Using Let's Encrypt SSL with Subsonic

Let's Encrypt Docs

Subsonic getting started Docs

Link from where most of this info came from

Here is a simple tutorial for using Let's Encrypt SSL certificates with Subsonic. This is on a Debian server.

keytool complains if your openssl export password is empty. Additionally, Subsonic expects your keystore password to be subsonic.

Answer subsonic to each password prompt, i.e.:

Enter Export Password: subsonic
Verifying - Enter Export Password: subsonic

Enter destination keystore password: subsonic
Re-enter new password: subsonic
Enter source keystore password: subsonic

Here are the steps, once you have Certbot installed and your certificate issued:

cd /etc/letsencrypt/live/<domain_name>

cat privkey.pem > subsonic.crt
cat cert.pem >> subsonic.crt
cat chain.pem >> subsonic.crt

openssl pkcs12 -in subsonic.crt -export -out subsonic.pkcs12

keytool -importkeystore -srckeystore subsonic.pkcs12 -destkeystore subsonic.keystore -srcstoretype PKCS12 -srcalias 1 -destalias subsonic

zip /usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar subsonic.keystore 

Tell Subsonic to listen for HTTPS by editing /etc/default/subsonic:

SUBSONIC_ARGS="--max-memory=512 --context-path=/subsonic --port=8080 --https-port=8443"

Restart Subsonic:

service subsonic restart


jimrome commented Jul 17, 2019

I followed these instructions, but am still getting the subsonic certificate instead of the letsencrypt one.
I also get a warning after the keytool command:

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore subsonic.keystore -destkeystore subsonic.keystore -deststoretype pkcs12".

Owner Author

alvarow commented Jul 17, 2019

I followed these instructions, but am still getting the subsonic certificate instead of the letsencrypt one.

Check if the Java keystore subsonic.keystore file made it into the Subsonic jar file:

zipinfo /usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar

It should be listed there, and with the correct date of when you updated it with the Let's Encrypt files. If they are not there, then you need to review the steps. If they are there, then are there any error messages on Subsonic's logs? Perhaps you should extract subsonic.keystore and review its contents:

unzip /usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar subsonic.keystore

then

keytool -list -storepass subsonic -keystore subsonic.keystore

and see if the Let's Encrypt certificate is there.

I also get a warning after the keytool command:

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore subsonic.keystore -destkeystore subsonic.keystore -deststoretype pkcs12".

This is just a warning, you can safely ignore it. Until Sindre updates the Subsonic code to use PKCS12 instead of JKS, we can't convert this either. It's not more or less secure, just a warning. JKS has been around for decades and only now folks started to care it is proprietary. When Subsonic code is updated, then we simply skip the step of importing the PKCS12 file we are generating into a JKS. Less work here.


jimrome commented Jul 17, 2019

Thanks for the response. From the zipinfo command, I get

-rw-r--r-- 3.0 unx 3913 bx defN 19-Jul-17 08:56 subsonic.keystore

which is today's keystore.
I did all your steps inside /etc/letsencrypt/live/jarfx.dyndns.org

jardell:/etc/letsencrypt/live/jarfx.dyndns.org # keytool -list -storepass subsonic -keystore subsonic.keystore
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
subsonic, Jul 17, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 62:B6:38:BD:4D:2B:77:B8:24:0F:63:44:B5:C4:15:C4:0C:55:AF:FC
Which does not say which cert is in the keystore. But

jardell:/etc/letsencrypt/live/jarfx.dyndns.org # ls -l subsonic.keystore
-rw-r--r-- 1 root root 3913 Jul 17 08:56 subsonic.keystore
has the same size.
So I listed the detailed contents of the keystore, and the letsencrypt cert is there:

jardell:/etc/letsencrypt/live/jarfx.dyndns.org # keytool -list -v -keystore subsonic.keystore
Enter keystore password:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: subsonic
Creation date: Jul 17, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=jarfx.dyndns.org
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Serial number: 383b01f4761b6bf61a7d2041485e1420c6b
Valid from: Tue Jul 16 08:14:13 EDT 2019 until: Mon Oct 14 08:14:13 EDT 2019
Certificate fingerprints:
MD5: 17:A7:A9:9A:A9:BA:49:3D:DF:BD:7A:71:20:95:51:E7
SHA1: 62:B6:38:BD:4D:2B:77:B8:24:0F:63:44:B5:C4:15:C4:0C:55:AF:FC
SHA256: C8:81:54:8B:27:CF:BA:81:1A:C2:71:0C:02:B0:0C:C9:A6:80:42:DD:4D:4B:1F:A4:8F:C3:CE:C7:68:27:21:A8
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false

#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [

Owner Author

alvarow commented Jul 17, 2019

How are you running Subsonic? .deb file? Tomcat? Check if it was started with the proper flags:

for x in $(pgrep -f subsonic); do cat /proc/$x/cmdline; echo; done

Here that outputs:

java-Xmx512m-Dsubsonic.home=/var/subsonic-Dsubsonic.host=0.0.0.0-Dsubsonic.port=4040-Dsubsonic.httpsPort=8443-Dsubsonic.contextPath=/subsonic-Dsubsonic.db=-Dsubsonic.defaultMusicFolder=/var/music-Dsubsonic.defaultPodcastFolder=/var/music/Podcast-Dsubsonic.defaultPlaylistFolder=/var/playlists-Djava.awt.headless=true-verbose:gc-jarsubsonic-booter-jar-with-dependencies.jar

Then if I go on port 8443, it is using the certificate. I am on version 6.1.5 on an RPi3 using the .deb file and Linux IPTables to redirect port 443 to 8443.


mcbmcb commented Nov 27, 2019

I have successfully managed to get this working, but now I'm wondering what will happen when the certificate's date comes. Will they become obsolete and I will have to redo the procedure again or will they somehow update with the original certbot cron job?

@alvarow

This comment has been minimized.

Copy link
Owner Author

alvarow commented Dec 2, 2019

Hi, no it will not auto update :-( You'll need to set up a cron job to automate the steps above and restart subsonic as well :-/
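
The cron job mentioned in the last reply, as an added example (not the gist author's code): it repeats the tutorial's steps without password prompts, works in an owner-only temporary directory so no copy of the private key is left under the live directory, and only updates the jar if the keystore fingerprint matches cert.pem, which is the check discussed in the comments. The function names, the `-deststoretype JKS` option and the fingerprint check are assumptions added here.

```shell
#!/bin/bash
# Added example (not from the gist): rebuild Subsonic's keystore after renewal.
# Usage, as root: subsonic-keystore.sh /etc/letsencrypt/live/<domain_name>
JAR=/usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar
PASS=subsonic   # fixed password Subsonic expects, so not a secret

# Pull the first colon-separated hex fingerprint (SHA-1 or longer) out of
# keytool or openssl output read from stdin, upper-cased.
fp_of() {
  grep -Eo '([0-9A-Fa-f]{2}:){19,}[0-9A-Fa-f]{2}' | head -n 1 | tr 'a-f' 'A-F'
}

# same_cert <keystore fingerprint> <PEM file>: true if the fingerprint is the
# PEM certificate's SHA-1 or SHA-256 (keytool's default differs by Java version).
same_cert() {
  local alg
  [ -n "$1" ] || return 1
  for alg in sha1 sha256; do
    [ "$1" = "$(openssl x509 -in "$2" -noout -fingerprint -"$alg" | fp_of)" ] && return 0
  done
  return 1
}

main() {
  local live=$1 ks_fp
  umask 077                          # the PKCS12 file holds the private key
  WORK=$(mktemp -d) || exit 1
  trap 'rm -rf "$WORK"' EXIT
  openssl pkcs12 -export -inkey "$live/privkey.pem" -in "$live/cert.pem" \
    -certfile "$live/chain.pem" -out "$WORK/subsonic.pkcs12" \
    -passout "pass:$PASS" || exit 1
  # -deststoretype JKS is an assumption: newer JDKs default to PKCS12.
  keytool -importkeystore -noprompt -srcstoretype PKCS12 \
    -srckeystore "$WORK/subsonic.pkcs12" -srcstorepass "$PASS" \
    -destkeystore "$WORK/subsonic.keystore" -deststoretype JKS \
    -deststorepass "$PASS" -srcalias 1 -destalias subsonic || exit 1
  # Refuse to touch the jar unless the keystore really holds the new cert.
  ks_fp=$(keytool -list -keystore "$WORK/subsonic.keystore" \
    -storepass "$PASS" -alias subsonic | fp_of)
  same_cert "$ks_fp" "$live/cert.pem" || { echo "fingerprint mismatch" >&2; exit 1; }
  (cd "$WORK" && umask 022 && zip -q "$JAR" subsonic.keystore) || exit 1
  service subsonic restart
}

if [ $# -ge 1 ]; then main "$1"; fi
```

Run it from cron after `certbot renew`, passing the live directory as the only argument.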
