Letsencrypt with SABnzbd over HTTPS

[sander]

I have SABnzbd over HTTPS now working with the free keys from Letsencrypt (https://letsencrypt.org/) on my own domain (let's say http://www.blabla.com).

I'm not 100% sure I did it the right way, but it is working and Chromium 45 is saying the connection is safe with TLS1.2. Here's how:

1) Run Apache2 on your server, like http://www.blabla.com
2) Get an invite from Letsencrypt (general availability: 16 november 2015). Run the one-liner procedure in the letsencrypt-mail: just fill out the ASCII-art form.

After that (and an apache2 restart?) https://www.blabla.com/ should be running with the Letsencrypt keys, and Chrome should say it's safe. If not, do NOT proceed.

Now use the keys for SABnzbd:

As root go to /etc/letsencrypt/live/www.blabla.com/ and do this:

Code: Select all

sudo cp cert.pem /home/USER/.sabnzbd/admin/letsencrypt---cert.pem
sudo cp privkey.pem /home/USER/.sabnzbd/admin/letsencrypt---privkey.pem

In /home/USER/.sabnzbd/admin/

Code: Select all

cp server.cert server.cert.OLD
cp server.key server.key.OLD
sudo cp letsencrypt---cert.pem server.cert
sudo cp letsencrypt---privkey.pem server.key

sudo chmod 400 lets* server*
ll lets* server*
-r-------- 1 root   root   1805 Oct 30 22:40 letsencrypt---cert.pem
-r-------- 1 root   root   1704 Oct 30 22:40 letsencrypt---privkey.pem
-r-------- 1 sander sander 1805 Oct 30 22:41 server.cert
-r-------- 1 root   root    631 Oct 30 22:36 server.cert.bewaar
-r-------- 1 sander sander 1704 Oct 30 22:41 server.key
-r-------- 1 root   root    912 Oct 30 22:36 server.key.bewaar

Set the owner to the normal user. Now (re)start SABnzbd and go to https://www.blabla.com:9090/ . Hopefully it works.

Chromium version 45.0.2454.101 Ubuntu 14.04 reports:

Note the "Your connection to" ... "is encrypted using an obsolete cipher suite" ... that's probably caused by cherrypy.

Firefox 41.0.2:



HTH

PS: Comments welcome, but I'm afraid I can't help with problems; I'm a SSL newbie


EDIT: Ah ... never a dull moment: Chromium Version 45.0.2454.101 on Ubuntu 15.04, Chrome 46 on Windows and Android now complain the connection to SAB HTTPS is not secure: NET::ERR_CERT_AUTHORITY_INVALID.
The problem is not in letsencrypt as my Apache HTTPS webserver is still OK, so something in combination with SABnzbd / Cherrypy? Everything fine.

EDIT 12-11-2015:
Firefox 40 on Windows is fine with both my Apache HTTPS and SABnzbd HTTPS. Furthermore, Firefox tells the Cipher Suite used:
Apache HTTPS: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 128-bits sleutels, TLS 1.2
SABnzbd HTTPS: TLS_RSA_WITH_AES_128_CBC_SHA, 128-bits sleutels, TLS 1.2

So why is my Chromium complaining about "obsolete cipher suite"? I found this about Chromium:

In order for the message to indicate “modern cryptography”, the connection should use forward secrecy and either AES-GCM or CHACHA20_POLY1305. Other cipher suites are known to have weaknesses. Most servers will wish to negotiate TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

testssl.sh localhost:9090 says:

Code: Select all

 Testing (perfect) forward secrecy, (P)FS -- omitting 3DES, RC4 and Null Encryption here 

Not OK: No ciphers supporting Forward Secrecy offered

So SABnzbd/Cherrypy offers no Forward Secrecy (like ECDHE), and thus Chrome complains with a "using an obsolete cipher suite"?

