I just discovered Let's Encrypt and wanted to get myself a free cert for use with my SABnzbd+ installation at home. Here's my setup:
- Home server running Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-93-generic x86_64)
- SABNzbd+ 0.7.16 running on server
- Netgear Nighthawk R6900 home router
- Dynamic hostname from no-ip.org, which I'll use for this setup
I have a dynamic hostname from no-ip.org, which I use to access my home network. I have port forwarding set up on my Netgear router to access the programs running on my home server. See my port forwarding settings on my comment below.
I will use my hostname, along with port 443 forwarded to my server, to run the Let's Encrypt certificate process. I have also forwarded ports 8888-8889 (or your choice of ports) for use with SABnzbd+.
Be sure to also open up port 443, and your desired SABnzbd+ ports, on the Ubuntu firewall. I use UFW, and temporarily disabled it with `sudo ufw disable`, but I will just whitelist that port for future use during certificate renewals.
Get EFF's certbot
- Select I'm using "None of the above" on "Ubuntu 14.04 (trusty)".
- Install it according to the Install section
- Run certbot using `certonly`:
  $ ./certbot-auto certonly
- Follow on-screen instructions:
  - Select `2 Automatically use a temporary webserver (standalone)`
  - Enter your email address
  - Agree to the Terms of Service
  - Enter your dynamic hostname. If you didn't open up access for your server on port 443, you'll get an error message like this:
    Failed authorization procedure. myhostname.no-ip.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 123.234.222.111:443 for TLS-SNI-01 challenge
    Fix your port forwarding and firewall settings on port 443, and you can continue.
  - Once verification is complete, you'll see a message like the following:
    Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/myhostname.no-ip.org/fullchain.pem.
- Set the SABnzbd+ HTTPS settings. Here are my settings:
  - Default Base Folder: /home/churro/.sabnzbd/admin
  - HTTPS Port: 8889
  - HTTPS Certificate: server.cert
  - HTTPS Key: server.key

  Apply these settings. We'll restart SABnzbd+ later.
- Copy the certificates over to the Default Base Folder as seen in the last step.
  Let's Encrypt suggests symlinking or pointing directly to the certificates, but I run SABnzbd under my username, and certs belong to root, so unfortunately, I couldn't figure out permissions to get this working as they suggested.
  $ sudo cp /etc/letsencrypt/live/myhostname.no-ip.org/cert.pem /home/churro/.sabnzbd/admin/server.cert
  $ sudo cp /etc/letsencrypt/live/myhostname.no-ip.org/privkey.pem /home/churro/.sabnzbd/admin/server.key
- Allow the SABnzbd user to access these files. I run SABnzbd as my personal user account `churro`, but files belong to `root`. Otherwise, you may see these errors in the SABnzbd logs:
  IOError: [Errno 13] Permission denied: '/home/churro/.sabnzbd/admin/server.key'
  2016-08-16 15:20:18,359::WARNING::[sabnzbdplus:1350] Disabled HTTPS because of missing CERT and KEY files
  Adjust permissions as follows (obviously use your username, and not mine):
  sudo chown -h churro:churro /home/churro/.sabnzbd/admin/server.*
- Assuming you've saved the SABnzbd+ HTTPS settings from the last section, restart SABnzbd+ now.
- Check your SABnzbd+ status for error messages. If you don't see error messages regarding HTTPS, you should be good to go!
- Access your SABnzbd+ with HTTPS at https://host:sslport/. In my case, the URL is: https://myhost.no-ip.org:8889/
Let's Encrypt suggests setting up a cron or systemd job, running it twice per day, and selecting a random minute within the hour for your renewal tasks. Let's do it using `cron`:
Note: The command to renew is: `./path/to/certbot-auto renew --quiet --no-self-upgrade`
Note: Cron has the `RANDOM_DELAY` variable to randomize the minute
- Enter cron settings:
  crontab -e
- Enter a scheduled job to renew, at the bottom of the file:
  0 1,23 * * * /home/churro/Downloads/certbot-auto renew --quiet --no-self-upgrade
- Save and exit your text editor.
- Edit the main system crontab file:
  sudo nano /etc/crontab
- After the `PATH=` and `SHELL=` lines, enter a new line with your desired delay:
  RANDOM_DELAY=30
- Save your changes and exit your text editor. All done!
My schedule above runs at 1AM and 11PM (twice a day), with a random delay between 0 and 30 minutes.
Note: Unfortunately, due to the disconnect between the renewed files being in `/etc/letsencrypt/live/myhostname.no-ip.org/` and the fact that I copied those over to the `/home/churro/.sabnzbd/admin/` directory, my renewed certificates won't be used by SABnzbd+. I'll post updated instructions once I figure out a workaround, or how to properly set user permissions to updated certificates.
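
One way to close the gap described in the note above, as an added example that is not part of the original post: a certbot deploy hook that re-copies the renewed files into the SABnzbd+ folder. It assumes a certbot release that supports `--deploy-hook` and sets `RENEWED_LINEAGE`, and that the renewal runs as root; the `DEST_DIR` and `OWNER` defaults are the folder and user from this post.

```shell
#!/bin/sh
# Added example: certbot deploy hook that refreshes SABnzbd+'s copies of the
# certificate and key after each successful renewal.
# DEST_DIR and OWNER default to the folder and user used in this post.
DEST_DIR="${DEST_DIR:-/home/churro/.sabnzbd/admin}"
OWNER="${OWNER:-churro:churro}"

# deploy_cert LINEAGE_DIR DEST_DIR [OWNER]
# The body runs in a subshell so the umask change stays local.
deploy_cert() (
    lineage=$1
    dest=$2
    owner=${3:-}

    # Refuse to touch the live copies unless both source files are readable.
    for f in cert.pem privkey.pem; do
        if [ ! -r "$lineage/$f" ]; then
            echo "deploy_cert: missing $lineage/$f" >&2
            exit 1
        fi
    done

    umask 077
    # live/ holds symlinks into archive/, so dereference them with -L.
    # Copy to temporary names first; the rename below swaps each file in whole.
    cp -L "$lineage/cert.pem"    "$dest/server.cert.new" || exit 1
    cp -L "$lineage/privkey.pem" "$dest/server.key.new"  || exit 1

    chmod 644 "$dest/server.cert.new"   # certificate is public
    chmod 600 "$dest/server.key.new"    # private key: owner only

    # chown to another user only works when the hook runs as root.
    if [ -n "$owner" ]; then
        chown "$owner" "$dest/server.cert.new" "$dest/server.key.new" || exit 1
    fi

    mv -f "$dest/server.cert.new" "$dest/server.cert" || exit 1
    mv -f "$dest/server.key.new"  "$dest/server.key"
)

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<name>) to the hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE" "$DEST_DIR" "$OWNER"
fi
```

Save it where root can execute it (the path is your choice) and append `--deploy-hook /path/to/script` to the `renew` command in the cron job. Restart SABnzbd+ afterwards so it loads the new files.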
Dear sir,
Thanks for your great guide! Worked great for me.
Concerning the NOTE at the end, about copying files after certificate renewal: do you have an update on that?
Have you figured out a workaround, or were you able to correct the user permissions?
I would like to solve this permanently, without copying files every three months :)