Renewing Let’s Encrypt SSL on SABnzbd+

Having a secure way to manage your usenet downloads of the hit movie Big Buck Bunny with SABnzbd+ is great, but one problem/feature of Let’s Encrypt is that the SSL certificates expire after only three months, requiring plenty of renewals. Luckily this can be easily scripted and forgotten.

The primary part of renewing the SSL certificates will be handled by a modified version of Erika Heidi’s le-renew.sh script. Erika’s script does a few things we don’t need, such as restarting Apache, so I forked it on GitHub and made a few changes.

The first thing we need to do is download a copy of le-renew.sh, install it locally, and make it executable:

sudo curl -L -o /usr/local/sbin/le-renew-standalone https://gist.githubusercontent.com/emrikol/055ea6afcfcfda7de7da/raw/ab9704e28912964e6d3828379f490dc697e794b8/le-renew.sh
sudo chmod +x /usr/local/sbin/le-renew-standalone

Since le-renew.sh is a generic renewal script, we also need a helper script to do the extra work for SABnzbd+. Edit and save the following script to /usr/local/sbin/sabnzbd-renew-ssl and then run chmod +x /usr/local/sbin/sabnzbd-renew-ssl to make it executable.

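#!/bin/bash
# Open HTTPS in the firewall for the duration of the renewal
ufw allow https
/usr/local/sbin/le-renew-standalone yourdomain.example.com >> /var/log/le-renew-standalone.log
# Close HTTPS again once the renewal script has finished
ufw deny https
# Copy the certificate and private key to where SABnzbd+ reads them
cp /etc/letsencrypt/live/yourdomain.example.com/cert.pem /path/to/.sabnzbd/admin/server.cert
cp /etc/letsencrypt/live/yourdomain.example.com/privkey.pem /path/to/.sabnzbd/admin/server.key
# Restart SABnzbd+ so it loads the copied files
/etc/init.d/sabnzbdplus restart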

Other than le-renew-standalone, all of these commands were covered in my earlier post about SABnzbd+ and Let’s Encrypt.

Now we just need to add sabnzbd-renew-ssl to root’s crontab so that it will run weekly and make sure our SSL certs are renewed.

sudo crontab -e

Add this line to the crontab (borrowed again from Erika):

30 2 * * 1 /usr/local/sbin/sabnzbd-renew-ssl
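
The helper above copies both files and restarts SABnzbd+ on every weekly run, whether or not a new certificate was issued. The variant below is an added example, not part of the original post or of Erika’s script: it copies only when the live files differ from what SABnzbd+ already has, forces the private key to mode 600, and restarts only after a change. It assumes server.cert and server.key already exist with the owner SABnzbd+ runs as, and the --run argument is a convention introduced here.

```shell
#!/bin/sh
# Added example: copy-on-change variant of sabnzbd-renew-ssl (not the post's script).
# DOMAIN and SAB_ADMIN are the post's placeholders; replace them with real values.
DOMAIN="yourdomain.example.com"
LIVE="/etc/letsencrypt/live/$DOMAIN"
SAB_ADMIN="/path/to/.sabnzbd/admin"

# install_if_changed SRC DST MODE
# Returns 0 if DST was replaced, 1 if it already matched SRC, 2 on error.
install_if_changed() {
    src=$1; dst=$2; mode=$3
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        chmod "$mode" "$dst" || return 2    # content is current; still enforce the mode
        return 1
    fi
    # umask 077 keeps a newly created file private until chmod sets the final mode.
    # Assumption: DST normally exists already, and cp into it keeps its owner.
    ( umask 077; cp "$src" "$dst" ) || return 2
    chmod "$mode" "$dst" || return 2
    return 0
}

# sync_certs: returns 0 if either file changed, 1 if nothing changed, 2 on error.
sync_certs() {
    result=1
    rc=0; install_if_changed "$LIVE/cert.pem" "$SAB_ADMIN/server.cert" 644 || rc=$?
    if [ "$rc" -eq 2 ]; then return 2; fi
    if [ "$rc" -eq 0 ]; then result=0; fi
    rc=0; install_if_changed "$LIVE/privkey.pem" "$SAB_ADMIN/server.key" 600 || rc=$?
    if [ "$rc" -eq 2 ]; then return 2; fi
    if [ "$rc" -eq 0 ]; then result=0; fi
    return "$result"
}

renew_main() {
    ufw allow https
    /usr/local/sbin/le-renew-standalone "$DOMAIN" >> /var/log/le-renew-standalone.log 2>&1
    ufw deny https
    # Restart only when a new certificate or key was actually installed.
    if sync_certs; then
        /etc/init.d/sabnzbdplus restart
    fi
}

# Does nothing unless called with --run, e.g. from cron:
#   30 2 * * 1 /usr/local/sbin/sabnzbd-renew-ssl --run
if [ "${1:-}" = "--run" ]; then renew_main; fi
```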

My next goal is to get Let’s Encrypt set up and automated with Sonarr, but it doesn’t look like it will be as easy since we’ll have to convert cert formats.


Disclaimer: This is what worked for me, and I’m just using this as a brain dump. I’m not a network security expert, so don’t do anything I say.
