Renewing Let’s Encrypt SSL on SABnzbd+

Having a secure way to manage your usenet downloads of the hit movie Big Buck Bunny with SABnzbd+ is great, but one problem/feature of Let’s Encrypt is that its SSL certificates expire after only three months, requiring plenty of renewals. Luckily, this can be easily scripted and forgotten.

The primary part of renewing the SSL certificates will be handled by a modified version of Erika Heidi’s le-renew.sh script. Erika’s script does a few things we don’t need, such as restarting Apache, so I forked it on GitHub and made a few changes.

The first thing we need to do is download a copy of le-renew.sh, install it locally, and make it executable:

sudo curl -L -o /usr/local/sbin/le-renew-standalone https://gist.githubusercontent.com/emrikol/055ea6afcfcfda7de7da/raw/ab9704e28912964e6d3828379f490dc697e794b8/le-renew.sh
sudo chmod +x /usr/local/sbin/le-renew-standalone

Since le-renew.sh is a generic renewal script, we also need a helper script to do the extra work for SABnzbd+. Edit and save the following script to /usr/local/sbin/sabnzbd-renew-ssl and then run chmod +x /usr/local/sbin/sabnzbd-renew-ssl to make it executable.

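#!/bin/bash
# Open port 443 so the Let's Encrypt validation can reach this host
ufw allow https
/usr/local/sbin/le-renew-standalone yourdomain.example.com >> /var/log/le-renew-standalone.log
# Close port 443 again once the renewal attempt has finished
ufw deny https
# Copy the current certificate and private key to where SABnzbd+ reads them
cp /etc/letsencrypt/live/yourdomain.example.com/cert.pem /path/to/.sabnzbd/admin/server.cert
cp /etc/letsencrypt/live/yourdomain.example.com/privkey.pem /path/to/.sabnzbd/admin/server.key
# Restart SABnzbd+ so it loads the copied certificate
/etc/init.d/sabnzbdplus restart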

Other than le-renew-standalone, all of these commands were covered in my earlier post about SABnzbd+ and Let’s Encrypt.

Now we just need to add sabnzbd-renew-ssl to root’s crontab so that it runs weekly and keeps our SSL certs renewed.

sudo crontab -e

Add this line to the crontab (borrowed again from Erika):

30 2 * * 1 /usr/local/sbin/sabnzbd-renew-ssl
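
A hardened variant of the helper script, added here as an example (it is not the author's script or part of le-renew.sh): it closes the firewall port even when the renewal fails, keeps the copied private key at mode 600, and restarts SABnzbd+ only when the certificate or key actually changed. The variable names, the return codes and the `--run` switch are choices made for this example, and it assumes server.key is owned by the account SABnzbd+ runs as.

```bash
#!/bin/bash
# Added example: hardened variant of sabnzbd-renew-ssl. Not the author's script.
# Paths and domain are the article's placeholders; the variable names below
# are chosen for this example and can be overridden from the environment.
DOMAIN="${DOMAIN:-yourdomain.example.com}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$DOMAIN}"
SAB_ADMIN="${SAB_ADMIN:-/path/to/.sabnzbd/admin}"
RENEW_CMD="${RENEW_CMD:-/usr/local/sbin/le-renew-standalone}"
LOG="${LOG:-/var/log/le-renew-standalone.log}"

# Run the renewal with port 443 open. The EXIT trap of this subshell closes
# the port again whether the renewal command succeeds or fails.
renew_cert() (
    trap 'ufw deny https' EXIT
    ufw allow https || exit 1
    "$RENEW_CMD" "$DOMAIN" >> "$LOG" 2>&1   # log errors as well as output
)

# Copy src over dst only if the content differs.
# Returns 0 = updated, 1 = already current, 2 = error.
install_if_changed() (
    src=$1; dst=$2; mode=$3
    [ -r "$src" ] || exit 2
    [ -f "$dst" ] && cmp -s "$src" "$dst" && exit 1
    umask 077      # a newly created file is never group- or world-readable
    # Overwriting in place keeps the owner of an existing dst (assumed to be
    # the SABnzbd+ service account); chmod then pins the mode.
    cp "$src" "$dst" && chmod "$mode" "$dst" || exit 2
)

main() {
    changed=no
    renew_cert || echo "renewal command failed, see $LOG" >&2
    install_if_changed "$LIVE_DIR/cert.pem" "$SAB_ADMIN/server.cert" 644 && changed=yes
    install_if_changed "$LIVE_DIR/privkey.pem" "$SAB_ADMIN/server.key" 600 && changed=yes
    # Restart only when new material was deployed, not on every weekly run.
    if [ "$changed" = yes ]; then /etc/init.d/sabnzbdplus restart; fi
}

# The crontab line would call this script with --run; without it, only the
# functions are defined and nothing is executed.
if [ "${1:-}" = "--run" ]; then main; fi
```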

My next goal is to get Let’s Encrypt set up and automated with Sonarr, but it doesn’t look like it will be as easy since we’ll have to convert cert formats.


Disclaimer: This is what worked for me, and I’m just using this as a brain dump. I’m not a network security expert, so don’t do anything I say.
