the “letsencrypt-win-simple” client. Found here: https://github.com/Lone-Coder/letsencry ... e/releases .

Step 6. Run Letsencrypt to get your certificate.

Step 7. Configure reverse proxy and http redirect in IIS.

Step 8. Configure scheduled task to disable and re-enable http redirect. (This is required for renewing the certificate using Letsencrypt. I created a powershell script that performs this.)

Okay, let’s break down the steps a little and show you how I configured each section.

Step 1 – Install Subsonic

This step should be self-explanatory. I used the default locations for the install and the default port for Subsonic. Since we will be using a URL rewrite, we won’t need to change anything unless you happen to already be running something that is using the default port. After Subsonic is installed, launch your browser and finish setting up according to the documentation and your requirements. Then log into your firewall and forward port 80 and 443 to your server. Now you’re ready to install IIS.

Step 2 – Install IIS

Again, this part is pretty simple. Just turn on the feature or install the role and then open your IIS console. In IIS, I am going to create two new sites. One for HTTP and one for HTTPS. I do this so that I can redirect HTTP traffic to HTTPS, and then use a reverse proxy to send HTTPS traffic to my subsonic port. If you don’t have anything other than Subsonic running in IIS, you can use the default site for HTTP instead of creating a new one. (I have multiple sites that I redirect so I like to keep it easier to manage.) For now, let’s just create the HTTP site. Open up your inetpub folder (should be located at C:\inetpub) and create a new folder to house your HTTP site, unless you are using the default site for HTTP. I named mine “subsonic-http”. Copy the contents of “C:\inetpub\wwwroot” to your new folder “C:\inetpub\subsonic-http”. This is a good time to create another folder for your HTTPS site as well, since it will save you a step later (I named this folder “subsonic”). In IIS, expand your server and right click on Sites. Then “Add Website” and name your site. I named it “subsonic-http” to match the folder I created for it and pointed to “%systemdrive%\inetpub\subsonic-http” then gave it a hostname of “subsonic.torgotech.com” and mapped it to port 80.

Step 3 – Install URL Rewrite Module

Browse to the sites provided and click on “additional downloads” and download the appropriate installations. After they are installed, reboot your server. IIS should now be prepped.

Step 4 – Create A record/CNAME record

I am going to assume that if you have a custom domain name, that you are familiar with this process. It should be set to match the hostname you gave the binding in IIS. In my case, “subsonic.torgotech.com”. This is going to be your Public A record, however, your local machine needs to resolve your hostname to its local IP. If it’s running DNS, create a record in your DNS manager or create a record in your HOSTS file to map the hostname to your server’s local IP.

Step 5 – Letsencrypt ACME client

Use the link provided above to download the letsencrypt-win-simple client from github. I extracted the ZIP to a folder called “Letsencrypt” and placed it in my C:\ drive.

Step 6 – Run Letsencrypt

Now open a command prompt as an administrator, change to your letsencrypt directory (“C:\Letsencrypt” if you used the same directory as me) and run letsencrypt.exe. If you have IIS configured correctly and your DNS record is forwarding port 80 through your firewall, letsencrypt should find your HTTP page and prompt you to install the certificate. Follow the prompts you get to receive your certificate. If you get an error, follow the steps in the response provided by the letsencrypt program. If it works correctly, you should see your new certificate in IIS under “Server Certificates”.

Step 7 – Reverse Proxy

Now we’re ready to continue in IIS. When letsencrypt installs the certificate, it adds an HTTPS binding to your HTTP site. Go into bindings and remove the binding to port 443 from this site. Now right click on Sites and “Add Website”. (If you didn’t do it during step 2, make sure you create a new folder in “inetpub” for your HTTPS site.) Fill in the site name, path (“%systemdrive%\inetpub\subsonic” for me), select HTTPS and enter your hostname (subsonic.torgotech.com). Make sure you check “Require Server Name Indication” (SNI) and click OK. Now go back to your “subsonic-http” site and click on HTTP Redirect. Check the box to enable and enter the hostname (https://subsonic.torgotech.com). Then check the box to “Redirect all requests to the exact destination”. Now let’s go to our HTTPS site (subsonic) and click on URL Rewrite. Choose the “Reverse Proxy” option and enter in the hostname:4040 (subsonic.torgotech.com:4040). You can leave the SSL Offloading checked and click OK. There you have it. You should now be able to browse to your hostname in a web browser using HTTP and it will redirect to HTTPS and then use reverse proxy to connect into your subsonic installation.

Step 8 – Configure Task Scheduler

When you run letsencrypt to install the certificate, it automatically creates a daily scheduled task to check your certificate for renewal. Since it does its check over HTTP and we are redirecting HTTP to HTTPS, this renewal check process will fail. In order to get it to work, we need to schedule a task that disables the redirect before the renewal runs, then re-enables it afterwards. To do this, I have created a couple of powershell scripts that we can schedule to run using Task Scheduler. Here is a link to download those scripts (OneDrive https://1drv.ms/f/s!ApYb1bJu5GoZgctGMA6HbqQu_Ww2TQ). Place these powershell scripts in your “C:\Letsencrypt” folder. Then edit them in ISE to fill in the appropriate $siteName and $redirectPage to match your setup. Letsencrypt sets the renewal to run daily, but I like to set this to run weekly. You can leave it as it is or adjust the schedule. In either case, I like to create a Basic Task called “Disable Redirect”. Then I schedule it to run 1 minute BEFORE the renewal task. Once you have the schedule set, the action will be “Start a Program”. Then in the “program/script” box, type “powershell”. In the “Add arguments (optional)” field, type the following:

-ExecutionPolicy Bypass -File "C:\Letsencrypt\DisableRedirect.ps1"

After you click finish and the task gets created, right click on it and choose Properties and make sure that the box for “Run with highest privileges” is checked. Also, I like to change the user to run as “System”. Now, repeat the steps to create a task to “Enable Redirect” and schedule it for 1 minute AFTER the renewal script runs. And make sure that your arguments field points to the EnableRedirect.ps1 script. Now I recommend testing the task. Right click on disable and choose “Run”. Then open your IIS console and go to your “subsonic-http” site. Click on HTTP Redirect and make sure that it successfully disabled. Now go back to Task Scheduler and run your Enable Redirect and check that it successfully enabled the HTTP Redirect in IIS. If not, double check your tasks and make sure they are set up correctly. Also, ensure that you put the correct redirect and site information into the powershell scripts to match what you have listed in IIS.

If everything is working, you are all set. You can now browse to Subsonic over HTTPS and your certificate should automatically stay up to date using Letsencrypt. If any of you have any questions or issues with the process, please feel free to reach out to me via email: brian@torgo.rocks
b.bassett
 
Posts: 8
Joined: Thu Jan 19, 2017 10:51 pm
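
Added example, not the author's DisableRedirect.ps1 / EnableRedirect.ps1 and not part of the original post: the Step 8 toggle done in a single script, which turns the HTTP redirect off, runs the renewal, and restores the redirect in a `finally` block so the HTTP site is not left unredirected if the renewal fails. `$siteName` and `$redirectPage` follow the post; `$renewExe` and `$renewArgs` are hypothetical parameters, to be filled in from the action of the renewal task that letsencrypt created.

```powershell
#Requires -RunAsAdministrator
# Added example: disable the IIS HTTP redirect, renew, always re-enable.
param(
    [string]$siteName     = 'subsonic-http',                   # HTTP site from Step 2
    [string]$redirectPage = 'https://subsonic.torgotech.com',  # redirect target from Step 7
    [string]$renewExe     = 'C:\Letsencrypt\letsencrypt.exe',  # assumption: client path from Step 5
    [Parameter(Mandatory)]
    [string[]]$renewArgs  # assumption: copy from the existing renewal task's action
)

Import-Module WebAdministration

$filter = 'system.webServer/httpRedirect'
$psPath = "IIS:\Sites\$siteName"

if (-not (Test-Path $psPath)) { throw "IIS site '$siteName' not found." }

function Set-Redirect([bool]$Enabled) {
    if ($Enabled) {
        # Re-apply the Step 7 settings so a re-enable never redirects to a blank target.
        Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name destination -Value $redirectPage
        Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name exactDestination -Value $true
    }
    Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name enabled -Value $Enabled

    # Read the setting back instead of trusting the write.
    $actual = (Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name enabled).Value
    if ($actual -ne $Enabled) { throw "httpRedirect on '$siteName' is $actual, expected $Enabled." }
}

try {
    Set-Redirect $false
    & $renewExe @renewArgs
    if ($LASTEXITCODE -ne 0) { Write-Warning "Renewal exited with code $LASTEXITCODE." }
}
finally {
    # Runs even if the renewal throws, so HTTP goes back to redirecting to HTTPS.
    Set-Redirect $true
}
```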

Re: Guide: Subsonic with Letsencrypt SSL using IIS

Post by alphawave7 » Fri Jun 30, 2017 3:52 am

Dynamite tute, Brian! Yes, you do rock! 8)
alphawave7
 
Posts: 1031
Joined: Thu Feb 11, 2010 9:54 am

Re: Guide: Subsonic with Letsencrypt SSL using IIS

Post by LRanger » Mon Jul 03, 2017 4:53 am

To make a small addition to this excellent guide: http://www.duckdns.org/spec.jsp provides a free dynamic DNS that can be used with Letsencrypt.
LRanger
 
Posts: 6
Joined: Thu Mar 03, 2016 10:51 am

