Using Let's Encrypt SSL with Subsonic

letsencryt-subsonic.md

Using Let's Encrypt SSL with Subsonic

Let's Encrypt Docs

Subsonic getting started Docs

Link from where most of this info came from

Here is a simple tutorial to use Letsencrypt SSL Certs with Subsonic. This is on a Debian Server

keytool complains if your openssl export password is empty. Additionally, Subsonic expects your keystore password to be subsonic.

To the questions asked, subsonic for each i.e.:

Enter Export Password: subsonic
Verifying - Enter Export Password: subsonic

Enter destination keystore password: subsonic
Re-enter new password: subsonic
Enter source keystore password: subsonic

Here's the steps, after you got Certbot installed and your certificate issued:

cd /etc/letsencrypt/live/<domain_name>

cat privkey.pem > subsonic.crt
cat cert.pem >> subsonic.crt
cat chain.pem >> subsonic.crt

openssl pkcs12 -in subsonic.crt -export -out subsonic.pkcs12

keytool -importkeystore -srckeystore subsonic.pkcs12 -destkeystore subsonic.keystore -srcstoretype PKCS12 -srcalias 1 -destalias subsonic

zip /usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar subsonic.keystore 

Tell Subsonic to listen for HTTPS, edit /etc/default/subsonic

SUBSONIC_ARGS="--max-memory=512 --context-path=/subsonic --port=8080 --https-port=8443"

Restart subsonic

service subsonic restart

I just updated my certificate and followed all of these instructions, and again, I get the self-signed cert. I have the same flags as in your Jul 17 comment. Am running on Opensuse Leap 15.1, started from a script in /etc/init.d/subsonic from the rpm distribution.
subsonic-booter-jar-with-dependencies.jar is dated today and contains my new key.
But, after a reboot, Subsonic is running with my new Letsencrypt key. However, my browser says the site is still insecure, even though the certificate is valid! See https://www.dropbox.com/s/ks70lexvxv9rxvm/SubsonicSecurity.png?dl=0
What can cause this? I am running the new Microsoft Edge-Dev.

Is there a nice was to automate this ?

nevermind, now reading this
https://ordina-jworks.github.io/security/2019/08/14/Using-Lets-Encrypt-Certificates-In-Java.html#using-the-certificates-in-a-java-application

Hi, no it will not auto update :-( You'll need to setup a cron job to automate the steps above and restart subsonic as well :-/

Is it possible to set up cron with all the input required ? (password creation and confirmation, overwrite warning)

I think it is, google "expect" scripts, and if on JDK1.8 and lower, keytool accepts all the parameters on the command line. I am not familiar with the newer JDKs, but someone mentioned it changed, I haven't done that homework yet, I run my subsonic on Rpi3 with JDK1.8

See this https://community.letsencrypt.org/t/configuring-lets-encrypt-with-tomcat-6-x-and-7-x/32416

I wrote a renewal hook script to automate the update process, but it doesn't seem to be working properly. Even though the script executes properly, it still seems to have the 'old' certificate when I access the site.

zipinfo /usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar gives me the correct date.

However, if I unzip it and run keytool -list -storepass subsonic -keystore subsonic.keystore, the wrong certificate is in there.

I've run out of things to try to get it to work. Can anyone see where I'm going wrong?

Posting the script below in case it's helpful to anyone else. (You will need to edit the directory locations in the obvious places).

#!/bin/bash
# Update the certificate for Subsonic.

# Directory locations
CERTIFICATE_PATH=/etc/letsencrypt/live/INSERT_YOUR_DOMAIN_HERE
WORKING_PATH=/INSERT_A_WORKING_PATH_HERE_EG_HOME_DIRECTORY

# Copy the new certificates over
cp $CERTIFICATE_PATH/privkey.pem $WORKING_PATH
cp $CERTIFICATE_PATH/cert.pem $WORKING_PATH
cp $CERTIFICATE_PATH/chain.pem $WORKING_PATH
cat $WORKING_PATH/privkey.pem > $WORKING_PATH/subsonic.crt
cat $WORKING_PATH/cert.pem >> $WORKING_PATH/subsonic.crt
cat $WORKING_PATH/chain.pem >> $WORKING_PATH/subsonic.crt

# Run openssl on our new key
openssl pkcs12 -in $WORKING_PATH/subsonic.crt -export -out $WORKING_PATH/subsonic.pkcs12 -passout pass:subsonic

# Run keytool on our new key
keytool -importkeystore -srckeystore $WORKING_PATH/subsonic.pkcs12 -destkeystore $WORKING_PATH/subsonic.keystore -srcstoretype PKCS12 -srcalias 1 -destalias subsonic -srcstorepass subsonic -deststorepass subsonic

# Now zip the new keystore
zip /usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar $WORKING_PATH/subsonic.keystore

# Restart subsonic
service subsonic restart

# Tidy up
rm $WORKING_PATH/privkey.pem
rm $WORKING_PATH/cert.pem
rm $WORKING_PATH/chain.pem
rm $WORKING_PATH/subsonic.crt
rm $WORKING_PATH/subsonic.pkcs12
rm $WORKING_PATH/subsonic.keystore

