! … well, there you go: I wanted to document securing Subsonic with HTTPS, I didn't do it, and I updated… #crap
I found this topic while trying to implement my SSL certificate (purchased from Comodo), and after some more research I found this solution (for Ubuntu 14.04, but it should work for most other Linux releases).
To generate a .keystore certificate you need your .key, .crt and ca.crt files (ca.crt is the Intermediate CA Certificate, in my case COMODORSAAddTrustCA.crt).
You could also generate your own self-signed certificate:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt
Convert the x509 cert and key to a pkcs12 (remember to set some_password); as [some-alias] I used subsonic:
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name [some-alias] -CAfile ca.crt -caname root
Convert the pkcs12 file to a Java keystore:
keytool -importkeystore -deststorepass [new_password] -destkeypass [new_password] -destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass [some_password] -alias [some-alias]
Edit the /usr/bin/subsonic file and add the following lines (I added them after -Dsubsonic.httpsPort):
-Dsubsonic.ssl.keystore=/opt/apps/subsonic/server.keystore \
-Dsubsonic.ssl.password=[new_password] \
Enable the SSL connection in /etc/default/subsonic:
SUBSONIC_ARGS="--port=9090 --https-port=9091 --max-memory=512"
The .key is my key, in this case the file ending in […].privatekey.pem.
The .crt is my certificate: […].server.pem.
Which gives us, to convert the certificate to pkcs12:
openssl pkcs12 -export -in […].server.pem -inkey […].privatekey.pem -out server.p12 -name [some-alias] -CAfile ca.crt -caname root
Then, to convert the pkcs12 to a Java keystore:
keytool -importkeystore -deststorepass [new_password] -destkeypass [new_password] -destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass [some_password] -alias [some-alias]
All that remains is to edit /usr/bin/subsonic, adding the following two lines after -Dsubsonic.httpsPort:
-Dsubsonic.ssl.keystore=/opt/apps/subsonic/server.keystore \
-Dsubsonic.ssl.password=[new_password] \
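An added example (not from the original page) of the pkcs12 step with two precautions: it confirms up front that the key and the certificate share a public key, and it reads the export password from a file instead of the command line, where the commands above expose it to `ps` and shell history. Function names, file names and the password file are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Function names, file names and
# the password file are assumptions; the key is expected to be unencrypted,
# as produced by "openssl req -nodes".

# 0 if the private key and the certificate hold the same public key,
# 1 if they differ, 2 if either file cannot be parsed.
key_matches_cert() {
    local key_pub cert_pub
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# Build the PKCS#12 bundle only when key and certificate belong together.
# The export password is read from the first line of a file, so it never
# appears in argv, and umask keeps a newly created bundle at mode 0600.
# The intermediate CA chain is left out of this example.
build_p12() {
    local key="$1" cert="$2" alias="$3" passfile="$4" out="$5"
    if ! key_matches_cert "$key" "$cert"; then
        echo "refusing: $key does not match $cert" >&2
        return 1
    fi
    ( umask 077
      openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$alias" \
          -passout "file:$passfile" -out "$out" ) || return 1
    # Re-open the bundle with the same password to confirm it is readable.
    openssl pkcs12 -in "$out" -passin "file:$passfile" -nokeys 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'
}

# Usage, after sourcing this file (p12.pass holds the password, mode 0600):
#   build_p12 server.key server.crt subsonic p12.pass server.p12
```

The same reasoning applies to the keystore password that ends up in /usr/bin/subsonic: that file and server.keystore should be readable only by the account that runs Subsonic.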
I changed certificate and method. I use a certificate from Gandi and the method