I just discovered Let's Encrypt and wanted to get myself a free cert for use with my SABnzbd+ installation at home. Here's my setup:
- Home server running Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-93-generic x86_64)
- SABNzbd+ 0.7.16 running on server
- Netgear Nighthawk R6900 home router
- Dynamic hostname from no-ip.org, which I'll use for this setup
I have a dynamic hostname from no-ip.org, which I use to access my home network. I have port forwarding set up on my Netgear router to access the programs running on my home server. See my port forwarding settings on my comment below.
I will use my hostname, along with the port 443 forwarded to my server to run Let's Encrypt certificate process. I also have forwarded ports 8888-8889 (or your choice of ports) for use with SABnzbd+.
Be sure to also open up port 443, and your desired SABNzbd+ ports on the Ubuntu firewall. I use UFW, and temporarily disabled it with sudo ufw disable, but I will just whitelist that port for future use during certificate renewals.
Get EFF's certbot
- Select I'm using "None of the above" on "Ubuntu 14.04 (trusty)".
- Install it according to the Install section
- Run certbot using certonly:
  $ ./certbot-auto certonly
- Follow on-screen instructions:
  - Select 2 Automatically use a temporary webserver (standalone)
  - Enter your email address
  - Agree to the Terms of Service
  - Enter your dynamic hostname. If you didn't open up access for your server on port 443, you'll get an error message like this:
    Failed authorization procedure. myhostname.no-ip.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 123.234.222.111:443 for TLS-SNI-01 challenge
    Fix your port forwarding and firewall settings on port 443, and you can continue.
  - Once verification is complete, you'll see a message like the following:
    Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/myhostname.no-ip.org/fullchain.pem.
- Set the SABNzbd HTTPS settings. Here are my settings:
  - Default Base Folder: /home/churro/.sabnzbd/admin
  - HTTPS Port: 8889
  - HTTPS Certificate: server.cert
  - HTTPS Key: server.key
  Apply these settings. We'll restart SABnzbd+ later.
- Copy the certificates over to the Default Base Folder as seen in the last step.
  Let's Encrypt suggests symlinking or pointing directly to the certificates, but I run SABnzbd under my username, and certs belong to root, so unfortunately, I couldn't figure out permissions to get this working as they suggested.
  $ sudo cp /etc/letsencrypt/live/myhostname.no-ip.org/cert.pem /home/churro/.sabnzbd/admin/server.cert
  $ sudo cp /etc/letsencrypt/live/myhostname.no-ip.org/privkey.pem /home/churro/.sabnzbd/admin/server.key
- Allow the SABnzbd user to access these files. I run SABnzbd as my personal user account churro, but files belong to root. Otherwise, you may see these errors in the SABnzbd logs:
  IOError: [Errno 13] Permission denied: '/home/churro/.sabnzbd/admin/server.key'
  2016-08-16 15:20:18,359::WARNING::[sabnzbdplus:1350] Disabled HTTPS because of missing CERT and KEY files
  Adjust permissions as follows (obviously use your username, and not mine):
  sudo chown -h churro:churro /home/churro/.sabnzbd/admin/server.*
- Assuming you've saved SABnzbd+ HTTPS settings from the last section, Restart SABnzbd+ now.
- Check your SABnzbd+ status for error messages. If you don't see error messages regarding HTTPS, you should be good to go!
- Access your SABnzbd+ with HTTPS at https://host:sslport/ In my case, the URL is: https://myhost.no-ip.org:8889/
Let's Encrypt suggests setting up a cron or systemd job, running it twice per day, and selecting a random minute within the hour for your renewal tasks. Let's do it using cron:
Note: The command to renew is: ./path/to/certbot-auto renew --quiet --no-self-upgrade
Note: Cron has the RANDOM_DELAY variable to randomize the minute
- Enter cron settings:
  crontab -e
- Enter a scheduled job to renew, at the bottom of the file:
  0 1,23 * * * /home/churro/Downloads/certbot-auto renew --quiet --no-self-upgrade
- Save and exit your text editor.
- Edit the main system crontab file:
  sudo nano /etc/crontab
- After PATH= and SHELL= lines, enter a new line with your desired delay:
  RANDOM_DELAY=30
- Save your changes and exit your text editor. All done!
My schedule above runs at 1AM and 11PM (twice a day), with a random delay between 0 and 30 minutes.
Note: Unfortunately, due to the disconnect between the renewed files being in /etc/letsencrypt/live/myhostname.no-ip.org/ and the fact that I copied those over to the /home/churro/.sabnzbd/admin/ directory, my renewed certificates won't be used by SABnzbd+. I'll post updated instructions once I figure out a workaround, or how to properly set user permissions to updated certificates.
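One way to close the gap described in the note above, and to give the copied key a restrictive mode at the copy step, is a certbot deploy hook. This is an added example, not part of the original post: the variable names DEST_DIR and SAB_USER and the function names are made up here, the paths and user name are the ones used in this guide, and it assumes a certbot release that sets RENEWED_LINEAGE for hooks.

```shell
#!/bin/sh
# Added example: certbot deploy hook that copies a renewed certificate and key
# into the SABnzbd+ admin folder. DEST_DIR and SAB_USER are names made up for
# this sketch; their defaults are the folder and user from this guide.
DEST_DIR="${DEST_DIR:-/home/churro/.sabnzbd/admin}"
SAB_USER="${SAB_USER:-churro}"

# install_pem SRC DEST MODE
# Write to a temp file inside the destination folder, set mode and owner
# there, then rename into place. The key is never world-readable on disk
# and SABnzbd+ never sees a half-written file.
install_pem() {
    src=$1 dest=$2 mode=$3
    tmp=$(mktemp "$(dirname "$dest")/.pem.XXXXXX") || return 1
    # mktemp creates the file as 0600; cat follows the live/ symlink.
    cat "$src" > "$tmp" && chmod "$mode" "$tmp" || { rm -f "$tmp"; return 1; }
    # Only root can hand the file over to another user.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$SAB_USER:$SAB_USER" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$dest"
}

# deploy_lineage LINEAGE_DIR
# Copy cert.pem and privkey.pem from one /etc/letsencrypt/live/<name> folder.
deploy_lineage() {
    lineage=$1
    [ -r "$lineage/cert.pem" ] && [ -r "$lineage/privkey.pem" ] || return 1
    install_pem "$lineage/cert.pem"    "$DEST_DIR/server.cert" 644 &&
    install_pem "$lineage/privkey.pem" "$DEST_DIR/server.key"  600
}

# certbot exports RENEWED_LINEAGE (the live/ folder of the renewed cert)
# when it runs a deploy hook; run by hand without it, the script does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_lineage "$RENEWED_LINEAGE" || exit 1
fi
```

Make the script executable and add `--deploy-hook /path/to/this-script` to the renew command in the cron job (older certbot releases name the option `--renew-hook`); certbot runs it only when a certificate was actually renewed. SABnzbd+ still has to be restarted afterwards to load the new files.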
My router's Port forward settings:
[screenshot: screen shot 2016-08-16 at 4 45 37 pm]
My SABNzbd+ HTTPS settings:
[screenshot: screen shot 2016-08-16 at 4 59 23 pm]