How do I secure my newsgroup apps / servers

Overview

Adding SSL certificates to your newsgroup servers (SABnzbd, etc.) is key to securing your systems, particularly if you connect via a public network. This guide will assist with configuring some of the common systems for use with certificates.

The following provides an overview of the steps for certificates provided by StartSSL, which will provide you with a free certificate that is valid for 1 year. Refer to StartSSL's terms and conditions and product offerings to ensure this certificate is suitable for you.

  1. Create a StartSSL account
  2. Validate your domain name
  3. Generate a private key and certificate
  4. Generate a decrypted private key 
  5. Load the key and certificate into the server
  6. Restart and connect via the HTTPS ports

1. Create a StartSSL account

  1. Navigate to http://www.startssl.com and click Login to the Control Panel
  2. Sign Up for a new account
  3. Enter your personal details and verify your email
  4. Generate a High Grade 2048 bit certificate
  5. Install the certificate when prompted

2. Validate your domain name

  1. At the top of the StartSSL screen, select Validation Wizard
  2. Select type 'Domain Name Validation'
  3. Enter the domain name to be validated
  4. Select an email address you have access to
  5. When the email is received, enter the validation code. Check your SPAM folder or your domain privacy settings if this takes more than a few minutes

3. Generate a private key and certificate

  1. At the top of the StartSSL screen, select Certificates Wizard
  2. Select the certificate target: Web Server SSL/TLS Certificate
  3. Enter a long password and ensure you remember this password. You will need it in the future! Select key size 4096 and Secure Hash SHA2
  4. Copy and paste the entire key file (including the ------------ parts) into a text file and save as "private.key"
  5. Add your domain
  6. Enter a subdomain. Usually this is just "www"
  7. Continue processing certificate
  8. Copy and paste the entire certificate file (including the ----------- parts) into a text file and save as "ssl.crt"

4. Generate a decrypted private key

  1. In the StartSSL toolbox, select "Decrypt Private Key"
  2. Copy and paste the contents of your file "private.key" generated earlier in step 3-4
  3. Enter the password you created earlier in step 3-3 and click "Decrypt"
  4. Copy and paste the entire decrypted key (including the ----------- parts) into a text file and save as "ssl.key"
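
Before loading the files into a server, a structural check catches the usual copy-and-paste mistakes from steps 3 and 4: a truncated block, the certificate saved as the key, or the still-encrypted key saved as ssl.key. The following Python is an added example, not part of StartSSL or of any of the servers covered here; the function names are illustrative. It checks PEM framing and file permissions only and does not verify that the key matches the certificate.

```python
import os
import re
import tempfile
from pathlib import Path

# PEM armour: -----BEGIN <label>----- ... -----END <label>-----
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
EXPECTED = {"private.key": "encrypted-key", "ssl.crt": "certificate", "ssl.key": "plain-key"}

def classify_pem(text):
    """Return the kind of every complete PEM block found in text, in order."""
    kinds = []
    for label, body in PEM_RE.findall(text):
        if label == "CERTIFICATE":
            kinds.append("certificate")
        elif label.endswith("PRIVATE KEY"):
            # PKCS#8 marks encryption in the label, the traditional format in an RFC 1421 header
            enc = label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body
            kinds.append("encrypted-key" if enc else "plain-key")
        else:
            kinds.append("other")
    return kinds

def preflight(folder):
    """Check private.key, ssl.crt and ssl.key in folder; return a list of problems."""
    problems = []
    for name, want in EXPECTED.items():
        path = Path(folder, name)
        if not path.is_file():
            problems.append(f"{name}: missing")
            continue
        kinds = classify_pem(path.read_text(encoding="ascii", errors="replace"))
        if kinds != [want]:
            problems.append(f"{name}: expected one {want} block, found {kinds or 'no complete PEM block'}")
        # ssl.key has no passphrase, so on POSIX its file mode is the only protection
        if name == "ssl.key" and os.name == "posix" and path.stat().st_mode & 0o077:
            problems.append(f"{name}: readable by group or others, restrict it to mode 600")
    return problems

def demo():
    """Constructed files (placeholder bodies, not real keys): the certificate was saved as ssl.key."""
    pem = "-----BEGIN {0}-----\n{1}\n-----END {0}-----\n".format
    enc = "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nQ09OU1RSVUNURUQ="
    cert = pem("CERTIFICATE", "Q09OU1RSVUNURUQ=")
    files = {"private.key": pem("RSA PRIVATE KEY", enc), "ssl.crt": cert, "ssl.key": cert}
    with tempfile.TemporaryDirectory() as d:
        for name, text in files.items():
            Path(d, name).touch(mode=0o600)
            Path(d, name).write_text(text)
        return preflight(d)
```

Call preflight() with the folder that holds your three files; an empty list means the framing and permissions look right.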

5. Load the key and certificate into the server

Depending on the server, follow the relevant instructions. Please note, this may vary depending on whether you are running a Windows, Linux, OS X, Pi, QNAP, toaster, etc. based server.

The following table summarises the typical location of the config files for each of the servers:

Server        Windows                                        Linux                OS X
SABnzbd       C:\Users\<user>\AppData\Local\SABnzbd\
Couch Potato  C:\Users\<user>\AppData\Roaming\CouchPotato\   /root/.couchpotato   ~/Library/Applications Settings/CouchPotato
Sickbeard
Headphones
NZBGet

SABnzbd

First, back up your config file.

  1. Open the SABnzbd data directory
  2. Make a copy of the file sabnzbd.ini

You'll then need to obtain the certificate chain from StartSSL.

  1. In the StartSSL toolbox, select StartCom CA Certificates
  2. Download the StartCom Root CA (PEM encoded)

You will need the files: ssl.crt (step 3-8), ssl.key (step 4-4) and ca-bundle.pem (the file you've just downloaded).

  1. Open the SABnzbd General Settings menu. 
  2. Under the HTTPS Support section, look for the 'Default Base Folder'. For Windows users, this is probably C:\Users\<user>\AppData\Local\sabnzbd\admin. Copy the 3 files into this folder
  3. Set the HTTPS Certificate field to "ssl.crt"
  4. Set the HTTPS Key field to "ssl.key"
  5. Set the HTTPS Chain Certificates to "ca-bundle.pem"
  6. Save the changes and restart SABnzbd

When the server has restarted, connect via the HTTPS port, e.g.: https://yourdomain.com:9090

If you mess things up, you should still be able to connect via the non-SSL port. Check your settings and try again.

If you can't access this, check the logs in the SABnzbd data directory, or if all else fails, replace your config file with the one you backed up earlier and try again / give up.

 

Couch Potato

First, back up your config file.

  1. Open the CouchPotato data directory. 
  2. Make a copy of the file "settings.conf"

You will need the files: ssl.crt (step 3-8) and ssl.key (step 4-4)

  1. Copy the files to a safe location on the server. This doesn't have to be in the CouchPotato directory, but should be out of the way somewhere.
  2. Open Couch Potato's General settings menu
  3. Ensure 'Show Advanced Settings' is checked
  4. In the SSL Cert box, enter the full path of the file "ssl.crt", e.g.: "C:\Certs\ssl.crt"
  5. In the SSL Key box, enter the full path to the file "ssl.key", e.g.: "C:\Certs\ssl.key"
  6. Restart CouchPotato

When the server has restarted, connect using https. This will be on the same URL as before, but starting with https, e.g.: https://yourdomain.com:5050

If you mess things up, check the logs in the CouchPotato data directory or if all else fails, replace your config file with the one you backed up earlier and try again / give up.

 

Sonarr

First, you'll need to create a PKCS#12 version of your key/certificate. 

  1. In the StartSSL Toolbox, click Create PKCS#12 (PFX) file
  2. Copy the contents of your "private.key" file (step 3-4) into the "Enter Private Key" box
  3. Copy the contents of your "ssl.crt" file (step 3-8) into the "Enter Certificate" box
  4. Enter the password you had entered before (step 3-3)
  5. Click continue, then click Get PFX. A file ending with *.p12 will be downloaded. 

Then, follow the instructions on installing and enabling your certificate as per the Sonarr SSL wiki page: https://github.com/Sonarr/Sonarr/wiki/SSL

 

Sickbeard

TBA

 

Headphones

TBA

 

NZBGet

TBA