Sonarr and SSL not functioning

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
How are people managing to use httpcfg inside the sonarr jail? For me it's not installed! I have installed a freebsd jail and installing mono (pkg install mono) gives me httpcfg but in the sonarr plugin, there is no httpcfg. Did you upgrade mono yourself inside the jail?
maybe check in /usr/pbi/sonarr-amd64/bin, PBIs install themselves to their own directory
 

NahsiN

Dabbler
Joined
Jul 21, 2015
Messages
20
Thank you so much! I finally have it working. I will list the steps below for future users. I assume you have your private key in .pvk format (otherwise look here https://github.com/Sonarr/Sonarr/wiki/SSL ) and Sonarr is installed as a FreeNAS Plugin with no additional changes to users, etc.
  1. Load your certificate with httpcfg for root, /usr/pbi/sonarr-amd64/bin/httpcfg -add -port <SSL_PORT> -pvk yourdomain.pvk -cert yourdomain.crt
  2. (Optional) Verify the certificate is loaded, /usr/pbi/sonarr-amd64/bin/httpcfg -list
  3. Move the httplistener directory to where sonarr can use it, mv /root/.config/.mono/httplistener /var/db/sonarr/.mono/
  4. Change permissions so Sonarr has access to the httplistener directory, chown -R media /var/db/sonarr/.mono/httplistener
  5. Go in Sonarr. Settings --> General (Enable Advanced Settings) and enable SSL and select your <SSL_PORT> (default 9898)
  6. Restart both Sonarr and the Sonarr jail :).
Should I also be changing the group to media or is it insecure to leave the group as wheel?
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Group permissions shouldn't matter. I bet the file was written with 600 permissions. And if a user is in the 'wheel' group they can switch to root so permissions wouldn't stop them at that point.
 

NahsiN

Dabbler
Joined
Jul 21, 2015
Messages
20
Group permissions shouldn't matter. I bet the file was written with 600 permissions. And if a user is in the 'wheel' group they can switch to root so permissions wouldn't stop them at that point.
You mean before when it wasn't working? Yes it was rw for the user media only so 600. Should have been rwx (700).
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
You mean before when it wasn't working? Yes it was rw for the user media only so 600. Should have been rwx (700).
I'm guessing that's what httpcfg wrote the certificates as (600). I'm not sure what else you're asking? All I was stating was 'wheel' group ownership poses no additional risk.
 

NahsiN

Dabbler
Joined
Jul 21, 2015
Messages
20
Ah okay, I was just wondering why when I didn't use httpcfg command and manually created the httplistener folder with the two files inside it, ssl wasn't working... Anyway working now so yay! Thanks for all your help.
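
Added example, not part of any post in this thread: a POSIX shell check for the permission points discussed above (the store must be owned by the account Sonarr runs as, the directory needs 700 rather than 600, and the key files should have no group/other bits). The function name `audit_httplistener` is hypothetical; the path and user in the usage comment are the ones from the FreeNAS plugin steps.

```shell
# Added example (not from the thread): audit a Mono httplistener store.
# Usage: audit_httplistener DIR OWNER
# Prints findings; returns 0 when the store is clean, 1 otherwise.
audit_httplistener() {
    dir=$1
    owner=$2
    rc=0

    if [ ! -d "$dir" ]; then
        echo "missing: $dir is not a directory"
        return 1
    fi

    # Everything must belong to the account the service runs as.
    bad=$(find "$dir" ! -user "$owner" 2>/dev/null) ||
        bad="${bad:-$dir (ownership check failed)}"
    if [ -n "$bad" ]; then
        echo "not owned by $owner: $bad"; rc=1
    fi

    # Directories need rwx for the owner: with rw only (600) the owner
    # cannot traverse into the directory to open the files.
    bad=$(find "$dir" -type d ! -perm -700 2>/dev/null) || :
    if [ -n "$bad" ]; then
        echo "owner lacks rwx on directory: $bad"; rc=1
    fi

    # The private key should carry no group or other permission bits.
    bad=$(find "$dir" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null) || :
    if [ -n "$bad" ]; then
        echo "group/other access on file: $bad"; rc=1
    fi

    return "$rc"
}

# Path and user from the FreeNAS plugin steps above, e.g.:
#   audit_httplistener /var/db/sonarr/.mono/httplistener media
if [ "$#" -eq 2 ]; then
    audit_httplistener "$1" "$2"
fi
```

Run it inside the jail as root after the `mv`/`chown` steps; group ownership is deliberately not checked, since only the permission bits decide what the group can read.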
 

monkeybutt

Dabbler
Joined
Dec 10, 2016
Messages
14
Thank you so much! I finally have it working. I will list the steps below for future users. I assume you have your private key in .pvk format (otherwise look here https://github.com/Sonarr/Sonarr/wiki/SSL ) and Sonarr is installed as a FreeNAS Plugin with no additional changes to users, etc.
  1. Load your certificate with httpcfg for root, /usr/pbi/sonarr-amd64/bin/httpcfg -add -port <SSL_PORT> -pvk yourdomain.pvk -cert yourdomain.crt
  2. (Optional) Verify the certificate is loaded, /usr/pbi/sonarr-amd64/bin/httpcfg -list
  3. Move the httplistener directory to where sonarr can use it, mv /root/.config/.mono/httplistener /var/db/sonarr/.mono/
  4. Change permissions so Sonarr has access to the httplistener directory, chown -R media /var/db/sonarr/.mono/httplistener
  5. Go in Sonarr. Settings --> General (Enable Advanced Settings) and enable SSL and select your <SSL_PORT> (default 9898)
  6. Restart both Sonarr and the Sonarr jail :).
Should I also be changing the group to media or is it insecure to leave the group as wheel?

I am trying to follow these steps, and I keep getting httpcfg: Command not found.

I can see httpcfg is inside the directory mentioned here. No idea what the problem is.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
I am trying to follow these steps, and I keep getting httpcfg: Command not found.

I can see httpcfg is inside the directory mentioned here. No idea what the problem is.
If the command is in the same directory use "./httpcfg"
 

appliance

Explorer
Joined
Nov 6, 2019
Messages
96
these steps change every year. for 2019 i've automated process which is called from .acme.sh after certificate is refreshed:

Code:
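# $1 = domain name, as used for the acme.sh certificate directory
# Convert the PEM key to an unencrypted PVK and the PEM certificate to DER for httpcfg
openssl rsa -in "/root/.acme.sh/$1/$1.key" -outform PVK -pvk-none -out "/root/.acme.sh/$1/$1.pvk"
openssl x509 -inform PEM -in "/root/.acme.sh/$1/$1.cer" -outform DER -out "/root/.acme.sh/$1/$1.crt"
# Stage both files in the jail's /tmp (host path of the sonarr jail root)
cp "/root/.acme.sh/$1/$1.pvk" /jails/jails/sonarr/root/tmp/
cp "/root/.acme.sh/$1/$1.crt" /jails/jails/sonarr/root/tmp/
# Replace the binding for port 9898 inside the jail, then list it
iocage exec sonarr /usr/local/bin/httpcfg -del -port 9898
iocage exec sonarr /usr/local/bin/httpcfg -add -port 9898 -pvk "/tmp/$1.pvk" -cert "/tmp/$1.crt"
iocage exec sonarr /usr/local/bin/httpcfg -list
# Remove the staged key and certificate from /tmp
iocage exec sonarr rm "/tmp/$1.pvk" "/tmp/$1.crt"
# Copy root's httplistener store to the sonarr user's .mono directory and hand it over
iocage exec sonarr cp -Ra /root/.config/.mono/httplistener /usr/local/sonarr/.mono/
iocage exec sonarr chown -R sonarr /usr/local/sonarr/.mono/
# Restart Sonarr so it picks up the new certificate
iocage exec sonarr service sonarr onestop
iocage exec sonarr service sonarr start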

slap it into acme.sh or deploy_freenas.sh code or into acme cron -reloadcmd parameter. i trigger the script with 1 parameter (works on CLI too):
/root/deploy-freenas/deploy_freenas_more.sh $domain
will check it for errors upon next renewal. ideally, this will be unattended instant refresh of Letsencrypt certificate.
i cloned the script into Radarr version and in a minute i had a working HTTPS connection from outside.
 