Setup Let's Encrypt certificate for use with SABnzbd+

I just discovered Let's Encrypt and wanted to get myself a free cert for use with my SABnzbd+ installation at home. Here's my setup:

  • Home server running Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-93-generic x86_64)
  • SABnzbd+ 0.7.16 running on server
  • Netgear Nighthawk R6900 home router
  • Dynamic hostname from no-ip.org, which I'll use for this setup

Preparation

I have a dynamic hostname from no-ip.org, which I use to access my home network. I have port forwarding set up on my Netgear router to access the programs running on my home server. See my port forwarding settings in my comment below.

I will use my hostname, along with port 443 forwarded to my server, to run the Let's Encrypt certificate process. I have also forwarded ports 8888-8889 (or your choice of ports) for use with SABnzbd+.

Be sure to also open up port 443 and your desired SABnzbd+ ports on the Ubuntu firewall. I use UFW, and temporarily disabled it with sudo ufw disable, but I will just whitelist that port for future use during certificate renewals.

Get EFF's certbot

  1. Select I'm using "None of the above" on "Ubuntu 14.04 (trusty)".
  2. Install it according to the Install section.

Generate the cert

  1. Run certbot using certonly:

    $ ./certbot-auto certonly
    
  2. Follow on-screen instructions:

  • Select 2 Automatically use a temporary webserver (standalone)

  • Enter your email address

  • Agree to the Terms of Service

  • Enter your dynamic hostname. If you didn't open up access for your server on port 443, you'll get an error message like this:

    Failed authorization procedure. myhostname.no-ip.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 123.234.222.111:443 for TLS-SNI-01 challenge
    

    Fix your port forwarding and firewall settings on port 443, and you can continue.

  • Once verification is complete, you'll see a message like the following:

    Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/myhostname.no-ip.org/fullchain.pem.
    

Set up the certificate

  1. Set the SABnzbd HTTPS settings. Here are my settings:

    • Default Base Folder: /home/churro/.sabnzbd/admin
    • HTTPS Port: 8889
    • HTTPS Certificate: server.cert
    • HTTPS Key: server.key

    Apply these settings. We'll restart SABnzbd+ later.

  2. Copy the certificates over to the Default Base Folder as seen in the last step.

    Let's Encrypt suggests symlinking or pointing directly to the certificates, but I run SABnzbd under my username, and certs belong to root, so unfortunately, I couldn't figure out permissions to get this working as they suggested.

    $ sudo cp /etc/letsencrypt/live/myhostname.no-ip.org/cert.pem /home/churro/.sabnzbd/admin/server.cert
    $ sudo cp /etc/letsencrypt/live/myhostname.no-ip.org/privkey.pem /home/churro/.sabnzbd/admin/server.key
    
  3. Allow the SABnzbd user to access these files. I run SABnzbd as my personal user account churro, but the copied files belong to root. Without this step, you may see these errors in the SABnzbd logs:

    IOError: [Errno 13] Permission denied: '/home/churro/.sabnzbd/admin/server.key'
    2016-08-16 15:20:18,359::WARNING::[sabnzbdplus:1350] Disabled HTTPS because of missing CERT and KEY files
    

    Adjust permissions as follows (obviously use your username, and not mine):

    sudo chown -h churro:churro /home/churro/.sabnzbd/admin/server.*
    

Restart and access via HTTPS

  1. Assuming you've saved the SABnzbd+ HTTPS settings from the last section, restart SABnzbd+ now.
  2. Check your SABnzbd+ status for error messages. If you don't see error messages regarding HTTPS, you should be good to go!
  3. Access your SABnzbd+ with HTTPS at https://host:sslport/. In my case, the URL is: https://myhost.no-ip.org:8889/

Automating renewal of Let's Encrypt certificate

Let's Encrypt suggests setting up a cron or systemd job that runs twice per day, with a random minute within the hour for your renewal tasks. Let's do it using cron:

Note: The command to renew is: ./path/to/certbot-auto renew --quiet --no-self-upgrade

Note: Cron has the RANDOM_DELAY variable to randomize the minute

  1. Enter cron settings: crontab -e

  2. Enter a scheduled job to renew, at the bottom of the file:

    0 1,23 * * * /home/churro/Downloads/certbot-auto renew --quiet --no-self-upgrade
    
  3. Save and exit your text editor.

  4. Edit the main system crontab file: sudo nano /etc/crontab

  5. After PATH= and SHELL= lines, enter a new line with your desired delay:

    RANDOM_DELAY=30
    
  6. Save your changes and exit your text editor. All done!

My schedule above runs at 1AM and 11PM (twice a day), with a random delay between 0 and 30 minutes.

Note: Unfortunately, due to the disconnect between the renewed files being in /etc/letsencrypt/live/myhostname.no-ip.org/ and the fact that I copied those over to the /home/churro/.sabnzbd/admin/ directory, my renewed certificates won't be used by SABnzbd+. I'll post updated instructions once I figure out a workaround, or how to properly set user permissions to updated certificates.
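
One way to close the gap described in the note above, as an added example that is not part of the original gist: a hook script that certbot runs after a successful renewal (`--deploy-hook`, called `--renew-hook` in older releases) and that re-copies the renewed files, keeping the private key readable only by its owner. The function name and the DEST_DIR/DEST_USER variables are assumptions; the default paths and user name are the guide's.

```shell
#!/bin/sh
# Added example (not from the original gist): certbot renewal hook that
# re-copies a renewed certificate into SABnzbd+'s admin folder.
# DEST_DIR, DEST_USER and the function name are assumptions; the default
# paths and user name are the ones the guide uses.
DEST_DIR="${DEST_DIR:-/home/churro/.sabnzbd/admin}"
DEST_USER="${DEST_USER:-churro}"

# install_renewed_cert LINEAGE_DIR DEST_DIR [OWNER]
install_renewed_cert() {
    src=$1; dest=$2; owner=${3:-}

    # Refuse an incomplete lineage so a failed renewal never replaces
    # a working certificate/key pair.
    for f in cert.pem privkey.pem; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 1; }
    done

    # Stage into temp files (mktemp creates them 0600) and rename into
    # place, so SABnzbd+ never reads a partially written file.
    tmp_cert=$(mktemp "$dest/.server.cert.XXXXXX") || return 1
    tmp_key=$(mktemp "$dest/.server.key.XXXXXX") || { rm -f "$tmp_cert"; return 1; }
    if ! { cat "$src/cert.pem" > "$tmp_cert" && cat "$src/privkey.pem" > "$tmp_key"; }; then
        rm -f "$tmp_cert" "$tmp_key"; return 1
    fi

    chmod 644 "$tmp_cert"   # certificate is public
    chmod 600 "$tmp_key"    # private key: owner only
    # When run as root (as certbot normally is), hand the files to the
    # SABnzbd+ user, as the guide's chown step does.
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$owner" "$tmp_cert" "$tmp_key" ||
            { rm -f "$tmp_cert" "$tmp_key"; return 1; }
    fi
    mv -f "$tmp_cert" "$dest/server.cert" && mv -f "$tmp_key" "$dest/server.key"
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<hostname>)
# to the hook; when it is unset, the script only defines the function.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_renewed_cert "$RENEWED_LINEAGE" "$DEST_DIR" "$DEST_USER"
fi
```

SABnzbd+ still has to be restarted after the hook runs, as in the restart step above, before it serves the renewed certificate.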

srilankanchurro commented Aug 17, 2016

My router's Port forward settings:
[screenshot]

My SABnzbd+ HTTPS settings:
[screenshot]

brambaars commented Jan 8, 2019

Dear sir,
Thanks for your great guide! Worked great for me.

Concerning the NOTE at the end, about copying files after certificate renewal: do you have an update on that?
Have you figured out a workaround, or were you able to correct the user permissions?

I would like to solve this permanently, without copying files every three months :)

brambaars commented Jan 9, 2019

I have a different setup, I use all this on a Synology server. SABnzbd is installed with ACL permissions, so chown or chmod is not sufficient.
After setting a symlink to the certificate files, then trying to fix the permissions (synoacltool) which didn't succeed for me, I decided to add the copy task to a weekly task in the task scheduler (kind of cron job).
Not ideal, but it'll work.

fmeesters commented Jan 13, 2019

Thanks for the guide, works perfect! I got it working with Plex running in a docker.

Hope to see a solution for auto-renewal of the certificate in SABnzbd or Plex. Probably need some scripting.