[sander]

This is what testssl.sh says about the supported Cipher Suites by SABnzbd:

Code: Select all

 Testing all 181 locally available ciphers against the server, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits        Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------
 x9d     AES256-GCM-SHA384              RSA        AESGCM     256         TLS_RSA_WITH_AES_256_GCM_SHA384                   
 x3d     AES256-SHA256                  RSA        AES        256         TLS_RSA_WITH_AES_256_CBC_SHA256                   
 x35     AES256-SHA                     RSA        AES        256         TLS_RSA_WITH_AES_256_CBC_SHA                      
 x84     CAMELLIA256-SHA                RSA        Camellia   256         TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 
 x9c     AES128-GCM-SHA256              RSA        AESGCM     128         TLS_RSA_WITH_AES_128_GCM_SHA256                   
 x3c     AES128-SHA256                  RSA        AES        128         TLS_RSA_WITH_AES_128_CBC_SHA256                   
 x2f     AES128-SHA                     RSA        AES        128         TLS_RSA_WITH_AES_128_CBC_SHA                      
 x96     SEED-SHA                       RSA        SEED       128         TLS_RSA_WITH_SEED_CBC_SHA                         
 x41     CAMELLIA128-SHA                RSA        Camellia   128         TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                 
 x05     RC4-SHA                        RSA        RC4        128         TLS_RSA_WITH_RC4_128_SHA                          
 x04     RC4-MD5                        RSA        RC4        128         TLS_RSA_WITH_RC4_128_MD5                          
 x010080 RC4-MD5                        RSA        RC4        128         SSL_CK_RC4_128_WITH_MD5                           
 x0a     DES-CBC3-SHA                   RSA        3DES       168         TLS_RSA_WITH_3DES_EDE_CBC_SHA                     
 x09     DES-CBC-SHA                    RSA        DES        56          TLS_RSA_WITH_DES_CBC_SHA    

So no ECDHE ...

[nock]

I tired Letsecrypt (open beta) on my HTPC Manger, and it worked great.
I did the following:

Code: Select all

#Download Letsencrypt:
git clone https://github.com/letsencrypt/letsencrypt
#create standalone cert, paste directly in cli:
letsencrypt/letsencrypt-auto certonly --text --standalone --standalone-supported-challenges tls-sni-01 --domain yourDomain.com --email [email protected] --agree-tos --renew-by-default

Then copied the certs like Sander did. Fast and simple
Edit: Port 443 needs to be open

[sander]

Cool. Is your system behind NAT/firewall? If so: which ports did you forward? Only 443, or others too?

[nock]

Yes, i'm behind a NAT/firewall.
Under the process I had port 80 and 443 forwarded, but according to the documentation from Letsencrypt we only need to forward port 443 when using

Code: Select all

--standalone-supported-challenges tls-sni-01

, I guess.

Earlier today I copied the certs to all my standalone and apache web servers, works like a charm

[nock]

For the record, you also have the option in SABnzbd to set the path to the certs insted of replacing the default ones.. I have not tried it thou.

[sander]

For the record, you also have the option in SABnzbd to set the path to the certs insted of replacing the default ones.. I have not tried it thou.

The Letsencrypt certificates/keys and directories are only readable for root. On my system, SABnzbd is running as a normal, so can't read the Letsencrypt directories.

[sander]

I renewed the Letsencrypt keys, which you have to do each 3 months. Renewing is easy for Apache2. However, I had to manually copy those new keys to the SABnzbd directory /home/USER/.sabnzbd/admin/ and set the owner & rights again. A bit boring.

So I tried another way: use Apache 2.4 as reverse proxy in front of SABnzbd, as described here: http://wiki.sabnzbd.org/howto-apache. Just a few standard lines in /etc/apache2/sites-available/000-default-le-ssl.conf

Technical: Apache2.4's HTTPS is a proxy to SABnzbd's HTTP on localhost

Result: SABnzbd is secure via https://www.blabla.com/sabnzbd/

But it does not work all the time. Sometimes I get "The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later." or a screen with a bad layout.
It looks like it then works again after a few browser refreshes

It works reliable now.