
HOWTO: Remote Access SSL certificate with DDNS (Linux)


Fr33dan

Serviio newbie

Posts: 5

Joined: Sun Aug 06, 2017 3:13 pm

Post Thu Apr 26, 2018 4:06 pm

HOWTO: Remote Access SSL certificate with DDNS (Linux)

It took some effort to get this to work so Chrome wouldn't complain about the connection being insecure. I figured I would share my process with anyone who might be interested. There are some old guides that used some proprietary Windows software that didn't work for me but were immensely helpful for figuring this out. My server is hosted on an Ubuntu 16.04 installation but this should work on any Linux distro that has curl, cron, apache2 and a JDK and supports the certbot client.

Overview
The idea is to use the DDNS service duckdns.org to get a URL, then use the services from letsencrypt.org to get a certificate using Apache2 and Certbot. Finally, configure Serviio to use that certificate. This guide assumes a pre-existing Serviio installation.

Step 0 - Have a static local IP.
In order for this to work your server machine has to have a static IP address on your network. I achieve this by having a DHCP reservation on my router but it could easily be done in the operating system.

Step 1 - Install prerequisite software.
On Ubuntu this can be done by running the following command:
  Code:
sudo apt install cron curl apache2 default-jdk


Once this is done, Apache should be started and thus accessible by typing your server's local IP address into the browser.

Step 2 - Get a URL
Go to duckdns.org and register. Proceed to their install page and follow its instructions for "linux cron". Duck DNS is the only DDNS I have found that works with letsencrypt/certbot.

Step 3 - Configure your router
In order for the certificate to work we must configure the router so that regular HTTP requests go to Apache2, while HTTPS requests go to Serviio so we can actually view our library. I prefer to leave Serviio configured to its default port and map it in the router configuration. To accomplish this, add the following port forwarding configurations to your router to forward them to your server machine:
  Code:
External Port - Internal Port
80            - 80
443           - 23524


Consult the documentation on your router model for how to do this.

After this is done you should be able to get to Apache's "It works" page by typing the URL you created in step two into your browser (with http://, not https://).

Step 4 - Install Certbot and obtain a certificate
Follow the handy instructions at certbot.eff.org for Apache and your version of Linux. Obtain your certificate using the certonly option.

Step 5 - Import certificate into Serviio
This part turned out to be quite tricky, so I wrote a script to make it easy. The keystore and key will have the same passwords as the ones included with Serviio to avoid having to modify serviio.properties in the jar file. I like to place my scripts in a hidden folder in my home directory. Thus, create the script with this command:
  Code:
nano ~/.scripts/MigrateCertToServiio.sh

Paste the following code into the script:
  Code:
#!/bin/bash
(
    domain='[Your Domain]'
    serviioLoc='[Serviio Location]'
    # Export the Let's Encrypt certificate and private key to a PKCS#12 file.
    openssl pkcs12 -password pass:'h,U)-RM!j,]9H2nwKq/cKb]{5&ST2wt/' -export \
        -in "/etc/letsencrypt/live/$domain/cert.pem" \
        -inkey "/etc/letsencrypt/live/$domain/privkey.pem" -out server.p12

    # Clear out the old certificate store
    rm "$serviioLoc/config/serviio.jks"
    # Import the key into the Serviio keystore (the key keeps the PKCS#12 password)
    keytool -importkeystore -srckeystore server.p12 -destkeystore "$serviioLoc/config/serviio.jks" \
        -storepass '>[Z=@Ahjr,(pA[{4,u8Q?T`gzKp^mAf&' \
        -srcstorepass 'h,U)-RM!j,]9H2nwKq/cKb]{5&ST2wt/' -srcstoretype pkcs12

    # Delete the pkcs12 file
    rm server.p12

    chmod 755 "$serviioLoc/config/serviio.jks"

    # Find the existing Serviio process
    pid=$(jps | grep MediaServer | cut -d ' ' -f 1)
    # and kill it and wait for it to die
    kill "$pid"
    while kill -0 "$pid" 2>/dev/null; do sleep 1; done

    # Start it in the background
    sh "$serviioLoc/bin/serviio.sh" &
)

Be sure to change the domain and serviioLoc values to match the domain you created in step 2 and the root location of your Serviio installation (the folder containing bin, config, legal, lib, etc.).

Make the script executable and run it with the following commands:
  Code:
chmod 755 ~/.scripts/MigrateCertToServiio.sh
sudo ~/.scripts/MigrateCertToServiio.sh


After this Serviio should be running with your trusted certificate. If you now type the domain you created in step 2 into the browser using https:// you should get the Serviio media browser with the lovely green lock next to the URL (in Chrome at least; not sure how other browsers denote it).

Step 6 - Setup certificate renewal
The letsencrypt documentation recommends checking for certificate renewal twice a day. This is easy with cron. Certificate renewal must be run as an administrator, so edit the cron table for the administrator using sudo:
  Code:
sudo crontab -e

And add the following line to the table, making sure to change [user] to reflect your Linux username:
  Code:
23 06,18 * * * /usr/bin/certbot renew --deploy-hook /home/[user]/.scripts/MigrateCertToServiio.sh


By setting our migrate script as the deploy-hook we can make sure that the certificate Serviio uses is changed when the cert is renewed, keeping it up to date all the time.

Step 7 - Configure Apache redirect
In this step we will configure Apache to redirect any HTTP requests it receives to the Serviio browser. This will be accomplished using a .htaccess file, which we must first enable in the Apache configuration. Edit apache2.conf:
  Code:
sudo nano /etc/apache2/apache2.conf

Find the directory configuration for /var/www/:
  Code:
<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>

Modify it to allow override:
  Code:
<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
</Directory>

After this you will need to restart apache for the changes to take effect:
  Code:
sudo service apache2 restart

Create the .htaccess file in the server root:
  Code:
sudo nano /var/www/html/.htaccess

Enter the following lines:
  Code:
RewriteEngine On
RewriteCond %{HTTPS}  !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/mediabrowser [R,L]

Save the file and you are now done. Any requests on insecure HTTP will redirect to the main entry page for the media browser. Enjoy your secure media server!

jcaspes

Serviio newbie

Posts: 2

Joined: Mon Aug 07, 2023 12:42 pm

Post Mon Aug 07, 2023 12:53 pm

Re: HOWTO: Remote Access SSL certificate with DDNS (Linux)

Hello,

I've been using your method to activate SSL on my Debian Serviio server with success since long ago.
I recently lost my server HDD, so I'm reinstalling everything :-(

For Serviio, I've restored a backup of the Serviio folder; everything seems quite good except for certificate usage.

I use certbot to generate the certificate, and your script with keytool...

When launching the script everything works successfully, but the Serviio server can't start when the serviio.jks file is activated.

I'm on debian 12 (6.1.0-10-amd64)
and openjdk 17
openjdk version "17.0.8" 2023-07-18
OpenJDK Runtime Environment (build 17.0.8+7-Debian-1deb12u1)
OpenJDK 64-Bit Server VM (build 17.0.8+7-Debian-1deb12u1, mixed mode, sharing)

I have an exception when accessing the store:

2023-08-07T13:29:59,745 INFO [RestletServer] Starting HTTPS/1.1 Restlet server (/console) exposed on port 23523
2023-08-07T13:29:59,745 INFO [RestletServer] Starting HTTPS/1.1 Restlet server (/rest) exposed on port 23523
2023-08-07T13:30:00,084 ERROR [MediaServer] An unexpected error occurred. Ending the application. Message: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
java.lang.RuntimeException: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
at org.serviio.restlet.RestletServer.runServer(RestletServer.java:93) ~[serviio.jar:?]
at org.serviio.MediaServer.main(MediaServer.java:131) ~[serviio.jar:?]
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:450) ~[?:?]
at sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:91) ~[?:?]
at java.security.KeyStore.getKey(KeyStore.java:1050) ~[?:?]
at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:141) ~[?:?]
at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:64) ~[?:?]
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:275) ~[?:?]
at org.restlet.engine.ssl.DefaultSslContextFactory.createSslContext(DefaultSslContextFactory.java:322) ~[org.restlet.jar:?]
at org.restlet.ext.simple.HttpsServerHelper.start(HttpsServerHelper.java:92) ~[org.restlet.ext.simple.jar:?]
at org.restlet.Server.start(Server.java:579) ~[org.restlet.jar:?]
at org.restlet.Component.startServers(Component.java:642) ~[org.restlet.jar:?]
at org.restlet.Component.start(Component.java:567) ~[org.restlet.jar:?]
at org.serviio.restlet.RestletServer.startComponent(RestletServer.java:180) ~[serviio.jar:?]
at org.serviio.restlet.RestletServer.runServer(RestletServer.java:80) ~[serviio.jar:?]
... 1 more
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
at com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:862) ~[?:?]
at com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:942) ~[?:?]
at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:735) ~[?:?]
at com.sun.crypto.provider.PBES2Core.engineDoFinal(PBES2Core.java:325) ~[?:?]
at javax.crypto.Cipher.doFinal(Cipher.java:2205) ~[?:?]
at sun.security.pkcs12.PKCS12KeyStore.lambda$engineGetKey$0(PKCS12KeyStore.java:371) ~[?:?]
at sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:257) ~[?:?]
at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:361) ~[?:?]
at sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:91) ~[?:?]
at java.security.KeyStore.getKey(KeyStore.java:1050) ~[?:?]
at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:141) ~[?:?]
at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:64) ~[?:?]
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:275) ~[?:?]
at org.restlet.engine.ssl.DefaultSslContextFactory.createSslContext(DefaultSslContextFactory.java:322) ~[org.restlet.jar:?]
at org.restlet.ext.simple.HttpsServerHelper.start(HttpsServerHelper.java:92) ~[org.restlet.ext.simple.jar:?]
at org.restlet.Server.start(Server.java:579) ~[org.restlet.jar:?]
at org.restlet.Component.startServers(Component.java:642) ~[org.restlet.jar:?]
at org.restlet.Component.start(Component.java:567) ~[org.restlet.jar:?]
at org.serviio.restlet.RestletServer.startComponent(RestletServer.java:180) ~[serviio.jar:?]
at org.serviio.restlet.RestletServer.runServer(RestletServer.java:80) ~[serviio.jar:?]
... 1 more
2023-08-07T13:30:01,731 INFO [MediaServer] ------------------------------------------------------------------------


Does somebody have an idea of how I can fix this? Is it a Java version that is too recent?

Thank you!

jcaspes

Serviio newbie

Posts: 2

Joined: Mon Aug 07, 2023 12:42 pm

Post Mon Aug 07, 2023 8:39 pm

Re: HOWTO: Remote Access SSL certificate with DDNS (Linux)

Hello

Hmm, after some investigation, it seems that keytool in OpenJDK 17 refuses to set a different password for the keystore and the key in the store.
https://stackoverflow.com/questions/564 ... 2-keystore

@zip So the only solution I found is to change serviio.properties to set the same password for the keystore and the key:

  Code:
ssl_keystore=config/serviio.jks
ssl_keystore_keystore_password=>[Z=@Ahjr,(pA[{4,u8Q?T`gzKp^mAf&
ssl_keystore_key_password=>[Z=@Ahjr,(pA[{4,u8Q?T`gzKp^mAf&


With this change the script in the first post works correctly...

If somebody has a better idea, please share, because I do not like to change jar files; that will be broken in a future update... :-(
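A way to keep serviio.properties untouched, as an added example that is not part of this thread: rebuild serviio.jks explicitly as a JKS-format keystore, which (unlike keytool's PKCS12 default on JDK 9+) still allows the store and key passwords to differ; that difference is what produces the "Get Key failed" error quoted above. The script keeps the passwords and paths from the first post's script; the `serviio` entry alias, the `verify_key` pre-flight check and the switch to fullchain.pem are assumptions of this example, not part of the original.

```shell
#!/bin/bash
# Added example: rebuild serviio.jks as a JKS keystore so the key password can stay
# different from the store password, as the stock serviio.properties expects.
# Usage: ./MigrateCertToServiio-jks.sh --run   (without --run only functions are defined)
set -euo pipefail

domain='[Your Domain]'
serviioLoc='[Serviio Location]'
store_pass='>[Z=@Ahjr,(pA[{4,u8Q?T`gzKp^mAf&'   # ssl_keystore_keystore_password
key_pass='h,U)-RM!j,]9H2nwKq/cKb]{5&ST2wt/'     # ssl_keystore_key_password
entry='serviio'                                 # assumed alias of the key entry

# keytool arguments, one per line so they can be inspected without running keytool.
# -deststoretype JKS is the important part: with the PKCS12 default (JDK 9+) keytool
# protects the key with the store password regardless (it only warns), and Serviio
# then fails with "UnrecoverableKeyException: Get Key failed".
import_args() {   # $1 = source .p12, $2 = destination keystore
    printf '%s\n' -importkeystore \
        -srckeystore "$1" -srcstoretype pkcs12 -srcstorepass "$key_pass" \
        -srcalias "$entry" -srckeypass "$key_pass" \
        -destkeystore "$2" -deststoretype JKS -deststorepass "$store_pass" \
        -destalias "$entry" -destkeypass "$key_pass"
}

# Pre-flight check before Serviio is restarted: -keypasswd with old and new password
# identical is a no-op when the key password is right and fails when it is not.
verify_key() {   # $1 = keystore
    keytool -keypasswd -keystore "$1" -storepass "$store_pass" -alias "$entry" \
        -keypass "$key_pass" -new "$key_pass"
}

migrate() {
    local jks="$serviioLoc/config/serviio.jks" p12 args pid
    p12=$(mktemp --suffix=.p12)
    # fullchain.pem so the intermediate certificate ends up in the keystore as well
    openssl pkcs12 -export -name "$entry" -password "pass:$key_pass" \
        -in "/etc/letsencrypt/live/$domain/fullchain.pem" \
        -inkey "/etc/letsencrypt/live/$domain/privkey.pem" -out "$p12"
    rm -f "$jks"
    mapfile -t args < <(import_args "$p12" "$jks")
    keytool "${args[@]}"
    rm -f "$p12"
    chmod 640 "$jks"   # the keystore holds the private key; world-readable is not needed
    verify_key "$jks"
    pid=$(jps | grep MediaServer | cut -d ' ' -f 1 || true)
    if [ -n "$pid" ]; then kill "$pid"; while kill -0 "$pid" 2>/dev/null; do sleep 1; done; fi
    sh "$serviioLoc/bin/serviio.sh" &
}

if [ "${1:-}" = --run ]; then migrate; fi
```

Used as the certbot deploy-hook in place of the first post's script, it runs on every renewal; serviio.properties keeps its two stock passwords.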