Did you reboot? James A. Rome https://blogs.jamesrome.net

…

On 10/9/21 2:17 PM, nairobiny wrote: ***@***.**** commented on this gist. ------------------------------------------------------------------------ I wrote a renewal hook script to automate the update process, but it doesn't seem to be working properly. Even though the script executes properly, it still seems to have the 'old' certificate when I access the site. |zipinfo /usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar| gives me the correct date. However, if I unzip it and run |keytool -list -storepass subsonic -keystore subsonic.keystore|, the wrong certificate is in there. I've run out of things to try to get it to work. Can anyone see where I'm going wrong? Posting the script below in case it's helpful to anyone else. (You will need to edit the directory locations in the obvious places). |#!/bin/bash # Update the certificate for Subsonic. # Directory locations CERTIFICATE_PATH=/etc/letsencrypt/live/INSERT_YOUR_DOMAIN_HERE WORKING_PATH=/INSERT_A_WORKING_PATH_HERE_EG_HOME_DIRECTORY # Copy the new certificates over cp $CERTIFICATE_PATH/privkey.pem $WORKING_PATH cp $CERTIFICATE_PATH/cert.pem $WORKING_PATH cp $CERTIFICATE_PATH/chain.pem $WORKING_PATH cat $WORKING_PATH/privkey.pem > $WORKING_PATH/subsonic.crt cat $WORKING_PATH/cert.pem >> $WORKING_PATH/subsonic.crt cat $WORKING_PATH/chain.pem >> $WORKING_PATH/subsonic.crt # Run openssl on our new key openssl pkcs12 -in $WORKING_PATH/subsonic.crt -export -out $WORKING_PATH/subsonic.pkcs12 -passout pass:subsonic # Run keytool on our new key keytool -importkeystore -srckeystore $WORKING_PATH/subsonic.pkcs12 -destkeystore $WORKING_PATH/subsonic.keystore -srcstoretype PKCS12 -srcalias 1 -destalias subsonic -srcstorepass subsonic -deststorepass subsonic # Now zip the new keystore zip /usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar $WORKING_PATH/subsonic.keystore # Restart subsonic service subsonic restart # Tidy up rm $WORKING_PATH/privkey.pem rm $WORKING_PATH/cert.pem rm $WORKING_PATH/chain.pem rm $WORKING_PATH/subsonic.crt rm $WORKING_PATH/subsonic.pkcs12 rm $WORKING_PATH/subsonic.keystore | — You are receiving this because you commented. Reply to this email directly, view it on GitHub <https://gist.github.com/b691da8768a590b623261c845782f081#gistcomment-3921697>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAJ6OB4UR5ZHHDJ765MCL2DUGCBMTANCNFSM4IEQD7XA>. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

Did you reboot? James A. Rome

Yes, it persists across a reboot.

I think I fixed it... the issue was that it was storing the full path to the new keystore file and therefore wasn't overwriting the old one.

This seemed to work: replacing zip /usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar $WORKING_PATH/subsonic.keystore with zip -j /usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar $WORKING_PATH/subsonic.keystore

Here's a revised script in case it helps anyone else:

#!/bin/bash
# Update the certificate for Subsonic.

# Directory locations
CERTIFICATE_PATH=/etc/letsencrypt/live/INSERT_YOUR_DOMAIN_HERE
WORKING_PATH=/INSERT_A_WORKING_PATH_HERE_EG_HOME_DIRECTORY

# Copy the new certificates over
cp $CERTIFICATE_PATH/privkey.pem $WORKING_PATH
cp $CERTIFICATE_PATH/cert.pem $WORKING_PATH
cp $CERTIFICATE_PATH/chain.pem $WORKING_PATH
cat $WORKING_PATH/privkey.pem > $WORKING_PATH/subsonic.crt
cat $WORKING_PATH/cert.pem >> $WORKING_PATH/subsonic.crt
cat $WORKING_PATH/chain.pem >> $WORKING_PATH/subsonic.crt

# Run openssl on our new key
openssl pkcs12 -in $WORKING_PATH/subsonic.crt -export -out $WORKING_PATH/subsonic.pkcs12 -passout pass:subsonic

# Run keytool on our new key
keytool -importkeystore -srckeystore $WORKING_PATH/subsonic.pkcs12 -destkeystore $WORKING_PATH/subsonic.keystore -srcstoretype PKCS12 -srcalias 1 -destalias subsonic -srcstorepass subsonic -deststorepass subsonic

# Now zip the new keystore
zip -j /usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar $WORKING_PATH/subsonic.keystore

# Restart subsonic
service subsonic restart

# Tidy up
rm $WORKING_PATH/privkey.pem
rm $WORKING_PATH/cert.pem
rm $WORKING_PATH/chain.pem
rm $WORKING_PATH/subsonic.crt
rm $WORKING_PATH/subsonic.pkcs12
rm $WORKING_PATH/subsonic.keystore

very nice!