
@alvarow
Created August 20, 2018 15:49
Using Let's Encrypt SSL with Subsonic


Let's Encrypt Docs

Subsonic getting started Docs

Link from where most of this info came from

Here is a simple tutorial for using Let's Encrypt SSL certificates with Subsonic. This was done on a Debian server.

keytool complains if your openssl export password is empty. Additionally, Subsonic expects your keystore password to be subsonic.

Answer subsonic to each of the password prompts, i.e.:

Enter Export Password: subsonic
Verifying - Enter Export Password: subsonic

Enter destination keystore password: subsonic
Re-enter new password: subsonic
Enter source keystore password: subsonic

Here are the steps, once you have Certbot installed and your certificate issued:

cd /etc/letsencrypt/live/<domain_name>

cat privkey.pem > subsonic.crt
cat cert.pem >> subsonic.crt
cat chain.pem >> subsonic.crt

openssl pkcs12 -in subsonic.crt -export -out subsonic.pkcs12

keytool -importkeystore -srckeystore subsonic.pkcs12 -destkeystore subsonic.keystore -srcstoretype PKCS12 -srcalias 1 -destalias subsonic

zip /usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar subsonic.keystore 

Tell Subsonic to listen for HTTPS by editing /etc/default/subsonic:

SUBSONIC_ARGS="--max-memory=512 --context-path=/subsonic --port=8080 --https-port=8443"

Restart Subsonic:

service subsonic restart
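As an added example (not part of the original gist), a stdlib-only Python check for the end result of the steps above: it reads subsonic.keystore out of the booter jar, walks the JKS entries, and compares the SHA1 fingerprint of the chain's leaf certificate (the value keytool -list prints, without the colons) with the SHA1 of the current cert.pem, so you can tell which certificate actually shipped inside Subsonic. The function names are mine; the only assumption is the standard JKS v2 layout that keytool writes.

```python
import base64, hashlib, struct, zipfile

def _utf(buf, pos):
    # Java writeUTF(): 2-byte big-endian length followed by the bytes
    n, = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def jks_chain_fingerprints(data):
    """alias -> [SHA1 hex of each cert in the chain] for every PrivateKeyEntry."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != 0xFEEDFEED or version != 2:
        raise ValueError("not a JKS v2 keystore (keytool's default before JDK 9)")
    pos, out = 12, {}
    for _ in range(count):
        tag, = struct.unpack_from(">I", data, pos)
        alias, pos = _utf(data, pos + 4)
        pos += 8                                  # creation time, ms since epoch
        if tag == 1:                              # PrivateKeyEntry
            klen, = struct.unpack_from(">I", data, pos)
            pos += 4 + klen                       # password-protected key, skipped
            nchain, = struct.unpack_from(">I", data, pos)
            pos, fps = pos + 4, []
            for _ in range(nchain):
                _ctype, pos = _utf(data, pos)     # "X.509"
                clen, = struct.unpack_from(">I", data, pos)
                der = data[pos + 4:pos + 4 + clen]
                fps.append(hashlib.sha1(der).hexdigest().upper())
                pos += 4 + clen
            out[alias] = fps
        elif tag == 2:                            # trustedCertEntry, not needed
            _ctype, pos = _utf(data, pos)
            clen, = struct.unpack_from(">I", data, pos)
            pos += 4 + clen
        else:
            raise ValueError("unknown JKS entry tag %d" % tag)
    return out

def pem_sha1(pem_text):
    """SHA1 fingerprint of the first certificate in a PEM file (cert.pem)."""
    body = pem_text.split("-----BEGIN CERTIFICATE-----")[1].split("-----END")[0]
    return hashlib.sha1(base64.b64decode(body)).hexdigest().upper()

def keystore_matches_cert(jar, pem_text, alias="subsonic"):
    """True if subsonic.keystore at the jar root carries cert.pem as its leaf.
    A keystore zipped under a nested path (zip without -j) counts as missing."""
    with zipfile.ZipFile(jar) as z:
        if "subsonic.keystore" not in z.namelist():
            return False
        fps = jks_chain_fingerprints(z.read("subsonic.keystore"))
    return (fps.get(alias) or [None])[0] == pem_sha1(pem_text)
```

On the server, call keystore_matches_cert("/usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar", open("/etc/letsencrypt/live/<domain_name>/cert.pem").read()) after the zip step; False means the jar still carries the old keystore.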

@jimrome

jimrome commented Jul 17, 2019

I followed these instructions, but am still getting the subsonic certificate instead of the letsencrypt one.
I also get a warning after the keytool command:

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore subsonic.keystore -destkeystore subsonic.keystore -deststoretype pkcs12".

@alvarow

alvarow commented Jul 17, 2019

I followed these instructions, but am still getting the subsonic certificate instead of the letsencrypt one.

Check if the Java keystore subsonic.keystore file made it into the Subsonic jar file:

zipinfo /usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar

It should be listed there, with the correct date of when you updated it with the Let's Encrypt files. If it is not there, then you need to review the steps. If it is there, are there any error messages in Subsonic's logs? Perhaps you should extract subsonic.keystore and review its contents:

unzip /usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar subsonic.keystore

then

keytool -list -storepass subsonic -keystore subsonic.keystore

and see if the Let's Encrypt certificate is there.

I also get a warning after the keytool command:

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore subsonic.keystore -destkeystore subsonic.keystore -deststoretype pkcs12".

This is just a warning; you can safely ignore it. Until Sindre updates the Subsonic code to use PKCS12 instead of JKS, we can't convert this either. It's not more or less secure, just a warning. JKS has been around for decades and only now have folks started to care that it is proprietary. When the Subsonic code is updated, we simply skip the step of importing the PKCS12 file we are generating into a JKS. Less work here.

@jimrome

jimrome commented Jul 17, 2019

Thanks for the response. From the zipinfo command, I get

-rw-r--r-- 3.0 unx 3913 bx defN 19-Jul-17 08:56 subsonic.keystore

which is today's keystore.
I did all your steps inside /etc/letsencrypt/live/jarfx.dyndns.org

jardell:/etc/letsencrypt/live/jarfx.dyndns.org # keytool -list -storepass subsonic -keystore subsonic.keystore
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
subsonic, Jul 17, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 62:B6:38:BD:4D:2B:77:B8:24:0F:63:44:B5:C4:15:C4:0C:55:AF:FC
Which does not say which cert is in the keystore. But

jardell:/etc/letsencrypt/live/jarfx.dyndns.org # ls -l subsonic.keystore
-rw-r--r-- 1 root root 3913 Jul 17 08:56 subsonic.keystore
has the same size.
So I listed the detailed contents of the keystore, and the letsencrypt cert is there:

jardell:/etc/letsencrypt/live/jarfx.dyndns.org # keytool -list -v -keystore subsonic.keystore
Enter keystore password:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: subsonic
Creation date: Jul 17, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=jarfx.dyndns.org
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Serial number: 383b01f4761b6bf61a7d2041485e1420c6b
Valid from: Tue Jul 16 08:14:13 EDT 2019 until: Mon Oct 14 08:14:13 EDT 2019
Certificate fingerprints:
MD5: 17:A7:A9:9A:A9:BA:49:3D:DF:BD:7A:71:20:95:51:E7
SHA1: 62:B6:38:BD:4D:2B:77:B8:24:0F:63:44:B5:C4:15:C4:0C:55:AF:FC
SHA256: C8:81:54:8B:27:CF:BA:81:1A:C2:71:0C:02:B0:0C:C9:A6:80:42:DD:4D:4B:1F:A4:8F:C3:CE:C7:68:27:21:A8
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false

#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [

@alvarow

alvarow commented Jul 17, 2019

How are you running Subsonic? .deb file? Tomcat? Check if it was started with the proper flags:

for x in $(pgrep -f subsonic); do cat /proc/$x/cmdline; echo; done

Here that outputs:

java-Xmx512m-Dsubsonic.home=/var/subsonic-Dsubsonic.host=0.0.0.0-Dsubsonic.port=4040-Dsubsonic.httpsPort=8443-Dsubsonic.contextPath=/subsonic-Dsubsonic.db=-Dsubsonic.defaultMusicFolder=/var/music-Dsubsonic.defaultPodcastFolder=/var/music/Podcast-Dsubsonic.defaultPlaylistFolder=/var/playlists-Djava.awt.headless=true-verbose:gc-jarsubsonic-booter-jar-with-dependencies.jar

Then if I go on port 8443, it is using the certificate. I am on version 6.1.5 on an RPi3 using the .deb file and Linux IPTables to redirect port 443 to 8443.

@mcbmcb

mcbmcb commented Nov 27, 2019

I have successfully managed to get this working, but now I'm wondering what will happen when the certificate's expiry date comes. Will it become obsolete and will I have to redo the procedure again, or will it somehow update with the original certbot cron job?

@alvarow

alvarow commented Dec 2, 2019

Hi, no it will not auto update :-( You'll need to setup a cron job to automate the steps above and restart subsonic as well :-/

@jimrome

jimrome commented Dec 24, 2019

I just updated my certificate and followed all of these instructions, and again, I get the self-signed cert. I have the same flags as in your Jul 17 comment. I am running on openSUSE Leap 15.1, started from a script in /etc/init.d/subsonic from the rpm distribution.
subsonic-booter-jar-with-dependencies.jar is dated today and contains my new key.
But, after a reboot, Subsonic is running with my new Letsencrypt key. However, my browser says the site is still insecure, even though the certificate is valid! See https://www.dropbox.com/s/ks70lexvxv9rxvm/SubsonicSecurity.png?dl=0
What can cause this? I am running the new Microsoft Edge-Dev.

@cooljimy84

cooljimy84 commented Feb 25, 2020

@mcbmcb

mcbmcb commented Mar 1, 2020

Hi, no it will not auto update :-( You'll need to setup a cron job to automate the steps above and restart subsonic as well :-/

Is it possible to set up cron with all the input required? (password creation and confirmation, overwrite warning)

@alvarow

alvarow commented Mar 2, 2020

I think it is; google "expect" scripts, and on JDK 1.8 and lower keytool accepts all the parameters on the command line. I am not familiar with the newer JDKs, but someone mentioned it changed; I haven't done that homework yet. I run my Subsonic on an RPi3 with JDK 1.8.

See this https://community.letsencrypt.org/t/configuring-lets-encrypt-with-tomcat-6-x-and-7-x/32416

@nairobiny

I wrote a renewal hook script to automate the update process, but it doesn't seem to be working properly. Even though the script executes properly, it still seems to have the 'old' certificate when I access the site.

zipinfo /usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar gives me the correct date.

However, if I unzip it and run keytool -list -storepass subsonic -keystore subsonic.keystore, the wrong certificate is in there.

I've run out of things to try to get it to work. Can anyone see where I'm going wrong?

Posting the script below in case it's helpful to anyone else. (You will need to edit the directory locations in the obvious places).

#!/bin/bash
# Update the certificate for Subsonic.

# Directory locations
CERTIFICATE_PATH=/etc/letsencrypt/live/INSERT_YOUR_DOMAIN_HERE
WORKING_PATH=/INSERT_A_WORKING_PATH_HERE_EG_HOME_DIRECTORY

# Copy the new certificates over
cp $CERTIFICATE_PATH/privkey.pem $WORKING_PATH
cp $CERTIFICATE_PATH/cert.pem $WORKING_PATH
cp $CERTIFICATE_PATH/chain.pem $WORKING_PATH
cat $WORKING_PATH/privkey.pem > $WORKING_PATH/subsonic.crt
cat $WORKING_PATH/cert.pem >> $WORKING_PATH/subsonic.crt
cat $WORKING_PATH/chain.pem >> $WORKING_PATH/subsonic.crt

# Run openssl on our new key
openssl pkcs12 -in $WORKING_PATH/subsonic.crt -export -out $WORKING_PATH/subsonic.pkcs12 -passout pass:subsonic

# Run keytool on our new key
keytool -importkeystore -srckeystore $WORKING_PATH/subsonic.pkcs12 -destkeystore $WORKING_PATH/subsonic.keystore -srcstoretype PKCS12 -srcalias 1 -destalias subsonic -srcstorepass subsonic -deststorepass subsonic

# Now zip the new keystore
zip /usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar $WORKING_PATH/subsonic.keystore

# Restart subsonic
service subsonic restart

# Tidy up
rm $WORKING_PATH/privkey.pem
rm $WORKING_PATH/cert.pem
rm $WORKING_PATH/chain.pem
rm $WORKING_PATH/subsonic.crt
rm $WORKING_PATH/subsonic.pkcs12
rm $WORKING_PATH/subsonic.keystore

@jimrome

jimrome commented Oct 9, 2021 via email

@nairobiny

Did you reboot? James A. Rome

Yes, it persists across a reboot.

@nairobiny

I think I fixed it... the issue was that it was storing the full path to the new keystore file and therefore wasn't overwriting the old one.

This seemed to work: replacing zip /usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar $WORKING_PATH/subsonic.keystore with zip -j /usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar $WORKING_PATH/subsonic.keystore

Here's a revised script in case it helps anyone else:

#!/bin/bash
# Update the certificate for Subsonic.

# Directory locations
CERTIFICATE_PATH=/etc/letsencrypt/live/INSERT_YOUR_DOMAIN_HERE
WORKING_PATH=/INSERT_A_WORKING_PATH_HERE_EG_HOME_DIRECTORY

# Copy the new certificates over
cp $CERTIFICATE_PATH/privkey.pem $WORKING_PATH
cp $CERTIFICATE_PATH/cert.pem $WORKING_PATH
cp $CERTIFICATE_PATH/chain.pem $WORKING_PATH
cat $WORKING_PATH/privkey.pem > $WORKING_PATH/subsonic.crt
cat $WORKING_PATH/cert.pem >> $WORKING_PATH/subsonic.crt
cat $WORKING_PATH/chain.pem >> $WORKING_PATH/subsonic.crt

# Run openssl on our new key
openssl pkcs12 -in $WORKING_PATH/subsonic.crt -export -out $WORKING_PATH/subsonic.pkcs12 -passout pass:subsonic

# Run keytool on our new key
keytool -importkeystore -srckeystore $WORKING_PATH/subsonic.pkcs12 -destkeystore $WORKING_PATH/subsonic.keystore -srcstoretype PKCS12 -srcalias 1 -destalias subsonic -srcstorepass subsonic -deststorepass subsonic

# Now zip the new keystore
zip -j /usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar $WORKING_PATH/subsonic.keystore

# Restart subsonic
service subsonic restart

# Tidy up
rm $WORKING_PATH/privkey.pem
rm $WORKING_PATH/cert.pem
rm $WORKING_PATH/chain.pem
rm $WORKING_PATH/subsonic.crt
rm $WORKING_PATH/subsonic.pkcs12
rm $WORKING_PATH/subsonic.keystore

@alvarow

alvarow commented Oct 12, 2021

very nice!
