Letsencrypt with SABnzbd over HTTPS

Posted: October 30th, 2015, 5:39 pm
by sander
I have SABnzbd over HTTPS now working with the free keys from Letsencrypt ( on my own domain (let's say

I'm not 100% sure I did it the right way, but it is working and Chromium 45 is saying the connection is safe with TLS1.2. Here's how:

1) Run Apache2 on your server, like
2) Get an invite from Letsencrypt (general availability: 16 November 2015). Run the one-liner procedure in the letsencrypt-mail: just fill out the ASCII-art form.

After that (and an apache2 restart?) should be running with the Letsencrypt keys, and Chrome should say it's safe. If not, do NOT proceed.

Now use the keys for SABnzbd:

As root go to /etc/letsencrypt/live/ and do this:

Code:

sudo cp cert.pem /home/USER/.sabnzbd/admin/letsencrypt---cert.pem
sudo cp privkey.pem /home/USER/.sabnzbd/admin/letsencrypt---privkey.pem

In /home/USER/.sabnzbd/admin/:

Code:

cp server.cert server.cert.OLD
cp server.key server.key.OLD
sudo cp letsencrypt---cert.pem server.cert
sudo cp letsencrypt---privkey.pem server.key

sudo chmod 400 lets* server*
ll lets* server*
-r-------- 1 root   root   1805 Oct 30 22:40 letsencrypt---cert.pem
-r-------- 1 root   root   1704 Oct 30 22:40 letsencrypt---privkey.pem
-r-------- 1 sander sander 1805 Oct 30 22:41 server.cert
-r-------- 1 root   root    631 Oct 30 22:36 server.cert.bewaar
-r-------- 1 sander sander 1704 Oct 30 22:41 server.key
-r-------- 1 root   root    912 Oct 30 22:36 server.key.bewaar

Set the owner to the normal user. Now (re)start SABnzbd and go to . Hopefully it works. :)

Chromium version 45.0.2454.101 Ubuntu 14.04 reports:
Note the "Your connection to" ... "is encrypted using an obsolete cipher suite" ... that's probably caused by cherrypy.

Firefox 41.0.2:



PS: Comments welcome, but I'm afraid I can't help with problems; I'm an SSL newbie

EDIT: Ah ... never a dull moment: Chromium Version 45.0.2454.101 on Ubuntu 15.04, Chrome 46 on Windows and Android now complain the connection to SAB HTTPS is not secure: NET::ERR_CERT_AUTHORITY_INVALID.
The problem is not in letsencrypt as my Apache HTTPS webserver is still OK, so something in combination with SABnzbd / Cherrypy?
Everything fine.

EDIT 12-11-2015:
Firefox 40 on Windows is fine with both my Apache HTTPS and SABnzbd HTTPS. Furthermore, Firefox tells the Cipher Suite used:
Apache HTTPS: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 128-bits sleutels, TLS 1.2
SABnzbd HTTPS: TLS_RSA_WITH_AES_128_CBC_SHA, 128-bits sleutels, TLS 1.2

So why is my Chromium complaining about "obsolete cipher suite"? I found this about Chromium:
In order for the message to indicate “modern cryptography”, the connection should use forward secrecy and either AES-GCM or CHACHA20_POLY1305. Other cipher suites are known to have weaknesses. Most servers will wish to negotiate TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

localhost:9090 says:

Code:

 Testing (perfect) forward secrecy, (P)FS -- omitting 3DES, RC4 and Null Encryption here 

Not OK: No ciphers supporting Forward Secrecy offered

So SABnzbd/Cherrypy offers no Forward Secrecy (like ECDHE), and thus Chrome complains with a "using an obsolete cipher suite"?

Re: Letsencrypt with SABnzbd over HTTPS

Posted: November 14th, 2015, 4:53 pm
by sander
This is what says about the supported Cipher Suites by SABnzbd:

Code:

 Testing all 181 locally available ciphers against the server, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits        Cipher Suite Name (RFC)
 x9d     AES256-GCM-SHA384              RSA        AESGCM     256         TLS_RSA_WITH_AES_256_GCM_SHA384                   
 x3d     AES256-SHA256                  RSA        AES        256         TLS_RSA_WITH_AES_256_CBC_SHA256                   
 x35     AES256-SHA                     RSA        AES        256         TLS_RSA_WITH_AES_256_CBC_SHA                      
 x84     CAMELLIA256-SHA                RSA        Camellia   256         TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 
 x9c     AES128-GCM-SHA256              RSA        AESGCM     128         TLS_RSA_WITH_AES_128_GCM_SHA256                   
 x3c     AES128-SHA256                  RSA        AES        128         TLS_RSA_WITH_AES_128_CBC_SHA256                   
 x2f     AES128-SHA                     RSA        AES        128         TLS_RSA_WITH_AES_128_CBC_SHA                      
 x96     SEED-SHA                       RSA        SEED       128         TLS_RSA_WITH_SEED_CBC_SHA                         
 x41     CAMELLIA128-SHA                RSA        Camellia   128         TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                 
 x05     RC4-SHA                        RSA        RC4        128         TLS_RSA_WITH_RC4_128_SHA                          
 x04     RC4-MD5                        RSA        RC4        128         TLS_RSA_WITH_RC4_128_MD5                          
 x010080 RC4-MD5                        RSA        RC4        128         SSL_CK_RC4_128_WITH_MD5                           
 x0a     DES-CBC3-SHA                   RSA        3DES       168         TLS_RSA_WITH_3DES_EDE_CBC_SHA                     
 x09     DES-CBC-SHA                    RSA        DES        56          TLS_RSA_WITH_DES_CBC_SHA

So no ECDHE ... >:(
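
Added example (not part of the original posts): a shell script that applies the Chromium rule quoted in the first post to the RFC suite names in a testssl-style table like the one above. The function names are hypothetical, the sample rows are copied from that table, and the TLS 1.3 handling and the weak-primitive flag go beyond what the thread covers.

```shell
#!/bin/sh
# Rule quoted in the thread: a suite counts as "modern" only with forward
# secrecy (ECDHE/DHE key exchange) and AES-GCM or CHACHA20_POLY1305.
classify_suite() {
    suite=$1 why=""
    case $suite in
        TLS_ECDHE_*|TLS_DHE_*) ;;                 # ephemeral key exchange
        *_WITH_*) why="no forward secrecy" ;;     # static RSA and similar
        *) ;;                                     # TLS 1.3 name: always ephemeral
    esac
    case $suite in
        *_GCM_*|*CHACHA20_POLY1305*) ;;
        *) why="${why:+$why, }no AES-GCM/CHACHA20_POLY1305" ;;
    esac
    case $suite in                                # RC4, DES, 3DES, MD5
        *_RC4_*|*_DES_*|*_3DES_*|*_MD5) why="${why:+$why, }weak primitive" ;;
    esac
    if [ -z "$why" ]; then echo modern; else echo "obsolete: $why"; fi
}

# Read a testssl-style table on stdin; the RFC name is the last column.
audit_table() {
    modern=0 total=0
    for suite in $(awk '$NF ~ /^(TLS|SSL)_/ { print $NF }'); do
        verdict=$(classify_suite "$suite")
        printf '%-34s %s\n' "$suite" "$verdict"
        total=$((total + 1))
        if [ "$verdict" = modern ]; then modern=$((modern + 1)); fi
    done
    echo "$modern of $total offered suites meet the rule"
}

# Sample input: header and four rows copied from the table in the post above.
sample_rows() {
    cat <<'EOF'
Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits        Cipher Suite Name (RFC)
 x9d     AES256-GCM-SHA384              RSA        AESGCM     256         TLS_RSA_WITH_AES_256_GCM_SHA384
 x2f     AES128-SHA                     RSA        AES        128         TLS_RSA_WITH_AES_128_CBC_SHA
 x05     RC4-SHA                        RSA        RC4        128         TLS_RSA_WITH_RC4_128_SHA
 x0a     DES-CBC3-SHA                   RSA        3DES       168         TLS_RSA_WITH_3DES_EDE_CBC_SHA
EOF
}

sample_rows | audit_table
# The suite Firefox reported for the Apache server in the first post:
classify_suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
```
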

Re: Letsencrypt with SABnzbd over HTTPS

Posted: December 25th, 2015, 12:07 pm
by nock
I tried Letsencrypt (open beta) on my HTPC Manager, and it worked great.
I did the following:

Code:

#Download Letsencrypt:
git clone
#create standalone cert, paste directly in cli:
letsencrypt/letsencrypt-auto certonly --text --standalone --standalone-supported-challenges tls-sni-01 --domain --email [email protected] --agree-tos --renew-by-default

Then copied the certs like Sander did. Fast and simple :)
Edit: Port 443 needs to be open

Re: Letsencrypt with SABnzbd over HTTPS

Posted: December 25th, 2015, 3:50 pm
by sander
Cool. Is your system behind NAT/firewall? If so: which ports did you forward? Only 443, or others too?

Re: Letsencrypt with SABnzbd over HTTPS

Posted: December 25th, 2015, 5:33 pm
by nock
Yes, I'm behind a NAT/firewall.
Under the process I had port 80 and 443 forwarded, but according to the documentation from Letsencrypt we only need to forward port 443 when using --standalone-supported-challenges tls-sni-01, I guess.

Earlier today I copied the certs to all my standalone and apache web servers, works like a charm :)

Re: Letsencrypt with SABnzbd over HTTPS

Posted: January 5th, 2016, 11:26 am
by nock
For the record, you also have the option in SABnzbd to set the path to the certs instead of replacing the default ones. I have not tried it though.

Re: Letsencrypt with SABnzbd over HTTPS

Posted: January 5th, 2016, 2:57 pm
by sander
nock wrote: For the record, you also have the option in SABnzbd to set the path to the certs instead of replacing the default ones. I have not tried it though.

The Letsencrypt certificates/keys and directories are only readable for root. On my system, SABnzbd is running as a normal user, so it can't read the Letsencrypt directories.

Re: Letsencrypt with SABnzbd over HTTPS

Posted: January 22nd, 2016, 3:37 pm
by sander
I renewed the Letsencrypt keys, which you have to do every 3 months. Renewing is easy for Apache2. However, I had to manually copy those new keys to the SABnzbd directory /home/USER/.sabnzbd/admin/ and set the owner & rights again. A bit boring.

So I tried another way: use Apache 2.4 as reverse proxy in front of SABnzbd, as described here: Just a few standard lines in /etc/apache2/sites-available/000-default-le-ssl.conf

Technical: Apache2.4's HTTPS is a proxy to SABnzbd's HTTP on localhost

Result: SABnzbd is secure via

But it does not work all the time. Sometimes I get "The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later." or a screen with a bad layout.
It looks like it then works again after a few browser refreshes

It works reliably now.
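
Added example (not from the thread's authors): the manual copy, chmod and chown steps that the first post sets out, and that the post above repeats after each renewal, as one shell script meant to be run as root. The function names are hypothetical, and DOMAIN and USER are placeholders because the thread does not give the real values.

```shell
#!/bin/sh
# Copy a renewed certificate and key into SABnzbd's admin directory under the
# names used in the thread (server.cert, server.key), mode 400, owned by the
# account SABnzbd runs as. Run as root after each renewal.

# install_secret SRC DST OWNER: replace DST atomically; never world-readable.
install_secret() {
    src=$1 dst=$2 owner=$3
    tmp=$(mktemp "$dst.XXXXXX") || return 1        # created with mode 600
    if cat "$src" > "$tmp" && chmod 400 "$tmp"; then
        # Only root can give the file to another account.
        if [ "$(id -u)" -ne 0 ] || chown "$owner" "$tmp"; then
            mv -f "$tmp" "$dst" && return 0
        fi
    fi
    rm -f "$tmp"
    return 1
}

# deploy_cert LIVE_DIR SAB_DIR OWNER: prints "updated" or "unchanged".
deploy_cert() {
    live=$1 sab=$2 owner=$3
    for f in cert.pem privkey.pem; do
        [ -s "$live/$f" ] || { echo "missing or empty: $live/$f" >&2; return 1; }
    done
    # Nothing to do (and no restart needed) if both files are already current.
    if cmp -s "$live/cert.pem" "$sab/server.cert" 2>/dev/null &&
       cmp -s "$live/privkey.pem" "$sab/server.key" 2>/dev/null; then
        echo unchanged
        return 0
    fi
    install_secret "$live/privkey.pem" "$sab/server.key" "$owner" &&
        install_secret "$live/cert.pem" "$sab/server.cert" "$owner" &&
        echo updated
}

# DOMAIN and USER are placeholders; the thread does not give the real values.
# Usage: sh deploy.sh /etc/letsencrypt/live/DOMAIN /home/USER/.sabnzbd/admin USER
if [ $# -eq 3 ]; then
    deploy_cert "$@"
fi
```

SABnzbd still has to be restarted when the script prints "updated", as in the first post.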