GUIDE how to set up a proper SSL certificate on Linux/Ubuntu

GUIDE how to set up a proper SSL certificate on Linux/Ubuntu

Unread post by chali »

Hi

I found this very well-written guide, so I copy it here. Hope it helps someone :)

All credit goes to the user Dan, who wrote the guide; I only copied and pasted it.


I have been using Subsonic for a couple of years now, and after getting sick of the SSL warnings you receive due to the default self-signed certificate, I decided to purchase a third-party cert from a trusted CA.

The installation wasn't well documented at all (for Linux anyway), so hopefully this will help anyone who is looking to do the installation themselves. In my setup I am running Ubuntu 12.04 LTS, but this should be adaptable to any Linux install with OpenSSL and ZIP installed.

NOTE: During these instructions you will be modifying a file that Subsonic requires to start. If something goes wrong you will need to re-install Subsonic, so it would be a good idea to back up the file you are modifying first:

sudo cp /usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar /home/<username>/

1. Purchase a certificate from a third-party CA. NameCheap.com offers $9 Comodo certificates here. Choose Apache/OpenSSL as your server type during the order.

2. Generate a CSR during your order using the following command. Make sure you enter all the required information when prompted (Country code, State/Province, City, Organization Name, etc.). When prompted for the Common Name, make sure you enter the URL that you use to access your Subsonic server.

openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr

3. Open the server.csr file using your favorite text editor and copy the contents, then paste in the cert order form.

4. Once the order is finished you will need to wait some time for the CA to accept the request. Check your email and follow the instructions they send you.

5. Once you receive your certificate you will need to combine the private key, server cert, and intermediate certs into one file. Simply open all three in a text editor and copy/paste everything into a new text file without any blank lines. I added mine in the following order:

Private Key (myserver.key)
Server Certificate
Intermediate Certificate

6. Save this text file as subsonic.crt

7. Next, convert the cert from PEM to PKCS12 format using the following command.

openssl pkcs12 -in subsonic.crt -export -out subsonic.pkcs12

8. Now that the cert has been converted into the proper format you can create the new Java keystore:

keytool -importkeystore -srckeystore subsonic.pkcs12 -destkeystore subsonic.keystore -srcstoretype PKCS12 -srcalias 1 -destalias tomcat

9. Import the keystore into subsonic-booter-jar-with-dependencies.jar:

zip /usr/share/subsonic/subsonic-booter-jar-with-dependencies.jar subsonic.keystore

10. Lastly, restart the Subsonic service to load the new certificate:

sudo service subsonic restart

Once you browse to your Subsonic site you shouldn't get the certificate warning anymore. Please leave a comment regarding any questions, hopefully this helps!

Below is a little additional info from one of the users of this guide (user Ethan):

Hey! Thanks for the tutorial. I had to make a few tweaks to get it to work on my end.
First, I am using a free StartSSL-issued certificate. I added StartSSL’s additional chain certificate known as “sub.class1.ca.pem” to the other three you listed.
Second, I couldn’t get keytool to work without using a passphrase on my exported PKCS12 file. I used “subsonic” for convenience. Without using an export passphrase, I would get either the error: “keytool error: java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded” or “keytool error: java.security.UnrecoverableKeyException: Get Key failed: / by zero” depending on my later entries.
Third, the default Subsonic keystore is also protected by a passphrase: “subsonic”. When I ran the keytool, it required both a source and destination key – I entered “subsonic” for both.
Finally, Subsonic expects the alias in the keystore to be “subsonic”, not “tomcat”, which changes the keytool command. With the correct alias, Subsonic loaded the correct key and everything worked for me. Thanks again.


Here is the original thread: http://www.fatframe.com/2012/11/25/inst ... sonic-4-7/

/Chali
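An added check for steps 5 to 8 (example code, not from Dan's guide or the Subsonic project): it validates the combined subsonic.crt for the mistakes that make openssl pkcs12 or keytool fail (blank lines, a missing or duplicate key, wrong block order, corrupt base64), then builds the two conversion commands with the passphrase read from an environment variable instead of the command line and the alias set to subsonic, as Ethan's note requires. The variable name SUBSONIC_P12_PASS and the output file names are assumptions.

```python
import base64
import re
import subprocess

# One PEM block; the label tells a private key apart from a certificate.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)

def check_bundle(text):
    """Validate the combined subsonic.crt from steps 5-6. Returns a list of
    problems (empty means ready for `openssl pkcs12 -export`)."""
    problems = []
    if re.search(r"\n[ \t]*\n", text.strip()):
        problems.append("blank line inside the bundle")
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return problems + ["no PEM blocks found"]
    for label, body in blocks:
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error subclasses ValueError
            problems.append(f"corrupt base64 in {label} block")
    keys = [lbl for lbl, _ in blocks if lbl.endswith("PRIVATE KEY")]
    certs = [lbl for lbl, _ in blocks if lbl == "CERTIFICATE"]
    if len(keys) != 1:
        problems.append(f"expected exactly 1 private key, found {len(keys)}")
    if len(certs) < 2:
        problems.append("expected server cert plus at least one intermediate")
    if not blocks[0][0].endswith("PRIVATE KEY"):
        problems.append("private key must be the first block")
    return problems

def conversion_commands(bundle="subsonic.crt", alias="subsonic",
                        password_env="SUBSONIC_P12_PASS"):
    """Steps 7-8 as argv lists. The passphrase comes from an environment
    variable (openssl env:, keytool :env) so it stays out of argv and shell
    history; -name sets the friendly name so keytool imports it by alias."""
    openssl = ["openssl", "pkcs12", "-export", "-in", bundle, "-name", alias,
               "-passout", f"env:{password_env}", "-out", "subsonic.pkcs12"]
    keytool = ["keytool", "-importkeystore", "-srcstoretype", "PKCS12",
               "-srckeystore", "subsonic.pkcs12", "-srcstorepass:env", password_env,
               "-destkeystore", "subsonic.keystore", "-deststorepass:env", password_env,
               "-srcalias", alias, "-destalias", alias]
    return [openssl, keytool]

if __name__ == "__main__":  # export SUBSONIC_P12_PASS before running
    issues = check_bundle(open("subsonic.crt").read())
    if issues:
        raise SystemExit("\n".join(issues))
    for cmd in conversion_commands():
        subprocess.run(cmd, check=True)
```

The same passphrase protects the PKCS12 file and the resulting keystore, so set SUBSONIC_P12_PASS to the keystore password Subsonic expects (Ethan reports "subsonic") or to the value you pass with -Dsubsonic.ssl.password.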

Re: GUIDE how to set up a proper SSL certificate on Linux/Ubun

Unread post by Metzlmane »

Thanks!

I got it working with 2 additional lines (see below).
How can I tell Madsonic that the keyfile is in 'madsonic-booter.jar'?
And: how can I determine the SSLCipherSuites?

# The two -Dsubsonic.ssl.* lines are the ones added for the custom keystore.
# They must stay inside the backslash-continued command: a separator or
# comment line in the middle of it would end the command early.
${JAVA} -Xms${MADSONIC_INIT_MEMORY}m -Xmx${MADSONIC_MAX_MEMORY}m \
  -Dsubsonic.home=${MADSONIC_HOME} \
  -Dsubsonic.host=${MADSONIC_HOST} \
  -Dsubsonic.port=${MADSONIC_PORT} \
  -Dsubsonic.httpsPort=${MADSONIC_HTTPS_PORT} \
  -Dsubsonic.ssl.keystore=/share/CACHEDEV1_DATA/.qpkg/madsonic/subsonic.keystore \
  -Dsubsonic.ssl.password=************* \
  -Dsubsonic.contextPath=${MADSONIC_CONTEXT_PATH} \
  -Dsubsonic.defaultMusicFolder=${MADSONIC_DEFAULT_MUSIC_FOLDER} \
  -Dsubsonic.defaultUploadFolder=${MADSONIC_DEFAULT_UPLOAD_FOLDER} \
  -Dsubsonic.defaultPodcastFolder=${MADSONIC_DEFAULT_PODCAST_FOLDER} \
  -Dsubsonic.defaultPlaylistFolder=${MADSONIC_DEFAULT_PLAYLIST_IMPORT_FOLDER} \
  -Dsubsonic.defaultPlaylistExportFolder=${MADSONIC_DEFAULT_PLAYLIST_EXPORT_FOLDER} \
  -Djava.awt.headless=true \
  -verbose:gc \
  -jar madsonic-booter.jar > ${LOG} 2>&1 &

# Write pid to pidfile if it is defined.
if [ -n "$MADSONIC_PIDFILE" ]; then
    echo $! > "${MADSONIC_PIDFILE}"
fi

if [ "$quiet" = 0 ]; then
    echo "Started Madsonic [PID $!, ${LOG}]"
fi


Re: GUIDE how to set up a proper SSL certificate on Linux/Ubun

Unread post by GJ51 »

I use the Tomcat installation on Windows Server. On that setup it's defined in "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf" and you have to edit the server.xml file.

    <Connector port="8241" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="C:\ssl\tomcat.ks"
               keystorePass="yourkeystorepassword"
               keyAlias="tomcat"
               clientAuth="false" sslProtocol="TLS" />

I don't know how relevant this may be to your setup, but I hope it's a lead.

Re: GUIDE how to set up a proper SSL certificate on Linux/Ubun

Unread post by DoCC »

just a question ... who da hell buys a valid certificate from Thawte or VeriSign or however those bunch of gipsys are called, just for a media caster?
self-signed should be ok at any time.

but does it make sense? To encrypt and decrypt audio and video media objects?

Re: GUIDE how to set up a proper SSL certificate on Linux/Ubun

Unread post by GJ51 »

Some users have reported that it is helpful in some work environments that use packet inspection filters to block media streaming. Apparently the encryption can render some filtering techniques ineffective.

YMMV