33 SSL
bakerboy448 edited this page 2022-09-28 13:46:26 -05:00

Windows

Prerequisites

Enabling SSL in Sonarr

  1. Go to Settings -> General
  2. Show advanced options
  3. Enable SSL, set the SSL port and certificate hash (Sonarr will remove all spaces from the hash as they are not required).
  4. Stop Sonarr, either through the UI or by stopping the service or killing the NzbDrone.exe or NzbDrone.Console.exe process.
  5. Ensure that the server is started in **Run as Administrator** mode, which allows it to register the SSL URL and certificate with Windows.
  6. Verify SSL connectivity
  7. If the Sonarr server is still not listening on the SSL port, then follow the workaround mentioned in this thread.

Linux / OS X

Limitations

There are two issues with mono and SSL:

  1. New ciphers aren't supported, so some browsers block the connections by default (Chrome and Firefox both do this).

  2. Mono doesn't support intermediate certificates, which results in a broken chain, and the browsers end up requesting a client certificate.

The second issue can be mitigated by using a certificate chain that doesn't have an intermediate certificate, but most CAs use an intermediate certificate (at least the trusted public ones), which leaves you with a self-signed certificate. The easiest solution for the time being is a reverse proxy with nginx or apache.

Prerequisites

  • SSL certificate with private key (create a self-signed certificate or generate your own)
  • .pvk certificate; this can be produced by converting a .key and .crt
  • Windows PC/VM. The conversion tool only works there. OpenSSL 1.0.0 and up should be able to do it, but it needs to be done without a pass phrase; currently (version 1.0.1l) this is not possible.

Converting key/cert to pvk on windows

  1. Download the PVK Conversion Tool and extract it.

  2. Run pvk.exe via Command Prompt:

    pvk.exe -in yourdomain.key -topvk -nocrypt -out yourdomain.pvk
    

LetsEncrypt Support - Converting key/cert to pvk on linux

  1. Using OpenSSL >1.0.0 it should be possible to generate a .pvk using a .pem from LetsEncrypt

    openssl rsa -in privkey.pem -outform PVK -pvk-none -out yourdomain.pvk
    
  2. You will also need to generate a .crt from the .pem

    openssl x509 -inform PEM -in cert.pem -outform DER -out yourdomain.crt
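
Both conversion commands above write the private key without a pass phrase, so before importing it is worth confirming that the resulting .pvk is a well-formed, unencrypted RSA key and that only the user running Sonarr can read it. The following Python script is an added example, not part of the original wiki or of Sonarr; it reads the PVK header layout as written by OpenSSL, and the function names and the zero-filled sample file are constructed for illustration.

```python
import os
import stat
import struct
import sys

PVK_MAGIC = 0xB0B5F11E    # signature in the first 4 bytes of a .pvk file
RSA2_MAGIC = 0x32415352   # "RSA2": marks an RSA private key blob
KEY_TYPES = {1: "AT_KEYEXCHANGE", 2: "AT_SIGNATURE"}

def inspect_pvk(data):
    """Parse the 24-byte PVK header and the clear-text start of the key blob."""
    if len(data) < 24:
        raise ValueError("too short to be a PVK file")
    magic, _, keytype, enc_flag, saltlen, keylen = struct.unpack_from("<6I", data)
    if magic != PVK_MAGIC:
        raise ValueError("bad magic: not a PVK file")
    blob = data[24 + saltlen:24 + saltlen + keylen]
    if keylen < 20 or len(blob) != keylen:
        raise ValueError("truncated key blob")
    if blob[0] != 0x07:   # bType PRIVATEKEYBLOB; these 8 bytes are never encrypted
        raise ValueError("key blob is not a PRIVATEKEYBLOB")
    info = {"key_type": KEY_TYPES.get(keytype, keytype),
            "encrypted": bool(enc_flag or saltlen), "bits": None}
    if not info["encrypted"]:
        rsa_magic, bits, _ = struct.unpack_from("<3I", blob, 8)
        if rsa_magic != RSA2_MAGIC:
            raise ValueError("unencrypted blob is not an RSA private key")
        info["bits"] = bits
    return info

def loose_permissions(path):
    """True if group or others have any access to the file (POSIX mode bits)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

def build_sample_pvk(bits=2048, encrypted=False):
    """Constructed sample: real header layout, zero-filled key material."""
    salt = bytes(16) if encrypted else b""
    body = struct.pack("<3I", RSA2_MAGIC, bits, 65537) + bytes(9 * bits // 16)
    if encrypted:
        body = bytes(len(body))   # placeholder for the encrypted portion
    blob = struct.pack("<BBHI", 0x07, 0x02, 0, 0xA400) + body
    header = struct.pack("<6I", PVK_MAGIC, 0, 1, int(encrypted), len(salt), len(blob))
    return header + salt + blob

if __name__ == "__main__":
    if len(sys.argv) > 1:   # inspect a real file: pass the path to yourdomain.pvk
        with open(sys.argv[1], "rb") as fh:
            print(inspect_pvk(fh.read()))
        print("group/other access:", loose_permissions(sys.argv[1]))
    else:
        print(inspect_pvk(build_sample_pvk()))
```

If the script reports group/other access on the real file, `chmod 600 yourdomain.pvk` as the user that runs Sonarr restricts it to that account.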
    

Synology Only

If you're not running Sonarr on a Synology, skip these steps.

  1. Place the SSL certificate and converted key in pvk format in /volume1/@appstore/nzbdrone/var/

  2. Load the certificate with httpcfg (comes with mono) as sc-nzbdrone, the user that runs Sonarr:

    su sc-nzbdrone -c "/volume1/@appstore/mono/bin/httpcfg -add -port <SSL_PORT> -pvk yourdomain.pvk -cert yourdomain.crt"
    

Replace <SSL_PORT> with the SSL port you set in Sonarr.

  3. Skip the importing step below, as the pvk and cert have already been imported.

Importing

Load the certificate with httpcfg (comes with mono) with the user that runs Sonarr:

    httpcfg -add -port <SSL_PORT> -pvk yourdomain.pvk -cert yourdomain.crt

Replace <SSL_PORT> with the SSL port you set in Sonarr.

Enabling SSL in Sonarr

  1. Go to Settings -> General
  2. Show advanced options
  3. Enable SSL, set the SSL port
  4. Save
  5. Verify

Generate a Self-signed Certificate

    openssl genrsa -out yourdomain.key 2048
    openssl req -new -x509 -key yourdomain.key -out yourdomain.crt -days 3650 -subj /CN=yourdomain