Letsencrypt with SABnzbd over HTTPS
Posted: October 30th, 2015, 5:39 pm
I have SABnzbd over HTTPS now working with the free keys from Letsencrypt (https://letsencrypt.org/) on my own domain (let's say http://www.blabla.com).
I'm not 100% sure I did it the right way, but it is working and Chromium 45 is saying the connection is safe with TLS1.2. Here's how:
1) Run Apache2 on your server, like http://www.blabla.com
2) Get an invite from Letsencrypt (general availability: 16 November 2015). Run the one-liner procedure in the letsencrypt-mail: just fill out the ASCII-art form.
After that (and an apache2 restart?) https://www.blabla.com/ should be running with the Letsencrypt keys, and Chrome should say it's safe. If not, do NOT proceed.
Now use the keys for SABnzbd:
As root go to /etc/letsencrypt/live/www.blabla.com/ and do this:
Code:
sudo cp cert.pem /home/USER/.sabnzbd/admin/letsencrypt---cert.pem
sudo cp privkey.pem /home/USER/.sabnzbd/admin/letsencrypt---privkey.pem
In /home/USER/.sabnzbd/admin/
Code:
cp server.cert server.cert.OLD
cp server.key server.key.OLD
sudo cp letsencrypt---cert.pem server.cert
sudo cp letsencrypt---privkey.pem server.key
sudo chmod 400 lets* server*
ll lets* server*
-r-------- 1 root root 1805 Oct 30 22:40 letsencrypt---cert.pem
-r-------- 1 root root 1704 Oct 30 22:40 letsencrypt---privkey.pem
-r-------- 1 sander sander 1805 Oct 30 22:41 server.cert
-r-------- 1 root root 631 Oct 30 22:36 server.cert.bewaar
-r-------- 1 sander sander 1704 Oct 30 22:41 server.key
-r-------- 1 root root 912 Oct 30 22:36 server.key.bewaar
Set the owner to the normal user. Now (re)start SABnzbd and go to https://www.blabla.com:9090/ . Hopefully it works.
Chromium version 45.0.2454.101 Ubuntu 14.04 reports:
Note the "Your connection to" ... "is encrypted using an obsolete cipher suite" ... that's probably caused by cherrypy.
Firefox 41.0.2:
HTH
PS: Comments welcome, but I'm afraid I can't help with problems; I'm an SSL newbie
EDIT: Ah ... never a dull moment: Chromium Version 45.0.2454.101 on Ubuntu 15.04, Chrome 46 on Windows and Android now complain the connection to SAB HTTPS is not secure: NET::ERR_CERT_AUTHORITY_INVALID.
The problem is not in letsencrypt as my Apache HTTPS webserver is still OK, so something in combination with SABnzbd / Cherrypy? Everything fine.
EDIT 12-11-2015:
Firefox 40 on Windows is fine with both my Apache HTTPS and SABnzbd HTTPS. Furthermore, Firefox tells the Cipher Suite used:
Apache HTTPS: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 128-bits sleutels, TLS 1.2
SABnzbd HTTPS: TLS_RSA_WITH_AES_128_CBC_SHA, 128-bits sleutels, TLS 1.2
So why is my Chromium complaining about "obsolete cipher suite"? I found this about Chromium:
In order for the message to indicate “modern cryptography”, the connection should use forward secrecy and either AES-GCM or CHACHA20_POLY1305. Other cipher suites are known to have weaknesses. Most servers will wish to negotiate TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
So SABnzbd/Cherrypy offers no Forward Secrecy (like ECDHE), and thus Chrome complains with a "using an obsolete cipher suite"?
testssl.sh localhost:9090 says:
Code:
Testing (perfect) forward secrecy, (P)FS -- omitting 3DES, RC4 and Null Encryption here
Not OK: No ciphers supporting Forward Secrecy offered
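The Chromium criterion quoted in the post (forward secrecy plus AES-GCM or CHACHA20_POLY1305) can be checked mechanically. The following is an added example, not part of the original post and not SABnzbd or CherryPy code: it classifies a cipher suite name in either IANA or OpenSSL spelling, and the helper names, the TLS 1.3 handling and the default port 9090 (taken from the post's URL) are assumptions of this sketch.

```python
import socket
import ssl

# Key exchanges that use ephemeral Diffie-Hellman and so give forward secrecy.
FS_KEY_EXCHANGES = {"ECDHE", "DHE", "EDH"}


def classify_suite(name):
    """Return (forward_secrecy, aead) for an IANA or OpenSSL suite name."""
    norm = name.upper().replace("-", "_")
    # The quoted criterion names exactly two acceptable ciphers.
    aead = ("AES" in norm and "GCM" in norm) or "CHACHA20_POLY1305" in norm
    if norm.startswith("TLS_") and "_WITH_" not in norm:
        return True, aead  # TLS 1.3 suite: the key exchange is always ephemeral
    if norm.startswith("TLS_"):
        norm = norm[len("TLS_"):]
    # First token is the key exchange: "ECDHE", "RSA", or e.g. "AES128",
    # which is how OpenSSL spells suites that use plain RSA key exchange.
    key_exchange = norm.split("_", 1)[0]
    return key_exchange in FS_KEY_EXCHANGES, aead


def chromium_verdict(name):
    """'modern' only when both conditions of the quoted criterion hold."""
    forward_secrecy, aead = classify_suite(name)
    return "modern" if forward_secrecy and aead else "obsolete"


def negotiated_suite(host, port=9090, timeout=5):
    """Connect with certificate verification and return (suite, protocol).

    This reports only what this client negotiated, not everything the
    server offers; a full scan such as testssl.sh covers the latter.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, protocol, _bits = tls.cipher()
            return name, protocol


if __name__ == "__main__":
    # The two suites Firefox reported in the post.
    for suite in ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_RSA_WITH_AES_128_CBC_SHA"):
        print(suite, "->", chromium_verdict(suite))
```

To check a running instance, pass the suite returned by `negotiated_suite("www.blabla.com")` to `chromium_verdict`; the call raises `ssl.SSLCertVerificationError` if the certificate chain does not validate.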