I just discovered Let's Encrypt and wanted to get myself a free cert for use with my SABnzbd+ installation at home. Here's my setup:
- Home server running Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-93-generic x86_64)
- SABnzbd+ 0.7.16 running on server
- Netgear Nighthawk R6900 home router
- Dynamic hostname from no-ip.org, which I'll use for this setup
I use the dynamic hostname to access my home network, and I have port forwarding set up on my Netgear router to reach the programs running on my home server. See my port forwarding settings in my comment below.
I will use my hostname, along with port 443 forwarded to my server, to run the Let's Encrypt certificate process. I have also forwarded ports 8888-8889 (or your choice of ports) for use with SABnzbd+.
Be sure to also open port 443 and your desired SABnzbd+ ports in the Ubuntu firewall. I use UFW and temporarily disabled it with sudo ufw disable, but I will just whitelist that port for future use during certificate renewals.
- Select I'm using "None of the above" on "Ubuntu 14.04 (trusty)".
- Install it according to the Install section
Generate the cert
Run certbot using
$ ./certbot-auto certonly
Follow on-screen instructions:
2 Automatically use a temporary webserver (standalone)
Enter your email address
Agree to the Terms of Service
Enter your dynamic hostname. If you didn't open up access for your server on port 443, you'll get an error message like this:
Failed authorization procedure. myhostname.no-ip.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 188.8.131.52:443 for TLS-SNI-01 challenge
Fix your port forwarding and firewall settings on port 443, and you can continue.
Once verification is complete, you'll see a message like the following:
Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/myhostname.no-ip.org/fullchain.pem.
Set up the certificate
Set the SABnzbd+ HTTPS settings. Here are my settings:
- Default Base Folder: /home/churro/.sabnzbd/admin
- HTTPS Port: 8889
- HTTPS Certificate: server.cert
- HTTPS Key: server.key
Apply these settings. We'll restart SABnzbd+ later.
Copy the certificates over to the Default Base Folder as seen in the last step.
Let's Encrypt suggests symlinking or pointing directly to the certificates, but I run SABnzbd under my username, and certs belong to root, so unfortunately, I couldn't figure out permissions to get this working as they suggested.
$ sudo cp /etc/letsencrypt/live/myhostname.no-ip.org/cert.pem /home/churro/.sabnzbd/admin/server.cert
$ sudo cp /etc/letsencrypt/live/myhostname.no-ip.org/privkey.pem /home/churro/.sabnzbd/admin/server.key
Allow the SABnzbd user to access these files. I run SABnzbd as my personal user account churro, but files belong to root. Otherwise, you may see these errors in the SABnzbd logs:
IOError: [Errno 13] Permission denied: '/home/churro/.sabnzbd/admin/server.key'
2016-08-16 15:20:18,359::WARNING::[sabnzbdplus:1350] Disabled HTTPS because of missing CERT and KEY files
Adjust permissions as follows (obviously use your username, and not mine):
sudo chown -h churro:churro /home/churro/.sabnzbd/admin/server.*
Restart and access via HTTPS
- Assuming you've saved the SABnzbd+ HTTPS settings from the last section, restart SABnzbd+ now.
- Check your SABnzbd+ status for error messages. If you don't see error messages regarding HTTPS, you should be good to go!
- Access your SABnzbd+ with HTTPS at https://host:sslport/. In my case, the URL is: https://myhost.no-ip.org:8889/
Automating renewal of the Let's Encrypt certificate
Let's Encrypt suggests setting up a cron or systemd job, running it twice per day, and selecting a random minute within the hour for your renewal tasks. Let's do it using
Note: The command to renew is:
./path/to/certbot-auto renew --quiet --no-self-upgrade
Enter cron settings:
Enter a scheduled job to renew, at the bottom of the file:
0 1,23 * * * /home/churro/Downloads/certbot-auto renew --quiet --no-self-upgrade
Save and exit your text editor.
Edit the main system crontab file:
sudo nano /etc/crontab
SHELL=lines, enter a new line with your desired delay:
Save your changes and exit your text editor. All done!
My schedule above runs at 1AM and 11PM (twice a day), with a random delay between 0 and 30 minutes.
Note: Unfortunately, due to the disconnect between the renewed files being in /etc/letsencrypt/live/myhostname.no-ip.org/ and the fact that I copied those over to the /home/churro/.sabnzbd/admin/ directory, my renewed certificates won't be used by SABnzbd+. I'll post updated instructions once I figure out a workaround, or how to properly set user permissions to updated certificates.
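One way to close the gap described in the note above, as an added example that is not part of the original post: a script that re-copies the renewed certificate and key into the SABnzbd+ base folder, keeping the key at mode 600 and owned by the SABnzbd user. It assumes a certbot version that supports renew hooks (--renew-hook, named --deploy-hook in later releases), which run the script as root with RENEWED_LINEAGE set; the helper names sync_one and install_sab_cert are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post). Paths and user are the ones used
# above; sync_one and install_sab_cert are hypothetical helper names.

CHANGED=0

# sync_one SRC DEST MODE [OWNER]: copy SRC over DEST only if contents differ.
sync_one() {
    src=$1; dest=$2; mode=$3; owner=${4:-}
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    if [ -f "$dest" ] && cmp -s "$src" "$dest"; then
        return 0    # already current, nothing to do
    fi
    # mktemp creates the file with mode 0600, so the private key is never
    # world-readable; mv within one directory then swaps it in atomically.
    tmp=$(mktemp "$dest.XXXXXX") || return 2
    if cat "$src" > "$tmp" && chmod "$mode" "$tmp" &&
       { [ -z "$owner" ] || chown "$owner" "$tmp"; } &&
       mv -f "$tmp" "$dest"; then
        CHANGED=1
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# install_sab_cert LIVE_DIR SAB_DIR [OWNER]
# Prints "updated" when SABnzbd+ needs a restart, "unchanged" otherwise.
install_sab_cert() {
    CHANGED=0
    sync_one "$1/cert.pem"    "$2/server.cert" 644 "${3:-}" || return 2
    sync_one "$1/privkey.pem" "$2/server.key"  600 "${3:-}" || return 2
    if [ "$CHANGED" -eq 1 ]; then echo updated; else echo unchanged; fi
}

# certbot exports RENEWED_LINEAGE (the live/<hostname> directory) when it runs
# this script as a renew hook; outside a hook nothing happens.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_sab_cert "$RENEWED_LINEAGE" /home/churro/.sabnzbd/admin churro:churro
fi
```

Save it as an executable file and append --renew-hook with the script's path to the renew command in the cron entry; SABnzbd+ still has to be restarted after an "updated" run to load the new files.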