Setup Let's Encrypt certificate for use with SABnzbd+

I just discovered Let's Encrypt and wanted to get myself a free cert for use with my SABnzbd+ installation at home. Here's my setup:

  • Home server running Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-93-generic x86_64)
  • SABNzbd+ 0.7.16 running on server
  • Netgear Nighthawk R6900 home router
  • Dynamic hostname from no-ip.org, which I'll use for this setup

Preparation

I have a dynamic hostname from no-ip.org, which I use to access my home network. I have port forwarding set up on my Netgear router to access the programs running on my home server. See my port forwarding settings in my comment below.

I will use my hostname, along with port 443 forwarded to my server, to run the Let's Encrypt certificate process. I have also forwarded ports 8888-8889 (or your choice of ports) for use with SABnzbd+.

Be sure to also open up port 443, and your desired SABnzbd+ ports, on the Ubuntu firewall. I use UFW, and temporarily disabled it with sudo ufw disable, but I will just whitelist that port for future use during certificate renewals.

  1. Select I'm using "None of the above" on "Ubuntu 14.04 (trusty)".
  2. Install it according to the Install section

Generate the cert

  1. Run certbot using certonly:

    $ ./certbot-auto certonly
    
  2. Follow on-screen instructions:

  • Select 2 Automatically use a temporary webserver (standalone)

  • Enter your email address

  • Agree to the Terms of Service

  • Enter your dynamic hostname. If you didn't open up access for your server on port 443, you'll get an error message like this:

    Failed authorization procedure. myhostname.no-ip.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 123.234.222.111:443 for TLS-SNI-01 challenge
    

    Fix your port forwarding and firewall settings on port 443, and you can continue.

  • Once verification is complete, you'll see a message like the following:

    Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/myhostname.no-ip.org/fullchain.pem.
    

Set up the certificate

  1. Set the SABNzbd HTTPS settings. Here are my settings:

    • Default Base Folder: /home/churro/.sabnzbd/admin
    • HTTPS Port: 8889
    • HTTPS Certificate: server.cert
    • HTTPS Key: server.key

    Apply these settings. We'll restart SABnzbd+ later.

  2. Copy the certificates over to the Default Base Folder as seen in the last step.

    Let's Encrypt suggests symlinking or pointing directly to the certificates, but I run SABnzbd under my username, and certs belong to root, so unfortunately, I couldn't figure out permissions to get this working as they suggested.

    $ sudo cp /etc/letsencrypt/live/myhostname.no-ip.org/cert.pem /home/churro/.sabnzbd/admin/server.cert
    $ sudo cp /etc/letsencrypt/live/myhostname.no-ip.org/privkey.pem /home/churro/.sabnzbd/admin/server.key
    
  3. Allow the SABnzbd user to access these files. I run SABnzbd as my personal user account churro, but files belong to root. Otherwise, you may see these errors in the SABnzbd logs:

    IOError: [Errno 13] Permission denied: '/home/churro/.sabnzbd/admin/server.key'
    2016-08-16 15:20:18,359::WARNING::[sabnzbdplus:1350] Disabled HTTPS because of missing CERT and KEY files
    

    Adjust permissions as follows (obviously use your username, and not mine):

    sudo chown -h churro:churro /home/churro/.sabnzbd/admin/server.*
    

Restart and access via HTTPS

  1. Assuming you've saved the SABnzbd+ HTTPS settings from the last section, restart SABnzbd+ now.
  2. Check your SABnzbd+ status for error messages. If you don't see error messages regarding HTTPS, you should be good to go!
  3. Access your SABnzbd+ with HTTPS at https://host:sslport/ In my case, the URL is: https://myhost.no-ip.org:8889/

Automating renewal of the Let's Encrypt certificate

Let's Encrypt suggests setting up a cron or systemd job, running it twice per day, and selecting a random minute within the hour for your renewal tasks. Let's do it using cron:

Note: The command to renew is: ./path/to/certbot-auto renew --quiet --no-self-upgrade

Note: Cron has the RANDOM_DELAY variable to randomize the minute

  1. Enter cron settings: crontab -e

  2. Enter a scheduled job to renew, at the bottom of the file:

    0 1,23 * * * /home/churro/Downloads/certbot-auto renew --quiet --no-self-upgrade
    
  3. Save and exit your text editor.

  4. Edit the main system crontab file: sudo nano /etc/crontab

  5. After PATH= and SHELL= lines, enter a new line with your desired delay:

    RANDOM_DELAY=30
    
  6. Save your changes and exit your text editor. All done!

My schedule above runs at 1AM and 11PM (twice a day), with a random delay between 0 and 30 minutes.

Note: Unfortunately, due to the disconnect between the renewed files being in /etc/letsencrypt/live/myhostname.no-ip.org/ and the fact that I copied those over to the /home/churro/.sabnzbd/admin/ directory, my renewed certificates won't be used by SABnzbd+. I'll post updated instructions once I figure out a workaround, or how to properly set user permissions to updated certificates.
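
One way to close the gap described in the note above, as an added example that is not part of the original gist: a certbot deploy hook that re-copies the renewed files into the SABnzbd+ folder after each successful renewal, keeping the private key at mode 0600. It assumes a certbot release that supports deploy hooks (passed with --deploy-hook or placed in /etc/letsencrypt/renewal-hooks/deploy/) and that the renewal runs as root; the destination folder and user are the gist's own sample values.

```shell
#!/bin/sh
# Added example: certbot deploy hook that re-copies a renewed certificate
# into the SABnzbd+ admin folder. Paths and user are the gist's sample values.

DEST_DIR=/home/churro/.sabnzbd/admin   # "Default Base Folder" from the gist
OWNER=churro:churro                    # account SABnzbd+ runs as

# deploy_cert LINEAGE_DIR DEST_DIR [OWNER]
# Copies cert.pem/privkey.pem (symlinks in live/) to server.cert/server.key.
deploy_cert() {
    lineage=$1; dest=$2; owner=${3:-}

    if [ ! -r "$lineage/cert.pem" ] || [ ! -r "$lineage/privkey.pem" ]; then
        echo "deploy_cert: cert.pem or privkey.pem unreadable in $lineage" >&2
        return 1
    fi

    # mktemp creates files with mode 0600, so the key is never world-readable.
    tmp_cert=$(mktemp "$dest/.server.cert.XXXXXX") || return 1
    tmp_key=$(mktemp "$dest/.server.key.XXXXXX") || { rm -f "$tmp_cert"; return 1; }

    # cat follows the live/ symlinks, so real file contents are copied.
    # mv within one directory is a rename, so SABnzbd+ never sees a partial file.
    if cat "$lineage/cert.pem" > "$tmp_cert" &&
       cat "$lineage/privkey.pem" > "$tmp_key" &&
       chmod 644 "$tmp_cert" && chmod 600 "$tmp_key" &&
       { [ -z "$owner" ] || chown "$owner" "$tmp_cert" "$tmp_key"; } &&
       mv -f "$tmp_cert" "$dest/server.cert" &&
       mv -f "$tmp_key" "$dest/server.key"
    then
        return 0
    fi
    rm -f "$tmp_cert" "$tmp_key"
    return 1
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<name>) to
# deploy hooks; the guard keeps the file inert when run any other way.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE" "$DEST_DIR" "$OWNER"
fi
```

Restart SABnzbd+ after the hook has run, as in the restart section, so it loads the new files.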

@churro-s
Author

My router's Port forward settings:
[Image: screen shot 2016-08-16 at 4 45 37 pm]

My SABNzbd+ HTTPS settings:
[Image: screen shot 2016-08-16 at 4 59 23 pm]

@brambaars

Dear sir,
Thanks for your great guide! Worked great for me.

Concerning the NOTE at the end, about copying files after certificate renewal: do you have an update on that?
Have you figured out a workaround, or were you able to correct the user permissions?

I would like to solve this permanently, without copying files every three months :)

@brambaars

brambaars commented Jan 9, 2019

I have a different setup, I use all this on a Synology server. SABnzbd is installed with ACL permissions, so chown or chmod is not sufficient.
After setting a symlink to the certificate files, then trying to fix the permissions (synoacltool) which didn't succeed for me, I decided to add the copy task to a weekly task in the task scheduler (kind of cron job).
Not ideal, but it'll work.

@fmeesters

Thanks for the guide, works perfect! I got it working with Plex running in a docker.

Hope to see a solution for auto-renewal of the certificate in SABnzbd or Plex. Probably need some scripting.

@syndrael

syndrael commented Oct 4, 2022

Hello,
My Sabnzbd is dockerized (lscr.io/linuxserver/sabnzbd:latest)... and it doesn't work. I don't understand why :-(
If someone could help me. My HTTPS port is 9090, it doesn't work and HTTP Port 8080 works fine.
Here are logs..

INFO::[SABnzbd:1303] HTTPS keys are OK
INFO::[SABnzbd:1435] Starting web-interface on :::9090
INFO::[_cplogging:213] [04/Oct/2022:21:42:24] ENGINE Bus STARTING
/usr/lib/python3.9/site-packages/cherrypy/process/servers.py:416: UserWarning: Unable to verify that the server is bound on 8080
warnings.warn(msg)
INFO::[_cplogging:213] [04/Oct/2022:21:42:29] ENGINE Serving on http://:::8080
/usr/lib/python3.9/site-packages/cherrypy/process/servers.py:416: UserWarning: Unable to verify that the server is bound on 9090
warnings.warn(msg)
INFO::[_cplogging:213] [04/Oct/2022:21:42:34] ENGINE Serving on https://:::9090
INFO::[_cplogging:213] [04/Oct/2022:21:42:34] ENGINE Bus STARTED
INFO::[SABnzbd:1474] Starting SABnzbd.py-3.6.1
INFO::[panic:239] Launching browser with https://127.0.0.1:9090/sabnzbd
INFO::[notifier:123] Sending notification: SABnzbd - SABnzbd 3.6.1 started (type=startup, job_cat=None)

Thank you to anyone who helps me.
